remove unused ssh_string in ssh_channel_open_forward_unix

Signed-off-by: Rémi Coulom <remi.coulom@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
tests: Fix build script to work also on MacOS correctly
2026-02-04 12:20:42 +09:00 · 2025-07-25 19:52:37 +02:00 · 2025-07-25 16:40:56 +02:00 · 2025-07-25 13:20:15 +02:00 · 2025-07-25 13:20:15 +02:00 · 2025-07-25 13:20:15 +02:00
345 changed files with 53175 additions and 19600 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -0,0 +1,29 @@
+---
+# https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+BasedOnStyle: LLVM
+IndentWidth: 4
+UseTab: Never
+AllowShortIfStatementsOnASingleLine: false
+BreakBeforeBraces: Custom
+BraceWrapping:
+    AfterEnum: false
+    AfterFunction: true
+    AfterStruct: false
+    AfterUnion: false
+    AfterExternBlock: false
+    BeforeElse: false
+    BeforeWhile: false
+IndentCaseLabels: false
+IndentCaseBlocks: false
+ColumnLimit: 80
+AlignAfterOpenBracket: Align
+AllowAllParametersOfDeclarationOnNextLine: false
+BinPackArguments: false
+BinPackParameters: false
+AllowAllArgumentsOnNextLine: false
+AllowShortFunctionsOnASingleLine: Empty
+BreakAfterReturnType: ExceptShortType
+AlwaysBreakAfterReturnType: AllDefinitions
+AlignEscapedNewlines: Left
+ForEachMacros: ['ssh_callbacks_iterate']
+AlignConsecutiveMacros: 'Consecutive'
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
 *.a
 *.o
-.*
 *.swp
 *~$
 cscope.*
@@ -10,3 +9,5 @@ compile_commands.json
 tags
 /build
 /obj*
+doc/tags.xml
+.DS_Store
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,26 +1,43 @@
 ---
 variables:
  BUILD_IMAGES_PROJECT: libssh/build-images
-  CENTOS7_BUILD: buildenv-centos7
-  COVERITY_BUILD: buildenv-coverity
+  CENTOS8_BUILD: buildenv-c8s
+  CENTOS9_BUILD: buildenv-c9s
+  CENTOS10_BUILD: buildenv-c10s
  FEDORA_BUILD: buildenv-fedora
  MINGW_BUILD: buildenv-mingw
  TUMBLEWEED_BUILD: buildenv-tumbleweed
  UBUNTU_BUILD: buildenv-ubuntu
-  RAWHIDE_BUILD: buildenv-rawhide
+  ALPINE_BUILD: buildenv-alpine

 stages:
+  - review
  - build
  - test
  - analysis

-.build:
-  stage: build
+# This is some black magic to select between branch pipelines and
+# merge request pipelines to avoid running same pipelines in twice
+workflow:
+  rules:
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"'
+      when: never
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: never
+    - if: '$CI_COMMIT_BRANCH'
+
+.build_options:
  variables:
    CMAKE_DEFAULT_OPTIONS: "-DCMAKE_BUILD_TYPE=RelWithDebInfo -DPICKY_DEVELOPER=ON"
-    CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON -DWITH_DSA=ON"
-    CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DWITH_BENCHMARKS=ON"
+    CMAKE_DEFAULT_DEBUG_OPTIONS: "-DCMAKE_C_FLAGS='-O0 -g -ggdb' -DPICKY_DEVELOPER=ON"
+    CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON"
+    CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DGSSAPI_TESTING=ON -DWITH_BENCHMARKS=ON -DFUZZ_TESTING=ON"
    CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS
+
+.build:
+  extends: .build_options
+  stage: build
  before_script: &build
    - uname -a
    - cat /etc/os-release
@@ -35,7 +52,11 @@ stages:
      make -j$(nproc) install
  # Do not use after_script as it does not make the targets fail
  tags:
-    - shared
+    - saas-linux-small-amd64
+  only:
+    - merge_requests
+    - branches
+
  except:
    - tags
  artifacts:
@@ -58,34 +79,117 @@ stages:
 .fedora:
  extends: .tests
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
-  variables:
-    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
-
-.fedora_rawhide:
-  extends: .fedora
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$RAWHIDE_BUILD
-  before_script:
-    - *build
-    # Legacy cp is needed for SHA1 tests to pass
-    - update-crypto-policies --set LEGACY

 .tumbleweed:
  extends: .tests
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD

+.fips:
+  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
+  before_script:
+    - *build
+    - echo "# userspace fips" > /etc/system-fips
+    # We do not need the kernel part, but in case we ever do:
+    # mkdir -p /var/tmp/userspace-fips
+    # echo 1 > /var/tmp/userspace-fips/fips_enabled
+    # mount --bind /var/tmp/userspace-fips/fips_enabled \
+    # /proc/sys/crypto/fips_enabled
+    - update-crypto-policies --show
+    - update-crypto-policies --set FIPS
+    - update-crypto-policies --show
+
+###############################################################################
+#                                   Review                                    #
+###############################################################################
+review:
+  variables:
+    GIT_DEPTH: 100
+  stage: review
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  script:
+    - ERROR=0
+      codespell --ignore-words-list=keypair,sorce,ned,nd,ue,pendin || ERROR=1;
+      ./.gitlab-ci/clang-format-check.sh || ERROR=1;
+      ./.gitlab-ci/git-check-signoff-trailer.sh ${CI_MERGE_REQUEST_DIFF_BASE_SHA} || ERROR=1;
+      ./.gitlab-ci/shellcheck.sh || ERROR=1;
+      exit $ERROR
+  # the format is not always matching our intentions
+  allow_failure: true
+  tags:
+    - saas-linux-small-amd64
+  only:
+    - merge_requests

 ###############################################################################
 #                               CentOS builds                                 #
 ###############################################################################
-# pkd tests fail on CentOS7 docker images, so we don't use -DSERVER_TESTING=ON
-centos7/openssl_1.0.x/x86_64:
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD
+centos10s/openssl_3.5.x/x86_64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS10_BUILD
  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON -DWITH_PKCS11_PROVIDER=ON
  script:
-    - cmake3 $CMAKE_OPTIONS .. &&
+    - export OPENSSL_ENABLE_SHA1_SIGNATURES=1
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
      make -j$(nproc) &&
      ctest --output-on-failure

+centos10s/openssl_3.5.x/x86_64/fips:
+  extends: .fips
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS10_BUILD
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON -DWITH_PKCS11_PROVIDER=ON
+  script:
+    - export OPENSSL_ENABLE_SHA1_SIGNATURES=1
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+
+centos9s/openssl_3.5.x/x86_64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
+  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
+  script:
+    - export OPENSSL_ENABLE_SHA1_SIGNATURES=1
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      ctest --output-on-failure
+
+centos9s/mbedtls_2.x/x86_64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
+  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_BLOWFISH_CIPHER=OFF"
+
+centos9s/openssl_3.5.x/x86_64/fips:
+  extends: .fips
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
+  script:
+    - export OPENSSL_ENABLE_SHA1_SIGNATURES=1
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+
+centos8s/openssl_1.1.1/x86_64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD
+  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
+  script:
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      ctest --output-on-failure
+
+centos8s/openssl_1.1.1/x86_64/fips:
+  extends: .fips
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD
+  script:
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure

 ###############################################################################
 #                               Fedora builds                                 #
@@ -98,99 +202,81 @@ fedora/docs:
  extends: .build
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-    - cmake .. && make docs
+    - cmake .. && make docs_coverage && make docs
+  coverage: '/^Documentation coverage is \d+.\d+%/'

 fedora/ninja:
  extends: .fedora
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-    - cmake -G Ninja $CMAKE_OPTIONS ../ && ninja && ninja test
+    - cmake -G Ninja $CMAKE_OPTIONS ../ && ninja && CTEST_OUTPUT_ON_FAILURE=1 ninja test

-fedora/openssl_1.1.x/x86_64:
+fedora/coverage:
  extends: .fedora
-
-fedora/openssl_1.1.x/x86_64/fips:
-  extends: .fedora
-  before_script:
-    - echo "# userspace fips" > /etc/system-fips
-    # We do not need the kernel part, but in case we ever do:
-    # mkdir -p /var/tmp/userspace-fips
-    # echo 1 > /var/tmp/userspace-fips/fips_enabled
-    # mount --bind /var/tmp/userspace-fips/fips_enabled \
-    # /proc/sys/crypto/fips_enabled
-    - update-crypto-policies --show
-    - update-crypto-policies --set FIPS
-    - update-crypto-policies --show
-    - mkdir -p obj && cd obj && cmake
-      -DCMAKE_BUILD_TYPE=RelWithDebInfo
-      -DPICKY_DEVELOPER=ON
-      -DWITH_BLOWFISH_CIPHER=ON
-      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-      -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
-      -DWITH_DSA=ON
-      -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_BUILD_TYPE=Debug -DWITH_COVERAGE=ON"
  script:
-    - cmake $CMAKE_OPTIONS .. &&
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
      make -j$(nproc) &&
-      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+      make coverage_xml
+  coverage: /^\s*lines:\s*\d+.\d+\%/
+  artifacts:
+    name: ${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
+    expire_in: 1 week
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: obj/coverage_xml.xml

-fedora/openssl_1.1.x/x86_64/minimal:
+fedora/openssl_3.x/x86_64:
+  extends: .fedora
+
+fedora/openssl_3.x/x86_64/pkcs11-provider:
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON -DWITH_PKCS11_PROVIDER=ON
+  extends: .fedora
+
+fedora/openssl_3.x/x86_64/minimal:
  extends: .fedora
  variables:
  script:
    - cmake $CMAKE_DEFAULT_OPTIONS
+      -DWITH_EXEC=OFF
      -DWITH_SFTP=OFF
      -DWITH_SERVER=OFF
      -DWITH_ZLIB=OFF
      -DWITH_PCAP=OFF
-      -DWITH_DSA=OFF
      -DUNIT_TESTING=ON
      -DCLIENT_TESTING=ON
      -DWITH_GEX=OFF .. &&
      make -j$(nproc)

-fedora/openssl_3.0/x86_64:
-  extends: .fedora_rawhide
-
-fedora/openssl_3.0/x86_64/fips:
-  extends: .fedora_rawhide
-  before_script:
-    - echo "# userspace fips" > /etc/system-fips
-    # We do not need the kernel part, but in case we ever do:
-    # mkdir -p /var/tmp/userspace-fips
-    # echo 1 > /var/tmp/userspace-fips/fips_enabled
-    # mount --bind /var/tmp/userspace-fips/fips_enabled \
-    # /proc/sys/crypto/fips_enabled
-    - update-crypto-policies --show
-    - update-crypto-policies --set FIPS
-    - update-crypto-policies --show
-    - mkdir -p obj && cd obj && cmake
-      -DCMAKE_BUILD_TYPE=RelWithDebInfo
-      -DPICKY_DEVELOPER=ON
-      -DWITH_BLOWFISH_CIPHER=ON
-      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-      -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
-      -DWITH_DSA=ON
-      -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
+.valgrind:
+  extends: .fedora
+  stage: analysis
  script:
-    - cmake $CMAKE_OPTIONS .. &&
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
      make -j$(nproc) &&
-      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+      make test_memcheck
+    - cat Testing/Temporary/MemoryChecker.*.log | wc -l | grep "^0$"

-fedora/openssl_3.0/x86_64/minimal:
-  extends: .fedora_rawhide
+# The PKCS#11 support is turned off as it brings dozens of memory issues from
+# engine_pkcs11 or openssl itself
+fedora/valgrind/openssl:
  variables:
-  script:
-    - cmake $CMAKE_DEFAULT_OPTIONS
-      -DWITH_SFTP=OFF
-      -DWITH_SERVER=OFF
-      -DWITH_ZLIB=OFF
-      -DWITH_PCAP=OFF
-      -DWITH_DSA=OFF
-      -DUNIT_TESTING=ON
-      -DCLIENT_TESTING=ON
-      -DWITH_GEX=OFF .. &&
-      make -j$(nproc)
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=OFF
+  extends: .valgrind
+
+fedora/valgrind/mbedtls:
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_MBEDTLS=ON
+  extends: .valgrind
+
+fedora/valgrind/libgcrypt:
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_GCRYPT=ON
+  extends: .valgrind

 # Address sanitizer doesn't mix well with LD_PRELOAD used in the testsuite
 # so, this is only enabled for unit tests right now.
@@ -247,10 +333,10 @@ fedora/libgcrypt/x86_64:
  variables:
    CMAKE_ADDITIONAL_OPTIONS: "-DWITH_GCRYPT=ON -DWITH_DEBUG_CRYPTO=ON"

-fedora/mbedtls/x86_64:
+fedora/mbedtls_2.x/x86_64:
  extends: .fedora
  variables:
-    CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DSA=OFF"
+    CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON "

 # Unit testing only, no client and pkd testing, because cwrap is not available
 # for MinGW
@@ -267,7 +353,7 @@ fedora/mingw64:
      -DWITH_PCAP=ON
      -DUNIT_TESTING=ON .. &&
      make -j$(nproc) &&
-      ctest --output-on-failure
+      ctest --output-on-failure -E torture_rand

 # Unit testing only, no client and pkd testing, because cwrap is not available
 # for MinGW
@@ -284,7 +370,7 @@ fedora/mingw32:
      -DWITH_PCAP=ON
      -DUNIT_TESTING=ON .. &&
      make -j$(nproc) &&
-      ctest --output-on-failure
+      ctest --output-on-failure -E torture_rand


 ###############################################################################
@@ -297,6 +383,11 @@ fedora/mingw32:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  before_script:
    - |
+      # for merge requests
+      if [[ -n "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]; then
+          export CI_COMMIT_BEFORE_SHA="$CI_MERGE_REQUEST_DIFF_BASE_SHA"
+      fi
+      # for branches run
      if [[ -z "$CI_COMMIT_BEFORE_SHA" ]]; then
          export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
      fi
@@ -307,32 +398,23 @@ fedora/mingw32:

      export CI_COMMIT_RANGE="$CI_COMMIT_BEFORE_SHA..$CI_COMMIT_SHA"
  tags:
-    - shared
+    - saas-linux-small-amd64
  except:
    - tags
+  only:
+    - merge_requests
  artifacts:
    expire_in: 1 week
    when: on_failure
    paths:
      - obj-csbuild/

-fedora/csbuild/openssl_1.1.x:
+fedora/csbuild/openssl_3.x:
  extends: .csbuild
  script:
    - csbuild
      --build-dir=obj-csbuild
-      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
-      --git-commit-range $CI_COMMIT_RANGE
-      --color
-      --print-current --print-fixed
-
-fedora/csbuild/openssl_3.0.x:
-  extends: .csbuild
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$RAWHIDE_BUILD
-  script:
-    - csbuild
-      --build-dir=obj-csbuild
-      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
+      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON @SRCDIR@ && make clean && make -j$(nproc)"
      --git-commit-range $CI_COMMIT_RANGE
      --color
      --print-current --print-fixed
@@ -342,7 +424,7 @@ fedora/csbuild/libgcrypt:
  script:
    - csbuild
      --build-dir=obj-csbuild
-      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
+      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON @SRCDIR@ && make clean && make -j$(nproc)"
      --git-commit-range $CI_COMMIT_RANGE
      --color
      --print-current --print-fixed
@@ -357,24 +439,95 @@ fedora/csbuild/mbedtls:
      --color
      --print-current --print-fixed

+###############################################################################
+#                               Fedora abidiff                                #
+###############################################################################
+
+fedora/abidiff:
+  stage: analysis
+  variables:
+    GIT_DEPTH: "100"
+    CMAKE_OPTIONS: $CMAKE_DEFAULT_DEBUG_OPTIONS $CMAKE_BUILD_OPTIONS
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  before_script:
+    - uname -a
+    - cat /etc/os-release
+    - mount
+    - df -h
+    - cat /proc/swaps
+    - free -h
+    - |
+      # for merge requests
+      if [[ -n "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]; then
+          export CI_COMMIT_BEFORE_SHA="$CI_MERGE_REQUEST_DIFF_BASE_SHA"
+      fi
+      # for branches run
+      if [[ -z "$CI_COMMIT_BEFORE_SHA" ]]; then
+          export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
+      fi
+
+      # Check if the commit exists in this branch
+      # This is not the case for a force push
+      git branch --contains $CI_COMMIT_BEFORE_SHA 2>/dev/null || export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
+
+    - mkdir -p obj-${CI_COMMIT_BEFORE_SHA}
+    - mkdir -p obj-${CI_COMMIT_SHA}
+
+    - export INSTALL_DIR1=$(pwd)/install/${CI_COMMIT_BEFORE_SHA}
+    - export INSTALL_DIR2=$(pwd)/install/${CI_COMMIT_SHA}
+  script:
+    - git checkout ${CI_COMMIT_BEFORE_SHA}
+    - pushd obj-${CI_COMMIT_BEFORE_SHA}
+    - cmake ${CMAKE_OPTIONS} -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR1} .. &&
+      make -j$(nproc) && make -j$(nproc) install
+    - popd
+    - ls -l ${INSTALL_DIR1}/lib*/
+    - git checkout ${CI_COMMIT_SHA}
+    - pushd obj-${CI_COMMIT_SHA}
+    - cmake ${CMAKE_OPTIONS} -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR2} .. &&
+      make -j$(nproc) && make -j$(nproc) install
+    - popd
+    - ls -l ${INSTALL_DIR2}/lib*/
+    - ./.gitlab-ci/checkabi.sh ${INSTALL_DIR1} ${INSTALL_DIR2}
+  tags:
+    - saas-linux-small-amd64
+  except:
+    - tags
+  only:
+    - merge_requests

 ###############################################################################
 #                               Ubuntu builds                                 #
 ###############################################################################
-ubuntu/openssl_1.1.x/x86_64:
+ubuntu/openssl_3.0.x/x86_64:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD
  extends: .tests


+###############################################################################
+#                               Alpine builds                                 #
+###############################################################################
+alpine/openssl_3.x/musl:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BUILD
+  extends: .tests
+  script:
+    - cmake $CMAKE_DEFAULT_OPTIONS
+      -DWITH_SFTP=ON
+      -DWITH_SERVER=ON
+      -DWITH_ZLIB=ON
+      -DWITH_PCAP=ON
+      -DUNIT_TESTING=ON .. &&
+      make -j$(nproc) &&
+      ctest --output-on-failure
+
+
 ###############################################################################
 #                             Tumbleweed builds                               #
 ###############################################################################
-tumbleweed/openssl_1.1.x/x86_64/gcc:
+tumbleweed/openssl_3.x/x86_64/gcc:
  extends: .tumbleweed
-  variables:
-    CMAKE_ADDITIONAL_OPTIONS: "-DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"

-tumbleweed/openssl_1.1.x/x86/gcc:
+tumbleweed/openssl_3.x/x86/gcc:
  extends: .tumbleweed
  script:
    - cmake
@@ -384,15 +537,15 @@ tumbleweed/openssl_1.1.x/x86/gcc:
      -DWITH_SERVER=ON
      -DWITH_ZLIB=ON
      -DWITH_PCAP=ON
-      -DWITH_DSA=ON
-      -DUNIT_TESTING=ON ..
+      -DUNIT_TESTING=ON .. &&
+      make -j$(nproc)

-tumbleweed/openssl_1.1.x/x86_64/gcc7:
+tumbleweed/openssl_3.x/x86_64/gcc7:
  extends: .tumbleweed
  variables:
-    CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7 -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
+    CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7"

-tumbleweed/openssl_1.1.x/x86/gcc7:
+tumbleweed/openssl_3.x/x86/gcc7:
  extends: .tumbleweed
  script:
    - cmake
@@ -400,15 +553,24 @@ tumbleweed/openssl_1.1.x/x86/gcc7:
      -DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7
      $CMAKE_DEFAULT_OPTIONS
      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-      -DWITH_DSA=ON
      -DUNIT_TESTING=ON .. &&
      make -j$(nproc) &&
      ctest --output-on-failure

-tumbleweed/openssl_1.1.x/x86_64/clang:
+tumbleweed/openssl_3.x/x86_64/clang:
  extends: .tumbleweed
  variables:
-    CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
+    CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++"
+
+tumbleweed/mbedtls-3.6.x/x86_64/gcc:
+  extends: .tumbleweed
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: "-DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config -DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_BLOWFISH_CIPHER=OFF "
+
+tumbleweed/mbedtls-3.6.x/x86_64/clang:
+  extends: .tumbleweed
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config -DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_BLOWFISH_CIPHER=OFF "

 tumbleweed/static-analysis:
  extends: .tests
@@ -437,7 +599,7 @@ tumbleweed/static-analysis:
 ###############################################################################
 # That is a specific runner that we cannot enable universally.
 # We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
-freebsd/x86_64:
+freebsd/openssl_1.1.1/x86_64:
  image:
  extends: .tests
  before_script:
@@ -468,6 +630,8 @@ freebsd/x86_64:
 ###############################################################################
 #                           Visual Studio builds                              #
 ###############################################################################
+# 2024-05-13: These jobs run out of the stages as they take extremely long and
+# usually timeout with the update to Gitlab 17.0
 .vs:
  stage: test
  cache:
@@ -480,8 +644,10 @@ freebsd/x86_64:
    - cmake --build .
    - ctest --output-on-failure
  tags:
-    - windows
-    - shared-windows
+    - saas-windows-medium-amd64
+  only:
+    - merge_requests
+    - branches
  except:
    - tags
  artifacts:
@@ -490,8 +656,6 @@ freebsd/x86_64:
    paths:
      - obj/
  before_script:
-    - choco install --no-progress -y cmake
-    - $env:Path += ';C:\Program Files\CMake\bin'
    - If (!(test-path .vcpkg\archives)) { mkdir -p .vcpkg\archives }
    - $env:VCPKG_DEFAULT_BINARY_CACHE="$PWD\.vcpkg\archives"
    - echo $env:VCPKG_DEFAULT_BINARY_CACHE
@@ -531,7 +695,7 @@ visualstudio/x86:

 coverity:
  stage: analysis
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$COVERITY_BUILD
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
  script:
    - mkdir obj && cd obj
    - wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$COVERITY_SCAN_PROJECT_NAME" -O /tmp/coverity_tool.tgz
@@ -547,7 +711,7 @@ coverity:
      --form description="CI build"
      https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
  tags:
-    - shared
+    - saas-linux-small-amd64
  only:
    refs:
      - master
@@ -561,3 +725,41 @@ coverity:
    when: on_failure
    paths:
      - obj/cov-int/*.txt
+
+###############################################################################
+#                                  MacOS                                      #
+###############################################################################
+.macos:
+  tags:
+    - saas-macos-medium-m1
+  image: macos-14-xcode-15
+  before_script:
+    - echo "MacOS runner started"
+    - brew update
+    - brew install cmake openssl cmocka doxygen
+    - mkdir obj && cd obj
+  only:
+    - branches@libssh/libssh-mirror
+    - branches@cryptomilk/libssh-mirror
+    - branches@jjelen/libssh-mirror
+    - branches@marco.fortina/libssh-mirror
+
+# TODO add -DFUZZ_TESTING=ON clang cant find _LLVMFuzzerInitialize on arm64
+macos-m1:
+  extends: .macos
+  variables:
+    HOMEBREW_NO_AUTO_UPDATE: 1
+    CMAKE_DEFAULT_OPTIONS: "-DCMAKE_BUILD_TYPE=RelWithDebInfo -DPICKY_DEVELOPER=ON"
+    CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON"
+    CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON"
+    CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS
+  stage: test
+  script:
+    - cmake $CMAKE_OPTIONS .. &&
+      make -j$(sysctl -n hw.logicalcpu) &&
+      ctest --output-on-failure
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
--- a/.gitlab-ci/checkabi.sh
+++ b/.gitlab-ci/checkabi.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+INSTALL_DIR1=${1}
+INSTALL_DIR2=${2}
+
+abidiff \
+    --headers-dir1 "${INSTALL_DIR1}/include/libssh/" \
+    --headers-dir2 "${INSTALL_DIR2}/include/libssh/" \
+    "${INSTALL_DIR1}/lib64/libssh.so" \
+    "${INSTALL_DIR2}/lib64/libssh.so" \
+    --fail-no-debug-info
+abiret=$?
+
+ABIDIFF_ERROR=$(((abiret & 0x01) != 0))
+ABIDIFF_USAGE_ERROR=$(((abiret & 0x02) != 0))
+ABIDIFF_ABI_CHANGE=$(((abiret & 0x04) != 0))
+ABIDIFF_ABI_INCOMPATIBLE_CHANGE=$(((abiret & 0x08) != 0))
+ABIDIFF_UNKNOWN_BIT_SET=$(((abiret & 0xf0) != 0))
+
+if [ $ABIDIFF_ERROR -ne 0 ]; then
+    echo "abidiff reported ABIDIFF_ERROR."
+    exit 1
+fi
+if [ $ABIDIFF_USAGE_ERROR -ne 0 ]; then
+    echo "abidiff reported ABIDIFF_USAGE_ERROR."
+    exit 1
+fi
+if [ $ABIDIFF_UNKNOWN_BIT_SET -ne 0 ]; then
+    echo "abidiff reported ABIDIFF_UNKNOWN_BIT_SET."
+    exit 1
+fi
+
+if [ $ABIDIFF_ABI_INCOMPATIBLE_CHANGE -ne 0 ]; then
+    echo "abidiff result ABIDIFF_ABI_INCOMPATIBLE_CHANGE, this breaks the API!"
+    exit 1
+fi
+
+if [ $ABIDIFF_ABI_CHANGE -ne 0 ]; then
+  echo "Ignoring abidiff result ABI_CHANGE"
+fi
+
+exit 0
--- a/.gitlab-ci/clang-format-check.sh
+++ b/.gitlab-ci/clang-format-check.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# Based on Github Action
+# https://github.com/yshui/git-clang-format-lint
+
+diff=$(git-clang-format --diff --commit "$CI_MERGE_REQUEST_DIFF_BASE_SHA")
+[ "$diff" = "no modified files to format" ] && exit 0
+[ "$diff" = "clang-format did not modify any files" ] && exit 0
+
+printf "You have introduced coding style breakages, suggested changes:\n\n"
+
+echo "${diff}" | colordiff
+exit 1
--- a/.gitlab-ci/git-check-signoff-trailer.sh
+++ b/.gitlab-ci/git-check-signoff-trailer.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [ $# != 1 ]; then
+    echo "Usage: $0 UPSTREAM_COMMIT_SHA"
+    exit 1
+fi
+
+failed=0
+
+if [ -z "$CI_COMMIT_SHA" ]; then
+    echo "CI_COMMIT_SHA is not set"
+    exit 1
+fi
+
+CI_COMMIT_RANGE="$1..$CI_COMMIT_SHA"
+
+red='\033[0;31m'
+blue='\033[0;34m'
+
+echo -e "${blue}Checking commit range: $CI_COMMIT_RANGE"
+echo
+echo
+
+for commit in $(git rev-list "$CI_COMMIT_RANGE"); do
+    git show -s --format=%B "$commit" | grep "^Signed-off-by: " >/dev/null 2>&1
+    ret=$?
+    if [ $ret -eq 1 ]; then
+        echo -e "${red}  >>> Missing Signed-off-by trailer in commit $commit"
+        failed=$(("$failed" + 1))
+    fi
+done
+
+echo
+echo
+
+exit $failed
--- a/.gitlab-ci/shellcheck.sh
+++ b/.gitlab-ci/shellcheck.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# Simplified and de-github-ed version of
+# https://github.com/ludeeus/action-shellcheck/blob/master/action.yaml
+
+statuscode=0
+
+declare -a filepaths
+shebangregex="^#! */[^ ]*/(env *)?[abk]*sh"
+set -f # temporarily disable globbing so that globs in inputs aren't expanded
+
+while IFS= read -r -d '' file; do
+  filepaths+=("$file")
+done < <(find . \
+    -type f \
+    '(' \
+    -name '*.bash' \
+    -o -name '.bashrc' \
+    -o -name 'bashrc' \
+    -o -name '.bash_aliases' \
+    -o -name '.bash_completion' \
+    -o -name '.bash_login' \
+    -o -name '.bash_logout' \
+    -o -name '.bash_profile' \
+    -o -name 'bash_profile' \
+    -o -name '*.ksh' \
+    -o -name 'suid_profile' \
+    -o -name '*.zsh' \
+    -o -name '.zlogin' \
+    -o -name 'zlogin' \
+    -o -name '.zlogout' \
+    -o -name 'zlogout' \
+    -o -name '.zprofile' \
+    -o -name 'zprofile' \
+    -o -name '.zsenv' \
+    -o -name 'zsenv' \
+    -o -name '.zshrc' \
+    -o -name 'zshrc' \
+    -o -name '*.sh' \
+    -o -path '*/.profile' \
+    -o -path '*/profile' \
+    -o -name '*.shlib' \
+    ')' \
+    -print0)
+
+while IFS= read -r -d '' file; do
+    head -n1 "$file" | grep -Eqs "$shebangregex" || continue
+    filepaths+=("$file")
+done < <(find . \
+    -type f ! -name '*.*' -perm /111 \
+    -print0)
+
+shellcheck "${filepaths[@]}" || statuscode=$?
+
+set +f # re-enable globbing
+
+exit "$statuscode"
--- a/.gitlab/merge_request_templates/default.md
+++ b/.gitlab/merge_request_templates/default.md
@@ -0,0 +1,16 @@
+Add a description of the new feature/bug fix. Reference any relevant bugs.
+
+## Checklist
+ * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
+ * [ ] Code modified for feature
+ * [ ] Test suite updated with functionality tests
+ * [ ] Test suite updated with negative tests
+ * [ ] Documentation updated
+ * [ ] The project pipelines timeout is [extended](https://docs.gitlab.com/ee/ci/pipelines/settings.html#set-a-limit-for-how-long-jobs-can-run) at least to 2 hours.
+
+## Reviewer's checklist:
+ * [ ] Any issues marked for closing are addressed
+ * [ ] There is a test suite reasonably covering new functionality or modifications
+ * [ ] Function naming, parameters, return values, types, etc., are consistent and according to [CONTRIBUTING.md](https://gitlab.com/libssh/libssh-mirror/-/blob/master/CONTRIBUTING.md)
+ * [ ] This feature/change has adequate documentation added
+ * [ ] No obvious mistakes in the code
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,10 @@
+#
+# GitLeaks Repo Specific Configuration
+#
+# This allowlist is used to help Red Hat ignore false positives during its code
+# scans.
+
+[allowlist]
+  paths = [
+    '''tests/*''',
+  ]
--- a/147
+++ b/147
@@ -1,7 +1,128 @@
 CHANGELOG
 =========

-version 0.10.0 (released 2022-07-xx)
+version 0.11.0 (released 2024-07-31)
+  * Deprecations and Removals:
+    * Dropped support for DSA
+    * Deprecated Blowfish cipher (will be removed in next release)
+    * Deprecated SSH_BIND_OPTIONS_{RSA,ECDSA}KEY in favor of generic HOSTKEY
+    * Removed the usage of deprecated OpenSSL APIs (Note: Minimum supported
+      OpenSSL version is 1.1.1)
+    * Disabled preauth compression (zlib) by default
+    * Support for pkcs#11 engines are deprecated, pkcs11-provider is used instead
+    * Deprecation of old async SFTP API
+    * libgcrypt cryptographic backend is deprecated
+    * Deprecation of knownhosts hashing
+  * SFTP Improvements:
+    * Added support for async SFTP IO
+    * Added support for sftp_limits() and applied capping to SFTP read/write
+      operations accordingly
+    * Added sftp_home_directory() API support for sftp extension "home-directory"
+    * Added sftp_lsetstat() API for lsetstat extensions
+    * Added sftp_expand_path() to canonicalize path using expand-path@openssh.com
+      extension
+    * Implemented stat and realpath in sftpserver
+    * Added sftp_readlink() API to support hardlink@openssh.com
+    * New extensible callback based SFTP server
+    * Introduced the posix-rename@openssh.com extension
+  * New functions and features:
+    * Added support for PKCS #11 provider for OpenSSL 3.0
+    * Added testing for GSSAPI Authentication
+    * Implemented proxy jump using libssh
+    * Recategorized loglevels to show fatal errors and alignment with OpenSSH
+      log levels
+    * Added ssh_channel_request_pty_size_modes() API to set terminal modes for
+      PTYs
+    * Added function to check username syntax
+    * Added support to check all keys in authorized_keys instead of one in
+      example server implementation
+    * Handled hostkey similar to OpenSSH
+    * Added ssh_session_socket_close() API in order to not close socket passed
+      through options on error conditions
+    * Added option SSH_BIND_OPTIONS_IMPORT_KEY_STR to read user-supplied key
+      string in ssh_bind_options_set()
+    * Improved log handling around ssh_set_callbacks
+    * Added ssh_set_error_invalid in ssh_options_set()
+    * Prevented signature blob to start with 1 bit in libgcrypt
+    * Added support to unbreak key comparison of Ed25519 keys imported from PEM
+      or OpenSSH container
+    * Added support to calculate missing CRT parameters when building RSA key
+    * Added ssh_pki_export_privkey_base64_format() and
+      ssh_pki_export_privkey_file_format() to support exporting keys in different
+      formats (PEM, OpenSSH)
+    * Added support to compare certificates and handle automatic certificate
+      authentication
+    * Added support to make compile-commands generation conditional
+    * Built fuzzers for normal testing
+    * Avoided passing other events to callbacks when called recursively
+    * Added control master and path options
+    * Refactored channel_rcv_data, check for errors and report more useful errors
+    * Added support to connect to other host addresses than just the first one
+    * Terminated the server properly when the MaxAuthTries is reached
+    * Added support for no-more-sessions@openssh.com request in both client and
+      server
+    * Added callback to support forwarded-tcpip requests
+    * Bumped minimal CMake version to 3.12
+    * Added support for MBedTLS 3.6.x
+    * Added support for +,-,^ modifiers in front of algorithm lists in options
+    * Added callbacks for channel open response, and channel request response
+    * Replaced chroot() from chroot_wrapper internal library with chroot()
+      from priv_wrapper package
+    * Added a placeholder for non-expanded identities
+    * Improved handling of channel transfer window sizes
+
+version 0.10.6 (released 2023-12-18)
+ * Fix CVE-2023-6004: Command injection using proxycommand
+ * Fix CVE-2023-48795: Potential downgrade attack using strict kex
+ * Fix CVE-2023-6918: Missing checks for return values of MD functions
+ * Fix ssh_send_issue_banner() for CMD(PowerShell)
+ * Avoid passing other events to callbacks when poll is called recursively (#202)
+ * Allow @ in usernames when parsing from URI composes
+
+version 0.10.5 (released 2023-05-04)
+ * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing
+ * Fix CVE-2023-2283: a possible authorization bypass in
+   pki_verify_data_signature under low-memory conditions.
+ * Fix several memory leaks in GSSAPI handling code
+ * Escape braces in ProxyCommand created from ProxyJump options for zsh
+   compatibility.
+ * Fix pkg-config path relocation for MinGW
+ * Improve doxygen documentation
+ * Fix build with cygwin due to the glob support
+ * Do not enqueue outgoing packets after sending SSH2_MSG_NEWKEYS
+ * Add support for SSH_SUPPRESS_DEPRECATED
+ * Avoid functions declarations without prototype to build with clang 15
+ * Fix spelling issues
+ * Avoid expanding KnownHosts, ProxyCommands and IdentityFiles repetitively
+ * Add support sk-* keys through configuration
+ * Improve checking for Argp library
+ * Log information about received extensions
+ * Correctly handle rekey with delayed compression
+ * Move the EC keys handling to OpenSSL 3.0 API
+ * Record peer disconnect message
+ * Avoid deadlock when write buffering occurs and we call poll recursively to
+   flush the output buffer
+ * Disable preauthentication compression by default
+ * Add CentOS 8 Stream / OpenSSL 1.1.1 to CI
+ * Add accidentally removed default compile flags
+ * Solve incorrect parsing of ProxyCommand option
+
+version 0.10.4 (released 2022-09-07)
+  * Fixed issues with KDF on big endian
+
+version 0.10.3 (released 2022-09-05)
+  * Fixed possible infinite loop in known hosts checking
+
+version 0.10.2 (released 2022-09-02)
+  * Fixed tilde expansion when handling include directives
+  * Fixed building the shared torture library
+  * Made rekey test more robust (fixes running on i586 build systems e.g koji)
+
+version 0.10.1 (released 2022-08-30)
+  * Fixed proxycommand support
+  * Fixed musl libc support
+
+version 0.10.0 (released 2022-08-26)
  * Added support for OpenSSL 3.0
  * Added support for mbedTLS 3
  * Added support for Smart Cards  (through openssl pkcs11 engine)
@@ -57,7 +178,7 @@ version 0.9.4 (released 2020-04-09)
  * Fixed CVE-2020-1730 - Possible DoS in client and server when handling
    AES-CTR keys with OpenSSL
  * Added diffie-hellman-group14-sha256
-  * Fixed serveral possible memory leaks
+  * Fixed several possible memory leaks

 version 0.9.3 (released 2019-12-10)
  * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
@@ -208,7 +329,7 @@ version 0.6.1 (released 2014-02-08)
  * Fixed DSA signature extraction.
  * Fixed some memory leaks.
  * Fixed read of non-connected socket.
-  * Fixed thread dectection.
+  * Fixed thread detection.

 version 0.6.0 (released 2014-01-08)
  * Added new publicy key API.
@@ -233,7 +354,7 @@ version 0.6.0 (released 2014-01-08)
 version 0.5.5 (released 2013-07-26)
  * BUG 103: Fix ProxyCommand parsing.
  * Fix setting -D_FORTIFY_SOURCE=2.
-  * Fix pollset error return if emtpy.
+  * Fix pollset error return if empty.
  * Fix NULL pointer checks in channel functions.
  * Several bugfixes.

@@ -249,7 +370,7 @@ version 0.5.3 (released 2012-11-20)
  * BUG #84 - Fix bug in sftp_mkdir not returning on error.
  * BUG #85 - Fixed a possible channel infinite loop if the connection dropped.
  * BUG #88 - Added missing channel request_state and set it to accepted.
-  * BUG #89 - Reset error state to no error on successful SSHv1 authentiction.
+  * BUG #89 - Reset error state to no error on successful SSHv1 authentication.
  * Fixed a possible use after free in ssh_free().
  * Fixed multiple possible NULL pointer dereferences.
  * Fixed multiple memory leaks in error paths.
@@ -310,7 +431,7 @@ version 0.4.7 (released 2010-12-28)
  * Fixed a possible memory leak in ssh_get_user_home().
  * Fixed a memory leak in sftp_xstat.
  * Fixed uninitialized fd->revents member.
-  * Fixed timout value in ssh_channel_accept().
+  * Fixed timeout value in ssh_channel_accept().
  * Fixed length checks in ssh_analyze_banner().
  * Fixed a possible data overread and crash bug.
  * Fixed setting max_fd which breaks ssh_select().
@@ -333,7 +454,7 @@ version 0.4.5 (released 2010-07-13)
  * Added option to bind a client to an ip address.
  * Fixed the ssh socket polling function.
  * Fixed Windows related bugs in bsd_poll().
-  * Fixed serveral build warnings.
+  * Fixed several build warnings.

 version 0.4.4 (released 2010-06-01)
  * Fixed a bug in the expand function for escape sequences.
@@ -352,17 +473,17 @@ version 0.4.3 (released 2010-05-18)
  * Fixed sftp_chown.
  * Fixed sftp_rename on protocol version 3.
  * Fixed a blocking bug in channel_poll.
-  * Fixed config parsing wich has overwritten user specified values.
+  * Fixed config parsing which has overwritten user specified values.
  * Fixed hashed [host]:port format in knownhosts
  * Fixed Windows build.
-  * Fixed doublefree happening after a negociation error.
+  * Fixed doublefree happening after a negotiation error.
  * Fixed aes*-ctr with <= OpenSSL 0.9.7b.
  * Fixed some documentation.
  * Fixed exec example which has broken read usage.
  * Fixed broken algorithm choice for server.
  * Fixed a typo that we don't export all symbols.
  * Removed the unneeded dependency to doxygen.
-  * Build examples only on the Linux plattform.
+  * Build examples only on the Linux platform.

 version 0.4.2 (released 2010-03-15)
  * Added owner and group information in sftp attributes.
@@ -384,7 +505,7 @@ version 0.4.1 (released 2010-02-13)
  * Added an example for exec.
  * Added private key type detection feature in privatekey_from_file().
  * Fixed zlib compression fallback.
-  * Fixed kex bug that client preference should be prioritary
+  * Fixed kex bug that client preference should be priority
  * Fixed known_hosts file set by the user.
  * Fixed a memleak in channel_accept().
  * Fixed underflow when leave_function() are unbalanced
@@ -522,7 +643,7 @@ version 0.11-dev
  * Keyboard-interactive authentication working.

 version 0.1 (released 2004-03-05)
-  * Begining of sftp subsystem implementation.
+  * Beginning of sftp subsystem implementation.
  * Some cleanup into channels implementation
  * Now every channel functions is called by its CHANNEL handler.
  * Added channel_poll() and channel_read().
@@ -543,7 +664,7 @@ version 0.0.4 (released 2003-10-10)
  * Added a wrapper.c file. The goal is to provide a similar API to every
    cryptographic functions. bignums and sha/md5 are wrapped now.
  * More work than it first looks.
-  * Support for other crypto libs planed (lighter libs)
+  * Support for other crypto libs planned (lighter libs)
  * Fixed stupid select() bug.
  * Libssh now compiles and links with openssl 0.9.6
  * RSA pubkey authentication code now works !
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,4 @@
-cmake_minimum_required(VERSION 3.3.0)
-cmake_policy(SET CMP0048 NEW)
+cmake_minimum_required(VERSION 3.12.0)

 # Specify search path for CMake modules to be loaded by include()
 # and find_package()
@@ -10,7 +9,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)

-project(libssh VERSION 0.10.0 LANGUAGES C)
+project(libssh VERSION 0.11.00 LANGUAGES C)

 # global needed variable
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -22,7 +21,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 #     Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 #     Increment REVISION.
-set(LIBRARY_VERSION "4.9.0")
+set(LIBRARY_VERSION "4.10.0")
 set(LIBRARY_SOVERSION "4")

 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked
@@ -42,6 +41,8 @@ macro_ensure_out_of_source_build("${PROJECT_NAME} requires an out of source buil
 # Copy library files to a lib sub-directory
 set(CMAKE_LIBRARY_OUTPUT_DIRECTORY "${CMAKE_BINARY_DIR}/lib")

+set(LIBSSSH_PC_REQUIRES_PRIVATE "")
+
 # search for libraries
 if (WITH_ZLIB)
    find_package(ZLIB REQUIRED)
@@ -49,32 +50,12 @@ endif (WITH_ZLIB)

 if (WITH_GCRYPT)
  find_package(GCrypt 1.5.0 REQUIRED)
-  if (NOT GCRYPT_FOUND)
-    message(FATAL_ERROR "Could not find GCrypt")
-  endif (NOT GCRYPT_FOUND)
+  message(WARNING "libgcrypt cryptographic backend is deprecated and will be removed in future releases.")
 elseif(WITH_MBEDTLS)
    find_package(MbedTLS REQUIRED)
-    if (NOT MBEDTLS_FOUND)
-      message(FATAL_ERROR "Could not find mbedTLS")
-    endif (NOT MBEDTLS_FOUND)
-else (WITH_GCRYPT)
-  find_package(OpenSSL 1.0.1)
-  if (OPENSSL_FOUND)
-    # On CMake < 3.16, OPENSSL_CRYPTO_LIBRARIES is usually a synonym for OPENSSL_CRYPTO_LIBRARY, but is not defined
-    # when building on Windows outside of Cygwin. We provide the synonym here, if FindOpenSSL didn't define it already.
-    if (NOT DEFINED OPENSSL_CRYPTO_LIBRARIES)
-      set(OPENSSL_CRYPTO_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
-    endif (NOT DEFINED OPENSSL_CRYPTO_LIBRARIES)
-  else (OPENSSL_FOUND)
-    find_package(GCrypt)
-    if (NOT GCRYPT_FOUND)
-      find_package(MbedTLS)
-      if (NOT MBEDTLS_FOUND)
-        message(FATAL_ERROR "Could not find OpenSSL, GCrypt or mbedTLS")
-      endif (NOT MBEDTLS_FOUND)
-    endif (NOT GCRYPT_FOUND)
-  endif (OPENSSL_FOUND)
-endif(WITH_GCRYPT)
+else()
+  find_package(OpenSSL 1.1.1 REQUIRED)
+endif()

 if (UNIT_TESTING)
    find_package(CMocka REQUIRED)
@@ -87,15 +68,9 @@ find_package(Threads)

 if (WITH_GSSAPI)
    find_package(GSSAPI)
+    list(APPEND LIBSSH_PC_REQUIRES_PRIVATE ${GSSAPI_PC_REQUIRES})
 endif (WITH_GSSAPI)

-if (WITH_PKCS11_URI)
-    find_package(softhsm)
-    if (NOT SOFTHSM_FOUND)
-        message(SEND_ERROR "Could not find softhsm module!")
-     endif (NOT SOFTHSM_FOUND)
-endif (WITH_PKCS11_URI)
-
 if (WITH_NACL)
    find_package(NaCl)
    if (NOT NACL_FOUND)
@@ -103,10 +78,6 @@ if (WITH_NACL)
    endif (NOT NACL_FOUND)
 endif (WITH_NACL)

-if (BSD OR SOLARIS OR OSX OR CYGWIN)
-    find_package(Argp)
-endif (BSD OR SOLARIS OR OSX OR CYGWIN)
-
 # Disable symbol versioning in non UNIX platforms
 if (UNIX)
    find_package(ABIMap 0.3.1)
@@ -118,6 +89,10 @@ endif (UNIX)
 include(ConfigureChecks.cmake)
 configure_file(config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/config.h)

+if (NOT HAVE_ARGP_PARSE)
+  find_package(Argp)
+endif (NOT HAVE_ARGP_PARSE)
+
 # check subdirectories
 add_subdirectory(doc)
 add_subdirectory(include)
@@ -125,7 +100,7 @@ add_subdirectory(src)

 # pkg-config file
 if (UNIX OR MINGW)
-configure_file(libssh.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc)
+configure_file(libssh.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc @ONLY)
 install(
  FILES
    ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc
@@ -216,16 +191,36 @@ if (WITH_SYMBOL_VERSIONING AND ABIMAP_FOUND)
    endif(UPDATE_ABI)
 endif (WITH_SYMBOL_VERSIONING AND ABIMAP_FOUND)

+# Coverage
+if (WITH_COVERAGE)
+    ENABLE_LANGUAGE(CXX)
+    include(CodeCoverage)
+    setup_target_for_coverage_lcov(
+        NAME "coverage"
+        EXECUTABLE make test
+        DEPENDENCIES ssh tests)
+    set(GCOVR_ADDITIONAL_ARGS --xml-pretty --exclude-unreachable-branches --print-summary)
+    setup_target_for_coverage_gcovr_xml(
+        NAME "coverage_xml"
+        EXECUTABLE make test
+        DEPENDENCIES ssh tests)
+endif (WITH_COVERAGE)
+
 add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source DEPENDS ${_SYMBOL_TARGET} VERBATIM)

-# Link compile database for clangd
-execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink
-                "${CMAKE_BINARY_DIR}/compile_commands.json"
-                "${CMAKE_SOURCE_DIR}/compile_commands.json")
+get_directory_property(hasParent PARENT_DIRECTORY)
+if(NOT(hasParent))
+  # Link compile database for clangd if we are the master project
+  execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink
+    "${CMAKE_BINARY_DIR}/compile_commands.json"
+    "${CMAKE_SOURCE_DIR}/compile_commands.json")
+endif()

 message(STATUS "********************************************")
 message(STATUS "********** ${PROJECT_NAME} build options : **********")

+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
+message(STATUS "Coverage: ${WITH_COVERAGE}")
 message(STATUS "zlib support: ${WITH_ZLIB}")
 message(STATUS "libgcrypt support: ${WITH_GCRYPT}")
 message(STATUS "libmbedTLS support: ${WITH_MBEDTLS}")
@@ -235,13 +230,14 @@ message(STATUS "Server support : ${WITH_SERVER}")
 message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
 message(STATUS "GEX support : ${WITH_GEX}")
 message(STATUS "Support insecure none cipher and MAC : ${WITH_INSECURE_NONE}")
+message(STATUS "Support exec : ${WITH_EXEC}")
 message(STATUS "Pcap debugging support : ${WITH_PCAP}")
 message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
 message(STATUS "Unit testing: ${UNIT_TESTING}")
 message(STATUS "Client code testing: ${CLIENT_TESTING}")
-message(STATUS "Blowfish cipher support: ${WITH_BLOWFISH_CIPHER}")
+message(STATUS "Blowfish cipher support: ${HAVE_BLOWFISH}")
 message(STATUS "PKCS #11 URI support: ${WITH_PKCS11_URI}")
-message(STATUS "DSA support: ${WITH_DSA}")
+message(STATUS "With PKCS #11 provider support: ${WITH_PKCS11_PROVIDER}")
 set(_SERVER_TESTING OFF)
 if (WITH_SERVER)
    set(_SERVER_TESTING ${SERVER_TESTING})
@@ -256,9 +252,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
 message(STATUS "Symbol versioning: ${WITH_SYMBOL_VERSIONING}")
 message(STATUS "Allow ABI break: ${WITH_ABI_BREAK}")
 message(STATUS "Release is final: ${WITH_FINAL}")
+if (WITH_HERMETIC_USR)
+    message(STATUS "User global client config: ${USR_GLOBAL_CLIENT_CONFIG}")
+endif ()
 message(STATUS "Global client config: ${GLOBAL_CLIENT_CONFIG}")
 if (WITH_SERVER)
-message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
+    if (WITH_HERMETIC_USR)
+        message(STATUS "User global bind config: ${USR_GLOBAL_BIND_CONFIG}")
+    endif ()
+    message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
 endif()
 message(STATUS "********************************************")

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -117,6 +117,25 @@ libssh Developer's Certificate of Origin for each patch, or inside each
 patch. Just the sign-off message is all that is required once we've
 received the initial email.

+## Continuous Integration
+
+Contributing patches through Merge Request workflow on Gitlab allows us to run
+various checks on various configuration as part of Gitlab CI. Unfortunately,
+some pipelines are slower (as they involve building dependencies) so the default
+timeout of 1 hour needs to be extended at least to 2 hours. This can be done in
+project settings of your libssh fork:
+
+https://docs.gitlab.com/ee/ci/pipelines/settings.html#set-a-limit-for-how-long-jobs-can-run
+
+Otherwise you will encounter errors like these, usually on visualstudio builds:
+
+```
+ERROR: Job failed: execution took longer than 1h0m0s seconds
+The script exceeded the maximum execution time set for the job
+```
+
+Note, that the built dependencies are cached so after successful build in your
+namespace, the rebuilds should be much faster.

 # Coding conventions in the libssh tree

@@ -274,7 +293,7 @@ This is bad:
     * This is a multi line comment,
     * with some more words...*/

-### Indention & Whitespace & 80 columns
+### Indentation & Whitespace & 80 columns

 To avoid confusion, indentations have to be 4 spaces. Do not use tabs!.  When
 wrapping parameters for function calls, align the parameter list with the first
@@ -478,6 +497,76 @@ Macros like `STATUS_NOT_OK_RETURN` that change control flow (return/goto/etc)
 from within the macro are considered bad, because they look like function calls
 that never change control flow. Please do not introduce them.

+### Switch/case indentation
+
+The `case` should not be indented to avoid wasting too much horizontal space.
+When the case block contains local variables that need to be wrapped in braces,
+they should not be indented again either.
+
+Good example:
+
+    switch (x) {
+    case 0:
+        do_stuff();
+        break;
+    case 1: {
+        int y;
+        do_stuff();
+        break;
+    }
+    default:
+        do_other_stuff();
+        break;
+    }
+
+Bad example:
+
+    switch (x) {
+        case 0:
+            do_stuff();
+            break;
+        case 1:
+            {
+                int y;
+                do_stuff();
+                break;
+            }
+        default:
+            do_other_stuff();
+            break;
+    }
+
+## ABI Versioning and Symbol Management
+
+To maintain [ABI](https://en.wikipedia.org/wiki/Application_binary_interface) stability
+and ensure backward compatibility, libssh uses **symbol versioning** to track and manage
+exported functions and variables. This allows libssh to introduce new symbols or modify
+existing functions in an ABI-compatible way.
+
+When introducing a new symbol:
+
+1. Use the `LIBSSH_API` macro to mark the symbol as part of the public API.
+2. If you have [abimap](https://github.com/ansasaki/abimap) installed, the new symbols are
+automatically generated in the `src/libssh_dev.map` file in the **build** directory and used automatically for building the updated library. But, depending on the version of `abimap` under use, you may face linker errors like: `unable to find version dependency LIBSSH_4_9_0`. In this case, you need to manually replace the existing `src/libssh.map` file with the generated `libssh_dev.map` file to update the symbol versioning.
+3. If you do not have abimap installed, the modified/added symbols must manually be added to the
+`src/libssh.map` file. The symbols must be added in the following format (assuming that 4_10_0 is the latest released version):
+
+```
+LIBSSH_AFTER_4_10_0
+{
+    global:
+        new_function;
+        new_variable;
+} LIBSSH_4_10_0;
+```
+4. After following either of the above steps, the library can be successfully built and
+tested without any linker errors.
+
+5. When submitting the patch, make sure that any new symbols have been added to `libssh.map` as described in step 3, so that the new additions may not be excluded from the next release due to human error.
+
+Also, to maintain ABI compatibility, existing symbols must not be removed. Instead, they can
+be marked as deprecated using the `LIBSSH_DEPRECATED` macro. This allows the symbol to be
+removed in a future release without breaking the ABI.

 Have fun and happy libssh hacking!

--- a/CPackConfig.cmake
+++ b/CPackConfig.cmake
@@ -10,7 +10,7 @@ set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})

 # SOURCE GENERATOR
 set(CPACK_SOURCE_GENERATOR "TXZ")
-set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]git/;/[.]clangd/;/[.]cache/;.gitignore;/build*;/obj*;tags;cscope.*;compile_commands.json;.*\.patch")
+set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]bare/;/[.]git/;/[.]git;/[.]clangd/;/[.]cache/;.gitignore;/build*;/obj*;tags;cscope.*;compile_commands.json;.*\.patch")
 set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")

 ### NSIS INSTALLER
--- a/CompilerChecks.cmake
+++ b/CompilerChecks.cmake
@@ -16,7 +16,6 @@ if (UNIX)
        endif()
    endif()

-    add_c_compiler_flag("-std=gnu99" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wpedantic" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wall" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wshadow" SUPPORTED_COMPILER_FLAGS)
@@ -43,6 +42,13 @@ if (UNIX)
    add_c_compiler_flag("-Wno-format-zero-length" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wmissing-field-initializers" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wsign-compare" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Wold-style-definition" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Werror=old-style-definition" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Wimplicit-int" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Werror=implicit-int" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Wint-conversion" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Werror=int-conversion" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Werror=unused-variable" SUPPORTED_COMPILER_FLAGS)

    check_c_compiler_flag("-Wformat" REQUIRED_FLAGS_WFORMAT)
    if (REQUIRED_FLAGS_WFORMAT)
@@ -70,7 +76,7 @@ if (UNIX)
    check_c_compiler_flag_ssp("-fstack-protector-strong" WITH_STACK_PROTECTOR_STRONG)
    if (WITH_STACK_PROTECTOR_STRONG)
        list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector-strong")
-        # This is needed as Solaris has a seperate libssp
+        # This is needed as Solaris has a separate libssp
        if (SOLARIS)
            list(APPEND SUPPORTED_LINKER_FLAGS "-fstack-protector-strong")
        endif()
@@ -78,7 +84,7 @@ if (UNIX)
        check_c_compiler_flag_ssp("-fstack-protector" WITH_STACK_PROTECTOR)
        if (WITH_STACK_PROTECTOR)
            list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector")
-            # This is needed as Solaris has a seperate libssp
+            # This is needed as Solaris has a separate libssp
            if (SOLARIS)
                list(APPEND SUPPORTED_LINKER_FLAGS "-fstack-protector")
            endif()
@@ -86,9 +92,12 @@ if (UNIX)
    endif (WITH_STACK_PROTECTOR_STRONG)

    if (NOT WINDOWS AND NOT CYGWIN)
-        check_c_compiler_flag_ssp("-fstack-clash-protection" WITH_STACK_CLASH_PROTECTION)
-        if (WITH_STACK_CLASH_PROTECTION)
-            list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-clash-protection")
+        # apple m* chips do not support this option
+        if (NOT ${CMAKE_SYSTEM_PROCESSOR} STREQUAL arm64)
+            check_c_compiler_flag_ssp("-fstack-clash-protection" WITH_STACK_CLASH_PROTECTION)
+            if (WITH_STACK_CLASH_PROTECTION)
+                list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-clash-protection")
+            endif()
        endif()
    endif()

--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -44,6 +44,8 @@ int main(void){ return 0; }
 endif(CMAKE_COMPILER_IS_GNUCC AND NOT MINGW AND NOT OS2)

 # HEADER FILES
+check_function_exists(argp_parse HAVE_ARGP_PARSE)
+
 set(CMAKE_REQUIRED_INCLUDES ${CMAKE_REQUIRED_INCLUDES} ${ARGP_INCLUDE_DIR})
 check_include_file(argp.h HAVE_ARGP_H)
 unset(CMAKE_REQUIRED_INCLUDES)
@@ -62,6 +64,7 @@ check_include_file(arpa/inet.h HAVE_ARPA_INET_H)
 check_include_file(byteswap.h HAVE_BYTESWAP_H)
 check_include_file(glob.h HAVE_GLOB_H)
 check_include_file(valgrind/valgrind.h HAVE_VALGRIND_VALGRIND_H)
+check_include_file(ifaddrs.h HAVE_IFADDRS_H)

 if (WIN32)
  check_include_file(io.h HAVE_IO_H)
@@ -75,74 +78,32 @@ endif (WIN32)

 if (OPENSSL_FOUND)
    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES OpenSSL::Crypto)
+
    check_include_file(openssl/des.h HAVE_OPENSSL_DES_H)
    if (NOT HAVE_OPENSSL_DES_H)
        message(FATAL_ERROR "Could not detect openssl/des.h")
    endif()

-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
    check_include_file(openssl/aes.h HAVE_OPENSSL_AES_H)
    if (NOT HAVE_OPENSSL_AES_H)
        message(FATAL_ERROR "Could not detect openssl/aes.h")
    endif()

    if (WITH_BLOWFISH_CIPHER)
-        set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-        check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+        check_include_file(openssl/blowfish.h HAVE_BLOWFISH)
    endif()

-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
    check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
    check_include_file(openssl/ec.h HAVE_OPENSSL_EC_H)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
    check_include_file(openssl/ecdsa.h HAVE_OPENSSL_ECDSA_H)

-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(EVP_KDF_CTX_new_id HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(EVP_KDF_CTX_new HAVE_OPENSSL_EVP_KDF_CTX_NEW)
    check_function_exists(FIPS_mode HAVE_OPENSSL_FIPS_MODE)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(RAND_priv_bytes HAVE_OPENSSL_RAND_PRIV_BYTES)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
-    check_function_exists(EVP_DigestSign HAVE_OPENSSL_EVP_DIGESTSIGN)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
-    check_function_exists(EVP_DigestVerify HAVE_OPENSSL_EVP_DIGESTVERIFY)
-
-    check_function_exists(OPENSSL_ia32cap_loc HAVE_OPENSSL_IA32CAP_LOC)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
-    check_symbol_exists(EVP_PKEY_ED25519 "openssl/evp.h" FOUND_OPENSSL_ED25519)
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(EVP_chacha20 HAVE_OPENSSL_EVP_CHACHA20)

-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
-    check_symbol_exists(EVP_PKEY_POLY1305 "openssl/evp.h" HAVE_OPENSSL_EVP_POLY1305)
-
-    if (HAVE_OPENSSL_EVP_DIGESTSIGN AND HAVE_OPENSSL_EVP_DIGESTVERIFY AND
-        FOUND_OPENSSL_ED25519)
-        set(HAVE_OPENSSL_ED25519 1)
-    endif()
-
-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
-    check_symbol_exists(EVP_PKEY_X25519 "openssl/evp.h" HAVE_OPENSSL_X25519)
-
    unset(CMAKE_REQUIRED_INCLUDES)
    unset(CMAKE_REQUIRED_LIBRARIES)
 endif()
@@ -159,13 +120,12 @@ if (NOT WITH_GCRYPT AND NOT WITH_MBEDTLS)
    if (HAVE_OPENSSL_ECC)
        set(HAVE_ECC 1)
    endif (HAVE_OPENSSL_ECC)
-endif ()

-if (WITH_DSA)
-    if (NOT WITH_MBEDTLS)
-        set(HAVE_DSA 1)
-    endif (NOT WITH_MBEDTLS)
-endif()
+    if (HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID OR HAVE_OPENSSL_EVP_KDF_CTX_NEW)
+        set(HAVE_OPENSSL_EVP_KDF_CTX 1)
+    endif (HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID OR HAVE_OPENSSL_EVP_KDF_CTX_NEW)
+
+endif ()

 # FUNCTIONS

@@ -266,6 +226,7 @@ if (GCRYPT_FOUND)
    endif (GCRYPT_VERSION VERSION_GREATER "1.4.6")
    if (NOT GCRYPT_VERSION VERSION_LESS "1.7.0")
        set(HAVE_GCRYPT_CHACHA_POLY 1)
+        set(HAVE_GCRYPT_CURVE25519 1)
    endif (NOT GCRYPT_VERSION VERSION_LESS "1.7.0")
 endif (GCRYPT_FOUND)

@@ -276,6 +237,17 @@ if (MBEDTLS_FOUND)
    set(CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIR}/mbedtls")
    check_include_file(chacha20.h HAVE_MBEDTLS_CHACHA20_H)
    check_include_file(poly1305.h HAVE_MBEDTLS_POLY1305_H)
+    if (MBEDTLS_VERSION VERSION_LESS "3.0.0")
+        check_symbol_exists(MBEDTLS_ECP_DP_CURVE25519_ENABLED "config.h" HAVE_MBEDTLS_CURVE25519)
+    else()
+        check_symbol_exists(MBEDTLS_ECP_DP_CURVE25519_ENABLED "mbedtls_config.h" HAVE_MBEDTLS_CURVE25519)
+    endif()
+
+
+    if (WITH_BLOWFISH_CIPHER)
+        check_include_file(blowfish.h HAVE_BLOWFISH)
+    endif()
+
    unset(CMAKE_REQUIRED_INCLUDES)

 endif (MBEDTLS_FOUND)
@@ -311,7 +283,7 @@ int main(void) {
 # For detecting attributes we need to treat warnings as
 # errors
 if (UNIX OR MINGW)
-    # Get warnings for attributs
+    # Get warnings for attributes
    check_c_compiler_flag("-Wattributes" REQUIRED_FLAGS_WERROR)
    if (REQUIRED_FLAGS_WERROR)
        string(APPEND CMAKE_REQUIRED_FLAGS "-Wattributes ")
@@ -366,6 +338,23 @@ int main(void) {
    return 0;
 }" HAVE_FALLTHROUGH_ATTRIBUTE)

+check_c_source_compiles("
+#define WEAK __attribute__((weak))
+
+WEAK int sum(int a, int b)
+{
+    return a + b;
+}
+
+int main(void)
+{
+    int i = sum(2, 2);
+
+    (void)i;
+
+    return 0;
+}" HAVE_WEAK_ATTRIBUTE)
+
 if (NOT WIN32)
    check_c_source_compiles("
    #define __unused __attribute__((unused))
@@ -463,18 +452,22 @@ if (WITH_PKCS11_URI)
    if (WITH_GCRYPT)
        message(FATAL_ERROR "PKCS #11 is not supported for gcrypt.")
        set(WITH_PKCS11_URI 0)
-    endif()
-    if (WITH_MBEDTLS)
+    elseif (WITH_MBEDTLS)
        message(FATAL_ERROR "PKCS #11 is not supported for mbedcrypto")
        set(WITH_PKCS11_URI 0)
-    endif()
-endif()
-
-if (WITH_MBEDTLS)
-    if (WITH_DSA)
-        message(FATAL_ERROR "DSA is not supported with mbedTLS crypto")
-        set(HAVE_DSA 0)
-    endif()
+    elseif (OPENSSL_FOUND AND OPENSSL_VERSION VERSION_GREATER_EQUAL "3.0.0")
+        find_library(PKCS11_PROVIDER
+            NAMES
+                pkcs11.so
+            PATH_SUFFIXES
+                ossl-modules
+        )
+        if (NOT PKCS11_PROVIDER)
+            set(WITH_PKCS11_PROVIDER 0)
+            message(WARNING "Could not find pkcs11 provider! Falling back to engines")
+            message(WARNING "The support for engines is deprecated in OpenSSL and will be removed from libssh in the future releases.")
+        endif (NOT PKCS11_PROVIDER)
+    endif ()
 endif()

 # ENDIAN
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -2,29 +2,32 @@ option(WITH_GSSAPI "Build with GSSAPI support" ON)
 option(WITH_ZLIB "Build with ZLIB support" ON)
 option(WITH_SFTP "Build with SFTP support" ON)
 option(WITH_SERVER "Build with SSH server support" ON)
-option(WITH_DEBUG_CRYPTO "Build with cryto debug output" OFF)
+option(WITH_DEBUG_CRYPTO "Build with crypto debug output" OFF)
 option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
 option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
-option(WITH_DSA "Build with DSA" OFF)
-option(WITH_GCRYPT "Compile against libgcrypt" OFF)
+option(WITH_GCRYPT "Compile against libgcrypt (deprecated)" OFF)
 option(WITH_MBEDTLS "Compile against libmbedtls" OFF)
 option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF)
 option(WITH_PCAP "Compile with Pcap generation support" ON)
 option(WITH_INTERNAL_DOC "Compile doxygen internal documentation" OFF)
 option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 option(WITH_PKCS11_URI "Build with PKCS#11 URI support" OFF)
+option(WITH_PKCS11_PROVIDER "Use the PKCS#11 provider for accessing pkcs11 objects" OFF)
 option(UNIT_TESTING "Build with unit tests" OFF)
 option(CLIENT_TESTING "Build with client tests; requires openssh" OFF)
 option(SERVER_TESTING "Build with server tests; requires openssh and dropbear" OFF)
-option(WITH_BENCHMARKS "Build benchmarks tools" OFF)
+option(GSSAPI_TESTING "Build with GSSAPI tests; requires krb5-server,krb5-libs and krb5-workstation" OFF)
+option(WITH_BENCHMARKS "Build benchmarks tools; enables unit testing and client tests" OFF)
 option(WITH_EXAMPLES "Build examples" ON)
 option(WITH_NACL "Build with libnacl (curve25519)" ON)
 option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
 option(WITH_ABI_BREAK "Allow ABI break" OFF)
 option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
 option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
+option(WITH_EXEC "Enable libssh to execute arbitrary commands from configuration files or options (match exec, proxy commands and OpenSSH-based proxy-jumps)." ON)
 option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
 option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
+option(WITH_HERMETIC_USR "Build with support for hermetic /usr/" OFF)

 if (WITH_ZLIB)
    set(WITH_LIBZ ON)
@@ -37,7 +40,7 @@ if (WITH_BENCHMARKS)
  set(CLIENT_TESTING ON)
 endif()

-if (UNIT_TESTING OR CLIENT_TESTING OR SERVER_TESTING)
+if (UNIT_TESTING OR CLIENT_TESTING OR SERVER_TESTING OR GSSAPI_TESTING)
  set(BUILD_STATIC_LIB ON)
 endif()

@@ -57,6 +60,15 @@ if (NOT GLOBAL_CLIENT_CONFIG)
  set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
 endif (NOT GLOBAL_CLIENT_CONFIG)

+if (WITH_HERMETIC_USR)
+  set(USR_GLOBAL_BIND_CONFIG "/usr${GLOBAL_BIND_CONFIG}")
+  set(USR_GLOBAL_CLIENT_CONFIG "/usr${GLOBAL_CLIENT_CONFIG}")
+endif (WITH_HERMETIC_USR)
+
 if (FUZZ_TESTING)
  set(WITH_INSECURE_NONE ON)
 endif (FUZZ_TESTING)
+
+if (WIN32)
+    set(WITH_EXEC 0)
+endif(WIN32)
--- a/19
+++ b/19
@@ -7,11 +7,13 @@
 In order to build libssh, you need to install several components:

 - A C compiler
- [CMake](https://www.cmake.org) >= 3.3.0
- [openssl](https://www.openssl.org) >= 1.0.1
-or
- [gcrypt](https://www.gnu.org/directory/Security/libgcrypt.html) >= 1.4
+- [CMake](https://www.cmake.org) >= 3.12.0
 - [libz](https://www.zlib.net) >= 1.2
+- [openssl](https://www.openssl.org) >= 1.1.1
+or
+- [gcrypt](https://www.gnu.org/directory/Security/libgcrypt.html) >= 1.5
+or
+- [Mbed TLS](https://www.trustedfirmware.org/projects/mbed-tls/)

 optional:
 - [cmocka](https://cmocka.org/) >= 1.1.0
@@ -19,6 +21,7 @@ optional:
 - [nss_wrapper](https://cwrap.org/) >= 1.1.2
 - [uid_wrapper](https://cwrap.org/) >= 1.2.0
 - [pam_wrapper](https://cwrap.org/) >= 1.0.1
+- [priv_wrapper](https://cwrap.org/) >= 1.0.0

 Note that these version numbers are version we know works correctly. If you
 build and run libssh successfully with an older version, please let us know.
@@ -35,14 +38,16 @@ First, you need to configure the compilation, using CMake. Go inside the
 `build` dir. Create it if it doesn't exist.

 GNU/Linux, MacOS X, MSYS/MinGW:
-
-    cmake -DUNIT_TESTING=ON -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug ..
+    cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug ..
    make

-On Windows you should choose a makefile gernerator with -G or use
+On Windows you should choose a makefile generator with -G or use

    cmake-gui.exe ..

+To enable building tests use -DUNIT_TESTING=ON. For this, the
+[cmocka](https://cmocka.org) dependency is required.
+
 To enable additional client tests against a local OpenSSH server, add the
 compile option -DCLIENT_TESTING=ON. These tests require an OpenSSH
 server package and some wrapper libraries (see optional requirements) to
--- a/cmake/Modules/AddCMockaTest.cmake
+++ b/cmake/Modules/AddCMockaTest.cmake
@@ -116,5 +116,10 @@ function(ADD_CMOCKA_TEST _TARGET_NAME)
    add_test(${_TARGET_NAME}
        ${TARGET_SYSTEM_EMULATOR} ${_TARGET_NAME}
    )
+    if (WITH_COVERAGE)
+        ENABLE_LANGUAGE(CXX)
+        include(CodeCoverage)
+        append_coverage_compiler_flags_to_target(${_TARGET_NAME})
+    endif (WITH_COVERAGE)

 endfunction (ADD_CMOCKA_TEST)
--- a/cmake/Modules/CodeCoverage.cmake
+++ b/cmake/Modules/CodeCoverage.cmake
@@ -0,0 +1,750 @@
+# Copyright (c) 2012 - 2017, Lars Bilke
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its contributors
+#    may be used to endorse or promote products derived from this software without
+#    specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# CHANGES:
+#
+# 2012-01-31, Lars Bilke
+# - Enable Code Coverage
+#
+# 2013-09-17, Joakim Söderberg
+# - Added support for Clang.
+# - Some additional usage instructions.
+#
+# 2016-02-03, Lars Bilke
+# - Refactored functions to use named parameters
+#
+# 2017-06-02, Lars Bilke
+# - Merged with modified version from github.com/ufz/ogs
+#
+# 2019-05-06, Anatolii Kurotych
+# - Remove unnecessary --coverage flag
+#
+# 2019-12-13, FeRD (Frank Dana)
+# - Deprecate COVERAGE_LCOVR_EXCLUDES and COVERAGE_GCOVR_EXCLUDES lists in favor
+#   of tool-agnostic COVERAGE_EXCLUDES variable, or EXCLUDE setup arguments.
+# - CMake 3.4+: All excludes can be specified relative to BASE_DIRECTORY
+# - All setup functions: accept BASE_DIRECTORY, EXCLUDE list
+# - Set lcov basedir with -b argument
+# - Add automatic --demangle-cpp in lcovr, if 'c++filt' is available (can be
+#   overridden with NO_DEMANGLE option in setup_target_for_coverage_lcovr().)
+# - Delete output dir, .info file on 'make clean'
+# - Remove Python detection, since version mismatches will break gcovr
+# - Minor cleanup (lowercase function names, update examples...)
+#
+# 2019-12-19, FeRD (Frank Dana)
+# - Rename Lcov outputs, make filtered file canonical, fix cleanup for targets
+#
+# 2020-01-19, Bob Apthorpe
+# - Added gfortran support
+#
+# 2020-02-17, FeRD (Frank Dana)
+# - Make all add_custom_target()s VERBATIM to auto-escape wildcard characters
+#   in EXCLUDEs, and remove manual escaping from gcovr targets
+#
+# 2021-01-19, Robin Mueller
+# - Add CODE_COVERAGE_VERBOSE option which will allow to print out commands which are run
+# - Added the option for users to set the GCOVR_ADDITIONAL_ARGS variable to supply additional
+#   flags to the gcovr command
+#
+# 2020-05-04, Mihchael Davis
+#     - Add -fprofile-abs-path to make gcno files contain absolute paths
+#     - Fix BASE_DIRECTORY not working when defined
+#     - Change BYPRODUCT from folder to index.html to stop ninja from complaining about double defines
+#
+# 2021-05-10, Martin Stump
+#     - Check if the generator is multi-config before warning about non-Debug builds
+#
+# 2022-02-22, Marko Wehle
+#     - Change gcovr output from -o <filename> for --xml <filename> and --html <filename> output respectively.
+#       This will allow for Multiple Output Formats at the same time by making use of GCOVR_ADDITIONAL_ARGS, e.g. GCOVR_ADDITIONAL_ARGS "--txt".
+#
+# 2022-09-28, Sebastian Mueller
+#     - fix append_coverage_compiler_flags_to_target to correctly add flags
+#     - replace "-fprofile-arcs -ftest-coverage" with "--coverage" (equivalent)
+#
+# USAGE:
+#
+# 1. Copy this file into your cmake modules path.
+#
+# 2. Add the following line to your CMakeLists.txt (best inside an if-condition
+#    using a CMake option() to enable it just optionally):
+#      include(CodeCoverage)
+#
+# 3. Append necessary compiler flags for all supported source files:
+#      append_coverage_compiler_flags()
+#    Or for specific target:
+#      append_coverage_compiler_flags_to_target(YOUR_TARGET_NAME)
+#
+# 3.a (OPTIONAL) Set appropriate optimization flags, e.g. -O0, -O1 or -Og
+#
+# 4. If you need to exclude additional directories from the report, specify them
+#    using full paths in the COVERAGE_EXCLUDES variable before calling
+#    setup_target_for_coverage_*().
+#    Example:
+#      set(COVERAGE_EXCLUDES
+#          '${PROJECT_SOURCE_DIR}/src/dir1/*'
+#          '/path/to/my/src/dir2/*')
+#    Or, use the EXCLUDE argument to setup_target_for_coverage_*().
+#    Example:
+#      setup_target_for_coverage_lcov(
+#          NAME coverage
+#          EXECUTABLE testrunner
+#          EXCLUDE "${PROJECT_SOURCE_DIR}/src/dir1/*" "/path/to/my/src/dir2/*")
+#
+# 4.a NOTE: With CMake 3.4+, COVERAGE_EXCLUDES or EXCLUDE can also be set
+#     relative to the BASE_DIRECTORY (default: PROJECT_SOURCE_DIR)
+#     Example:
+#       set(COVERAGE_EXCLUDES "dir1/*")
+#       setup_target_for_coverage_gcovr_html(
+#           NAME coverage
+#           EXECUTABLE testrunner
+#           BASE_DIRECTORY "${PROJECT_SOURCE_DIR}/src"
+#           EXCLUDE "dir2/*")
+#
+# 5. Use the functions described below to create a custom make target which
+#    runs your test executable and produces a code coverage report.
+#
+# 6. Build a Debug build:
+#      cmake -DCMAKE_BUILD_TYPE=Debug ..
+#      make
+#      make my_coverage_target
+#
+
+include(CMakeParseArguments)
+
+option(CODE_COVERAGE_VERBOSE "Verbose information" FALSE)
+
+# Check prereqs
+find_program( GCOV_PATH gcov )
+find_program( LCOV_PATH  NAMES lcov lcov.bat lcov.exe lcov.perl)
+find_program( FASTCOV_PATH NAMES fastcov fastcov.py )
+find_program( GENHTML_PATH NAMES genhtml genhtml.perl genhtml.bat )
+find_program( GCOVR_PATH gcovr PATHS ${CMAKE_SOURCE_DIR}/scripts/test)
+find_program( CPPFILT_PATH NAMES c++filt )
+
+if(NOT GCOV_PATH)
+    message(FATAL_ERROR "gcov not found! Aborting...")
+endif() # NOT GCOV_PATH
+
+# Check supported compiler (Clang, GNU and Flang)
+get_property(LANGUAGES GLOBAL PROPERTY ENABLED_LANGUAGES)
+foreach(LANG ${LANGUAGES})
+  if("${CMAKE_${LANG}_COMPILER_ID}" MATCHES "(Apple)?[Cc]lang")
+    if("${CMAKE_${LANG}_COMPILER_VERSION}" VERSION_LESS 3)
+      message(FATAL_ERROR "Clang version must be 3.0.0 or greater! Aborting...")
+    endif()
+  elseif(NOT "${CMAKE_${LANG}_COMPILER_ID}" MATCHES "GNU"
+         AND NOT "${CMAKE_${LANG}_COMPILER_ID}" MATCHES "(LLVM)?[Ff]lang")
+    message(FATAL_ERROR "Compiler is not GNU or Flang! Aborting...")
+  endif()
+endforeach()
+
+set(COVERAGE_COMPILER_FLAGS "-g --coverage -fprofile-update=atomic"
+    CACHE INTERNAL "")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "(GNU|Clang)")
+    include(CheckCXXCompilerFlag)
+    check_cxx_compiler_flag(-fprofile-abs-path HAVE_cxx_fprofile_abs_path)
+    if(HAVE_cxx_fprofile_abs_path)
+        set(COVERAGE_CXX_COMPILER_FLAGS "${COVERAGE_COMPILER_FLAGS} -fprofile-abs-path")
+    endif()
+endif()
+if(CMAKE_C_COMPILER_ID MATCHES "(GNU|Clang)")
+    include(CheckCCompilerFlag)
+    check_c_compiler_flag(-fprofile-abs-path HAVE_c_fprofile_abs_path)
+    if(HAVE_c_fprofile_abs_path)
+        set(COVERAGE_C_COMPILER_FLAGS "${COVERAGE_COMPILER_FLAGS} -fprofile-abs-path")
+    endif()
+endif()
+
+set(CMAKE_Fortran_FLAGS_COVERAGE
+    ${COVERAGE_COMPILER_FLAGS}
+    CACHE STRING "Flags used by the Fortran compiler during coverage builds."
+    FORCE )
+set(CMAKE_CXX_FLAGS_COVERAGE
+    ${COVERAGE_COMPILER_FLAGS}
+    CACHE STRING "Flags used by the C++ compiler during coverage builds."
+    FORCE )
+set(CMAKE_C_FLAGS_COVERAGE
+    ${COVERAGE_COMPILER_FLAGS}
+    CACHE STRING "Flags used by the C compiler during coverage builds."
+    FORCE )
+set(CMAKE_EXE_LINKER_FLAGS_COVERAGE
+    ""
+    CACHE STRING "Flags used for linking binaries during coverage builds."
+    FORCE )
+set(CMAKE_SHARED_LINKER_FLAGS_COVERAGE
+    ""
+    CACHE STRING "Flags used by the shared libraries linker during coverage builds."
+    FORCE )
+mark_as_advanced(
+    CMAKE_Fortran_FLAGS_COVERAGE
+    CMAKE_CXX_FLAGS_COVERAGE
+    CMAKE_C_FLAGS_COVERAGE
+    CMAKE_EXE_LINKER_FLAGS_COVERAGE
+    CMAKE_SHARED_LINKER_FLAGS_COVERAGE )
+
+get_property(GENERATOR_IS_MULTI_CONFIG GLOBAL PROPERTY GENERATOR_IS_MULTI_CONFIG)
+if(NOT (CMAKE_BUILD_TYPE STREQUAL "Debug" OR GENERATOR_IS_MULTI_CONFIG))
+    message(WARNING "Code coverage results with an optimised (non-Debug) build may be misleading")
+endif() # NOT (CMAKE_BUILD_TYPE STREQUAL "Debug" OR GENERATOR_IS_MULTI_CONFIG)
+
+if(CMAKE_C_COMPILER_ID STREQUAL "GNU" OR CMAKE_Fortran_COMPILER_ID STREQUAL "GNU")
+    link_libraries(gcov)
+endif()
+
+# Defines a target for running and collection code coverage information
+# Builds dependencies, runs the given executable and outputs reports.
+# NOTE! The executable should always have a ZERO as exit code otherwise
+# the coverage generation will not complete.
+#
+# setup_target_for_coverage_lcov(
+#     NAME testrunner_coverage                    # New target name
+#     EXECUTABLE testrunner -j ${PROCESSOR_COUNT} # Executable in PROJECT_BINARY_DIR
+#     DEPENDENCIES testrunner                     # Dependencies to build first
+#     BASE_DIRECTORY "../"                        # Base directory for report
+#                                                 #  (defaults to PROJECT_SOURCE_DIR)
+#     EXCLUDE "src/dir1/*" "src/dir2/*"           # Patterns to exclude (can be relative
+#                                                 #  to BASE_DIRECTORY, with CMake 3.4+)
+#     NO_DEMANGLE                                 # Don't demangle C++ symbols
+#                                                 #  even if c++filt is found
+# )
+function(setup_target_for_coverage_lcov)
+
+    set(options NO_DEMANGLE SONARQUBE)
+    set(oneValueArgs BASE_DIRECTORY NAME)
+    set(multiValueArgs EXCLUDE EXECUTABLE EXECUTABLE_ARGS DEPENDENCIES LCOV_ARGS GENHTML_ARGS)
+    cmake_parse_arguments(Coverage "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
+
+    if(NOT LCOV_PATH)
+        message(FATAL_ERROR "lcov not found! Aborting...")
+    endif() # NOT LCOV_PATH
+
+    if(NOT GENHTML_PATH)
+        message(FATAL_ERROR "genhtml not found! Aborting...")
+    endif() # NOT GENHTML_PATH
+
+    # Set base directory (as absolute path), or default to PROJECT_SOURCE_DIR
+    if(DEFINED Coverage_BASE_DIRECTORY)
+        get_filename_component(BASEDIR ${Coverage_BASE_DIRECTORY} ABSOLUTE)
+    else()
+        set(BASEDIR ${PROJECT_SOURCE_DIR})
+    endif()
+
+    # Collect excludes (CMake 3.4+: Also compute absolute paths)
+    set(LCOV_EXCLUDES "")
+    foreach(EXCLUDE ${Coverage_EXCLUDE} ${COVERAGE_EXCLUDES} ${COVERAGE_LCOV_EXCLUDES})
+        if(CMAKE_VERSION VERSION_GREATER 3.4)
+            get_filename_component(EXCLUDE ${EXCLUDE} ABSOLUTE BASE_DIR ${BASEDIR})
+        endif()
+        list(APPEND LCOV_EXCLUDES "${EXCLUDE}")
+    endforeach()
+    list(REMOVE_DUPLICATES LCOV_EXCLUDES)
+
+    # Conditional arguments
+    if(CPPFILT_PATH AND NOT ${Coverage_NO_DEMANGLE})
+      set(GENHTML_EXTRA_ARGS "--demangle-cpp")
+    endif()
+
+    # Setting up commands which will be run to generate coverage data.
+    # Cleanup lcov
+    set(LCOV_CLEAN_CMD
+        ${LCOV_PATH} ${Coverage_LCOV_ARGS} --gcov-tool ${GCOV_PATH} -directory .
+        -b ${BASEDIR} --zerocounters
+    )
+    # Create baseline to make sure untouched files show up in the report
+    set(LCOV_BASELINE_CMD
+        ${LCOV_PATH} ${Coverage_LCOV_ARGS} --gcov-tool ${GCOV_PATH} -c -i -d . -b
+        ${BASEDIR} -o ${Coverage_NAME}.base
+    )
+    # Run tests
+    set(LCOV_EXEC_TESTS_CMD
+        ${Coverage_EXECUTABLE} ${Coverage_EXECUTABLE_ARGS}
+    )
+    # Capturing lcov counters and generating report
+    set(LCOV_CAPTURE_CMD
+        ${LCOV_PATH} ${Coverage_LCOV_ARGS} --gcov-tool ${GCOV_PATH} --directory . -b
+        ${BASEDIR} --capture --output-file ${Coverage_NAME}.capture
+    )
+    # add baseline counters
+    set(LCOV_BASELINE_COUNT_CMD
+        ${LCOV_PATH} ${Coverage_LCOV_ARGS} --gcov-tool ${GCOV_PATH} -a ${Coverage_NAME}.base
+        -a ${Coverage_NAME}.capture --output-file ${Coverage_NAME}.total
+    )
+    # filter collected data to final coverage report
+    set(LCOV_FILTER_CMD
+        ${LCOV_PATH} ${Coverage_LCOV_ARGS} --gcov-tool ${GCOV_PATH} --remove
+        ${Coverage_NAME}.total ${LCOV_EXCLUDES} --output-file ${Coverage_NAME}.info
+    )
+    # Generate HTML output
+    set(LCOV_GEN_HTML_CMD
+        ${GENHTML_PATH} ${GENHTML_EXTRA_ARGS} ${Coverage_GENHTML_ARGS} -o
+        ${Coverage_NAME} ${Coverage_NAME}.info
+    )
+    if(${Coverage_SONARQUBE})
+        # Generate SonarQube output
+        set(GCOVR_XML_CMD
+            ${GCOVR_PATH} --sonarqube ${Coverage_NAME}_sonarqube.xml -r ${BASEDIR} ${GCOVR_ADDITIONAL_ARGS}
+            ${GCOVR_EXCLUDE_ARGS} --object-directory=${PROJECT_BINARY_DIR}
+        )
+        set(GCOVR_XML_CMD_COMMAND
+            COMMAND ${GCOVR_XML_CMD}
+        )
+        set(GCOVR_XML_CMD_BYPRODUCTS ${Coverage_NAME}_sonarqube.xml)
+        set(GCOVR_XML_CMD_COMMENT COMMENT "SonarQube code coverage info report saved in ${Coverage_NAME}_sonarqube.xml.")
+    endif()
+
+
+    if(CODE_COVERAGE_VERBOSE)
+        message(STATUS "Executed command report")
+        message(STATUS "Command to clean up lcov: ")
+        string(REPLACE ";" " " LCOV_CLEAN_CMD_SPACED "${LCOV_CLEAN_CMD}")
+        message(STATUS "${LCOV_CLEAN_CMD_SPACED}")
+
+        message(STATUS "Command to create baseline: ")
+        string(REPLACE ";" " " LCOV_BASELINE_CMD_SPACED "${LCOV_BASELINE_CMD}")
+        message(STATUS "${LCOV_BASELINE_CMD_SPACED}")
+
+        message(STATUS "Command to run the tests: ")
+        string(REPLACE ";" " " LCOV_EXEC_TESTS_CMD_SPACED "${LCOV_EXEC_TESTS_CMD}")
+        message(STATUS "${LCOV_EXEC_TESTS_CMD_SPACED}")
+
+        message(STATUS "Command to capture counters and generate report: ")
+        string(REPLACE ";" " " LCOV_CAPTURE_CMD_SPACED "${LCOV_CAPTURE_CMD}")
+        message(STATUS "${LCOV_CAPTURE_CMD_SPACED}")
+
+        message(STATUS "Command to add baseline counters: ")
+        string(REPLACE ";" " " LCOV_BASELINE_COUNT_CMD_SPACED "${LCOV_BASELINE_COUNT_CMD}")
+        message(STATUS "${LCOV_BASELINE_COUNT_CMD_SPACED}")
+
+        message(STATUS "Command to filter collected data: ")
+        string(REPLACE ";" " " LCOV_FILTER_CMD_SPACED "${LCOV_FILTER_CMD}")
+        message(STATUS "${LCOV_FILTER_CMD_SPACED}")
+
+        message(STATUS "Command to generate lcov HTML output: ")
+        string(REPLACE ";" " " LCOV_GEN_HTML_CMD_SPACED "${LCOV_GEN_HTML_CMD}")
+        message(STATUS "${LCOV_GEN_HTML_CMD_SPACED}")
+
+        if(${Coverage_SONARQUBE})
+            message(STATUS "Command to generate SonarQube XML output: ")
+            string(REPLACE ";" " " GCOVR_XML_CMD_SPACED "${GCOVR_XML_CMD}")
+            message(STATUS "${GCOVR_XML_CMD_SPACED}")
+        endif()
+    endif()
+
+    # Setup target
+    add_custom_target(${Coverage_NAME}
+        COMMAND ${LCOV_CLEAN_CMD}
+        COMMAND ${LCOV_BASELINE_CMD}
+        COMMAND ${LCOV_EXEC_TESTS_CMD}
+        COMMAND ${LCOV_CAPTURE_CMD}
+        COMMAND ${LCOV_BASELINE_COUNT_CMD}
+        COMMAND ${LCOV_FILTER_CMD}
+        COMMAND ${LCOV_GEN_HTML_CMD}
+        ${GCOVR_XML_CMD_COMMAND}
+
+        # Set output files as GENERATED (will be removed on 'make clean')
+        BYPRODUCTS
+            ${Coverage_NAME}.base
+            ${Coverage_NAME}.capture
+            ${Coverage_NAME}.total
+            ${Coverage_NAME}.info
+            ${GCOVR_XML_CMD_BYPRODUCTS}
+            ${Coverage_NAME}/index.html
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+        DEPENDS ${Coverage_DEPENDENCIES}
+        VERBATIM # Protect arguments to commands
+        COMMENT "Resetting code coverage counters to zero.\nProcessing code coverage counters and generating report."
+    )
+
+    # Show where to find the lcov info report
+    add_custom_command(TARGET ${Coverage_NAME} POST_BUILD
+        COMMAND ;
+        COMMENT "Lcov code coverage info report saved in ${Coverage_NAME}.info."
+        ${GCOVR_XML_CMD_COMMENT}
+    )
+
+    # Show info where to find the report
+    add_custom_command(TARGET ${Coverage_NAME} POST_BUILD
+        COMMAND ;
+        COMMENT "Open ./${Coverage_NAME}/index.html in your browser to view the coverage report."
+    )
+
+endfunction() # setup_target_for_coverage_lcov
+
+# Defines a target for running and collection code coverage information
+# Builds dependencies, runs the given executable and outputs reports.
+# NOTE! The executable should always have a ZERO as exit code otherwise
+# the coverage generation will not complete.
+#
+# setup_target_for_coverage_gcovr_xml(
+#     NAME ctest_coverage                    # New target name
+#     EXECUTABLE ctest -j ${PROCESSOR_COUNT} # Executable in PROJECT_BINARY_DIR
+#     DEPENDENCIES executable_target         # Dependencies to build first
+#     BASE_DIRECTORY "../"                   # Base directory for report
+#                                            #  (defaults to PROJECT_SOURCE_DIR)
+#     EXCLUDE "src/dir1/*" "src/dir2/*"      # Patterns to exclude (can be relative
+#                                            #  to BASE_DIRECTORY, with CMake 3.4+)
+# )
+# The user can set the variable GCOVR_ADDITIONAL_ARGS to supply additional flags to the
+# GCVOR command.
+function(setup_target_for_coverage_gcovr_xml)
+
+    set(options NONE)
+    set(oneValueArgs BASE_DIRECTORY NAME)
+    set(multiValueArgs EXCLUDE EXECUTABLE EXECUTABLE_ARGS DEPENDENCIES)
+    cmake_parse_arguments(Coverage "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
+
+    if(NOT GCOVR_PATH)
+        message(FATAL_ERROR "gcovr not found! Aborting...")
+    endif() # NOT GCOVR_PATH
+
+    # Set base directory (as absolute path), or default to PROJECT_SOURCE_DIR
+    if(DEFINED Coverage_BASE_DIRECTORY)
+        get_filename_component(BASEDIR ${Coverage_BASE_DIRECTORY} ABSOLUTE)
+    else()
+        set(BASEDIR ${PROJECT_SOURCE_DIR})
+    endif()
+
+    # Collect excludes (CMake 3.4+: Also compute absolute paths)
+    set(GCOVR_EXCLUDES "")
+    foreach(EXCLUDE ${Coverage_EXCLUDE} ${COVERAGE_EXCLUDES} ${COVERAGE_GCOVR_EXCLUDES})
+        if(CMAKE_VERSION VERSION_GREATER 3.4)
+            get_filename_component(EXCLUDE ${EXCLUDE} ABSOLUTE BASE_DIR ${BASEDIR})
+        endif()
+        list(APPEND GCOVR_EXCLUDES "${EXCLUDE}")
+    endforeach()
+    list(REMOVE_DUPLICATES GCOVR_EXCLUDES)
+
+    # Combine excludes to several -e arguments
+    set(GCOVR_EXCLUDE_ARGS "")
+    foreach(EXCLUDE ${GCOVR_EXCLUDES})
+        list(APPEND GCOVR_EXCLUDE_ARGS "-e")
+        list(APPEND GCOVR_EXCLUDE_ARGS "${EXCLUDE}")
+    endforeach()
+
+    # Set up commands which will be run to generate coverage data
+    # Run tests
+    set(GCOVR_XML_EXEC_TESTS_CMD
+        ${Coverage_EXECUTABLE} ${Coverage_EXECUTABLE_ARGS}
+    )
+    # Running gcovr
+    set(GCOVR_XML_CMD
+        ${GCOVR_PATH} --xml ${Coverage_NAME}.xml -r ${BASEDIR} ${GCOVR_ADDITIONAL_ARGS}
+        ${GCOVR_EXCLUDE_ARGS} --object-directory=${PROJECT_BINARY_DIR}
+    )
+
+    if(CODE_COVERAGE_VERBOSE)
+        message(STATUS "Executed command report")
+
+        message(STATUS "Command to run tests: ")
+        string(REPLACE ";" " " GCOVR_XML_EXEC_TESTS_CMD_SPACED "${GCOVR_XML_EXEC_TESTS_CMD}")
+        message(STATUS "${GCOVR_XML_EXEC_TESTS_CMD_SPACED}")
+
+        message(STATUS "Command to generate gcovr XML coverage data: ")
+        string(REPLACE ";" " " GCOVR_XML_CMD_SPACED "${GCOVR_XML_CMD}")
+        message(STATUS "${GCOVR_XML_CMD_SPACED}")
+    endif()
+
+    add_custom_target(${Coverage_NAME}
+        COMMAND ${GCOVR_XML_EXEC_TESTS_CMD}
+        COMMAND ${GCOVR_XML_CMD}
+
+        BYPRODUCTS ${Coverage_NAME}.xml
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+        DEPENDS ${Coverage_DEPENDENCIES}
+        VERBATIM # Protect arguments to commands
+        COMMENT "Running gcovr to produce Cobertura code coverage report."
+    )
+
+    # Show info where to find the report
+    add_custom_command(TARGET ${Coverage_NAME} POST_BUILD
+        COMMAND ;
+        COMMENT "Cobertura code coverage report saved in ${Coverage_NAME}.xml."
+    )
+endfunction() # setup_target_for_coverage_gcovr_xml
+
+# Defines a target for running and collection code coverage information
+# Builds dependencies, runs the given executable and outputs reports.
+# NOTE! The executable should always have a ZERO as exit code otherwise
+# the coverage generation will not complete.
+#
+# setup_target_for_coverage_gcovr_html(
+#     NAME ctest_coverage                    # New target name
+#     EXECUTABLE ctest -j ${PROCESSOR_COUNT} # Executable in PROJECT_BINARY_DIR
+#     DEPENDENCIES executable_target         # Dependencies to build first
+#     BASE_DIRECTORY "../"                   # Base directory for report
+#                                            #  (defaults to PROJECT_SOURCE_DIR)
+#     EXCLUDE "src/dir1/*" "src/dir2/*"      # Patterns to exclude (can be relative
+#                                            #  to BASE_DIRECTORY, with CMake 3.4+)
+# )
+# The user can set the variable GCOVR_ADDITIONAL_ARGS to supply additional flags to the
+# GCVOR command.
+function(setup_target_for_coverage_gcovr_html)
+
+    set(options NONE)
+    set(oneValueArgs BASE_DIRECTORY NAME)
+    set(multiValueArgs EXCLUDE EXECUTABLE EXECUTABLE_ARGS DEPENDENCIES)
+    cmake_parse_arguments(Coverage "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
+
+    if(NOT GCOVR_PATH)
+        message(FATAL_ERROR "gcovr not found! Aborting...")
+    endif() # NOT GCOVR_PATH
+
+    # Set base directory (as absolute path), or default to PROJECT_SOURCE_DIR
+    if(DEFINED Coverage_BASE_DIRECTORY)
+        get_filename_component(BASEDIR ${Coverage_BASE_DIRECTORY} ABSOLUTE)
+    else()
+        set(BASEDIR ${PROJECT_SOURCE_DIR})
+    endif()
+
+    # Collect excludes (CMake 3.4+: Also compute absolute paths)
+    set(GCOVR_EXCLUDES "")
+    foreach(EXCLUDE ${Coverage_EXCLUDE} ${COVERAGE_EXCLUDES} ${COVERAGE_GCOVR_EXCLUDES})
+        if(CMAKE_VERSION VERSION_GREATER 3.4)
+            get_filename_component(EXCLUDE ${EXCLUDE} ABSOLUTE BASE_DIR ${BASEDIR})
+        endif()
+        list(APPEND GCOVR_EXCLUDES "${EXCLUDE}")
+    endforeach()
+    list(REMOVE_DUPLICATES GCOVR_EXCLUDES)
+
+    # Combine excludes to several -e arguments
+    set(GCOVR_EXCLUDE_ARGS "")
+    foreach(EXCLUDE ${GCOVR_EXCLUDES})
+        list(APPEND GCOVR_EXCLUDE_ARGS "-e")
+        list(APPEND GCOVR_EXCLUDE_ARGS "${EXCLUDE}")
+    endforeach()
+
+    # Set up commands which will be run to generate coverage data
+    # Run tests
+    set(GCOVR_HTML_EXEC_TESTS_CMD
+        ${Coverage_EXECUTABLE} ${Coverage_EXECUTABLE_ARGS}
+    )
+    # Create folder
+    set(GCOVR_HTML_FOLDER_CMD
+        ${CMAKE_COMMAND} -E make_directory ${PROJECT_BINARY_DIR}/${Coverage_NAME}
+    )
+    # Running gcovr
+    set(GCOVR_HTML_CMD
+        ${GCOVR_PATH} --html ${Coverage_NAME}/index.html --html-details -r ${BASEDIR} ${GCOVR_ADDITIONAL_ARGS}
+        ${GCOVR_EXCLUDE_ARGS} --object-directory=${PROJECT_BINARY_DIR}
+    )
+
+    if(CODE_COVERAGE_VERBOSE)
+        message(STATUS "Executed command report")
+
+        message(STATUS "Command to run tests: ")
+        string(REPLACE ";" " " GCOVR_HTML_EXEC_TESTS_CMD_SPACED "${GCOVR_HTML_EXEC_TESTS_CMD}")
+        message(STATUS "${GCOVR_HTML_EXEC_TESTS_CMD_SPACED}")
+
+        message(STATUS "Command to create a folder: ")
+        string(REPLACE ";" " " GCOVR_HTML_FOLDER_CMD_SPACED "${GCOVR_HTML_FOLDER_CMD}")
+        message(STATUS "${GCOVR_HTML_FOLDER_CMD_SPACED}")
+
+        message(STATUS "Command to generate gcovr HTML coverage data: ")
+        string(REPLACE ";" " " GCOVR_HTML_CMD_SPACED "${GCOVR_HTML_CMD}")
+        message(STATUS "${GCOVR_HTML_CMD_SPACED}")
+    endif()
+
+    add_custom_target(${Coverage_NAME}
+        COMMAND ${GCOVR_HTML_EXEC_TESTS_CMD}
+        COMMAND ${GCOVR_HTML_FOLDER_CMD}
+        COMMAND ${GCOVR_HTML_CMD}
+
+        BYPRODUCTS ${PROJECT_BINARY_DIR}/${Coverage_NAME}/index.html  # report directory
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+        DEPENDS ${Coverage_DEPENDENCIES}
+        VERBATIM # Protect arguments to commands
+        COMMENT "Running gcovr to produce HTML code coverage report."
+    )
+
+    # Show info where to find the report
+    add_custom_command(TARGET ${Coverage_NAME} POST_BUILD
+        COMMAND ;
+        COMMENT "Open ./${Coverage_NAME}/index.html in your browser to view the coverage report."
+    )
+
+endfunction() # setup_target_for_coverage_gcovr_html
+
+# Defines a target for running and collection code coverage information
+# Builds dependencies, runs the given executable and outputs reports.
+# NOTE! The executable should always have a ZERO as exit code otherwise
+# the coverage generation will not complete.
+#
+# setup_target_for_coverage_fastcov(
+#     NAME testrunner_coverage                    # New target name
+#     EXECUTABLE testrunner -j ${PROCESSOR_COUNT} # Executable in PROJECT_BINARY_DIR
+#     DEPENDENCIES testrunner                     # Dependencies to build first
+#     BASE_DIRECTORY "../"                        # Base directory for report
+#                                                 #  (defaults to PROJECT_SOURCE_DIR)
+#     EXCLUDE "src/dir1/" "src/dir2/"             # Patterns to exclude.
+#     NO_DEMANGLE                                 # Don't demangle C++ symbols
+#                                                 #  even if c++filt is found
+#     SKIP_HTML                                   # Don't create html report
+#     POST_CMD perl -i -pe s!${PROJECT_SOURCE_DIR}/!!g ctest_coverage.json  # E.g. for stripping source dir from file paths
+# )
+function(setup_target_for_coverage_fastcov)
+
+    set(options NO_DEMANGLE SKIP_HTML)
+    set(oneValueArgs BASE_DIRECTORY NAME)
+    set(multiValueArgs EXCLUDE EXECUTABLE EXECUTABLE_ARGS DEPENDENCIES FASTCOV_ARGS GENHTML_ARGS POST_CMD)
+    cmake_parse_arguments(Coverage "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
+
+    if(NOT FASTCOV_PATH)
+        message(FATAL_ERROR "fastcov not found! Aborting...")
+    endif()
+
+    if(NOT Coverage_SKIP_HTML AND NOT GENHTML_PATH)
+        message(FATAL_ERROR "genhtml not found! Aborting...")
+    endif()
+
+    # Set base directory (as absolute path), or default to PROJECT_SOURCE_DIR
+    if(Coverage_BASE_DIRECTORY)
+        get_filename_component(BASEDIR ${Coverage_BASE_DIRECTORY} ABSOLUTE)
+    else()
+        set(BASEDIR ${PROJECT_SOURCE_DIR})
+    endif()
+
+    # Collect excludes (Patterns, not paths, for fastcov)
+    set(FASTCOV_EXCLUDES "")
+    foreach(EXCLUDE ${Coverage_EXCLUDE} ${COVERAGE_EXCLUDES} ${COVERAGE_FASTCOV_EXCLUDES})
+        list(APPEND FASTCOV_EXCLUDES "${EXCLUDE}")
+    endforeach()
+    list(REMOVE_DUPLICATES FASTCOV_EXCLUDES)
+
+    # Conditional arguments
+    if(CPPFILT_PATH AND NOT ${Coverage_NO_DEMANGLE})
+        set(GENHTML_EXTRA_ARGS "--demangle-cpp")
+    endif()
+
+    # Set up commands which will be run to generate coverage data
+    set(FASTCOV_EXEC_TESTS_CMD ${Coverage_EXECUTABLE} ${Coverage_EXECUTABLE_ARGS})
+
+    set(FASTCOV_CAPTURE_CMD ${FASTCOV_PATH} ${Coverage_FASTCOV_ARGS} --gcov ${GCOV_PATH}
+        --search-directory ${BASEDIR}
+        --process-gcno
+        --output ${Coverage_NAME}.json
+        --exclude ${FASTCOV_EXCLUDES}
+    )
+
+    set(FASTCOV_CONVERT_CMD ${FASTCOV_PATH}
+        -C ${Coverage_NAME}.json --lcov --output ${Coverage_NAME}.info
+    )
+
+    if(Coverage_SKIP_HTML)
+        set(FASTCOV_HTML_CMD ";")
+    else()
+        set(FASTCOV_HTML_CMD ${GENHTML_PATH} ${GENHTML_EXTRA_ARGS} ${Coverage_GENHTML_ARGS}
+            -o ${Coverage_NAME} ${Coverage_NAME}.info
+        )
+    endif()
+
+    set(FASTCOV_POST_CMD ";")
+    if(Coverage_POST_CMD)
+        set(FASTCOV_POST_CMD ${Coverage_POST_CMD})
+    endif()
+
+    if(CODE_COVERAGE_VERBOSE)
+        message(STATUS "Code coverage commands for target ${Coverage_NAME} (fastcov):")
+
+        message("   Running tests:")
+        string(REPLACE ";" " " FASTCOV_EXEC_TESTS_CMD_SPACED "${FASTCOV_EXEC_TESTS_CMD}")
+        message("     ${FASTCOV_EXEC_TESTS_CMD_SPACED}")
+
+        message("   Capturing fastcov counters and generating report:")
+        string(REPLACE ";" " " FASTCOV_CAPTURE_CMD_SPACED "${FASTCOV_CAPTURE_CMD}")
+        message("     ${FASTCOV_CAPTURE_CMD_SPACED}")
+
+        message("   Converting fastcov .json to lcov .info:")
+        string(REPLACE ";" " " FASTCOV_CONVERT_CMD_SPACED "${FASTCOV_CONVERT_CMD}")
+        message("     ${FASTCOV_CONVERT_CMD_SPACED}")
+
+        if(NOT Coverage_SKIP_HTML)
+            message("   Generating HTML report: ")
+            string(REPLACE ";" " " FASTCOV_HTML_CMD_SPACED "${FASTCOV_HTML_CMD}")
+            message("     ${FASTCOV_HTML_CMD_SPACED}")
+        endif()
+        if(Coverage_POST_CMD)
+            message("   Running post command: ")
+            string(REPLACE ";" " " FASTCOV_POST_CMD_SPACED "${FASTCOV_POST_CMD}")
+            message("     ${FASTCOV_POST_CMD_SPACED}")
+        endif()
+    endif()
+
+    # Setup target
+    add_custom_target(${Coverage_NAME}
+
+        # Cleanup fastcov
+        COMMAND ${FASTCOV_PATH} ${Coverage_FASTCOV_ARGS} --gcov ${GCOV_PATH}
+            --search-directory ${BASEDIR}
+            --zerocounters
+
+        COMMAND ${FASTCOV_EXEC_TESTS_CMD}
+        COMMAND ${FASTCOV_CAPTURE_CMD}
+        COMMAND ${FASTCOV_CONVERT_CMD}
+        COMMAND ${FASTCOV_HTML_CMD}
+        COMMAND ${FASTCOV_POST_CMD}
+
+        # Set output files as GENERATED (will be removed on 'make clean')
+        BYPRODUCTS
+             ${Coverage_NAME}.info
+             ${Coverage_NAME}.json
+             ${Coverage_NAME}/index.html  # report directory
+
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+        DEPENDS ${Coverage_DEPENDENCIES}
+        VERBATIM # Protect arguments to commands
+        COMMENT "Resetting code coverage counters to zero. Processing code coverage counters and generating report."
+    )
+
+    set(INFO_MSG "fastcov code coverage info report saved in ${Coverage_NAME}.info and ${Coverage_NAME}.json.")
+    if(NOT Coverage_SKIP_HTML)
+        string(APPEND INFO_MSG " Open ${PROJECT_BINARY_DIR}/${Coverage_NAME}/index.html in your browser to view the coverage report.")
+    endif()
+    # Show where to find the fastcov info report
+    add_custom_command(TARGET ${Coverage_NAME} POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E echo ${INFO_MSG}
+    )
+
+endfunction() # setup_target_for_coverage_fastcov
+
+function(append_coverage_compiler_flags)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${COVERAGE_COMPILER_FLAGS}" PARENT_SCOPE)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${COVERAGE_COMPILER_FLAGS}" PARENT_SCOPE)
+    set(CMAKE_Fortran_FLAGS "${CMAKE_Fortran_FLAGS} ${COVERAGE_COMPILER_FLAGS}" PARENT_SCOPE)
+    message(STATUS "Appending code coverage compiler flags: ${COVERAGE_COMPILER_FLAGS}")
+endfunction() # append_coverage_compiler_flags
+
+# Setup coverage for specific library
+function(append_coverage_compiler_flags_to_target name)
+    separate_arguments(_flag_list NATIVE_COMMAND "${COVERAGE_COMPILER_FLAGS}")
+    target_compile_options(${name} PRIVATE ${_flag_list})
+    if(CMAKE_C_COMPILER_ID STREQUAL "GNU" OR CMAKE_CXX_COMPILER_ID STREQUAL "GNU" OR CMAKE_Fortran_COMPILER_ID STREQUAL "GNU")
+        target_link_libraries(${name} PRIVATE gcov)
+    endif()
+endfunction()
--- a/cmake/Modules/DefineCMakeDefaults.cmake
+++ b/cmake/Modules/DefineCMakeDefaults.cmake
@@ -6,7 +6,7 @@ set(CMAKE_INCLUDE_CURRENT_DIR ON)

 # Put the include dirs which are in the source or build tree
 # before all other include dirs, so the headers in the sources
-# are prefered over the already installed ones
+# are preferred over the already installed ones
 # since cmake 2.4.1
 set(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)

--- a/cmake/Modules/ExtractSymbols.cmake
+++ b/cmake/Modules/ExtractSymbols.cmake
@@ -50,15 +50,28 @@ file(READ ${HEADERS_LIST_FILE} HEADERS_LIST)

 set(symbols)
 foreach(header ${HEADERS_LIST})
+    file(READ ${header} header_content)

    # Filter only lines containing the FILTER_PATTERN
-    file(STRINGS ${header} contain_filter
-      REGEX "^.*${FILTER_PATTERN}.*[(]"
+    # separated from the function name with one optional newline
+    string(REGEX MATCHALL
+      "${FILTER_PATTERN}[^(\n]*\n?[^(\n]*[(]"
+      contain_filter
+      "${header_content}"
+    )
+
+    # Remove the optional newline now
+    string(REGEX REPLACE
+      "(.+)\n?(.*)"
+      "\\1\\2"
+      oneline
+      "${contain_filter}"
    )

    # Remove function-like macros
-    foreach(line ${contain_filter})
-        if (NOT ${line} MATCHES ".*#[ ]*define")
+    # and anything with two underscores that sounds suspicious
+    foreach(line ${oneline})
+        if (NOT ${line} MATCHES ".*(#[ ]*define|__)")
            list(APPEND not_macro ${line})
        endif()
    endforeach()
--- a/cmake/Modules/FindABIMap.cmake
+++ b/cmake/Modules/FindABIMap.cmake
@@ -220,13 +220,12 @@

 # Search for python which is required
 if (ABIMap_FIND_REQURIED)
-    find_package(PythonInterp REQUIRED)
+    find_package(Python REQUIRED)
 else()
-    find_package(PythonInterp)
+    find_package(Python)
 endif()

-
-if (PYTHONINTERP_FOUND)
+if (TARGET Python::Interpreter)
    # Search for abimap tool used to generate the map files
    find_program(ABIMAP_EXECUTABLE NAMES abimap DOC "path to the abimap executable")
    mark_as_advanced(ABIMAP_EXECUTABLE)
--- a/cmake/Modules/FindArgp.cmake
+++ b/cmake/Modules/FindArgp.cmake
@@ -1,4 +1,8 @@
 # - Try to find ARGP
+#
+# The argp can be either shipped as part of libc (ex. glibc) or as a separate
+# library that requires additional linking (ex. Windows, Mac, musl libc, ...)
+#
 # Once done this will define
 #
 #  ARGP_ROOT_DIR - Set this variable to the root installation of ARGP
@@ -60,7 +64,7 @@ if (ARGP_LIBRARY)
 endif (ARGP_LIBRARY)

 include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(ARGP DEFAULT_MSG ARGP_LIBRARIES ARGP_INCLUDE_DIR)
+find_package_handle_standard_args(Argp DEFAULT_MSG ARGP_LIBRARIES ARGP_INCLUDE_DIR)

 # show the ARGP_INCLUDE_DIR and ARGP_LIBRARIES variables only in the advanced view
 mark_as_advanced(ARGP_INCLUDE_DIR ARGP_LIBRARIES)
--- a/cmake/Modules/FindGCrypt.cmake
+++ b/cmake/Modules/FindGCrypt.cmake
@@ -39,6 +39,15 @@ find_path(GCRYPT_INCLUDE_DIR
        include
 )

+find_path(GCRYPT_ERROR_INCLUDE_DIR
+    NAMES
+        gpg-error.h
+    HINTS
+        ${_GCRYPT_ROOT_HINTS_AND_PATHS}
+    PATH_SUFFIXES
+        include
+)
+
 find_library(GCRYPT_LIBRARY
    NAMES
        gcrypt
@@ -56,8 +65,10 @@ find_library(GCRYPT_ERROR_LIBRARY
        libgpg-error6-0
    HINTS
        ${_GCRYPT_ROOT_HINTS_AND_PATHS}
+    PATH_SUFFIXES
+        lib        
 )
-set(GCRYPT_LIBRARIES ${GCRYPT_LIBRARY}  ${GCRYPT_ERROR_LIBRARY})
+set(GCRYPT_LIBRARIES ${GCRYPT_ERROR_LIBRARY} ${GCRYPT_LIBRARY})

 if (GCRYPT_INCLUDE_DIR)
    file(STRINGS "${GCRYPT_INCLUDE_DIR}/gcrypt.h" _gcrypt_version_str REGEX "^#define GCRYPT_VERSION \"[0-9]+\\.[0-9]+\\.[0-9]")
@@ -83,5 +94,25 @@ else (GCRYPT_VERSION)
        GCRYPT_LIBRARIES)
 endif (GCRYPT_VERSION)

-# show the GCRYPT_INCLUDE_DIRS and GCRYPT_LIBRARIES variables only in the advanced view
-mark_as_advanced(GCRYPT_INCLUDE_DIR GCRYPT_LIBRARIES)
+# show the GCRYPT_INCLUDE_DIRS, GCRYPT_LIBRARIES and GCRYPT_ERROR_INCLUDE_DIR variables only in the advanced view
+mark_as_advanced(GCRYPT_INCLUDE_DIR GCRYPT_ERROR_INCLUDE_DIR GCRYPT_LIBRARIES)
+
+if(GCRYPT_FOUND)
+  if(NOT TARGET libgcrypt::libgcrypt)
+      add_library(libgcrypt::libgcrypt UNKNOWN IMPORTED)
+      set_target_properties(libgcrypt::libgcrypt PROPERTIES
+                            INTERFACE_INCLUDE_DIRECTORIES "${GCRYPT_INCLUDE_DIR}"
+                            INTERFACE_LINK_LIBRARIES libgcrypt::libgcrypt
+                            IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+                            IMPORTED_LOCATION "${GCRYPT_LIBRARY}")
+  endif()
+  
+  if(NOT TARGET libgpg-error::libgpg-error)
+      add_library(libgpg-error::libgpg-error UNKNOWN IMPORTED)
+      set_target_properties(libgpg-error::libgpg-error PROPERTIES
+                            INTERFACE_INCLUDE_DIRECTORIES "${GCRYPT_ERROR_INCLUDE_DIR}"
+                            INTERFACE_LINK_LIBRARIES libgpg-error::libgpg-error
+                            IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+                            IMPORTED_LOCATION "${GCRYPT_ERROR_LIBRARY}")
+  endif()
+endif()
--- a/cmake/Modules/FindGSSAPI.cmake
+++ b/cmake/Modules/FindGSSAPI.cmake
@@ -5,12 +5,14 @@
 #  GSSAPI_ROOT_DIR - Set this variable to the root installation of GSSAPI
 #
 # Read-Only variables:
-#  GSSAPI_FLAVOR_MIT - set to TURE if MIT Kerberos has been found
+#  GSSAPI_FLAVOR_MIT - set to TRUE if MIT Kerberos has been found
 #  GSSAPI_FLAVOR_HEIMDAL - set to TRUE if Heimdal Keberos has been found
 #  GSSAPI_FOUND - system has GSSAPI
 #  GSSAPI_INCLUDE_DIR - the GSSAPI include directory
 #  GSSAPI_LIBRARIES - Link these to use GSSAPI
 #  GSSAPI_DEFINITIONS - Compiler switches required for using GSSAPI
+#  GSSAPI_PC_REQUIRES - pkg-config module name if found, needed for
+#                       Requires.private for static linking
 #
 #=============================================================================
 #  Copyright (c) 2013 Andreas Schneider <asn@cryptomilk.org>
@@ -24,12 +26,23 @@
 #=============================================================================
 #

+set(_mit_modname "mit-krb5-gssapi")
+set(_heimdal_modname "heimdal-gssapi")
+
+if(NOT _GSSAPI_ROOT_HINTS AND NOT _GSSAPI_ROOT_PATHS)
+    find_package(PkgConfig QUIET)
+    if (PKG_CONFIG_FOUND)
+        pkg_search_module(_GSSAPI ${_mit_modname} ${_heimdal_modname})
+    endif()
+endif()
+
 find_path(GSSAPI_ROOT_DIR
    NAMES
        include/gssapi.h
        include/gssapi/gssapi.h
    HINTS
        ${_GSSAPI_ROOT_HINTS}
+        "${_GSSAPI_INCLUDEDIR}"
    PATHS
        ${_GSSAPI_ROOT_PATHS}
 )
@@ -317,9 +330,15 @@ endif (GSSAPI_FLAVOR_HEIMDAL)
 include(FindPackageHandleStandardArgs)
 find_package_handle_standard_args(GSSAPI DEFAULT_MSG GSSAPI_LIBRARIES GSSAPI_INCLUDE_DIR)

-if (GSSAPI_INCLUDE_DIRS AND GSSAPI_LIBRARIES)
-    set(GSSAPI_FOUND TRUE)
-endif (GSSAPI_INCLUDE_DIRS AND GSSAPI_LIBRARIES)
+if(GSSAPI_FOUND)
+    if(_GSSAPI_FOUND) # via pkg-config
+        if (GSSAPI_FLAVOR_MIT)
+            set(GSSAPI_PC_REQUIRES ${_mit_modname})
+        elseif (GSSAPI_FLAVOR_HEIMDAL)
+            set(GSSAPI_PC_REQUIRES ${_heimdal_modname})
+        endif()
+    endif()
+endif()

-# show the GSSAPI_INCLUDE_DIRS and GSSAPI_LIBRARIES variables only in the advanced view
-mark_as_advanced(GSSAPI_INCLUDE_DIRS GSSAPI_LIBRARIES)
+# show the GSSAPI_INCLUDE_DIR and GSSAPI_LIBRARIES variables only in the advanced view
+mark_as_advanced(GSSAPI_INCLUDE_DIR GSSAPI_LIBRARIES)
--- a/cmake/Modules/FindMbedTLS.cmake
+++ b/cmake/Modules/FindMbedTLS.cmake
@@ -34,7 +34,7 @@ set(_MBEDTLS_ROOT_HINTS_AND_PATHS

 find_path(MBEDTLS_INCLUDE_DIR
    NAMES
-        mbedtls/config.h
+        mbedtls/ssl.h
    HINTS
        ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
    PATH_SUFFIXES
@@ -72,13 +72,23 @@ find_library(MBEDTLS_X509_LIBRARY
 set(MBEDTLS_LIBRARIES ${MBEDTLS_SSL_LIBRARY} ${MBEDTLS_CRYPTO_LIBRARY}
        ${MBEDTLS_X509_LIBRARY})

+# mbedtls 2.8
 if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
    file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _mbedtls_version_str REGEX
            "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")

-    string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*"
+    string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+\\.[0-9]+\\.[0-9]+).*$"
            "\\1" MBEDTLS_VERSION "${_mbedtls_version_str}")
-endif ()
+endif()
+
+# mbedtls 3.6
+if (NOT MBEDTLS_VERSION AND MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+    file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" _mbedtls_version_str REGEX
+            "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
+
+    string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+\\.[0-9]+\\.[0-9]+).*$"
+            "\\1" MBEDTLS_VERSION "${_mbedtls_version_str}")
+endif()

 include(FindPackageHandleStandardArgs)
 if (MBEDTLS_VERSION)
@@ -93,8 +103,8 @@ if (MBEDTLS_VERSION)
            in the system variable MBEDTLS_ROOT_DIR"
    )
 else (MBEDTLS_VERSION)
-    find_package_handle_standard_args(MBedTLS
-        "Could NOT find mbedTLS, try to set the path to mbedLS root folder in
+    find_package_handle_standard_args(MbedTLS
+        "Could NOT find mbedTLS, try to set the path to mbedTLS root folder in
        the system variable MBEDTLS_ROOT_DIR"
        MBEDTLS_INCLUDE_DIR
        MBEDTLS_LIBRARIES)
@@ -102,3 +112,32 @@ endif (MBEDTLS_VERSION)

 # show the MBEDTLS_INCLUDE_DIRS and MBEDTLS_LIBRARIES variables only in the advanced view
 mark_as_advanced(MBEDTLS_INCLUDE_DIR MBEDTLS_LIBRARIES)
+
+if(MBEDTLS_FOUND)
+  if(NOT TARGET MbedTLS::mbedcrypto)
+      add_library(MbedTLS::mbedcrypto UNKNOWN IMPORTED)
+      set_target_properties(MbedTLS::mbedcrypto PROPERTIES
+                            INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INCLUDE_DIR}"
+                            INTERFACE_LINK_LIBRARIES MbedTLS::mbedcrypto
+                            IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+                            IMPORTED_LOCATION "${MBEDTLS_CRYPTO_LIBRARY}")
+  endif()
+
+  if(NOT TARGET MbedTLS::mbedx509)
+      add_library(MbedTLS::mbedx509 UNKNOWN IMPORTED)
+      set_target_properties(MbedTLS::mbedx509 PROPERTIES
+                            INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INCLUDE_DIR}"
+                            INTERFACE_LINK_LIBRARIES MbedTLS::mbedx509
+                            IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+                            IMPORTED_LOCATION "${MBEDTLS_X509_LIBRARY}")
+  endif()
+
+  if(NOT TARGET MbedTLS::mbedtls)
+      add_library(MbedTLS::mbedtls UNKNOWN IMPORTED)
+      set_target_properties(MbedTLS::mbedtls PROPERTIES
+                            INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INCLUDE_DIR}"
+                            INTERFACE_LINK_LIBRARIES MbedTLS::mbedtls
+                            IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+                            IMPORTED_LOCATION "${MBEDTLS_LIBRARY}")
+  endif()
+endif()
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -9,9 +9,11 @@
 #cmakedefine SOURCEDIR "${SOURCEDIR}"

 /* Global bind configuration file path */
+#cmakedefine USR_GLOBAL_BIND_CONFIG "${USR_GLOBAL_BIND_CONFIG}"
 #cmakedefine GLOBAL_BIND_CONFIG "${GLOBAL_BIND_CONFIG}"

 /* Global client configuration file path */
+#cmakedefine USR_GLOBAL_CLIENT_CONFIG "${USR_GLOBAL_CLIENT_CONFIG}"
 #cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"

 /************************** HEADER FILES *************************/
@@ -58,15 +60,15 @@
 /* Define to 1 if you have the <stdint.h> header file. */
 #cmakedefine HAVE_STDINT_H 1

+/* Define to 1 if you have the <ifaddrs.h> header file. */
+#cmakedefine HAVE_IFADDRS_H 1
+
 /* Define to 1 if you have the <openssl/aes.h> header file. */
 #cmakedefine HAVE_OPENSSL_AES_H 1

 /* Define to 1 if you have the <wspiapi.h> header file. */
 #cmakedefine HAVE_WSPIAPI_H 1

-/* Define to 1 if you have the <openssl/blowfish.h> header file. */
-#cmakedefine HAVE_OPENSSL_BLOWFISH_H 1
-
 /* Define to 1 if you have the <openssl/des.h> header file. */
 #cmakedefine HAVE_OPENSSL_DES_H 1

@@ -82,53 +84,38 @@
 /* Define to 1 if you have the <pthread.h> header file. */
 #cmakedefine HAVE_PTHREAD_H 1

-/* Define to 1 if you have eliptic curve cryptography in openssl */
+/* Define to 1 if you have elliptic curve cryptography in openssl */
 #cmakedefine HAVE_OPENSSL_ECC 1

-/* Define to 1 if you have eliptic curve cryptography in gcrypt */
+/* Define to 1 if mbedTLS supports curve25519 */
+#cmakedefine HAVE_MBEDTLS_CURVE25519 1
+
+/* Define to 1 if you have elliptic curve cryptography in gcrypt */
 #cmakedefine HAVE_GCRYPT_ECC 1

-/* Define to 1 if you have eliptic curve cryptography */
+/* Define to 1 if you have elliptic curve cryptography */
 #cmakedefine HAVE_ECC 1

-/* Define to 1 if you have DSA */
-#cmakedefine HAVE_DSA 1
-
-/* Define to 1 if you have gl_flags as a glob_t sturct member */
+/* Define to 1 if you have gl_flags as a glob_t struct member */
 #cmakedefine HAVE_GLOB_GL_FLAGS_MEMBER 1

-/* Define to 1 if you have OpenSSL with Ed25519 support */
-#cmakedefine HAVE_OPENSSL_ED25519 1
-
-/* Define to 1 if you have OpenSSL with X25519 support */
-#cmakedefine HAVE_OPENSSL_X25519 1
-
-/* Define to 1 if you have OpenSSL with Poly1305 support */
-#cmakedefine HAVE_OPENSSL_EVP_POLY1305 1
-
 /* Define to 1 if you have gcrypt with ChaCha20/Poly1305 support */
 #cmakedefine HAVE_GCRYPT_CHACHA_POLY 1

+/* Define to 1 if you have gcrypt with curve25519 support */
+#cmakedefine HAVE_GCRYPT_CURVE25519
+
 /*************************** FUNCTIONS ***************************/

 /* Define to 1 if you have the `EVP_chacha20' function. */
 #cmakedefine HAVE_OPENSSL_EVP_CHACHA20 1

-/* Define to 1 if you have the `EVP_KDF_CTX_new_id' function. */
-#cmakedefine HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID 1
+/* Define to 1 if you have the `EVP_KDF_CTX_new_id' or `EVP_KDF_CTX_new` function. */
+#cmakedefine HAVE_OPENSSL_EVP_KDF_CTX 1

 /* Define to 1 if you have the `FIPS_mode' function. */
 #cmakedefine HAVE_OPENSSL_FIPS_MODE 1

-/* Define to 1 if you have the `EVP_DigestSign' function. */
-#cmakedefine HAVE_OPENSSL_EVP_DIGESTSIGN 1
-
-/* Define to 1 if you have the `EVP_DigestVerify' function. */
-#cmakedefine HAVE_OPENSSL_EVP_DIGESTVERIFY 1
-
-/* Define to 1 if you have the `OPENSSL_ia32cap_loc' function. */
-#cmakedefine HAVE_OPENSSL_IA32CAP_LOC 1
-
 /* Define to 1 if you have the `snprintf' function. */
 #cmakedefine HAVE_SNPRINTF 1

@@ -201,6 +188,9 @@
 /* Define to 1 if you have the `cmocka_set_test_filter' function. */
 #cmakedefine HAVE_CMOCKA_SET_TEST_FILTER 1

+/* Define to 1 if we have support for blowfish */
+#cmakedefine HAVE_BLOWFISH 1
+
 /*************************** LIBRARIES ***************************/

 /* Define to 1 if you have the `crypto' library (-lcrypto). */
@@ -225,6 +215,7 @@

 #cmakedefine HAVE_FALLTHROUGH_ATTRIBUTE 1
 #cmakedefine HAVE_UNUSED_ATTRIBUTE 1
+#cmakedefine HAVE_WEAK_ATTRIBUTE 1

 #cmakedefine HAVE_CONSTRUCTOR_ATTRIBUTE 1
 #cmakedefine HAVE_DESTRUCTOR_ATTRIBUTE 1
@@ -251,9 +242,14 @@
 /* Define to 1 if you want to enable DH group exchange algorithms */
 #cmakedefine WITH_GEX 1

-/* Define to 1 if you want to enable none cipher and MAC */
+/* Define to 1 if you want to enable insecure none cipher and MAC */
 #cmakedefine WITH_INSECURE_NONE 1

+/* Define to 1 if you want to allow libssh to execute arbitrary commands from
+ * configuration files or options (match exec, proxy commands and OpenSSH-based
+ * proxy-jumps). */
+#cmakedefine WITH_EXEC 1
+
 /* Define to 1 if you want to enable blowfish cipher support */
 #cmakedefine WITH_BLOWFISH_CIPHER 1

@@ -275,6 +271,9 @@
 /* Define to 1 if you want to enable PKCS #11 URI support */
 #cmakedefine WITH_PKCS11_URI 1

+/* Define to 1 if we want to build a support for PKCS #11 provider. */
+#cmakedefine WITH_PKCS11_PROVIDER 1
+
 /*************************** ENDIAN *****************************/

 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -14,11 +14,13 @@ if (DOXYGEN_FOUND)
    set(DOXYGEN_OPTIMIZE_OUTPUT_FOR_C YES)
    set(DOXYGEN_MARKDOWN_SUPPORT YES)
    set(DOXYGEN_FULL_PATH_NAMES NO)
+    set(DOXYGEN_GENERATE_TAGFILE "tags.xml")

    set(DOXYGEN_PREDEFINED DOXYGEN
                           WITH_SERVER
                           WITH_SFTP
-                           PRINTF_ATTRIBUTE(x,y))
+                           PRINTF_ATTRIBUTE\(x,y\))
+    set(DOXYGEN_DOT_GRAPH_MAX_NODES 100)

    set(DOXYGEN_EXCLUDE ${CMAKE_CURRENT_SOURCE_DIR}/that_style)
    set(DOXYGEN_HTML_HEADER ${CMAKE_CURRENT_SOURCE_DIR}/that_style/header.html)
@@ -34,6 +36,44 @@ if (DOXYGEN_FOUND)
                                 ${CMAKE_CURRENT_SOURCE_DIR}/that_style/img/folderclosed.svg
                                 ${CMAKE_CURRENT_SOURCE_DIR}/that_style/img/folderopen.svg
                                 ${CMAKE_CURRENT_SOURCE_DIR}/that_style/js/striped_bg.js)
+     set(DOXYGEN_EXCLUDE_PATTERNS */src/external/* fe25519.h ge25519.h sc25519.h
+                                  blf.h)
+     set(DOXYGEN_EXCLUDE_SYMBOLS_STRUCTS chacha20_poly1305_keysched,dh_ctx,dh_ctx,dh_keypair,error_struct,
+                                         packet_struct,pem_get_password_struct,ssh_tokens_st,
+                                         sftp_attributes_struct,sftp_client_message_struct,
+                                         sftp_dir_struct,sftp_ext_struct,sftp_file_struct,sftp_message_struct,
+                                         sftp_packet_struct,sftp_request_queue_struct,sftp_session_struct,
+                                         sftp_status_message_struct,ssh_agent_state_struct,
+                                         ssh_agent_struct,ssh_auth_auto_state_struct,ssh_auth_request,
+                                         ssh_bind_config_keyword_table_s,ssh_bind_config_match_keyword_table_s,
+                                         ssh_bind_struct,ssh_buffer_struct,ssh_channel_callbacks_struct,
+                                         ssh_channel_read_termination_struct,ssh_channel_request,
+                                         ssh_channel_request_open,ssh_channel_struct,ssh_cipher_struct,
+                                         ssh_common_struct,ssh_config_keyword_table_s,
+                                         ssh_config_match_keyword_table_s,ssh_connector_struct,
+                                         ssh_counter_struct,ssh_crypto_struct,ssh_event_fd_wrapper,
+                                         ssh_event_struct,ssh_global_request,ssh_gssapi_struct,ssh_hmac_struct,
+                                         ssh_iterator,ssh_kbdint_struct,ssh_kex_struct,ssh_key_struct,
+                                         ssh_knownhosts_entry,ssh_list,ssh_mac_ctx_struct,ssh_message_struct,
+                                         ssh_packet_callbacks_struct,ssh_packet_header,ssh_poll_ctx_struct,
+                                         ssh_poll_handle_struct,ssh_pollfd_struct,ssh_private_key_struct,
+                                         ssh_public_key_struct,ssh_scp_struct,ssh_service_request,
+                                         ssh_session_struct,ssh_signature_struct,ssh_socket_struct,
+                                         ssh_string_struct,ssh_threads_callbacks_struct,ssh_timestamp,)
+     set(DOXYGEN_EXCLUDE_SYMBOLS_MACRO SSH_FXP*,SSH_SOCKET*,SERVERBANNER,SOCKOPT_TYPE_ARG4,SSH_FILEXFER*,
+                                       SSH_FXF*,SSH_S_*,SFTP_*,NSS_BUFLEN_PASSWD,CLOCK,MAX_LINE_SIZE,
+                                       PKCS11_URI,KNOWNHOSTS_MAXTYPES,)
+     set(DOXYGEN_EXCLUDE_SYMBOLS_TYPEDEFS sftp_attributes,sftp_client_message,sftp_dir,sftp_ext,sftp_file,
+                                          sftp_message,sftp_packet,sftp_request_queue,sftp_session,
+                                          sftp_status_message,sftp_statvfs_t,poll_fn,ssh_callback_int,
+                                          ssh_callback_data,ssh_callback_int_int,ssh_message_callback,
+                                          ssh_channel_callback_int,ssh_channel_callback_data,ssh_callbacks,
+                                          ssh_gssapi_select_oid_callback,ssh_gssapi_accept_sec_ctx_callback,
+                                          ssh_gssapi_verify_mic_callback,ssh_server_callbacks,ssh_socket_callbacks,
+                                          ssh_packet_callbacks,ssh_channel_callbacks,ssh_bind,ssh_bind_callbacks,)
+     set(DOXYGEN_EXCLUDE_SYMBOLS ${DOXYGEN_EXCLUDE_SYMBOLS_STRUCTS}
+                                 ${DOXYGEN_EXCLUDE_SYMBOLS_MACRO}
+                                 ${DOXYGEN_EXCLUDE_SYMBOLS_TYPEDEFS})

    # This updates the Doxyfile if we do changes here
    set(_doxyfile_template "${CMAKE_BINARY_DIR}/CMakeDoxyfile.in")
@@ -44,6 +84,8 @@ if (DOXYGEN_FOUND)
                     ${CMAKE_SOURCE_DIR}/include/libssh
                     ${CMAKE_SOURCE_DIR}/src
                     ${CMAKE_CURRENT_SOURCE_DIR})
+
+    add_custom_target(docs_coverage COMMAND ${CMAKE_SOURCE_DIR}/doc/doc_coverage.sh ${CMAKE_BINARY_DIR})
 endif() # DOXYGEN_FOUND

 endif() # CMAKE_VERSION
--- a/doc/authentication.dox
+++ b/doc/authentication.dox
@@ -105,7 +105,7 @@ Here is a small example of password authentication:
@code
 int authenticate_password(ssh_session session)
 {
-  char *password;
+  char *password = NULL;
  int rc;

  password = getpass("Enter your password: ");
@@ -218,7 +218,7 @@ int authenticate_kbdint(ssh_session session)
  rc = ssh_userauth_kbdint(session, NULL, NULL);
  while (rc == SSH_AUTH_INFO)
  {
-    const char *name, *instruction;
+    const char *name = NULL, *instruction = NULL;
    int nprompts, iprompt;

    name = ssh_userauth_kbdint_getname(session);
@@ -231,7 +231,7 @@ int authenticate_kbdint(ssh_session session)
      printf("%s\n", instruction);
    for (iprompt = 0; iprompt < nprompts; iprompt++)
    {
-      const char *prompt;
+      const char *prompt = NULL;
      char echo;

      prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo);
@@ -251,7 +251,7 @@ int authenticate_kbdint(ssh_session session)
      }
      else
      {
-        char *ptr;
+        char *ptr = NULL;

        ptr = getpass(prompt);
        if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0)
@@ -354,7 +354,7 @@ The following example shows how to retrieve and dispose the issue banner:
 int display_banner(ssh_session session)
 {
  int rc;
-  char *banner;
+  char *banner = NULL;

 /*
 *** Does not work without calling ssh_userauth_none() first ***
--- a/doc/command.dox
+++ b/doc/command.dox
@@ -22,7 +22,7 @@ a SSH session that uses this channel:
@code
 int show_remote_files(ssh_session session)
 {
-  ssh_channel channel;
+  ssh_channel channel = NULL;
  int rc;

  channel = ssh_channel_new(session);
@@ -91,4 +91,10 @@ that it used:
 }
@endcode

+Warning: In a single channel, only ONE command can be executed!
+If you want to executed multiple commands, allocate separate channels for
+them or consider opening interactive shell.
+Attempting to run multiple consecutive commands in one channel will fail.
+
+
 */
--- a/doc/curve25519-sha256@libssh.org.txt
+++ b/doc/curve25519-sha256@libssh.org.txt
@@ -3,13 +3,13 @@ curve25519-sha256@libssh.org.txt        Aris Adamantiadis <aris@badcode.be>

 1. Introduction

-This document describes the key exchange methode curve25519-sha256@libssh.org
+This document describes the key exchange method curve25519-sha256@libssh.org
 for SSH version 2 protocol. It is provided as an alternative to the existing
 key exchange mechanisms based on either Diffie-Hellman or Elliptic Curve Diffie-
 Hellman [RFC5656].
 The reason is the following : During summer of 2013, revelations from ex-
 consultant at NSA Edward Snowden gave proof that NSA willingly inserts backdoors
-into softwares, hardware components and published standards. While it is still
+into software, hardware components and published standards. While it is still
 believed that the mathematics behind ECC cryptography are still sound and solid,
 some people (including Bruce Schneier [SCHNEIER]), showed their lack of confidence
 in NIST-published curves such as nistp256, nistp384, nistp521, for which constant
@@ -42,8 +42,8 @@ The following is an overview of the key exchange process:
 Client                                                            Server
 ------                                                            ------
 Generate ephemeral key pair.
-SSH_MSG_KEX_ECDH_INIT          -------->                      
-                                            Verify that client public key 
+SSH_MSG_KEX_ECDH_INIT          -------->
+                                            Verify that client public key
                                            length is 32 bytes.
                                             Generate ephemeral key pair.
                                                   Compute shared secret.
@@ -55,7 +55,7 @@ Compute shared secret.
 Generate exchange hash.
 Verify server's signature.

-*   Optional but strongly recommanded as this protects against MITM attacks.
+*   Optional but strongly recommended as this protects against MITM attacks.

 This is implemented using the same messages as described in RFC5656 chapter 4

@@ -109,7 +109,7 @@ This number is calculated using the following procedure:
     side's public key and the local private key scalar.

     The whole 32 bytes of the number X are then converted into a big integer k.
-     This conversion follows the network byte order. This step differs from 
+     This conversion follows the network byte order. This step differs from
     RFC5656.

 [RFC5656]    https://tools.ietf.org/html/rfc5656
--- a/doc/doc_coverage.sh
+++ b/doc/doc_coverage.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+################################################################################
+# .doc_coverage.sh                                                             #
+# Script to detect overall documentation coverage of libssh. The script uses   #
+# doxygen to generate the documentation then parses it's output.               #
+#                                                                              #
+# maintainer: Norbert Pocs <npocs@redhat.com>                                  #
+################################################################################
+BUILD_DIR="$1"
+DOXYFILE_PATH="$BUILD_DIR/doc/Doxyfile.docs"
+INDEX_XML_PATH="$BUILD_DIR/doc/xml/index.xml"
+# filters
+F_EXCLUDE_FILES=' wrapper.h legacy.h crypto.h priv.h chacha.h curve25519.h '
+F_UNDOC_FUNC='(function).*is not documented'
+F_FUNC='kind="function"'
+F_HEADERS='libssh_8h_|group__libssh__'
+F_CUT_BEFORE='.*<name>'
+F_CUT_AFTER='<\/name><\/member>'
+# Doxygen options
+O_QUIET='QUIET=YES'
+O_GEN_XML='GENERATE_XML=YES'
+
+# check if build dir given
+if [ $# -eq 0 ]; then
+  echo "Please provide the build directory e.g.: ./build"
+  exit 255
+fi
+
+# modify doxyfile to our needs:
+# QUIET - less output
+# GENERATE_XML - xml needed to inspect all the functions
+# (note: the options are needed to be on separate lines)
+# We want to exclude irrelevant files
+MOD_DOXYFILE=$(cat "$DOXYFILE_PATH"; echo "$O_QUIET"; echo "$O_GEN_XML")
+MOD_DOXYFILE=${MOD_DOXYFILE//EXCLUDE_PATTERNS.*=/EXCLUDE_PATTERNS=$F_EXCLUDE_FILES/g}
+
+# call doxygen to get the warning messages
+# and also generate the xml for inspection
+DOXY_WARNINGS=$(echo "$MOD_DOXYFILE" | doxygen - 2>&1)
+
+# get the number of undocumented functions
+UNDOC_FUNC=$(echo "$DOXY_WARNINGS" | grep -cE "$F_UNDOC_FUNC")
+
+# filter out the lines consisting of functions of our interest
+FUNC_LINES=$(grep "$F_FUNC" "$INDEX_XML_PATH" | grep -E "$F_HEADERS")
+# cut the irrelevant information and leave just the function names
+ALL_FUNC=$(echo "$FUNC_LINES" | sed -e "s/$F_CUT_BEFORE//g" -e "s/$F_CUT_AFTER//")
+# remove duplicates and get the number of functions
+ALL_FUNC=$(echo "$ALL_FUNC" | sort - | uniq | wc -l)
+
+# percentage of the documented functions
+awk "BEGIN {printf \"Documentation coverage is %.2f%\n\", 100 - (${UNDOC_FUNC}/${ALL_FUNC}*100)}"
--- a/doc/forwarding.dox
+++ b/doc/forwarding.dox
@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server.
@code
 int direct_forwarding(ssh_session session)
 {
-  ssh_channel forwarding_channel;
+  ssh_channel forwarding_channel = NULL;
  int rc = SSH_ERROR;
  char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n";
  int nbytes, nwritten;
@@ -161,7 +161,7 @@ local libssh application, which handles them:
 int web_server(ssh_session session)
 {
  int rc;
-  ssh_channel channel;
+  ssh_channel channel = NULL;
  char buffer[256];
  int nbytes, nwritten;
  int port = 0;
--- a/doc/guided_tour.dox
+++ b/doc/guided_tour.dox
@@ -5,7 +5,7 @@
 A SSH session goes through the following steps:

 - Before connecting to the server, you can set up if you wish one or other
-   server public key authentication, i.e. DSA or RSA. You can choose
+   server public key authentication, i.e. RSA, ED25519 or ECDSA. You can choose
   cryptographic algorithms you trust and compression algorithms if any. You
   must of course set up the hostname.

@@ -15,7 +15,7 @@ A SSH session goes through the following steps:
   file.

 - The client must authenticate: the classical ways are password, or
-   public keys (from dsa and rsa key-pairs generated by openssh).
+   public keys (from ecdsa, ed25519 and rsa key-pairs generated by openssh).
   If a SSH agent is running, it is possible to use it.

 - Now that the user has been authenticated, you must open one or several
@@ -79,7 +79,7 @@ Here is a small example of how to use it:

 int main()
 {
-  ssh_session my_ssh_session;
+  ssh_session my_ssh_session = NULL;
  int verbosity = SSH_LOG_PROTOCOL;
  int port = 22;

@@ -126,7 +126,7 @@ Here's an example:

 int main()
 {
-  ssh_session my_ssh_session;
+  ssh_session my_ssh_session = NULL;
  int rc;

  my_ssh_session = ssh_new();
@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session)
    ssh_key srv_pubkey = NULL;
    size_t hlen;
    char buf[10];
-    char *hexa;
-    char *p;
+    char *hexa = NULL;
+    char *p = NULL;
    int cmp;
    int rc;

@@ -317,9 +317,9 @@ The example below shows an authentication with password:

 int main()
 {
-  ssh_session my_ssh_session;
+  ssh_session my_ssh_session = NULL;
  int rc;
-  char *password;
+  char *password = NULL;

  // Open session and set options
  my_ssh_session = ssh_new();
@@ -380,7 +380,7 @@ The example below shows how to execute a remote command:
@code
 int show_remote_processes(ssh_session session)
 {
-  ssh_channel channel;
+  ssh_channel channel = NULL;
  int rc;
  char buffer[256];
  int nbytes;
--- a/doc/introduction.dox
+++ b/doc/introduction.dox
@@ -14,8 +14,8 @@ libssh is a Free Software / Open Source project. The libssh library
 is distributed under LGPL license. The libssh project has nothing to do with
 "libssh2", which is a completely different and independent project.

-libssh can run on top of either libgcrypt or libcrypto,
-two general-purpose cryptographic libraries.
+libssh can run on top of either libcrypto, mbedtls or libgcrypt (deprecated)
+general-purpose cryptographic libraries.

 This tutorial concentrates for its main part on the "client" side of libssh.
 To learn how to accept incoming SSH connections (how to write a SSH server),
@@ -44,6 +44,10 @@ Table of contents:

@subpage libssh_tutor_threads

+@subpage libssh_tutor_pkcs11
+
+@subpage libssh_tutor_sftp_aio
+
@subpage libssh_tutor_todo

 */
--- a/doc/mainpage.dox
+++ b/doc/mainpage.dox
@@ -19,8 +19,8 @@ the interesting functions as you go.

 The libssh library provides:

- - <strong>Key Exchange Methods</strong>: <i>curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521</i>, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
- - <strong>Public Key Algorithms</strong>: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa, rsa-sha2-512, rsa-sha2-256,ssh-dss
+ - <strong>Key Exchange Methods</strong>: <i>sntrup761x25519-sha512@openssh.com, curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521</i>, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
+ - <strong>Public Key Algorithms</strong>: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa, rsa-sha2-512, rsa-sha2-256
 - <strong>Ciphers</strong>: <i>aes256-ctr, aes192-ctr, aes128-ctr</i>, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc
 - <strong>Compression Schemes</strong>: zlib, <i>zlib@openssh.com</i>, none
 - <strong>MAC hashes</strong>: hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-md5
@@ -33,7 +33,7 @@ The libssh library provides:
 - <strong>Thread-safe</strong>: Just don't share sessions
 - <strong>Non-blocking</strong>: it can be used both blocking and non-blocking
 - <strong>Your sockets</strong>: the app hands over the socket, or uses libssh sockets
- - <b>OpenSSL</b> or <b>gcrypt</b>: builds with either
+ - <b>OpenSSL</b>, <b>MBedTLS</b> or <b>gcrypt</b> (deprecated): builds with either

@section main-additional-features Additional Features

@@ -149,7 +149,7 @@ The libssh Team

@subsection main-rfc-secsh Secure Shell (SSH)

-The following RFC documents described SSH-2 protcol as an Internet standard.
+The following RFC documents described SSH-2 protocol as an Internet standard.

 - <a href="https://tools.ietf.org/html/rfc4250" target="_blank">RFC 4250</a>,
    The Secure Shell (SSH) Protocol Assigned Numbers
@@ -213,15 +213,15 @@ It was later modified and expanded by the following RFCs.
    Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol
 - <a href="https://tools.ietf.org/html/rfc8709" target="_blank">RFC 8709</a>,
    Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol
+ - <a href="https://tools.ietf.org/html/rfc8709" target="_blank">RFC 8731</a>,
+    Secure Shell (SSH) Key Exchange Method Using Curve25519 and Curve448
+ - <a href="https://tools.ietf.org/html/rfc9142" target="_blank">RFC 9142</a>,
+    Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)

 There are also drafts that are being currently developed and followed.

- - <a href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-kex-sha2-10" target="_blank">draft-ietf-curdle-ssh-kex-sha2-10</a>
-    Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)
- - <a href="https://tools.ietf.org/html/draft-miller-ssh-agent-03" target="_blank">draft-miller-ssh-agent-03</a>
+ - <a href="https://tools.ietf.org/html/draft-miller-ssh-agent-03" target="_blank">draft-miller-ssh-agent-08</a>
    SSH Agent Protocol
- - <a href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-12" target="_blank">draft-ietf-curdle-ssh-curves-12</a>
-    Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448

 Interesting cryptography documents:

--- a/doc/pkcs11.dox
+++ b/doc/pkcs11.dox
@@ -9,11 +9,11 @@ objects stored on the tokens can be uniquely identified is called PKCS #11 URI
 (Uniform Resource Identifier) and is defined in RFC 7512
 (https://tools.ietf.org/html/rfc7512).

-Pre-requisites:
+# Pre-requisites (OpenSSL < 3.0):

-OpenSSL defines an abstract layer called the "engine" to achieve cryptographic
-acceleration. The engine_pkcs11 module acts like an interface between the PKCS #11
-modules and the OpenSSL engine.
+OpenSSL 1.x defines an abstract layer called the "engine" to achieve
+cryptographic acceleration. The engine_pkcs11 module acts like an interface
+between the PKCS #11 modules and the OpenSSL application.

 To build and use libssh with PKCS #11 support:
 1. Enable the cmake option: $ cmake -DWITH_PKCS11_URI=ON
@@ -21,6 +21,23 @@ To build and use libssh with PKCS #11 support:
 3. Install and configure engine_pkcs11 (https://github.com/OpenSC/libp11).
 4. Plug in a working smart card or configure softhsm (https://www.opendnssec.org/softhsm).

+@warning The support for Engines was deprecated in OpenSSL 3.0 so this approach
+is deprecated in libssh 0.11.x.
+
+# Pre-requisites (OpenSSL 3.0.8+)
+
+The OpenSSL 3.0 is deprecating usage of low-level engines in favor of high-level
+"providers" to provide alternative implementation of cryptographic operations
+or acceleration.
+
+To build and use libssh with PKCS #11 support using OpenSSL providers:
+1. Install and configure pkcs11 provider (https://github.com/latchset/pkcs11-provider).
+2. Enable the cmake options: $ cmake -DWITH_PKCS11_URI=ON -DWITH_PKCS11_PROVIDER=ON
+3. Build with OpenSSL.
+4. Plug in a working smart card or configure softhsm (https://www.opendnssec.org/softhsm).
+
+# New API functions
+
 The functions  ssh_pki_import_pubkey_file() and ssh_pki_import_privkey_file() that
 import the public and private keys from files respectively are now modified to support
 PKCS #11 URIs. These functions automatically detect if the provided filename is a file path
@@ -31,7 +48,7 @@ corresponding to the PKCS #11 URI are loaded from the PKCS #11 device.
 If you wish to authenticate using public keys on your own, follow the steps mentioned under
 "Authentication with public keys" in Chapter 2 - A deeper insight into authentication.

-The function pki_uri_import() is used to populate the public/private ssh_key from the 
+The function pki_uri_import() is used to populate the public/private ssh_key from the
 engine with PKCS #11 URIs as the look up.

 Here is a minimalistic example of public key authentication using PKCS #11 URIs:
@@ -64,4 +81,6 @@ We recommend the users to provide a specific PKCS #11 URI so that it matches onl
 If the engine discovers multiple slots that could potentially contain the private keys referenced
 by the provided PKCS #11 URI, the engine will not try to authenticate.

+For testing, the SoftHSM PKCS#11 library is used.
+
 */
--- a/doc/sftp.dox
+++ b/doc/sftp.dox
@@ -139,7 +139,7 @@ Unlike its equivalent in the SCP subsystem, this function does NOT change the
 current directory to the newly created subdirectory.


-@subsection sftp_write Copying a file to the remote computer
+@subsection sftp_write Writing to a file on the remote computer

 You handle the contents of a remote file just like you would do with a
 local file: you open the file in a given mode, move the file pointer in it,
@@ -203,16 +203,14 @@ int sftp_helloworld(ssh_session session, sftp_session sftp)

@subsection sftp_read Reading a file from the remote computer

-The nice thing with reading a file over the network through SFTP is that it
-can be done both in a synchronous way or an asynchronous way. If you read the file
-asynchronously, your program can do something else while it waits for the
-results to come.
-
-Synchronous read is done with sftp_read().
+A synchronous read from a remote file is done using sftp_read(). This
+section describes how to download a remote file using sftp_read(). The
+next section will discuss more about synchronous/asynchronous read/write
+operations using libssh sftp API.

 Files are normally transferred in chunks. A good chunk size is 16 KB. The following
 example transfers the remote file "/etc/profile" in 16 KB chunks. For each chunk we
-request, sftp_read blocks till the data has been received:
+request, sftp_read() blocks till the data has been received:

@code
 // Good chunk size
@@ -273,87 +271,39 @@ int sftp_read_sync(ssh_session session, sftp_session sftp)
 }
@endcode

-Asynchronous read is done in two steps, first sftp_async_read_begin(), which
-returns a "request handle", and then sftp_async_read(), which uses that request handle.
-If the file has been opened in nonblocking mode, then sftp_async_read()
-might return SSH_AGAIN, which means that the request hasn't completed yet
-and that the function should be called again later on. Otherwise,
-sftp_async_read() waits for the data to come. To open a file in nonblocking mode,
-call sftp_file_set_nonblocking() right after you opened it. Default is blocking mode.
+@subsection sftp_aio Performing an asynchronous read/write on a file on the remote computer

-The example below reads a very big file in asynchronous, nonblocking, mode. Each
-time the data is not ready yet, a counter is incremented.
+sftp_read() performs a "synchronous" read operation on a remote file.
+This means that sftp_read() will first request the server to read some
+data from the remote file and then would wait until the server response
+containing data to read (or an error) arrives at the client side.

-@code
-// Good chunk size
-#define MAX_XFER_BUF_SIZE 16384
+sftp_write() performs a "synchronous" write operation on a remote file.
+This means that sftp_write() will first request the server to write some
+data to the remote file and then would wait until the server response
+containing information about the status of the write operation arrives at the
+client side.

-int sftp_read_async(ssh_session session, sftp_session sftp)
-{
-  int access_type;
-  sftp_file file;
-  char buffer[MAX_XFER_BUF_SIZE];
-  int async_request;
-  int nbytes;
-  long counter;
-  int rc;
+If your client program wants to do something other than waiting for the
+response after requesting a read/write, the synchronous sftp_read() and
+sftp_write() can't be used. In such a case the "asynchronous" sftp aio API
+should be used.

-  access_type = O_RDONLY;
-  file = sftp_open(sftp, "some_very_big_file",
-                   access_type, 0);
-  if (file == NULL) {
-    fprintf(stderr, "Can't open file for reading: %s\n",
-                     ssh_get_error(session));
-    return SSH_ERROR;
-  }
-  sftp_file_set_nonblocking(file);
+Please go through @ref libssh_tutor_sftp_aio for a detailed description
+of the sftp aio API.

-  async_request = sftp_async_read_begin(file, sizeof(buffer));
-  counter = 0L;
-  usleep(10000);
-  if (async_request >= 0) {
-    nbytes = sftp_async_read(file, buffer, sizeof(buffer),
-                             async_request);
-  } else {
-      nbytes = -1;
-  }
+The sftp aio API provides two categories of functions :
+  - sftp_aio_begin_*() : For requesting a read/write from the server.
+  - sftp_aio_wait_*() : For waiting for the response of a previously
+    issued read/write request from the server.

-  while (nbytes > 0 || nbytes == SSH_AGAIN) {
-    if (nbytes > 0) {
-      write(1, buffer, nbytes);
-      async_request = sftp_async_read_begin(file, sizeof(buffer));
-    } else {
-        counter++;
-    }
-    usleep(10000);
+Hence, the client program can call sftp_aio_begin_*() to request a read/write
+and then can perform any number of operations (other than waiting) before
+calling sftp_aio_wait_*() for waiting for the response of the previously
+issued request.

-    if (async_request >= 0) {
-      nbytes = sftp_async_read(file, buffer, sizeof(buffer),
-                               async_request);
-    } else {
-        nbytes = -1;
-    }
-  }
-
-  if (nbytes < 0) {
-    fprintf(stderr, "Error while reading file: %s\n",
-            ssh_get_error(session));
-    sftp_close(file);
-    return SSH_ERROR;
-  }
-
-  printf("The counter has reached value: %ld\n", counter);
-
-  rc = sftp_close(file);
-  if (rc != SSH_OK) {
-    fprintf(stderr, "Can't close the read file: %s\n",
-            ssh_get_error(session));
-    return rc;
-  }
-
-  return SSH_OK;
-}
-@endcode
+We call read/write operations performed in the manner described above as
+"asynchronous" read/write operations on a remote file.

@subsection sftp_ls Listing the contents of a directory

--- a/doc/sftp_aio.dox
+++ b/doc/sftp_aio.dox
@@ -0,0 +1,705 @@
+/**
+
+@page libssh_tutor_sftp_aio Chapter 10: The SFTP asynchronous I/O
+
+@section sftp_aio_api The SFTP asynchronous I/O
+
+NOTE : Please read @ref libssh_tutor_sftp before reading this page. The
+synchronous sftp_read() and sftp_write() have been described there.
+
+SFTP AIO stands for "SFTP Asynchronous Input/Output". This API contains
+functions which perform async read/write operations on remote files.
+
+File transfers performed using the asynchronous sftp aio API can be
+significantly faster than the file transfers performed using the synchronous
+sftp read/write API (see sftp_read() and sftp_write()).
+
+The sftp aio API functions are divided into two categories :
+  - sftp_aio_begin_*() [see sftp_aio_begin_read(), sftp_aio_begin_write()]:
+    These functions send a request for an i/o operation to the server and
+    provide the caller an sftp aio handle corresponding to the sent request.
+
+  - sftp_aio_wait_*() [see sftp_aio_wait_read(), sftp_aio_wait_write()]:
+    These functions wait for the server response corresponding to a previously
+    issued request. Which request ? the request corresponding to the sftp aio
+    handle supplied by the caller to these functions.
+
+Conceptually, you can think of the sftp aio handle as a request identifier.
+
+Technically, the sftp_aio_begin_*() functions dynamically allocate memory to
+store information about the i/o request they send and provide the caller a
+handle to this memory, we call this handle an sftp aio handle.
+
+sftp_aio_wait_*() functions use the information stored in that memory (handled
+by the caller supplied sftp aio handle) to identify a request, and then they
+wait for that request's response. These functions also release the memory
+handled by the caller supplied sftp aio handle (except when they return
+SSH_AGAIN).
+
+sftp_aio_free() can also be used to release the memory handled by an sftp aio
+handle but unlike the sftp_aio_wait_*() functions, it doesn't wait for a
+response. This should be used to release the memory corresponding to an sftp
+aio handle when some failure occurs. An example has been provided at the
+end of this page to show the usage of sftp_aio_free().
+
+To begin with, this tutorial will provide basic examples that describe the
+usage of sftp aio API to perform a single read/write operation.
+
+The later sections describe the usage of the sftp aio API to obtain faster file
+transfers as compared to the transfers performed using the synchronous sftp
+read/write API.
+
+On encountering an error, the sftp aio API functions set the sftp and ssh
+errors just like any other libssh sftp API function. These errors can be
+obtained using sftp_get_error(), ssh_get_error() and ssh_get_error_code().
+The code examples provided on this page ignore error handling for the sake of
+brevity.
+
+@subsection sftp_aio_read Using the sftp aio API for reading (a basic example)
+
+For performing an async read operation on a sftp file (see sftp_open()),
+the first step is to call sftp_aio_begin_read() to send a read request to the
+server. The caller is provided an sftp aio handle corresponding to the sent
+read request.
+
+The second step is to pass a pointer to this aio handle to
+sftp_aio_wait_read(), this function waits for the server response which
+indicates the success/failure of the read request. On success, the response
+indicates EOF or contains the data read from the sftp file.
+
+The following code example shows how a read operation can be performed
+on an sftp file using the sftp aio API.
+
+@code
+ssize_t read_chunk(sftp_file file, void *buf, size_t to_read)
+{
+    ssize_t bytes_requested, bytes_read;
+
+    // Variable to store an sftp aio handle
+    sftp_aio aio = NULL;
+
+    // Send a read request to the sftp server
+    bytes_requested = sftp_aio_begin_read(file, to_read, &aio);
+    if (bytes_requested == SSH_ERROR) {
+        // handle error
+    }
+
+    // Here its possible that (bytes_requested < to_read) as specified in
+    // the function documentation of sftp_aio_begin_read()
+
+    // Wait for the response of the read request corresponding to the
+    // sftp aio handle stored in the aio variable.
+    bytes_read = sftp_aio_wait_read(&aio, buf, to_read);
+    if (bytes_read == SSH_ERROR) {
+        // handle error
+    }
+
+    return bytes_read;
+}
+@endcode
+
+@subsection sftp_aio_write Using the sftp aio API for writing (a basic example)
+
+For performing an async write operation on a sftp file (see sftp_open()),
+the first step is to call sftp_aio_begin_write() to send a write request to
+the server. The caller is provided an sftp aio handle corresponding to the
+sent write request.
+
+The second step is to pass a pointer to this aio handle to
+sftp_aio_wait_write(), this function waits for the server response which
+indicates the success/failure of the write request.
+
+The following code example shows how a write operation can be performed on an
+sftp file using the sftp aio API.
+
+@code
+ssize_t write_chunk(sftp_file file, void *buf, size_t to_write)
+{
+    ssize_t bytes_requested, bytes_written;
+
+    // Variable to store an sftp aio handle
+    sftp_aio aio = NULL;
+
+    // Send a write request to the sftp server
+    bytes_requested = sftp_aio_begin_write(file, buf, to_write, &aio);
+    if (bytes_requested == SSH_ERROR) {
+        // handle error
+    }
+
+    // Here its possible that (bytes_requested < to_write) as specified in
+    // the function documentation of sftp_aio_begin_write()
+
+    // Wait for the response of the write request corresponding to
+    // the sftp aio handle stored in the aio variable.
+    bytes_written = sftp_aio_wait_write(&aio);
+    if (bytes_written == SSH_ERROR) {
+        // handle error
+    }
+
+    return bytes_written;
+}
+@endcode
+
+@subsection sftp_aio_actual_use Using the sftp aio API to speed up a transfer
+
+The above examples were provided to introduce the sftp aio API.
+This is not how the sftp aio API is intended to be used, because the
+above usage offers no advantage over the synchronous sftp read/write API
+which does the same thing i.e issue a request and then immediately wait for
+its response.
+
+The facility that the sftp aio API provides is that the user can do
+anything between issuing a request and getting the corresponding response.
+Any number of operations can be performed after calling sftp_aio_begin_*()
+[which issues a request] and before calling sftp_aio_wait_*() [which waits
+for a response]
+
+The code can leverage this feature by calling sftp_aio_begin_*() multiple times
+to issue multiple requests before calling sftp_aio_wait_*() to wait for the
+response of an earlier issued request. This approach will keep a certain number
+of requests outstanding at the client side.
+
+After issuing those requests, while the client code does something else (for
+example waiting for an outstanding request's response, processing an obtained
+response, issuing another request or any other operation the client wants
+to perform), at the same time :
+
+  - Some of those outstanding requests may be travelling over the
+    network towards the server.
+
+  - Some of the outstanding requests may have reached the server and may
+    be queued for processing at the server side.
+
+  - Some of the outstanding requests may have been processed and the
+    corresponding responses may be travelling over the network towards the
+    client.
+
+  - Some of the responses corresponding to the outstanding requests may
+    have already reached the client side.
+
+Clearly in this case, operations that the client performs and operations
+involved in transfer/processing of a outstanding request can occur in
+parallel. Also, operations involved in transfer/processing of two or more
+outstanding requests may also occur in parallel (for example when one request
+travels to the server, another request's response may be incoming towards the
+client). Such kind of parallelism makes the overall transfer faster as compared
+to a transfer performed using the synchronous sftp read/write API.
+
+When the synchronous sftp read/write API is used to perform a transfer,
+a strict sequence is followed:
+
+  - The client issues a single read/write request.
+  - Then waits for its response.
+  - On obtaining the response, the client processes it.
+  - After the processing ends, the client issues the next read/write request.
+
+A file transfer performed in this manner would be slower than the case where
+multiple read/write requests are kept outstanding at the client side. Because
+here at any given time, operations related to transfer/processing of only one
+request/response pair occurs. This is in contrast to the multiple outstanding
+requests scenario where operations related to transfer/processing of multiple
+request/response pairs may occur at the same time.
+
+Although it's true that keeping multiple requests outstanding can speed up a
+transfer, those outstanding requests come at a cost of increased memory
+consumption both at the client side and the server side. Hence care must be
+taken to use a reasonable limit for the number of requests kept outstanding.
+
+The further sections provide code examples to show how uploads/downloads
+can be performed using the sftp aio API and the concept of outstanding requests
+discussed in this section. In those code examples, error handling has been
+ignored and at some places pseudo code has been used for the sake of brevity.
+
+The complete code for performing uploads/downloads using the sftp aio API,
+can be found at https://gitlab.com/libssh/libssh-mirror/-/tree/master.
+
+  - libssh benchmarks for uploads performed using the sftp aio API [See
+    tests/benchmarks/bench_sftp.c]
+  - libssh benchmarks for downloads performed using the sftp aio API. [See
+    tests/benchmarks/bench_sftp.c]
+  - libssh sftp ft API code for performing a local to remote transfer (upload).
+    [See src/sftp_ft.c]
+  - libssh sftp ft API code for performing a remote to local transfer
+    (download). [See src/sftp_ft.c]
+
+@subsection sftp_aio_cap Capping applied by the sftp aio API
+
+Before the code examples for uploads and downloads, its important
+to know about the capping applied by the sftp aio API.
+
+sftp_aio_begin_read() caps the number of bytes the caller can request
+to read from the remote file. That cap is the value of the max_read_length
+field of the sftp_limits_t returned by sftp_limits(). Say that cap is LIM
+and the caller passes x as the number of bytes to read to
+sftp_aio_begin_read(), then (assuming no error occurs) :
+
+  - if x <= LIM, then sftp_aio_begin_read() will request the server
+    to read x bytes from the remote file, and will return x.
+
+  - if x > LIM, then sftp_aio_begin_read() will request the server
+    to read LIM bytes from the remote file and will return LIM.
+
+Hence to request server to read x bytes (> LIM), the caller would have
+to call sftp_aio_begin_read() multiple times, typically in a loop and
+break out of the loop when the summation of return values of the multiple
+sftp_aio_begin_read() calls becomes equal to x.
+
+For the sake of simplicity, the code example for download in the upcoming
+section would always ask sftp_aio_begin_read() to read x <= LIM bytes,
+so that its return value is guaranteed to be x, unless an error occurs.
+
+Similarly, sftp_aio_begin_write() caps the number of bytes the caller
+can request to write to the remote file. That cap is the value of
+max_write_length field of the sftp_limits_t returned by sftp_limits().
+Say that cap is LIM and the caller passes x as the number of bytes to
+write to sftp_aio_begin_write(), then (assuming no error occurs) :
+
+  - if x <= LIM, then sftp_aio_begin_write() will request the server
+    to write x bytes to the remote file, and will return x.
+
+  - if x > LIM, then sftp_aio_begin_write() will request the server
+    to write LIM bytes to the remote file and will return LIM.
+
+Hence to request server to write x bytes (> LIM), the caller would have
+to call sftp_aio_begin_write() multiple times, typically in a loop and
+break out of the loop when the summation of return values of the multiple
+sftp_aio_begin_write() calls becomes equal to x.
+
+For the sake of simplicity, the code example for upload in the upcoming
+section would always ask sftp_aio_begin_write() to write x <= LIM bytes,
+so that its return value is guaranteed to be x, unless an error occurs.
+
+@subsection sftp_aio_download_example Performing a download using the sftp aio API
+
+Terminologies used in the following code snippets :
+
+  - sftp : The sftp_session opened using sftp_new() and initialised using
+    sftp_init()
+
+  - file : The sftp file handle of the remote file to download data
+    from. (See sftp_open())
+
+  - file_size : the size of the sftp file to download. This size can be obtained
+    by statting the remote file to download (e.g by using sftp_stat())
+
+  - We will need to maintain a queue which will be used to store the sftp aio
+    handles corresponding to the outstanding requests.
+
+First, we issue the read requests while ensuring that their count
+doesn't exceed a particular limit decided by us, and the number of bytes
+requested don't exceed the size of the file to download.
+
+@code
+sftp_aio aio = NULL;
+
+// Chunk size to use for the transfer
+size_t chunk_size;
+
+// For the limits structure that would be used
+// by the code to set the chunk size
+sftp_limits_t lim = NULL;
+
+// Max number of requests to keep outstanding at a time
+size_t in_flight_requests = 5;
+
+// Number of bytes for which requests have been sent
+size_t total_bytes_requested = 0;
+
+// Number of bytes which have been downloaded
+size_t bytes_downloaded = 0;
+
+// Buffer to use for the download
+char *buffer = NULL;
+
+// Helper variables
+size_t to_read;
+ssize_t bytes_requested;
+
+// Get the sftp limits
+lim = sftp_limits(sftp);
+if (lim == NULL) {
+    // handle error
+}
+
+// Set the chunk size for download = the max limit for reading
+// The reason for this has been given in the "Capping applied by
+// the sftp aio API" section (Its to make the code simpler)
+//
+// Assigning a size_t type variable a uint64_t type value here,
+// theoretically could cause an overflow, but practically
+// max_read_length would never exceed SIZE_MAX so its okay.
+chunk_size = lim->max_read_length;
+
+buffer = malloc(chunk_size);
+if (buffer == NULL) {
+    // handle error
+}
+
+... // Code to open the remote file (to download) using sftp_open().
+... // Code to stat the remote file's file size.
+... // Code to open the local file in which downloaded data is to be stored.
+... // Code to initialize the queue which will be used to store sftp aio
+    // handles.
+
+for (i = 0;
+     i < in_flight_requests && total_bytes_requested < file_size;
+     ++i) {
+    to_read = file_size - total_bytes_requested;
+    if (to_read > chunk_size) {
+        to_read = chunk_size;
+    }
+
+    // Issue a read request
+    bytes_requested = sftp_aio_begin_read(file, to_read, &aio);
+    if (bytes_requested == SSH_ERROR) {
+        // handle error
+    }
+
+    if ((size_t)bytes_requested < to_read) {
+        // Should not happen for this code, as the to_read is <=
+        // max limit for reading (chunk size), so there is no reason
+        // for sftp_aio_begin_read() to return a lesser value.
+    }
+
+    total_bytes_requested += (size_t)bytes_requested;
+
+    // Pseudo code
+    ENQUEUE aio in the queue;
+}
+
+@endcode
+
+At this point, at max in_flight_requests number of requests may be
+outstanding. Now we wait for the response corresponding to the earliest
+issued outstanding request.
+
+On getting that response, we issue another read request if there are
+still some bytes in the sftp file (to download) for which we haven't sent the
+read request. (This happens when total_bytes_requested < file_size)
+
+This issuing of another read request (under a condition) is done to
+keep the number of outstanding requests equal to the value of the
+in_flight_requests variable.
+
+This process has to be repeated for every remaining outstanding request.
+
+@code
+while (the queue is not empty) {
+    // Pseudo code
+    aio = DEQUEUE an sftp aio handle from the queue of sftp aio handles;
+
+    // Wait for the response of the request corresponding to the aio
+    bytes_read = sftp_aio_wait_read(&aio, buffer, chunk_size);
+    if (bytes_read == SSH_ERROR) {
+        //handle error
+    }
+
+    bytes_downloaded += bytes_read;
+    if (bytes_read != chunk_size && bytes_downloaded != file_size) {
+        // A short read encountered on the remote file before reaching EOF,
+        // short read before reaching EOF should never happen for the sftp aio
+        // API which respects the max limit for reading. This probably
+        // indicates a bad server.
+    }
+
+    // Pseudo code
+    WRITE bytes_read bytes from the buffer into the local file
+    in which downloaded data is to be stored ;
+
+    if (total_bytes_requested == file_size) {
+        // no need to issue more read requests
+        continue;
+    }
+
+    // else issue a read request
+    to_read = file_size - total_bytes_requested;
+    if (to_read > chunk_size) {
+        to_read = chunk_size;
+    }
+
+    bytes_requested = sftp_aio_begin_read(file, to_read, &aio);
+    if (bytes_requested == SSH_ERROR) {
+        // handle error
+    }
+
+    if ((size_t)bytes_requested < to_read) {
+        // Should not happen for this code, as the to_read is <=
+        // max limit for reading (chunk size), so there is no reason
+        // for sftp_aio_begin_read() to return a lesser value.
+    }
+
+    total_bytes_requested += bytes_requested;
+
+    // Pseudo code
+    ENQUEUE aio in the queue;
+}
+
+free(buffer);
+sftp_limits_free(lim);
+
+... // Code to destroy the queue which was used to store the sftp aio
+    // handles.
+@endcode
+
+After exiting the while (the queue is not empty) loop, the download
+would've been complete (assuming no error occurs).
+
+@subsection sftp_aio_upload_example Performing an upload using the sftp aio API
+
+Terminologies used in the following code snippets :
+
+  - sftp : The sftp_session opened using sftp_new() and initialised using
+    sftp_init()
+
+  - file : The sftp file handle of the remote file in which uploaded data
+    is to be stored. (See sftp_open())
+
+  - file_size : The size of the local file to upload. This size can be
+    obtained by statting the local file to upload (e.g by using stat())
+
+  - We will need maintain a queue which will be used to store the sftp aio
+    handles corresponding to the outstanding requests.
+
+First, we issue the write requests while ensuring that their count
+doesn't exceed a particular limit decided by us, and the number of bytes
+requested to write don't exceed the size of the file to upload.
+
+@code
+sftp_aio aio = NULL;
+
+// The chunk size to use for the transfer
+size_t chunk_size;
+
+// For the limits structure that would be used by
+// the code to set the chunk size
+sftp_limits_t lim = NULL;
+
+// Max number of requests to keep outstanding at a time
+size_t in_flight_requests = 5;
+
+// Total number of bytes for which write requests have been sent
+size_t total_bytes_requested = 0;
+
+// Buffer to use for the upload
+char *buffer = NULL;
+
+// Helper variables
+size_t to_write;
+ssize_t bytes_requested;
+
+// Get the sftp limits
+lim = sftp_limits(sftp);
+if (lim == NULL) {
+    // handle error
+}
+
+// Set the chunk size for upload = the max limit for writing.
+// The reason for this has been given in the "Capping applied by
+// the sftp aio API" section (Its to make the code simpler)
+//
+// Assigning a size_t type variable a uint64_t type value here,
+// theoretically could cause an overflow, but practically
+// max_write_length would never exceed SIZE_MAX so its okay.
+chunk_size = lim->max_write_length;
+
+buffer = malloc(chunk_size);
+if (buffer == NULL) {
+    // handle error
+}
+
+... // Code to open the local file (to upload) [e.g using open(), fopen()].
+... // Code to stat the local file's file size [e.g using stat()].
+... // Code to open the remote file in which uploaded data will be stored [see
+    // sftp_open()].
+... // Code to initialize the queue which will be used to store sftp aio
+    // handles.
+
+for (i = 0;
+     i < in_flight_requests && total_bytes_requested < file_size;
+     ++i) {
+    to_write = file_size - total_bytes_requested;
+    if (to_write > chunk_size) {
+        to_write = chunk_size;
+    }
+
+    // Pseudo code
+    READ to_write bytes from the local file (to upload) into the buffer;
+
+    bytes_requested = sftp_aio_begin_write(file, buffer, to_write, &aio);
+    if (bytes_requested == SSH_ERROR) {
+        // handle error
+    }
+
+    if ((size_t)bytes_requested < to_write) {
+        // Should not happen for this code, as the to_write is <=
+        // max limit for writing (chunk size), so there is no reason
+        // for sftp_aio_begin_write() to return a lesser value.
+    }
+
+    total_bytes_requested += (size_t)bytes_requested;
+
+    // Pseudo code
+    ENQUEUE aio in the queue;
+}
+
+@endcode
+
+At this point, at max in_flight_requests number of requests may be
+outstanding. Now we wait for the response corresponding to the earliest
+issued outstanding request.
+
+On getting that response, we issue another write request if there are
+still some bytes in the local file (to upload) for which we haven't sent
+the write request. (This happens when total_bytes_requested < file_size)
+
+This issuing of another write request (under a condition) is done to
+keep the number of outstanding requests equal to the value of the
+in_flight_requests variable.
+
+This process has to be repeated for every remaining outstanding request.
+
+@code
+while (the queue is not empty) {
+    // Pseudo code
+    aio = DEQUEUE an sftp aio handle from the queue of sftp aio handles;
+
+    // Wait for the response of the request corresponding to the aio
+    bytes_written = sftp_aio_wait_write(&aio);
+    if (bytes_written == SSH_ERROR) {
+        // handle error
+    }
+
+    // sftp_aio_wait_write() won't report a short write, so no need
+    // to check for a short write here.
+
+    if (total_bytes_requested == file_size) {
+        // no need to issue more write requests
+        continue;
+    }
+
+    // else issue a write request
+    to_write = file_size - total_bytes_requested;
+    if (to_write > chunk_size) {
+        to_write = chunk_size;
+    }
+
+    // Pseudo code
+    READ to_write bytes from the local file (to upload) into a buffer;
+
+    bytes_requested = sftp_aio_begin_write(file, buffer, to_write, &aio);
+    if (bytes_requested == SSH_ERROR) {
+        // handle error
+    }
+
+    if ((size_t)bytes_requested < to_write) {
+        // Should not happen for this code, as the to_write is <=
+        // max limit for writing (chunk size), so there is no reason
+        // for sftp_aio_begin_write() to return a lesser value.
+    }
+
+    total_bytes_requested += (size_t)bytes_requested;
+
+    // Pseudo code
+    ENQUEUE aio in the queue;
+}
+
+free(buffer);
+
+... // Code to destroy the queue which was used to store the sftp aio
+    // handles.
+@endcode
+
+After exiting the while (the queue is not empty) loop, the upload
+would've been complete (assuming no error occurs).
+
+@subsection sftp_aio_free Example showing the usage of sftp_aio_free()
+
+The purpose of sftp_aio_free() was discussed at the beginning of this page,
+the following code example shows how it can be used during cleanup.
+
+@code
+void print_sftp_error(sftp_session sftp)
+{
+    if (sftp == NULL) {
+        return;
+    }
+
+    fprintf(stderr, "sftp error : %d\n", sftp_get_error(sftp));
+    fprintf(stderr, "ssh error : %s\n", ssh_get_error(sftp->session));
+}
+
+// Returns 0 on success, -1 on error
+int write_strings(sftp_file file)
+{
+    const char * strings[] = {
+        "This is the first string",
+        "This is the second string",
+        "This is the third string",
+        "This is the fourth string"
+    };
+
+    size_t string_count = sizeof(strings) / sizeof(strings[0]);
+    size_t i;
+
+    sftp_session sftp = NULL;
+    sftp_aio aio = NULL;
+
+    int rc;
+
+    if (file == NULL) {
+        return -1;
+    }
+
+    ... // Code to initialize the queue which will be used to store sftp aio
+        // handles
+
+    sftp = file->sftp;
+    for (i = 0; i < string_count; ++i) {
+        rc = sftp_aio_begin_write(file,
+                                  strings[i],
+                                  strlen(strings[i]),
+                                  &aio);
+        if (rc == SSH_ERROR) {
+            print_sftp_error(sftp);
+            goto err;
+        }
+
+        // Pseudo code
+        ENQUEUE aio in the queue of sftp aio handles
+    }
+
+    for (i = 0; i < string_count; ++i) {
+        // Pseudo code
+        aio = DEQUEUE an sftp aio handle from the queue of sftp aio handles;
+
+        rc = sftp_aio_wait_write(&aio);
+        if (rc == SSH_ERROR) {
+            print_sftp_error(sftp);
+            goto err;
+        }
+    }
+
+
+    ... // Code to destroy the queue in which sftp aio handles were
+        // stored
+
+    return 0;
+
+err:
+
+    while (queue is not empty) {
+        // Pseudo code
+        aio = DEQUEUE an sftp aio handle from the queue of sftp aio handles;
+
+        sftp_aio_free(aio);
+    }
+
+    ... // Code to destroy the queue in which sftp aio handles were
+        // stored.
+
+    return -1;
+}
+
+@endcode
+
+*/
--- a/doc/shell.dox
+++ b/doc/shell.dox
@@ -26,7 +26,7 @@ The code sample below achieves these tasks:
@code
 int shell_session(ssh_session session)
 {
-  ssh_channel channel;
+  ssh_channel channel = NULL;
  int rc;

  channel = ssh_channel_new(session);
@@ -65,8 +65,17 @@ to as a "pty", for "pseudo-teletype". The remote processes won't see the
 difference with a real text-oriented terminal.

 If needed, you request the pty with the function ssh_channel_request_pty().
-Then you define its dimensions (number of rows and columns)
-with ssh_channel_change_pty_size().
+If you want define its dimensions (number of rows and columns),
+call ssh_channel_request_pty_size() instead. It's also possible to change
+the dimensions after creating the pty with ssh_channel_change_pty_size().
+
+These two functions configure the pty using the same terminal modes that
+stdin has. If stdin isn't a TTY, they use default modes that configure
+the pty with in canonical mode and e.g. preserving CR and LF characters.
+If you want to change the terminal modes used by the pty (e.g. to change
+CRLF handling), use ssh_channel_request_pty_size_modes(). This function
+accepts an additional "modes" buffer that is expected to contain encoded
+terminal modes according to RFC 4254 section 8.

 Be your session interactive or not, the next step is to request a
 shell with ssh_channel_request_shell().
--- a/doc/that_style/that_style.css
+++ b/doc/that_style/that_style.css
@@ -303,7 +303,6 @@ span.lineno {
  padding-right: 4px;
  text-align: right;
  color: black;
-  height: 100px;
  white-space: pre;
  border-right: 3px solid #1d7567;
  background-color: #323232; }
--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@@ -29,6 +29,12 @@ if (UNIX AND NOT WIN32)
        add_executable(samplesftp samplesftp.c ${examples_SRCS})
        target_compile_options(samplesftp PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
        target_link_libraries(samplesftp ssh::ssh)
+
+        if (WITH_SERVER)
+            add_executable(sample_sftpserver sample_sftpserver.c ${examples_SRCS})
+            target_compile_options(sample_sftpserver PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
+            target_link_libraries(sample_sftpserver ssh::ssh ${ARGP_LIBRARIES})
+        endif (WITH_SERVER)
    endif (WITH_SFTP)

    add_executable(ssh-client ssh_client.c ${examples_SRCS})
@@ -39,34 +45,34 @@ if (UNIX AND NOT WIN32)
    target_compile_options(ssh-X11-client PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
    target_link_libraries(ssh-X11-client ssh::ssh)

-    if (WITH_SERVER AND (ARGP_LIBRARY OR HAVE_ARGP_H))
+    if (WITH_SERVER AND (ARGP_LIBRARIES OR HAVE_ARGP_H))
        if (HAVE_LIBUTIL)
            add_executable(ssh_server_fork ssh_server.c)
            target_compile_options(ssh_server_fork PRIVATE ${DEFAULT_C_COMPILE_FLAGS} -DWITH_FORK)
-            target_link_libraries(ssh_server_fork ssh::ssh ${ARGP_LIBRARY} util)
+            target_link_libraries(ssh_server_fork ssh::ssh ${ARGP_LIBRARIES} util)

            add_executable(ssh_server_pthread ssh_server.c)
            target_compile_options(ssh_server_pthread PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(ssh_server_pthread ssh::ssh ${ARGP_LIBRARY} pthread util)
+            target_link_libraries(ssh_server_pthread ssh::ssh ${ARGP_LIBRARIES} pthread util)
        endif (HAVE_LIBUTIL)

        if (WITH_GSSAPI AND GSSAPI_FOUND)
            add_executable(proxy proxy.c)
            target_compile_options(proxy PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(proxy ssh::ssh ${ARGP_LIBRARY})
+            target_link_libraries(proxy ssh::ssh ${ARGP_LIBRARIES})

            add_executable(sshd_direct-tcpip sshd_direct-tcpip.c)
            target_compile_options(sshd_direct-tcpip PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(sshd_direct-tcpip ssh::ssh ${ARGP_LIBRARY})
+            target_link_libraries(sshd_direct-tcpip ssh::ssh ${ARGP_LIBRARIES})
        endif (WITH_GSSAPI AND GSSAPI_FOUND)

        add_executable(samplesshd-kbdint samplesshd-kbdint.c)
        target_compile_options(samplesshd-kbdint PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(samplesshd-kbdint ssh::ssh ${ARGP_LIBRARY})
+        target_link_libraries(samplesshd-kbdint ssh::ssh ${ARGP_LIBRARIES})

        add_executable(keygen2 keygen2.c ${examples_SRCS})
        target_compile_options(keygen2 PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(keygen2 ssh::ssh ${ARGP_LIBRARY})
+        target_link_libraries(keygen2 ssh::ssh ${ARGP_LIBRARIES})

    endif()
 endif (UNIX AND NOT WIN32)
@@ -75,9 +81,9 @@ if (WITH_SERVER)
    add_executable(samplesshd-cb samplesshd-cb.c)
    target_compile_options(samplesshd-cb PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
    target_link_libraries(samplesshd-cb ssh::ssh)
-    if (ARGP_LIBRARY OR HAVE_ARGP_H)
-        target_link_libraries(samplesshd-cb ${ARGP_LIBRARY})
-    endif(ARGP_LIBRARY OR HAVE_ARGP_H)
+    if (ARGP_LIBRARIES OR HAVE_ARGP_H)
+        target_link_libraries(samplesshd-cb ${ARGP_LIBRARIES})
+    endif(ARGP_LIBRARIES OR HAVE_ARGP_H)
 endif()

 add_executable(exec exec.c ${examples_SRCS})
--- a/examples/authentication.c
+++ b/examples/authentication.c
@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password)

    err = ssh_userauth_kbdint(session, NULL, NULL);
    while (err == SSH_AUTH_INFO) {
-        const char *instruction;
-        const char *name;
+        const char *instruction = NULL;
+        const char *name = NULL;
        char buffer[128];
        int i, n;

@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password)
        }

        for (i = 0; i < n; i++) {
-            const char *answer;
-            const char *prompt;
+            const char *answer = NULL;
+            const char *prompt = NULL;
            char echo;

            prompt = ssh_userauth_kbdint_getprompt(session, i, &echo);
@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password)
            }

            if (echo) {
-                char *p;
+                char *p = NULL;

                printf("%s", prompt);

@@ -66,7 +66,6 @@ int authenticate_kbdint(ssh_session session, const char *password)
                    return SSH_AUTH_ERROR;
                }

-                buffer[sizeof(buffer) - 1] = '\0';
                if ((p = strchr(buffer, '\n'))) {
                    *p = '\0';
                }
@@ -75,7 +74,7 @@ int authenticate_kbdint(ssh_session session, const char *password)
                    return SSH_AUTH_ERROR;
                }

-                memset(buffer, 0, strlen(buffer));
+                memset(buffer, 0, sizeof(buffer));
            } else {
                if (password && strstr(prompt, "Password:")) {
                    answer = password;
@@ -143,11 +142,11 @@ int authenticate_console(ssh_session session)
    int rc;
    int method;
    char password[128] = {0};
-    char *banner;
+    char *banner = NULL;

    // Try to authenticate
    rc = ssh_userauth_none(session, NULL);
-    if (rc == SSH_AUTH_ERROR) {
+    if (rc == SSH_AUTH_ERROR || !ssh_is_connected(session)) {
        error(session);
        return rc;
    }
@@ -156,7 +155,7 @@ int authenticate_console(ssh_session session)
    while (rc != SSH_AUTH_SUCCESS) {
        if (method & SSH_AUTH_METHOD_GSSAPI_MIC){
            rc = ssh_userauth_gssapi(session);
-            if(rc == SSH_AUTH_ERROR) {
+            if (rc == SSH_AUTH_ERROR || !ssh_is_connected(session)) {
                error(session);
                return rc;
            } else if (rc == SSH_AUTH_SUCCESS) {
@@ -166,7 +165,7 @@ int authenticate_console(ssh_session session)
        // Try to authenticate with public key first
        if (method & SSH_AUTH_METHOD_PUBLICKEY) {
            rc = ssh_userauth_publickey_auto(session, NULL, NULL);
-            if (rc == SSH_AUTH_ERROR) {
+            if (rc == SSH_AUTH_ERROR || !ssh_is_connected(session)) {
                error(session);
                return rc;
            } else if (rc == SSH_AUTH_SUCCESS) {
@@ -206,7 +205,7 @@ int authenticate_console(ssh_session session)
        // Try to authenticate with keyboard interactive";
        if (method & SSH_AUTH_METHOD_INTERACTIVE) {
            rc = authenticate_kbdint(session, NULL);
-            if (rc == SSH_AUTH_ERROR) {
+            if (rc == SSH_AUTH_ERROR || !ssh_is_connected(session)) {
                error(session);
                return rc;
            } else if (rc == SSH_AUTH_SUCCESS) {
@@ -221,7 +220,7 @@ int authenticate_console(ssh_session session)
        // Try to authenticate with password
        if (method & SSH_AUTH_METHOD_PASSWORD) {
            rc = ssh_userauth_password(session, NULL, password);
-            if (rc == SSH_AUTH_ERROR) {
+            if (rc == SSH_AUTH_ERROR || !ssh_is_connected(session)) {
                error(session);
                return rc;
            } else if (rc == SSH_AUTH_SUCCESS) {
--- a/examples/connect_ssh.c
+++ b/examples/connect_ssh.c
@@ -21,47 +21,50 @@ clients must be made or how a client should react.
 #include "examples_common.h"
 #include <stdio.h>

-ssh_session connect_ssh(const char *host, const char *user,int verbosity){
-  ssh_session session;
-  int auth=0;
+ssh_session connect_ssh(const char *host, const char *user, int verbosity)
+{
+    ssh_session session = NULL;
+    int auth = 0;

-  session=ssh_new();
-  if (session == NULL) {
-    return NULL;
-  }
-
-  if(user != NULL){
-    if (ssh_options_set(session, SSH_OPTIONS_USER, user) < 0) {
-      ssh_free(session);
-      return NULL;
+    session = ssh_new();
+    if (session == NULL) {
+        return NULL;
    }
-  }

-  if (ssh_options_set(session, SSH_OPTIONS_HOST, host) < 0) {
-    ssh_free(session);
-    return NULL;
-  }
-  ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-  if(ssh_connect(session)){
-    fprintf(stderr,"Connection failed : %s\n",ssh_get_error(session));
+    if (user != NULL) {
+        if (ssh_options_set(session, SSH_OPTIONS_USER, user) < 0) {
+            ssh_free(session);
+            return NULL;
+        }
+    }
+
+    if (ssh_options_set(session, SSH_OPTIONS_HOST, host) < 0) {
+        ssh_free(session);
+        return NULL;
+    }
+    ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
+    if (ssh_connect(session)) {
+        fprintf(stderr, "Connection failed : %s\n", ssh_get_error(session));
+        ssh_disconnect(session);
+        ssh_free(session);
+        return NULL;
+    }
+    if (verify_knownhost(session) < 0) {
+        ssh_disconnect(session);
+        ssh_free(session);
+        return NULL;
+    }
+    auth = authenticate_console(session);
+    if (auth == SSH_AUTH_SUCCESS) {
+        return session;
+    } else if (auth == SSH_AUTH_DENIED) {
+        fprintf(stderr, "Authentication failed\n");
+    } else {
+        fprintf(stderr,
+                "Error while authenticating : %s\n",
+                ssh_get_error(session));
+    }
    ssh_disconnect(session);
    ssh_free(session);
    return NULL;
-  }
-  if(verify_knownhost(session)<0){
-    ssh_disconnect(session);
-    ssh_free(session);
-    return NULL;
-  }
-  auth=authenticate_console(session);
-  if(auth==SSH_AUTH_SUCCESS){
-    return session;
-  } else if(auth==SSH_AUTH_DENIED){
-    fprintf(stderr,"Authentication failed\n");
-  } else {
-    fprintf(stderr,"Error while authenticating : %s\n",ssh_get_error(session));
-  }
-  ssh_disconnect(session);
-  ssh_free(session);
-  return NULL;
 }
--- a/examples/examples_common.h
+++ b/examples/examples_common.h
@@ -16,7 +16,7 @@ clients must be made or how a client should react.
 #include <libssh/libssh.h>

 /** Zero a structure */
-#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
+#define ZERO_STRUCT(x) memset(&(x), 0, sizeof(x))

 int authenticate_console(ssh_session session);
 int authenticate_kbdint(ssh_session session, const char *password);
--- a/examples/exec.c
+++ b/examples/exec.c
@@ -5,8 +5,8 @@
 #include "examples_common.h"

 int main(void) {
-    ssh_session session;
-    ssh_channel channel;
+    ssh_session session = NULL;
+    ssh_channel channel = NULL;
    char buffer[256];
    int rbytes, wbytes, total = 0;
    int rc;
--- a/examples/keygen.c
+++ b/examples/keygen.c
@@ -27,14 +27,14 @@ int main(void)
    rv = ssh_pki_generate(SSH_KEYTYPE_ED25519, 0, &key);
    if (rv != SSH_OK) {
        fprintf(stderr, "Failed to generate private key");
-	return -1;
+        return -1;
    }

-    /* Write it to a file testkey in the current dirrectory */
+    /* Write it to a file testkey in the current directory */
    rv = ssh_pki_export_privkey_file(key, NULL, NULL, NULL, "testkey");
    if (rv != SSH_OK) {
        fprintf(stderr, "Failed to write private key file");
-	return -1;
+        return -1;
    }

    return 0;
--- a/examples/keygen2.c
+++ b/examples/keygen2.c
@@ -38,6 +38,8 @@ struct arguments_st {
    unsigned long bits;
    char *file;
    char *passphrase;
+    char *format;
+    int action_list;
 };

 static struct argp_option options[] = {
@@ -51,7 +53,6 @@ static struct argp_option options[] = {
                 "Accepted values are: "
                 "1024, 2048, 3072 (default), 4096, and 8192 for TYPE=\"rsa\"; "
                 "256 (default), 384, and 521 for TYPE=\"ecdsa\"; "
-                 "1024 (default) and 2048 for TYPE=\"dsa\"; "
                 "can be omitted for TYPE=\"ed25519\" "
                 "(it will be ignored if provided).\n",
        .group = 0
@@ -85,7 +86,25 @@ static struct argp_option options[] = {
        .flags = 0,
        .doc   = "The type of the key to be generated. "
                 "Accepted values are: "
-                 "\"rsa\", \"ecdsa\", \"ed25519\", and \"dsa\".\n",
+                 "\"rsa\", \"ecdsa\", and \"ed25519\".\n",
+        .group = 0
+    },
+    {
+        .name  = "list",
+        .key   = 'l',
+        .arg   = NULL,
+        .flags = 0,
+        .doc   = "List the Fingerprint of the given key\n",
+        .group = 0
+    },
+    {
+        .name  = "format",
+        .key   = 'm',
+        .arg   = "FORMAT",
+        .flags = 0,
+        .doc   = "Write the file in specific format. The supported values are "
+                "'PEM'and 'OpenSSH' file format. By default Ed25519 "
+                "keys are exported in OpenSSH format and others in PEM.\n",
        .group = 0
    },
    {
@@ -144,9 +163,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
            if (!strcmp(arg, "rsa")) {
                arguments->type = SSH_KEYTYPE_RSA;
            }
-            else if (!strcmp(arg, "dsa")) {
-                arguments->type = SSH_KEYTYPE_DSS;
-            }
            else if (!strcmp(arg, "ecdsa")) {
                arguments->type = SSH_KEYTYPE_ECDSA;
            }
@@ -160,6 +176,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
                goto end;
            }
            break;
+        case 'l':
+            arguments->action_list = 1;
+            break;
+        case 'm':
+            arguments->format = strdup(arg);
+            break;
        case ARGP_KEY_ARG:
            if (state->arg_num > 0) {
                /* Too many arguments. */
@@ -185,98 +207,80 @@ static int validate_args(struct arguments_st *args)
        return EINVAL;
    }

-    switch(args->type) {
-        case SSH_KEYTYPE_RSA:
-            switch(args->bits) {
-                case 0:
-                    /* If not provided, use default value */
-                    args->bits = 3072;
-                    break;
-                case 1024:
-                case 2048:
-                case 3072:
-                case 4096:
-                case 8192:
-                    break;
-                default:
-                    fprintf(stderr, "Error: Invalid bits parameter provided\n");
-                    rc = EINVAL;
-                    break;
-            }
-
-            if (args->file == NULL) {
-                args->file = strdup("id_rsa");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
+    /* no other arguments needed for listing key fingerprints */
+    if (args->action_list) {
+        return 0;
+    }

+    switch (args->type) {
+    case SSH_KEYTYPE_RSA:
+        switch (args->bits) {
+        case 0:
+            /* If not provided, use default value */
+            args->bits = 3072;
            break;
-        case SSH_KEYTYPE_ECDSA:
-            switch(args->bits) {
-                case 0:
-                    /* If not provided, use default value */
-                    args->bits = 256;
-                    break;
-                case 256:
-                case 384:
-                case 521:
-                    break;
-                default:
-                    fprintf(stderr, "Error: Invalid bits parameter provided\n");
-                    rc = EINVAL;
-                    break;
-            }
-            if (args->file == NULL) {
-                args->file = strdup("id_ecdsa");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
-
-            break;
-        case SSH_KEYTYPE_DSS:
-            switch(args->bits) {
-                case 0:
-                    /* If not provided, use default value */
-                    args->bits = 1024;
-                    break;
-                case 1024:
-                case 2048:
-                    break;
-                default:
-                    fprintf(stderr, "Error: Invalid bits parameter provided\n");
-                    rc = EINVAL;
-                    break;
-            }
-            if (args->file == NULL) {
-                args->file = strdup("id_dsa");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
-
-            break;
-        case SSH_KEYTYPE_ED25519:
-            /* Ignore value and overwrite with a zero */
-            args->bits = 0;
-
-            if (args->file == NULL) {
-                args->file = strdup("id_ed25519");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
-
+        case 1024:
+        case 2048:
+        case 3072:
+        case 4096:
+        case 8192:
            break;
        default:
-            fprintf(stderr, "Error: unknown key type\n");
+            fprintf(stderr, "Error: Invalid bits parameter provided\n");
            rc = EINVAL;
            break;
+        }
+
+        if (args->file == NULL) {
+            args->file = strdup("id_rsa");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    case SSH_KEYTYPE_ECDSA:
+        switch (args->bits) {
+        case 0:
+            /* If not provided, use default value */
+            args->bits = 256;
+            break;
+        case 256:
+        case 384:
+        case 521:
+            break;
+        default:
+            fprintf(stderr, "Error: Invalid bits parameter provided\n");
+            rc = EINVAL;
+            break;
+        }
+        if (args->file == NULL) {
+            args->file = strdup("id_ecdsa");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    case SSH_KEYTYPE_ED25519:
+        /* Ignore value and overwrite with a zero */
+        args->bits = 0;
+
+        if (args->file == NULL) {
+            args->file = strdup("id_ed25519");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    default:
+        fprintf(stderr, "Error: unknown key type\n");
+        rc = EINVAL;
+        break;
    }

    return rc;
@@ -289,6 +293,32 @@ static char doc[] = "Generate an SSH key pair. "
 /* Our argp parser */
 static struct argp argp = {options, parse_opt, NULL, doc, NULL, NULL, NULL};

+static void
+list_fingerprint(char *file)
+{
+    ssh_key key = NULL;
+    unsigned char *hash = NULL;
+    size_t hlen = 0;
+    int rc;
+
+    rc = ssh_pki_import_privkey_file(file, NULL, NULL, NULL, &key);
+    if (rc != SSH_OK) {
+        fprintf(stderr, "Failed to import private key %s\n", file);
+        return;
+    }
+
+    rc = ssh_get_publickey_hash(key, SSH_PUBLICKEY_HASH_SHA256, &hash, &hlen);
+    if (rc != SSH_OK) {
+        fprintf(stderr, "Failed to get key fingerprint\n");
+        ssh_key_free(key);
+        return;
+    }
+    ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+
+    ssh_clean_pubkey_hash(&hash);
+    ssh_key_free(key);
+}
+
 int main(int argc, char *argv[])
 {
    ssh_key key = NULL;
@@ -302,6 +332,7 @@ int main(int argc, char *argv[])
        .bits = 0,
        .file = NULL,
        .passphrase = NULL,
+        .action_list = 0,
    };

    if (argc < 2) {
@@ -319,6 +350,16 @@ int main(int argc, char *argv[])
        goto end;
    }

+    if (arguments.file == NULL) {
+        fprintf(stderr, "Error: Missing argument file\n");
+        goto end;
+    }
+
+    if (arguments.action_list) {
+        list_fingerprint(arguments.file);
+        goto end;
+    }
+
    errno = 0;
    rc = open(arguments.file, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
    if (rc < 0) {
@@ -361,8 +402,36 @@ int main(int argc, char *argv[])
    }

    /* Write the private key */
-    rc = ssh_pki_export_privkey_file(key, arguments.passphrase, NULL, NULL,
-                                     arguments.file);
+    if (arguments.format != NULL) {
+        if (strcasecmp(arguments.format, "PEM") == 0) {
+            rc = ssh_pki_export_privkey_file_format(key,
+                                                    arguments.passphrase,
+                                                    NULL,
+                                                    NULL,
+                                                    arguments.file,
+                                                    SSH_FILE_FORMAT_PEM);
+        } else if (strcasecmp(arguments.format, "OpenSSH") == 0) {
+            rc = ssh_pki_export_privkey_file_format(key,
+                                                    arguments.passphrase,
+                                                    NULL,
+                                                    NULL,
+                                                    arguments.file,
+                                                    SSH_FILE_FORMAT_OPENSSH);
+        } else {
+            rc = ssh_pki_export_privkey_file_format(key,
+                                                    arguments.passphrase,
+                                                    NULL,
+                                                    NULL,
+                                                    arguments.file,
+                                                    SSH_FILE_FORMAT_DEFAULT);
+        }
+    } else {
+        rc = ssh_pki_export_privkey_file(key,
+                                         arguments.passphrase,
+                                         NULL,
+                                         NULL,
+                                         arguments.file);
+    }
    if (rc != SSH_OK) {
        fprintf(stderr, "Error: Failed to write private key file");
        goto end;
--- a/examples/knownhosts.c
+++ b/examples/knownhosts.c
@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session)
    char buf[10];
    unsigned char *hash = NULL;
    size_t hlen;
-    ssh_key srv_pubkey;
+    ssh_key srv_pubkey = NULL;
    int rc;

    rc = ssh_get_server_publickey(session, &srv_pubkey);
--- a/examples/libssh_scp.c
+++ b/examples/libssh_scp.c
@@ -26,9 +26,9 @@ program.
 #define BUF_SIZE 16384
 #endif

-static char **sources;
+static char **sources = NULL;
 static int nsources;
-static char *destination;
+static char *destination = NULL;
 static int verbosity = 0;

 struct location {
@@ -114,9 +114,14 @@ static void location_free(struct location *loc)
    }
 }

-static struct location *parse_location(char *loc) {
-    struct location *location;
-    char *ptr;
+static struct location *parse_location(char *loc)
+{
+    struct location *location = NULL;
+    char *ptr = NULL;
+
+    if (loc == NULL) {
+        return NULL;
+    }

    location = malloc(sizeof(struct location));
    if (location == NULL) {
@@ -229,11 +234,11 @@ static int open_location(struct location *loc, int flag) {
            return -1;
        }
        return 0;
-    } else {
+    } else if (loc->path != NULL) {
        loc->file = fopen(loc->path, flag == READ ? "r":"w");
        if (!loc->file) {
            if (errno == EISDIR) {
-                if (loc->path != NULL && chdir(loc->path)) {
+                if (chdir(loc->path)) {
                    fprintf(stderr,
                            "Error changing directory to %s: %s\n",
                            loc->path, strerror(errno));
--- a/examples/proxy.c
+++ b/examples/proxy.c
@@ -35,8 +35,8 @@ clients must be made or how a client should react.
 static int authenticated=0;
 static int tries = 0;
 static int error = 0;
-static ssh_channel chan=NULL;
-static char *username;
+static ssh_channel chan = NULL;
+static char *username = NULL;
 static ssh_gssapi_creds client_creds = NULL;

 static int auth_password(ssh_session session, const char *user,
@@ -142,20 +142,12 @@ static struct argp_option options[] = {
        .doc   = "Set the host key.",
        .group = 0
    },
-    {
-        .name  = "dsakey",
-        .key   = 'd',
-        .arg   = "FILE",
-        .flags = 0,
-        .doc   = "Set the dsa key.",
-        .group = 0
-    },
    {
        .name  = "rsakey",
        .key   = 'r',
        .arg   = "FILE",
        .flags = 0,
-        .doc   = "Set the rsa key.",
+        .doc   = "Set the rsa host key (deprecated alias to 'k').",
        .group = 0
    },
    {
@@ -180,15 +172,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
        case 'p':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
            break;
-        case 'd':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
-            break;
+        case 'r':
+            /* deprecated */
        case 'k':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
            break;
-        case 'r':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, arg);
-            break;
        case 'v':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "3");
            break;
@@ -216,11 +204,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
 static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
 #endif /* HAVE_ARGP_H */

-int main(int argc, char **argv){
-    ssh_session session;
-    ssh_bind sshbind;
-    ssh_event mainloop;
-    ssh_session client_session;
+int main(int argc, char **argv)
+{
+    ssh_session session = NULL;
+    ssh_bind sshbind = NULL;
+    ssh_event mainloop = NULL;
+    ssh_session client_session = NULL;

    struct ssh_server_callbacks_struct cb = {
        .userdata = NULL,
@@ -231,13 +220,13 @@ int main(int argc, char **argv){

    char buf[BUF_SIZE];
    char host[128]="";
-    char *ptr;
+    char *ptr = NULL;
    int i,r, rc;

    sshbind=ssh_bind_new();
    session=ssh_new();

-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, "sshd_rsa");
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, "sshd_rsa");

 #ifdef HAVE_ARGP_H
    /*
@@ -348,4 +337,3 @@ int main(int argc, char **argv){
    ssh_finalize();
    return 0;
 }
-
--- a/examples/sample_sftpserver.c
+++ b/examples/sample_sftpserver.c
@@ -0,0 +1,515 @@
+/* This is a sample implementation of a libssh based SSH server */
+/*
+Copyright 2014 Audrius Butkevicius
+
+This file is part of the SSH Library
+
+You are free to copy this file, modify it in any way, consider it being public
+domain. This does not apply to the rest of the library though, but it is
+allowed to cut-and-paste working code from this file to any license of
+program.
+The goal is to show the API in action.
+*/
+
+#include "config.h"
+
+#include <libssh/callbacks.h>
+#include <libssh/server.h>
+#include <libssh/sftp.h>
+#include <libssh/sftpserver.h>
+
+#include <poll.h>
+#ifdef HAVE_ARGP_H
+#include <argp.h>
+#endif
+#include <fcntl.h>
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+#ifdef HAVE_PTY_H
+#include <pty.h>
+#endif
+#include <signal.h>
+#include <stdlib.h>
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdbool.h>
+
+/* below are for sftp */
+#include <sys/statvfs.h>
+#include <errno.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <time.h>
+#include <inttypes.h>
+
+#ifndef KEYS_FOLDER
+#ifdef _WIN32
+#define KEYS_FOLDER
+#else
+#define KEYS_FOLDER "/etc/ssh/"
+#endif
+#endif
+
+#define USER "myuser"
+#define PASS "mypassword"
+#define BUF_SIZE 1048576
+#define SESSION_END (SSH_CLOSED | SSH_CLOSED_ERROR)
+
+static void set_default_keys(ssh_bind sshbind,
+                             int rsa_already_set,
+                             int ecdsa_already_set)
+{
+    if (!rsa_already_set)
+    {
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY,
+                             KEYS_FOLDER "ssh_host_rsa_key");
+    }
+    if (!ecdsa_already_set)
+    {
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY,
+                             KEYS_FOLDER "ssh_host_ecdsa_key");
+    }
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY,
+                         KEYS_FOLDER "ssh_host_ed25519_key");
+}
+#define DEF_STR_SIZE 1024
+char authorizedkeys[DEF_STR_SIZE] = {0};
+#ifdef HAVE_ARGP_H
+const char *argp_program_version = "libssh sftp server example " SSH_STRINGIFY(LIBSSH_VERSION);
+const char *argp_program_bug_address = "<libssh@libssh.org>";
+
+/* Program documentation. */
+static char doc[] = "Sftp server implemented with libssh -- a Secure Shell protocol implementation";
+
+/* A description of the arguments we accept. */
+static char args_doc[] = "BINDADDR";
+
+/* The options we understand. */
+static struct argp_option options[] = {
+    {.name = "port",
+     .key = 'p',
+     .arg = "PORT",
+     .flags = 0,
+     .doc = "Set the port to bind.",
+     .group = 0},
+    {.name = "hostkey",
+     .key = 'k',
+     .arg = "FILE",
+     .flags = 0,
+     .doc = "Set a host key.  Can be used multiple times.  "
+            "Implies no default keys.",
+     .group = 0},
+    {.name = "rsakey",
+     .key = 'r',
+     .arg = "FILE",
+     .flags = 0,
+     .doc = "Set the rsa key.",
+     .group = 0},
+    {.name = "ecdsakey",
+     .key = 'e',
+     .arg = "FILE",
+     .flags = 0,
+     .doc = "Set the ecdsa key.",
+     .group = 0},
+    {.name = "authorizedkeys",
+     .key = 'a',
+     .arg = "FILE",
+     .flags = 0,
+     .doc = "Set the authorized keys file.",
+     .group = 0},
+    {.name = "no-default-keys",
+     .key = 'n',
+     .arg = NULL,
+     .flags = 0,
+     .doc = "Do not set default key locations.",
+     .group = 0},
+    {.name = "verbose",
+     .key = 'v',
+     .arg = NULL,
+     .flags = 0,
+     .doc = "Get verbose output.",
+     .group = 0},
+    {NULL, 0, NULL, 0, NULL, 0}};
+
+/* Parse a single option. */
+static error_t parse_opt(int key, char *arg, struct argp_state *state)
+{
+    /* Get the input argument from argp_parse, which we
+     * know is a pointer to our arguments structure. */
+    ssh_bind sshbind = state->input;
+    static int no_default_keys = 0;
+    static int rsa_already_set = 0, ecdsa_already_set = 0;
+
+    switch (key)
+    {
+    case 'n':
+        no_default_keys = 1;
+        break;
+    case 'p':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
+        break;
+    case 'k':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+        /* We can't track the types of keys being added with this
+           option, so let's ensure we keep the keys we're adding
+           by just not setting the default keys */
+        no_default_keys = 1;
+        break;
+    case 'r':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+        rsa_already_set = 1;
+        break;
+    case 'e':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+        ecdsa_already_set = 1;
+        break;
+    case 'a':
+        strncpy(authorizedkeys, arg, DEF_STR_SIZE - 1);
+        break;
+    case 'v':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR,
+                             "3");
+        break;
+    case ARGP_KEY_ARG:
+        if (state->arg_num >= 1)
+        {
+            /* Too many arguments. */
+            argp_usage(state);
+        }
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDADDR, arg);
+        break;
+    case ARGP_KEY_END:
+        if (state->arg_num < 1)
+        {
+            /* Not enough arguments. */
+            argp_usage(state);
+        }
+
+        if (!no_default_keys)
+        {
+            set_default_keys(sshbind,
+                             rsa_already_set,
+                             ecdsa_already_set);
+        }
+
+        break;
+    default:
+        return ARGP_ERR_UNKNOWN;
+    }
+    return 0;
+}
+
+/* Our argp parser. */
+static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
+#endif /* HAVE_ARGP_H */
+
+/* A userdata struct for channel. */
+struct channel_data_struct
+{
+    /* Event which is used to poll the above descriptors. */
+    ssh_event event;
+    sftp_session sftp;
+};
+
+/* A userdata struct for session. */
+struct session_data_struct
+{
+    /* Pointer to the channel the session will allocate. */
+    ssh_channel channel;
+    int auth_attempts;
+    int authenticated;
+};
+
+static int auth_password(ssh_session session, const char *user,
+                         const char *pass, void *userdata)
+{
+    struct session_data_struct *sdata = (struct session_data_struct *)userdata;
+
+    (void)session;
+
+    if (strcmp(user, USER) == 0 && strcmp(pass, PASS) == 0)
+    {
+        sdata->authenticated = 1;
+        return SSH_AUTH_SUCCESS;
+    }
+
+    sdata->auth_attempts++;
+    return SSH_AUTH_DENIED;
+}
+
+static int auth_publickey(ssh_session session,
+                          const char *user,
+                          struct ssh_key_struct *pubkey,
+                          char signature_state,
+                          void *userdata)
+{
+    struct session_data_struct *sdata = (struct session_data_struct *)userdata;
+
+    (void)session;
+    (void)user;
+
+    if (signature_state == SSH_PUBLICKEY_STATE_NONE)
+    {
+        return SSH_AUTH_SUCCESS;
+    }
+
+    if (signature_state != SSH_PUBLICKEY_STATE_VALID)
+    {
+        return SSH_AUTH_DENIED;
+    }
+
+    // valid so far.  Now look through authorized keys for a match
+    if (authorizedkeys[0])
+    {
+        ssh_key key = NULL;
+        int result;
+        struct stat buf;
+
+        if (stat(authorizedkeys, &buf) == 0)
+        {
+            result = ssh_pki_import_pubkey_file(authorizedkeys, &key);
+            if ((result != SSH_OK) || (key == NULL))
+            {
+                fprintf(stderr,
+                        "Unable to import public key file %s\n",
+                        authorizedkeys);
+            }
+            else
+            {
+                result = ssh_key_cmp(key, pubkey, SSH_KEY_CMP_PUBLIC);
+                ssh_key_free(key);
+                if (result == 0)
+                {
+                    sdata->authenticated = 1;
+                    return SSH_AUTH_SUCCESS;
+                }
+            }
+        }
+    }
+
+    // no matches
+    sdata->authenticated = 0;
+    return SSH_AUTH_DENIED;
+}
+
+static ssh_channel channel_open(ssh_session session, void *userdata)
+{
+    struct session_data_struct *sdata = (struct session_data_struct *)userdata;
+
+    sdata->channel = ssh_channel_new(session);
+    return sdata->channel;
+}
+
+static void handle_session(ssh_event event, ssh_session session)
+{
+    int n;
+
+    /* Our struct holding information about the channel. */
+    struct channel_data_struct cdata = {
+        .sftp = NULL,
+    };
+
+    /* Our struct holding information about the session. */
+    struct session_data_struct sdata = {
+        .channel = NULL,
+        .auth_attempts = 0,
+        .authenticated = 0,
+    };
+
+    struct ssh_channel_callbacks_struct channel_cb = {
+        .userdata = &(cdata.sftp),
+        .channel_data_function = sftp_channel_default_data_callback,
+        .channel_subsystem_request_function = sftp_channel_default_subsystem_request,
+    };
+
+    struct ssh_server_callbacks_struct server_cb = {
+        .userdata = &sdata,
+        .auth_password_function = auth_password,
+        .channel_open_request_session_function = channel_open,
+    };
+
+    if (authorizedkeys[0])
+    {
+        server_cb.auth_pubkey_function = auth_publickey;
+        ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY);
+    }
+    else
+        ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD);
+
+    ssh_callbacks_init(&server_cb);
+    ssh_callbacks_init(&channel_cb);
+
+    ssh_set_server_callbacks(session, &server_cb);
+
+    if (ssh_handle_key_exchange(session) != SSH_OK)
+    {
+        fprintf(stderr, "%s\n", ssh_get_error(session));
+        return;
+    }
+
+    ssh_event_add_session(event, session);
+
+    n = 0;
+    while (sdata.authenticated == 0 || sdata.channel == NULL) {
+        /* If the user has used up all attempts, or if he hasn't been able to
+         * authenticate in 10 seconds (n * 100ms), disconnect. */
+        if (sdata.auth_attempts >= 3 || n >= 100) {
+            return;
+        }
+
+        if (ssh_event_dopoll(event, 100) == SSH_ERROR) {
+            fprintf(stderr, "%s\n", ssh_get_error(session));
+            return;
+        }
+        n++;
+    }
+
+    ssh_set_channel_callbacks(sdata.channel, &channel_cb);
+
+    do {
+        /* Poll the main event which takes care of the session, the channel and
+         * even our child process's stdout/stderr (once it's started). */
+        if (ssh_event_dopoll(event, -1) == SSH_ERROR) {
+            ssh_channel_close(sdata.channel);
+        }
+
+        /* If child process's stdout/stderr has been registered with the event,
+         * or the child process hasn't started yet, continue. */
+        if (cdata.event != NULL) {
+            continue;
+        }
+        /* FIXME The server keeps hanging in the poll above when the client
+         * closes the channel */
+    } while (ssh_channel_is_open(sdata.channel));
+
+    ssh_channel_send_eof(sdata.channel);
+    ssh_channel_close(sdata.channel);
+
+    /* Wait up to 5 seconds for the client to terminate the session. */
+    for (n = 0; n < 50 && (ssh_get_status(session) & SESSION_END) == 0; n++) {
+        ssh_event_dopoll(event, 100);
+    }
+}
+
+/* SIGCHLD handler for cleaning up dead children. */
+static void sigchld_handler(int signo)
+{
+    (void)signo;
+
+    while (waitpid(-1, NULL, WNOHANG) > 0)
+        ;
+}
+
+int main(int argc, char **argv)
+{
+    ssh_bind sshbind = NULL;
+    ssh_session session = NULL;
+    ssh_event event = NULL;
+    struct sigaction sa;
+    int rc;
+
+    /* Set up SIGCHLD handler. */
+    sa.sa_handler = sigchld_handler;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
+    if (sigaction(SIGCHLD, &sa, NULL) != 0)
+    {
+        fprintf(stderr, "Failed to register SIGCHLD handler\n");
+        return 1;
+    }
+
+    rc = ssh_init();
+    if (rc < 0)
+    {
+        fprintf(stderr, "ssh_init failed\n");
+        goto exit;
+    }
+
+    sshbind = ssh_bind_new();
+    if (sshbind == NULL)
+    {
+        fprintf(stderr, "ssh_bind_new failed\n");
+        goto exit;
+    }
+
+#ifdef HAVE_ARGP_H
+    argp_parse(&argp, argc, argv, 0, 0, sshbind);
+#else
+    (void)argc;
+    (void)argv;
+
+    set_default_keys(sshbind, 0, 0);
+#endif /* HAVE_ARGP_H */
+
+    if (ssh_bind_listen(sshbind) < 0)
+    {
+        fprintf(stderr, "%s\n", ssh_get_error(sshbind));
+        goto exit;
+    }
+
+    while (1)
+    {
+        session = ssh_new();
+        if (session == NULL)
+        {
+            fprintf(stderr, "Failed to allocate session\n");
+            continue;
+        }
+
+        /* Blocks until there is a new incoming connection. */
+        if (ssh_bind_accept(sshbind, session) != SSH_ERROR)
+        {
+            switch (fork())
+            {
+            case 0:
+                /* Remove the SIGCHLD handler inherited from parent. */
+                sa.sa_handler = SIG_DFL;
+                sigaction(SIGCHLD, &sa, NULL);
+                /* Remove socket binding, which allows us to restart the
+                 * parent process, without terminating existing sessions. */
+                ssh_bind_free(sshbind);
+
+                event = ssh_event_new();
+                if (event != NULL)
+                {
+                    /* Blocks until the SSH session ends by either
+                     * child process exiting, or client disconnecting. */
+                    handle_session(event, session);
+                    ssh_event_free(event);
+                }
+                else
+                {
+                    fprintf(stderr, "Could not create polling context\n");
+                }
+                ssh_disconnect(session);
+                ssh_free(session);
+
+                exit(0);
+            case -1:
+                fprintf(stderr, "Failed to fork\n");
+            }
+        }
+        else
+        {
+            fprintf(stderr, "%s\n", ssh_get_error(sshbind));
+        }
+        /* Since the session has been passed to a child fork, do some cleaning
+         * up at the parent process. */
+        ssh_disconnect(session);
+        ssh_free(session);
+    }
+
+exit:
+    ssh_bind_free(sshbind);
+    ssh_finalize();
+    return 0;
+}
--- a/examples/samplesftp.c
+++ b/examples/samplesftp.c
@@ -33,21 +33,18 @@ clients must be made or how a client should react.
 #define BUF_SIZE 65536
 #endif

-static int verbosity;
-static char *destination;
-
 static void do_sftp(ssh_session session) {
    sftp_session sftp = sftp_new(session);
    sftp_dir dir;
    sftp_attributes file;
    sftp_statvfs_t sftpstatvfs;
    struct statvfs sysstatvfs;
-    sftp_file fichier;
+    sftp_file source;
    sftp_file to;
    int len = 1;
    unsigned int i;
    char data[BUF_SIZE] = {0};
-    char *lnk;
+    char *lnk = NULL;

    unsigned int count;

@@ -86,6 +83,7 @@ static void do_sftp(ssh_session session) {
        goto end;
    }
    printf("readlink /tmp/sftp_symlink_test: %s\n", lnk);
+    ssh_string_free_char(lnk);

    sftp_unlink(sftp, "/tmp/sftp_symlink_test");

@@ -173,7 +171,7 @@ static void do_sftp(ssh_session session) {
        sftp_attributes_free(file);
    }

-    /* when file = NULL, an error has occured OR the directory listing is end of
+    /* when file = NULL, an error has occurred OR the directory listing is end of
     * file */
    if (!sftp_dir_eof(dir)) {
        fprintf(stderr, "Error: %s\n", ssh_get_error(session));
@@ -188,8 +186,8 @@ static void do_sftp(ssh_session session) {
    /* the small buffer size was intended to stress the library. of course, you
     * can use a buffer till 20kbytes without problem */

-    fichier = sftp_open(sftp, "/usr/bin/ssh", O_RDONLY, 0);
-    if (!fichier) {
+    source = sftp_open(sftp, "/usr/bin/ssh", O_RDONLY, 0);
+    if (!source) {
        fprintf(stderr, "Error opening /usr/bin/ssh: %s\n",
                ssh_get_error(session));
        goto end;
@@ -200,16 +198,16 @@ static void do_sftp(ssh_session session) {
    if (!to) {
        fprintf(stderr, "Error opening ssh-copy for writing: %s\n",
                ssh_get_error(session));
-        sftp_close(fichier);
+        sftp_close(source);
        goto end;
    }

-    while ((len = sftp_read(fichier, data, 4096)) > 0) {
+    while ((len = sftp_read(source, data, 4096)) > 0) {
        if (sftp_write(to, data, len) != len) {
            fprintf(stderr, "Error writing %d bytes: %s\n",
                    len, ssh_get_error(session));
            sftp_close(to);
-            sftp_close(fichier);
+            sftp_close(source);
            goto end;
        }
    }
@@ -219,10 +217,10 @@ static void do_sftp(ssh_session session) {
        fprintf(stderr, "Error reading file: %s\n", ssh_get_error(session));
    }

-    sftp_close(fichier);
+    sftp_close(source);
    sftp_close(to);
-    printf("fichiers ferm\n");
-    to = sftp_open(sftp, "/tmp/grosfichier", O_WRONLY|O_CREAT, 0644);
+    printf("file closed\n");
+    to = sftp_open(sftp, "/tmp/large_file", O_WRONLY|O_CREAT, 0644);

    for (i = 0; i < 1000; ++i) {
        len = sftp_write(to, data, sizeof(data));
@@ -243,50 +241,63 @@ static void usage(const char *argv0) {
    fprintf(stderr, "Usage : %s [-v] remotehost\n"
            "sample sftp test client - libssh-%s\n"
            "Options :\n"
+            "  -l user : log in as user\n"
+            "  -p port : connect to port\n"
            "  -v : increase log verbosity\n",
            argv0,
            ssh_version(0));
    exit(0);
 }

-static int opts(int argc, char **argv) {
-    int i;
+int main(int argc, char **argv)
+{
+    ssh_session session = NULL;
+    char *destination = NULL;
+    int auth = 0;
+    int state;

-    while ((i = getopt(argc, argv, "v")) != -1) {
-        switch(i) {
-        case 'v':
-            verbosity++;
-            break;
-        default:
-            fprintf(stderr, "unknown option %c\n", optopt);
-            usage(argv[0]);
-            return -1;
-        }
-    }
+    ssh_init();
+    session = ssh_new();

-    destination = argv[optind];
-    if (destination == NULL) {
+    if (ssh_options_getopt(session, &argc, argv)) {
+        fprintf(stderr,
+                "Error parsing command line: %s\n",
+                ssh_get_error(session));
+        ssh_free(session);
+        ssh_finalize();
        usage(argv[0]);
+        return EXIT_FAILURE;
+    }
+    if (argc < 1) {
+        usage(argv[0]);
+        return EXIT_FAILURE;
+    }
+    destination = argv[1];
+
+    if (ssh_options_set(session, SSH_OPTIONS_HOST, destination) < 0) {
        return -1;
    }
-    return 0;
-}
-
-int main(int argc, char **argv) {
-    ssh_session session;
-
-    if (opts(argc, argv) < 0) {
-        return EXIT_FAILURE;
+    if (ssh_connect(session)) {
+        fprintf(stderr, "Connection failed : %s\n", ssh_get_error(session));
+        return -1;
    }

-    session = connect_ssh(destination, NULL, verbosity);
-    if (session == NULL) {
-        return EXIT_FAILURE;
+    state = verify_knownhost(session);
+    if (state != 0) {
+        return -1;
+    }
+
+    auth = authenticate_console(session);
+    if (auth != SSH_AUTH_SUCCESS) {
+        return -1;
    }

    do_sftp(session);
    ssh_disconnect(session);
    ssh_free(session);
+
+    ssh_finalize();
+
    return 0;
 }

--- a/examples/samplesshd-cb.c
+++ b/examples/samplesshd-cb.c
@@ -172,20 +172,12 @@ static struct argp_option options[] = {
        .doc   = "Set the host key.",
        .group = 0
    },
-    {
-        .name  = "dsakey",
-        .key   = 'd',
-        .arg   = "FILE",
-        .flags = 0,
-        .doc   = "Set the dsa key.",
-        .group = 0
-    },
    {
        .name  = "rsakey",
        .key   = 'r',
        .arg   = "FILE",
        .flags = 0,
-        .doc   = "Set the rsa key.",
+        .doc   = "Set the rsa key (deprecated alias for 'k').",
        .group = 0
    },
    {
@@ -218,15 +210,10 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
        case 'p':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
            break;
-        case 'd':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
-            break;
+        case 'r':
        case 'k':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
            break;
-        case 'r':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, arg);
-            break;
        case 'v':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "3");
            break;
@@ -257,10 +244,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
 static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
 #endif /* HAVE_ARGP_H */

-int main(int argc, char **argv){
-    ssh_session session;
-    ssh_bind sshbind;
-    ssh_event mainloop;
+int main(int argc, char **argv)
+{
+    ssh_session session = NULL;
+    ssh_bind sshbind = NULL;
+    ssh_event mainloop = NULL;
    struct ssh_server_callbacks_struct cb = {
        .userdata = NULL,
        .auth_none_function = auth_none,
@@ -278,8 +266,7 @@ int main(int argc, char **argv){
    sshbind=ssh_bind_new();
    session=ssh_new();

-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, KEYS_FOLDER "ssh_host_rsa_key");

 #ifdef HAVE_ARGP_H
    /*
@@ -353,4 +340,3 @@ int main(int argc, char **argv){
    ssh_finalize();
    return 0;
 }
-
--- a/examples/samplesshd-kbdint.c
+++ b/examples/samplesshd-kbdint.c
@@ -112,20 +112,12 @@ static struct argp_option options[] = {
    .doc   = "Set the host key.",
    .group = 0
  },
-  {
-    .name  = "dsakey",
-    .key   = 'd',
-    .arg   = "FILE",
-    .flags = 0,
-    .doc   = "Set the dsa key.",
-    .group = 0
-  },
  {
    .name  = "rsakey",
    .key   = 'r',
    .arg   = "FILE",
    .flags = 0,
-    .doc   = "Set the rsa key.",
+    .doc   = "Set the rsa key (deprecated alias for 'k').",
    .group = 0
  },
  {
@@ -151,15 +143,10 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
      port = atoi(arg);
      break;
-    case 'd':
-      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
-      break;
+    case 'r':
    case 'k':
      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
      break;
-    case 'r':
-      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, arg);
-      break;
    case 'v':
      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "3");
      break;
@@ -187,8 +174,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
 static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
 #endif /* HAVE_ARGP_H */

-static const char *name;
-static const char *instruction;
+static const char *name = NULL;
+static const char *instruction = NULL;
 static const char *prompts[2];
 static char echo[] = { 1, 0 };

@@ -292,11 +279,12 @@ static int authenticate(ssh_session session) {
    return 0;
 }

-int main(int argc, char **argv){
-    ssh_session session;
-    ssh_bind sshbind;
-    ssh_message message;
-    ssh_channel chan=0;
+int main(int argc, char **argv)
+{
+    ssh_session session = NULL;
+    ssh_bind sshbind = NULL;
+    ssh_message message = NULL;
+    ssh_channel chan = NULL;
    char buf[BUF_SIZE];
    int auth=0;
    int shell=0;
@@ -306,10 +294,8 @@ int main(int argc, char **argv){
    sshbind=ssh_bind_new();
    session=ssh_new();

-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY,
-                                            KEYS_FOLDER "ssh_host_dsa_key");
-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,
-                                            KEYS_FOLDER "ssh_host_rsa_key");
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY,
+                         KEYS_FOLDER "ssh_host_rsa_key");

 #ifdef HAVE_ARGP_H
    /*
@@ -369,9 +355,9 @@ int main(int argc, char **argv){
        }
    } while(!chan);

-    if(!chan) {
-        printf("Error: cleint did not ask for a channel session (%s)\n",
-                                                    ssh_get_error(session));
+    if (!chan) {
+        printf("Error: client did not ask for a channel session (%s)\n",
+               ssh_get_error(session));
        ssh_finalize();
        return 1;
    }
@@ -426,4 +412,3 @@ int main(int argc, char **argv){
    ssh_finalize();
    return 0;
 }
-
--- a/examples/scp_download.c
+++ b/examples/scp_download.c
@@ -32,151 +32,163 @@ static const char *createcommand =
    "cd /tmp/libssh_tests && date > a && date > b && mkdir c && date > d";
 static char *host = NULL;

-static void usage(const char *argv0){
-  fprintf(stderr,"Usage : %s [options] host\n"
-      "sample tiny scp downloader client - libssh-%s\n"
-	  "This program will create files in /tmp and try to fetch them\n",
-//      "Options :\n",
-//      "  -r : use RSA to verify host public key\n",
-      argv0,
-      ssh_version(0));
-  exit(0);
+static void usage(const char *argv0)
+{
+    fprintf(stderr,
+            "Usage : %s [options] host\n"
+            "sample tiny scp downloader client - libssh-%s\n"
+            "This program will create files in /tmp and try to fetch them\n",
+            argv0,
+            ssh_version(0));
+    exit(0);
 }

-static int opts(int argc, char **argv){
-  int i;
-  while((i=getopt(argc,argv,"v"))!=-1){
-    switch(i){
-      case 'v':
-        verbosity++;
-        break;
-      default:
-        fprintf(stderr,"unknown option %c\n",optopt);
+static int opts(int argc, char **argv)
+{
+    int i;
+
+    while ((i = getopt(argc, argv, "v")) != -1) {
+        switch (i) {
+        case 'v':
+            verbosity++;
+            break;
+        default:
+            fprintf(stderr, "unknown option %c\n", optopt);
+            usage(argv[0]);
+            return -1;
+        }
+    }
+    host = argv[optind];
+    if (host == NULL)
        usage(argv[0]);
+    return 0;
+}
+
+static void create_files(ssh_session session)
+{
+    ssh_channel channel = ssh_channel_new(session);
+    char buffer[1];
+    int rc;
+
+    if (channel == NULL) {
+        fprintf(stderr, "Error creating channel: %s\n", ssh_get_error(session));
+        exit(EXIT_FAILURE);
+    }
+    if (ssh_channel_open_session(channel) != SSH_OK) {
+        fprintf(stderr, "Error creating channel: %s\n", ssh_get_error(session));
+        ssh_channel_free(channel);
+        exit(EXIT_FAILURE);
+    }
+    if (ssh_channel_request_exec(channel, createcommand) != SSH_OK) {
+        fprintf(stderr,
+                "Error executing command: %s\n",
+                ssh_get_error(session));
+        ssh_channel_close(channel);
+        ssh_channel_free(channel);
+        exit(EXIT_FAILURE);
+    }
+    while (!ssh_channel_is_eof(channel)) {
+        rc = ssh_channel_read(channel, buffer, 1, 1);
+        if (rc != 1) {
+            fprintf(stderr, "Error reading from channel\n");
+            ssh_channel_close(channel);
+            ssh_channel_free(channel);
+            return;
+        }
+
+        rc = write(1, buffer, 1);
+        if (rc < 0) {
+            fprintf(stderr, "Error writing to buffer\n");
+            ssh_channel_close(channel);
+            ssh_channel_free(channel);
+            return;
+        }
+    }
+    ssh_channel_close(channel);
+    ssh_channel_free(channel);
+}
+
+static int fetch_files(ssh_session session)
+{
+    int size;
+    char buffer[BUF_SIZE];
+    int mode;
+    char *filename = NULL;
+    int r;
+    ssh_scp scp = ssh_scp_new(session,
+                              SSH_SCP_READ | SSH_SCP_RECURSIVE,
+                              "/tmp/libssh_tests/*");
+    if (ssh_scp_init(scp) != SSH_OK) {
+        fprintf(stderr, "error initializing scp: %s\n", ssh_get_error(session));
+        ssh_scp_free(scp);
        return -1;
    }
-  }
-  host = argv[optind];
-  if(host == NULL)
-	  usage(argv[0]);
-  return 0;
+    printf("Trying to download 3 files (a,b,d) and 1 directory (c)\n");
+    do {
+        r = ssh_scp_pull_request(scp);
+        switch (r) {
+        case SSH_SCP_REQUEST_NEWFILE:
+            size = ssh_scp_request_get_size(scp);
+            filename = strdup(ssh_scp_request_get_filename(scp));
+            mode = ssh_scp_request_get_permissions(scp);
+            printf("downloading file %s, size %d, perms 0%o\n",
+                   filename,
+                   size,
+                   mode);
+            free(filename);
+            ssh_scp_accept_request(scp);
+            r = ssh_scp_read(scp, buffer, sizeof(buffer));
+            if (r == SSH_ERROR) {
+                fprintf(stderr,
+                        "Error reading scp: %s\n",
+                        ssh_get_error(session));
+                ssh_scp_close(scp);
+                ssh_scp_free(scp);
+                return -1;
+            }
+            printf("done\n");
+            break;
+        case SSH_ERROR:
+            fprintf(stderr, "Error: %s\n", ssh_get_error(session));
+            ssh_scp_close(scp);
+            ssh_scp_free(scp);
+            return -1;
+        case SSH_SCP_REQUEST_WARNING:
+            fprintf(stderr, "Warning: %s\n", ssh_scp_request_get_warning(scp));
+            break;
+        case SSH_SCP_REQUEST_NEWDIR:
+            filename = strdup(ssh_scp_request_get_filename(scp));
+            mode = ssh_scp_request_get_permissions(scp);
+            printf("downloading directory %s, perms 0%o\n", filename, mode);
+            free(filename);
+            ssh_scp_accept_request(scp);
+            break;
+        case SSH_SCP_REQUEST_ENDDIR:
+            printf("End of directory\n");
+            break;
+        case SSH_SCP_REQUEST_EOF:
+            printf("End of requests\n");
+            goto end;
+        }
+    } while (1);
+end:
+    ssh_scp_close(scp);
+    ssh_scp_free(scp);
+    return 0;
 }

-static void create_files(ssh_session session){
-	ssh_channel channel=ssh_channel_new(session);
-	char buffer[1];
-        int rc;
-
-	if(channel == NULL){
-		fprintf(stderr,"Error creating channel: %s\n",ssh_get_error(session));
-		exit(EXIT_FAILURE);
-	}
-	if(ssh_channel_open_session(channel) != SSH_OK){
-		fprintf(stderr,"Error creating channel: %s\n",ssh_get_error(session));
-		ssh_channel_free(channel);
-		exit(EXIT_FAILURE);
-	}
-	if(ssh_channel_request_exec(channel,createcommand) != SSH_OK){
-		fprintf(stderr,"Error executing command: %s\n",ssh_get_error(session));
-		ssh_channel_close(channel);
-		ssh_channel_free(channel);
-		exit(EXIT_FAILURE);
-	}
-	while(!ssh_channel_is_eof(channel)){
-		rc = ssh_channel_read(channel,buffer,1,1);
-                if (rc != 1) {
-                    fprintf(stderr, "Error reading from channel\n");
-                    ssh_channel_close(channel);
-                    ssh_channel_free(channel);
-                    return;
-                }
-
-                rc = write(1, buffer, 1);
-                if (rc < 0) {
-                    fprintf(stderr, "Error writing to buffer\n");
-                    ssh_channel_close(channel);
-                    ssh_channel_free(channel);
-                    return;
-                }
-	}
-	ssh_channel_close(channel);
-	ssh_channel_free(channel);
-}
-
-
-static int fetch_files(ssh_session session){
-  int size;
-  char buffer[BUF_SIZE];
-  int mode;
-  char *filename;
-  int r;
-  ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*");
-  if(ssh_scp_init(scp) != SSH_OK){
-	  fprintf(stderr,"error initializing scp: %s\n",ssh_get_error(session));
-	  ssh_scp_free(scp);
-	  return -1;
-  }
-  printf("Trying to download 3 files (a,b,d) and 1 directory (c)\n");
-  do {
-
-	  r=ssh_scp_pull_request(scp);
-	  switch(r){
-	  case SSH_SCP_REQUEST_NEWFILE:
-		  size=ssh_scp_request_get_size(scp);
-		  filename=strdup(ssh_scp_request_get_filename(scp));
-		  mode=ssh_scp_request_get_permissions(scp);
-		  printf("downloading file %s, size %d, perms 0%o\n",filename,size,mode);
-		  free(filename);
-		  ssh_scp_accept_request(scp);
-		  r=ssh_scp_read(scp,buffer,sizeof(buffer));
-		  if(r==SSH_ERROR){
-			  fprintf(stderr,"Error reading scp: %s\n",ssh_get_error(session));
-			  ssh_scp_close(scp);
-			  ssh_scp_free(scp);
-			  return -1;
-		  }
-		  printf("done\n");
-		  break;
-	  case SSH_ERROR:
-		  fprintf(stderr,"Error: %s\n",ssh_get_error(session));
-		  ssh_scp_close(scp);
-		  ssh_scp_free(scp);
-		  return -1;
-	  case SSH_SCP_REQUEST_WARNING:
-		  fprintf(stderr,"Warning: %s\n",ssh_scp_request_get_warning(scp));
-		  break;
-	  case SSH_SCP_REQUEST_NEWDIR:
-		  filename=strdup(ssh_scp_request_get_filename(scp));
-		  mode=ssh_scp_request_get_permissions(scp);
-		  printf("downloading directory %s, perms 0%o\n",filename,mode);
-		  free(filename);
-		  ssh_scp_accept_request(scp);
-		  break;
-	  case SSH_SCP_REQUEST_ENDDIR:
-		  printf("End of directory\n");
-		  break;
-	  case SSH_SCP_REQUEST_EOF:
-		  printf("End of requests\n");
-		  goto end;
-	  }
-  } while (1);
-  end:
-  ssh_scp_close(scp);
-  ssh_scp_free(scp);
-  return 0;
-}
-
-int main(int argc, char **argv){
-  ssh_session session;
-  if(opts(argc,argv)<0)
-    return EXIT_FAILURE;
-  session=connect_ssh(host,NULL,verbosity);
-  if(session == NULL)
-	  return EXIT_FAILURE;
-  create_files(session);
-  fetch_files(session);
-  ssh_disconnect(session);
-  ssh_free(session);
-  ssh_finalize();
-  return 0;
+int main(int argc, char **argv)
+{
+    ssh_session session = NULL;
+    if (opts(argc, argv) < 0)
+        return EXIT_FAILURE;
+    session = connect_ssh(host, NULL, verbosity);
+    if (session == NULL)
+        return EXIT_FAILURE;
+    create_files(session);
+    fetch_files(session);
+    ssh_disconnect(session);
+    ssh_free(session);
+    ssh_finalize();
+    return 0;
 }
--- a/examples/senddata.c
+++ b/examples/senddata.c
@@ -5,60 +5,60 @@

 #define LIMIT 0x100000000UL

-int main(void) {
-  ssh_session session;
-  ssh_channel channel;
-  char buffer[1024*1024];
-  int rc;
-  uint64_t total=0;
-  uint64_t lastshown=4096;
-  session = connect_ssh("localhost", NULL, 0);
-  if (session == NULL) {
-    return 1;
-  }
-
-  channel = ssh_channel_new(session);
-  if (channel == NULL) {
-    ssh_disconnect(session);
-    return 1;
-  }
-
-  rc = ssh_channel_open_session(channel);
-  if (rc < 0) {
-    ssh_channel_close(channel);
-    ssh_disconnect(session);
-    return 1;
-  }
-
-  rc = ssh_channel_request_exec(channel, "cat > /dev/null");
-  if (rc < 0) {
-    ssh_channel_close(channel);
-    ssh_disconnect(session);
-    return 1;
-  }
-
-
-  while ((rc = ssh_channel_write(channel, buffer, sizeof(buffer))) > 0) {
-    total += rc;
-    if(total/2 >= lastshown){
-      printf("written %llx\n", (long long unsigned int) total);
-      lastshown=total;
+int main(void)
+{
+    ssh_session session = NULL;
+    ssh_channel channel = NULL;
+    char buffer[1024 * 1024] = {0};
+    int rc;
+    uint64_t total = 0;
+    uint64_t lastshown = 4096;
+    session = connect_ssh("localhost", NULL, 0);
+    if (session == NULL) {
+        return 1;
    }
-    if(total > LIMIT)
-      break;
-  }
-    
-  if (rc < 0) {
-    printf("error : %s\n",ssh_get_error(session));
+
+    channel = ssh_channel_new(session);
+    if (channel == NULL) {
+        ssh_disconnect(session);
+        return 1;
+    }
+
+    rc = ssh_channel_open_session(channel);
+    if (rc < 0) {
+        ssh_channel_close(channel);
+        ssh_disconnect(session);
+        return 1;
+    }
+
+    rc = ssh_channel_request_exec(channel, "cat > /dev/null");
+    if (rc < 0) {
+        ssh_channel_close(channel);
+        ssh_disconnect(session);
+        return 1;
+    }
+
+    while ((rc = ssh_channel_write(channel, buffer, sizeof(buffer))) > 0) {
+        total += rc;
+        if (total / 2 >= lastshown) {
+            printf("written %llx\n", (long long unsigned int)total);
+            lastshown = total;
+        }
+        if (total > LIMIT)
+            break;
+    }
+
+    if (rc < 0) {
+        printf("error : %s\n", ssh_get_error(session));
+        ssh_channel_close(channel);
+        ssh_disconnect(session);
+        return 1;
+    }
+
+    ssh_channel_send_eof(channel);
    ssh_channel_close(channel);
+
    ssh_disconnect(session);
-    return 1;
-  }

-  ssh_channel_send_eof(channel);
-  ssh_channel_close(channel);
-
-  ssh_disconnect(session);
-
-  return 0;
+    return 0;
 }
--- a/examples/ssh_X11_client.c
+++ b/examples/ssh_X11_client.c
--- a/examples/ssh_client.c
+++ b/examples/ssh_client.c
@@ -53,7 +53,7 @@ static struct termios terminal;

 static char *pcap_file = NULL;

-static char *proxycommand;
+static char *proxycommand = NULL;

 static int auth_callback(const char *prompt,
                         char *buf,
@@ -94,7 +94,6 @@ static void usage(void)
            "Options :\n"
            "  -l user : log in as user\n"
            "  -p port : connect to port\n"
-            "  -d : use DSS to verify host public key\n"
            "  -r : use RSA to verify host public key\n"
            "  -F file : parse configuration file instead of default one\n"
 #ifdef WITH_PCAP
@@ -252,7 +251,7 @@ static void select_loop(ssh_session session,ssh_channel channel)

 static void shell(ssh_session session)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    struct termios terminal_local;
    int interactive=isatty(0);

@@ -298,25 +297,41 @@ static void shell(ssh_session session)
 static void batch_shell(ssh_session session)
 {
    ssh_channel channel;
-    char buffer[PATH_MAX];
-    size_t i;
-    int s = 0;
-
-    for (i = 0; i < MAXCMD && cmds[i]; ++i) {
-        s += snprintf(buffer + s, sizeof(buffer) - s, "%s ", cmds[i]);
-    }
+    char *buffer = NULL;
+    size_t i, s, n;

    channel = ssh_channel_new(session);
    if (channel == NULL) {
        return;
    }

-    ssh_channel_open_session(channel);
-    if (ssh_channel_request_exec(channel, buffer)) {
-        printf("Error executing '%s' : %s\n", buffer, ssh_get_error(session));
+    n = 0;
+    for (i = 0; i < MAXCMD && cmds[i]; ++i) {
+        /* Including space after cmds[i] */
+        n += strlen(cmds[i]) + 1;
+    }
+    /* Trailing \0 */
+    n += 1;
+
+    buffer = malloc(n);
+    if (buffer == NULL) {
        ssh_channel_free(channel);
        return;
    }
+
+    s = 0;
+    for (i = 0; i < MAXCMD && cmds[i]; ++i) {
+        s += snprintf(buffer + s, n - s, "%s ", cmds[i]);
+    }
+
+    ssh_channel_open_session(channel);
+    if (ssh_channel_request_exec(channel, buffer)) {
+        printf("Error executing '%s' : %s\n", buffer, ssh_get_error(session));
+        free(buffer);
+        ssh_channel_free(channel);
+        return;
+    }
+    free(buffer);
    select_loop(session, channel);
    ssh_channel_free(channel);
 }
@@ -324,7 +339,7 @@ static void batch_shell(ssh_session session)
 static int client(ssh_session session)
 {
    int auth = 0;
-    char *banner;
+    char *banner = NULL;
    int state;

    if (user) {
@@ -408,7 +423,7 @@ static void cleanup_pcap(void)

 int main(int argc, char **argv)
 {
-    ssh_session session;
+    ssh_session session = NULL;

    ssh_init();
    session = ssh_new();
--- a/examples/ssh_server.c
+++ b/examples/ssh_server.c
@@ -45,36 +45,10 @@ The goal is to show the API in action.
 #define BUF_SIZE 1048576
 #endif

-#ifndef KEYS_FOLDER
-#ifdef _WIN32
-#define KEYS_FOLDER
-#else
-#define KEYS_FOLDER "/etc/ssh/"
-#endif
-#endif
-
 #define SESSION_END (SSH_CLOSED | SSH_CLOSED_ERROR)
 #define SFTP_SERVER_PATH "/usr/lib/sftp-server"
+#define AUTH_KEYS_MAX_LINE_SIZE 2048

-static void set_default_keys(ssh_bind sshbind,
-                             int rsa_already_set,
-                             int dsa_already_set,
-                             int ecdsa_already_set) {
-    if (!rsa_already_set) {
-        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,
-                             KEYS_FOLDER "ssh_host_rsa_key");
-    }
-    if (!dsa_already_set) {
-        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY,
-                             KEYS_FOLDER "ssh_host_dsa_key");
-    }
-    if (!ecdsa_already_set) {
-        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY,
-                             KEYS_FOLDER "ssh_host_ecdsa_key");
-    }
-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY,
-                         KEYS_FOLDER "ssh_host_ed25519_key");
-}
 #define DEF_STR_SIZE 1024
 char authorizedkeys[DEF_STR_SIZE] = {0};
 char username[128] = "myuser";
@@ -109,20 +83,12 @@ static struct argp_option options[] = {
                 "Implies no default keys.",
        .group = 0
    },
-    {
-        .name  = "dsakey",
-        .key   = 'd',
-        .arg   = "FILE",
-        .flags = 0,
-        .doc   = "Set the dsa key.",
-        .group = 0
-    },
    {
        .name  = "rsakey",
        .key   = 'r',
        .arg   = "FILE",
        .flags = 0,
-        .doc   = "Set the rsa key.",
+        .doc   = "Set the rsa key (deprecated alias for 'k').",
        .group = 0
    },
    {
@@ -130,7 +96,7 @@ static struct argp_option options[] = {
        .key   = 'e',
        .arg   = "FILE",
        .flags = 0,
-        .doc   = "Set the ecdsa key.",
+        .doc   = "Set the ecdsa key (deprecated alias for 'k').",
        .group = 0
    },
    {
@@ -157,14 +123,6 @@ static struct argp_option options[] = {
        .doc   = "Set expected password.",
        .group = 0
    },
-    {
-        .name  = "no-default-keys",
-        .key   = 'n',
-        .arg   = NULL,
-        .flags = 0,
-        .doc   = "Do not set default key locations.",
-        .group = 0
-    },
    {
        .name  = "verbose",
        .key   = 'v',
@@ -177,75 +135,53 @@ static struct argp_option options[] = {
 };

 /* Parse a single option. */
-static error_t parse_opt (int key, char *arg, struct argp_state *state) {
+static error_t
+parse_opt(int key, char *arg, struct argp_state *state)
+{
    /* Get the input argument from argp_parse, which we
     * know is a pointer to our arguments structure. */
    ssh_bind sshbind = state->input;
-    static int no_default_keys = 0;
-    static int rsa_already_set = 0, dsa_already_set = 0, ecdsa_already_set = 0;

    switch (key) {
-        case 'n':
-            no_default_keys = 1;
-            break;
-        case 'p':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
-            break;
-        case 'd':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
-            dsa_already_set = 1;
-            break;
-        case 'k':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
-            /* We can't track the types of keys being added with this
-               option, so let's ensure we keep the keys we're adding
-               by just not setting the default keys */
-            no_default_keys = 1;
-            break;
-        case 'r':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, arg);
-            rsa_already_set = 1;
-            break;
-        case 'e':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY, arg);
-            ecdsa_already_set = 1;
-            break;
-        case 'a':
-            strncpy(authorizedkeys, arg, DEF_STR_SIZE-1);
-            break;
-        case 'u':
-            strncpy(username, arg, sizeof(username) - 1);
-            break;
-        case 'P':
-            strncpy(password, arg, sizeof(password) - 1);
-            break;
-        case 'v':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR,
-                                 "3");
-            break;
-        case ARGP_KEY_ARG:
-            if (state->arg_num >= 1) {
-                /* Too many arguments. */
-                argp_usage (state);
-            }
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDADDR, arg);
-            break;
-        case ARGP_KEY_END:
-            if (state->arg_num < 1) {
-                /* Not enough arguments. */
-                argp_usage (state);
-            }
-
-            if (!no_default_keys) {
-                set_default_keys(sshbind,
-                                 rsa_already_set,
-                                 dsa_already_set,
-                                 ecdsa_already_set);
-            }
-
-            break;
-        default:
-            return ARGP_ERR_UNKNOWN;
+    case 'p':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
+        break;
+    case 'k':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+        break;
+    case 'r':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+        break;
+    case 'e':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+        break;
+    case 'a':
+        strncpy(authorizedkeys, arg, DEF_STR_SIZE - 1);
+        break;
+    case 'u':
+        strncpy(username, arg, sizeof(username) - 1);
+        break;
+    case 'P':
+        strncpy(password, arg, sizeof(password) - 1);
+        break;
+    case 'v':
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "3");
+        break;
+    case ARGP_KEY_ARG:
+        if (state->arg_num >= 1) {
+            /* Too many arguments. */
+            argp_usage(state);
+        }
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDADDR, arg);
+        break;
+    case ARGP_KEY_END:
+        if (state->arg_num < 1) {
+            /* Not enough arguments. */
+            argp_usage(state);
+        }
+        break;
+    default:
+        return ARGP_ERR_UNKNOWN;
    }
    return 0;
 }
@@ -253,33 +189,20 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
 /* Our argp parser. */
 static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
 #else
-static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
-    int no_default_keys = 0;
-    int rsa_already_set = 0;
-    int dsa_already_set = 0;
-    int ecdsa_already_set = 0;
+static int
+parse_opt(int argc, char **argv, ssh_bind sshbind)
+{
    int key;

-    while((key = getopt(argc, argv, "a:d:e:k:np:P:r:u:v")) != -1) {
-        if (key == 'n') {
-            no_default_keys = 1;
-        } else if (key == 'p') {
+    while((key = getopt(argc, argv, "a:e:k:p:P:r:u:v")) != -1) {
+        if (key == 'p') {
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, optarg);
-        } else if (key == 'd') {
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, optarg);
-            dsa_already_set = 1;
        } else if (key == 'k') {
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, optarg);
-            /* We can't track the types of keys being added with this
-            option, so let's ensure we keep the keys we're adding
-            by just not setting the default keys */
-            no_default_keys = 1;
        } else if (key == 'r') {
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, optarg);
-            rsa_already_set = 1;
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, optarg);
        } else if (key == 'e') {
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY, optarg);
-            ecdsa_already_set = 1;
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, optarg);
        } else if (key == 'a') {
            strncpy(authorizedkeys, optarg, DEF_STR_SIZE-1);
        } else if (key == 'u') {
@@ -299,14 +222,12 @@ static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
               "libssh %s -- a Secure Shell protocol implementation\n"
               "\n"
               "  -a, --authorizedkeys=FILE  Set the authorized keys file.\n"
-               "  -d, --dsakey=FILE          Set the dsa key.\n"
-               "  -e, --ecdsakey=FILE        Set the ecdsa key.\n"
+               "  -e, --ecdsakey=FILE        Set the ecdsa key (deprecated alias for 'k').\n"
               "  -k, --hostkey=FILE         Set a host key.  Can be used multiple times.\n"
               "                             Implies no default keys.\n"
-               "  -n, --no-default-keys      Do not set default key locations.\n"
               "  -p, --port=PORT            Set the port to bind.\n"
               "  -P, --pass=PASSWORD        Set expected password.\n"
-               "  -r, --rsakey=FILE          Set the rsa key.\n"
+               "  -r, --rsakey=FILE          Set the rsa key (deprecated alias for 'k').\n"
               "  -u, --user=USERNAME        Set expected username.\n"
               "  -v, --verbose              Get verbose output.\n"
               "  -?, --help                 Give this help list\n"
@@ -326,13 +247,6 @@ static int parse_opt(int argc, char **argv, ssh_bind sshbind) {

    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDADDR, argv[optind]);

-    if (!no_default_keys) {
-        set_default_keys(sshbind,
-                         rsa_already_set,
-                         dsa_already_set,
-                         ecdsa_already_set);
-    }
-
    return 0;
 }
 #endif /* HAVE_ARGP_H */
@@ -363,49 +277,74 @@ struct session_data_struct {
    int authenticated;
 };

-static int data_function(ssh_session session, ssh_channel channel, void *data,
-                         uint32_t len, int is_stderr, void *userdata) {
-    struct channel_data_struct *cdata = (struct channel_data_struct *) userdata;
+static int
+data_function(ssh_session session,
+              ssh_channel channel,
+              void *data,
+              uint32_t len,
+              int is_stderr,
+              void *userdata)
+{
+    struct channel_data_struct *cdata = (struct channel_data_struct *)userdata;

-    (void) session;
-    (void) channel;
-    (void) is_stderr;
+    (void)session;
+    (void)channel;
+    (void)is_stderr;

    if (len == 0 || cdata->pid < 1 || kill(cdata->pid, 0) < 0) {
        return 0;
    }

-    return write(cdata->child_stdin, (char *) data, len);
+    return write(cdata->child_stdin, (char *)data, len);
 }

-static int pty_request(ssh_session session, ssh_channel channel,
-                       const char *term, int cols, int rows, int py, int px,
-                       void *userdata) {
+static int
+pty_request(ssh_session session,
+            ssh_channel channel,
+            const char *term,
+            int cols,
+            int rows,
+            int py,
+            int px,
+            void *userdata)
+{
    struct channel_data_struct *cdata = (struct channel_data_struct *)userdata;
+    int rc;

-    (void) session;
-    (void) channel;
-    (void) term;
+    (void)session;
+    (void)channel;
+    (void)term;

    cdata->winsize->ws_row = rows;
    cdata->winsize->ws_col = cols;
    cdata->winsize->ws_xpixel = px;
    cdata->winsize->ws_ypixel = py;

-    if (openpty(&cdata->pty_master, &cdata->pty_slave, NULL, NULL,
-                cdata->winsize) != 0) {
+    rc = openpty(&cdata->pty_master,
+                 &cdata->pty_slave,
+                 NULL,
+                 NULL,
+                 cdata->winsize);
+    if (rc != 0) {
        fprintf(stderr, "Failed to open pty\n");
        return SSH_ERROR;
    }
    return SSH_OK;
 }

-static int pty_resize(ssh_session session, ssh_channel channel, int cols,
-                      int rows, int py, int px, void *userdata) {
+static int
+pty_resize(ssh_session session,
+           ssh_channel channel,
+           int cols,
+           int rows,
+           int py,
+           int px,
+           void *userdata)
+{
    struct channel_data_struct *cdata = (struct channel_data_struct *)userdata;

-    (void) session;
-    (void) channel;
+    (void)session;
+    (void)channel;

    cdata->winsize->ws_row = rows;
    cdata->winsize->ws_col = cols;
@@ -419,30 +358,36 @@ static int pty_resize(ssh_session session, ssh_channel channel, int cols,
    return SSH_ERROR;
 }

-static int exec_pty(const char *mode, const char *command,
-                    struct channel_data_struct *cdata) {
-    switch(cdata->pid = fork()) {
-        case -1:
-            close(cdata->pty_master);
-            close(cdata->pty_slave);
-            fprintf(stderr, "Failed to fork\n");
-            return SSH_ERROR;
-        case 0:
-            close(cdata->pty_master);
-            if (login_tty(cdata->pty_slave) != 0) {
-                exit(1);
-            }
-            execl("/bin/sh", "sh", mode, command, NULL);
-            exit(0);
-        default:
-            close(cdata->pty_slave);
-            /* pty fd is bi-directional */
-            cdata->child_stdout = cdata->child_stdin = cdata->pty_master;
+static int
+exec_pty(const char *mode,
+         const char *command,
+         struct channel_data_struct *cdata)
+{
+    cdata->pid = fork();
+    switch (cdata->pid) {
+    case -1:
+        close(cdata->pty_master);
+        close(cdata->pty_slave);
+        fprintf(stderr, "Failed to fork\n");
+        return SSH_ERROR;
+    case 0:
+        close(cdata->pty_master);
+        if (login_tty(cdata->pty_slave) != 0) {
+            exit(1);
+        }
+        execl("/bin/sh", "sh", mode, command, NULL);
+        exit(0);
+    default:
+        close(cdata->pty_slave);
+        /* pty fd is bi-directional */
+        cdata->child_stdout = cdata->child_stdin = cdata->pty_master;
    }
    return SSH_OK;
 }

-static int exec_nopty(const char *command, struct channel_data_struct *cdata) {
+static int
+exec_nopty(const char *command, struct channel_data_struct *cdata)
+{
    int in[2], out[2], err[2];

    /* Do the plumbing to be able to talk with the child process. */
@@ -456,23 +401,24 @@ static int exec_nopty(const char *command, struct channel_data_struct *cdata) {
        goto stderr_failed;
    }

-    switch(cdata->pid = fork()) {
-        case -1:
-            goto fork_failed;
-        case 0:
-            /* Finish the plumbing in the child process. */
-            close(in[1]);
-            close(out[0]);
-            close(err[0]);
-            dup2(in[0], STDIN_FILENO);
-            dup2(out[1], STDOUT_FILENO);
-            dup2(err[1], STDERR_FILENO);
-            close(in[0]);
-            close(out[1]);
-            close(err[1]);
-            /* exec the requested command. */
-            execl("/bin/sh", "sh", "-c", command, NULL);
-            exit(0);
+    cdata->pid = fork();
+    switch (cdata->pid) {
+    case -1:
+        goto fork_failed;
+    case 0:
+        /* Finish the plumbing in the child process. */
+        close(in[1]);
+        close(out[0]);
+        close(err[0]);
+        dup2(in[0], STDIN_FILENO);
+        dup2(out[1], STDOUT_FILENO);
+        dup2(err[1], STDERR_FILENO);
+        close(in[0]);
+        close(out[1]);
+        close(err[1]);
+        /* exec the requested command. */
+        execl("/bin/sh", "sh", "-c", command, NULL);
+        exit(0);
    }

    close(in[0]);
@@ -498,15 +444,18 @@ stdin_failed:
    return SSH_ERROR;
 }

-static int exec_request(ssh_session session, ssh_channel channel,
-                        const char *command, void *userdata) {
-    struct channel_data_struct *cdata = (struct channel_data_struct *) userdata;
+static int
+exec_request(ssh_session session,
+             ssh_channel channel,
+             const char *command,
+             void *userdata)
+{
+    struct channel_data_struct *cdata = (struct channel_data_struct *)userdata;

+    (void)session;
+    (void)channel;

-    (void) session;
-    (void) channel;
-
-    if(cdata->pid > 0) {
+    if (cdata->pid > 0) {
        return SSH_ERROR;
    }

@@ -516,14 +465,15 @@ static int exec_request(ssh_session session, ssh_channel channel,
    return exec_nopty(command, cdata);
 }

-static int shell_request(ssh_session session, ssh_channel channel,
-                         void *userdata) {
-    struct channel_data_struct *cdata = (struct channel_data_struct *) userdata;
+static int
+shell_request(ssh_session session, ssh_channel channel, void *userdata)
+{
+    struct channel_data_struct *cdata = (struct channel_data_struct *)userdata;

-    (void) session;
-    (void) channel;
+    (void)session;
+    (void)channel;

-    if(cdata->pid > 0) {
+    if (cdata->pid > 0) {
        return SSH_ERROR;
    }

@@ -534,20 +484,28 @@ static int shell_request(ssh_session session, ssh_channel channel,
    return SSH_OK;
 }

-static int subsystem_request(ssh_session session, ssh_channel channel,
-                             const char *subsystem, void *userdata) {
-    /* subsystem requests behave simillarly to exec requests. */
+static int
+subsystem_request(ssh_session session,
+                  ssh_channel channel,
+                  const char *subsystem,
+                  void *userdata)
+{
+    /* subsystem requests behave similarly to exec requests. */
    if (strcmp(subsystem, "sftp") == 0) {
        return exec_request(session, channel, SFTP_SERVER_PATH, userdata);
    }
    return SSH_ERROR;
 }

-static int auth_password(ssh_session session, const char *user,
-                         const char *pass, void *userdata) {
-    struct session_data_struct *sdata = (struct session_data_struct *) userdata;
+static int
+auth_password(ssh_session session,
+              const char *user,
+              const char *pass,
+              void *userdata)
+{
+    struct session_data_struct *sdata = (struct session_data_struct *)userdata;

-    (void) session;
+    (void)session;

    if (strcmp(user, username) == 0 && strcmp(pass, password) == 0) {
        sdata->authenticated = 1;
@@ -558,16 +516,26 @@ static int auth_password(ssh_session session, const char *user,
    return SSH_AUTH_DENIED;
 }

-static int auth_publickey(ssh_session session,
-                          const char *user,
-                          struct ssh_key_struct *pubkey,
-                          char signature_state,
-                          void *userdata)
+static int
+auth_publickey(ssh_session session,
+               const char *user,
+               struct ssh_key_struct *pubkey,
+               char signature_state,
+               void *userdata)
 {
-    struct session_data_struct *sdata = (struct session_data_struct *) userdata;
+    struct session_data_struct *sdata = (struct session_data_struct *)userdata;
+    ssh_key key = NULL;
+    FILE *fp = NULL;
+    char line[AUTH_KEYS_MAX_LINE_SIZE] = {0};
+    char *p = NULL;
+    const char *q = NULL;
+    unsigned int lineno = 0;
+    int result;
+    int i;
+    enum ssh_keytypes_e type;

-    (void) user;
-    (void) session;
+    (void)user;
+    (void)session;

    if (signature_state == SSH_PUBLICKEY_STATE_NONE) {
        return SSH_AUTH_SUCCESS;
@@ -577,45 +545,107 @@ static int auth_publickey(ssh_session session,
        return SSH_AUTH_DENIED;
    }

-    // valid so far.  Now look through authorized keys for a match
-    if (authorizedkeys[0]) {
-        ssh_key key = NULL;
-        int result;
-        struct stat buf;
-
-        if (stat(authorizedkeys, &buf) == 0) {
-            result = ssh_pki_import_pubkey_file( authorizedkeys, &key );
-            if ((result != SSH_OK) || (key==NULL)) {
-                fprintf(stderr,
-                        "Unable to import public key file %s\n",
-                        authorizedkeys);
-            } else {
-                result = ssh_key_cmp( key, pubkey, SSH_KEY_CMP_PUBLIC );
-                ssh_key_free(key);
-                if (result == 0) {
-                    sdata->authenticated = 1;
-                    return SSH_AUTH_SUCCESS;
-                }
-            }
-        }
+    fp = fopen(authorizedkeys, "r");
+    if (fp == NULL) {
+        fprintf(stderr, "Error: opening authorized keys file %s failed, reason: %s\n",
+                authorizedkeys, strerror(errno));
+        return SSH_AUTH_DENIED;
    }

-    // no matches
-    sdata->authenticated = 0;
+    while (fgets(line, sizeof(line), fp)) {
+        lineno++;
+
+        /* Skip leading whitespace and ignore comments */
+        p = line;
+
+        for (i = 0; i < AUTH_KEYS_MAX_LINE_SIZE; i++) {
+            if (!isspace((int)p[i])) {
+                break;
+            }
+        }
+
+        if (i >= AUTH_KEYS_MAX_LINE_SIZE) {
+            fprintf(stderr,
+                    "warning: The line %d in %s too long! Skipping.\n",
+                    lineno,
+                    authorizedkeys);
+            continue;
+        }
+
+        if (p[i] == '#' || p[i] == '\0' || p[i] == '\n') {
+            continue;
+        }
+
+        q = &p[i];
+        for (; i < AUTH_KEYS_MAX_LINE_SIZE; i++) {
+            if (isspace((int)p[i])) {
+                p[i] = '\0';
+                break;
+            }
+        }
+
+        type = ssh_key_type_from_name(q);
+
+        i++;
+        if (i >= AUTH_KEYS_MAX_LINE_SIZE) {
+            fprintf(stderr,
+                    "warning: The line %d in %s too long! Skipping.\n",
+                    lineno,
+                    authorizedkeys);
+            continue;
+        }
+
+        q = &p[i];
+        for (; i < AUTH_KEYS_MAX_LINE_SIZE; i++) {
+            if (isspace((int)p[i])) {
+                p[i] = '\0';
+                break;
+            }
+        }
+
+        result = ssh_pki_import_pubkey_base64(q, type, &key);
+        if (result != SSH_OK) {
+            fprintf(stderr,
+                    "Warning: Cannot import key on line no. %d in authorized keys file: %s\n",
+                    lineno,
+                    authorizedkeys);
+            continue;
+        }
+
+        result = ssh_key_cmp(key, pubkey, SSH_KEY_CMP_PUBLIC);
+        ssh_key_free(key);
+        if (result == 0) {
+            sdata->authenticated = 1;
+            fclose(fp);
+            return SSH_AUTH_SUCCESS;
+        }
+    }
+    if (ferror(fp) != 0) {
+        fprintf(stderr,
+                "Error: Reading from authorized keys file %s failed, reason: %s\n",
+                authorizedkeys, strerror(errno));
+    }
+    fclose(fp);
+
+    /* no matches */
    return SSH_AUTH_DENIED;
 }

-static ssh_channel channel_open(ssh_session session, void *userdata) {
-    struct session_data_struct *sdata = (struct session_data_struct *) userdata;
+static ssh_channel
+channel_open(ssh_session session, void *userdata)
+{
+    struct session_data_struct *sdata = (struct session_data_struct *)userdata;

    sdata->channel = ssh_channel_new(session);
    return sdata->channel;
 }

-static int process_stdout(socket_t fd, int revents, void *userdata) {
+static int
+process_stdout(socket_t fd, int revents, void *userdata)
+{
    char buf[BUF_SIZE];
    int n = -1;
-    ssh_channel channel = (ssh_channel) userdata;
+    ssh_channel channel = (ssh_channel)userdata;

    if (channel != NULL && (revents & POLLIN) != 0) {
        n = read(fd, buf, BUF_SIZE);
@@ -627,10 +657,12 @@ static int process_stdout(socket_t fd, int revents, void *userdata) {
    return n;
 }

-static int process_stderr(socket_t fd, int revents, void *userdata) {
+static int
+process_stderr(socket_t fd, int revents, void *userdata)
+{
    char buf[BUF_SIZE];
    int n = -1;
-    ssh_channel channel = (ssh_channel) userdata;
+    ssh_channel channel = (ssh_channel)userdata;

    if (channel != NULL && (revents & POLLIN) != 0) {
        n = read(fd, buf, BUF_SIZE);
@@ -642,7 +674,9 @@ static int process_stderr(socket_t fd, int revents, void *userdata) {
    return n;
 }

-static void handle_session(ssh_event event, ssh_session session) {
+static void
+handle_session(ssh_event event, ssh_session session)
+{
    int n;
    int rc = 0;

@@ -755,8 +789,8 @@ static void handle_session(ssh_event event, ssh_session session) {
                ssh_channel_close(sdata.channel);
            }
        }
-    } while(ssh_channel_is_open(sdata.channel) &&
-            (cdata.pid == 0 || waitpid(cdata.pid, &rc, WNOHANG) == 0));
+    } while (ssh_channel_is_open(sdata.channel) &&
+             (cdata.pid == 0 || waitpid(cdata.pid, &rc, WNOHANG) == 0));

    close(cdata.pty_master);
    close(cdata.child_stdin);
@@ -789,12 +823,14 @@ static void handle_session(ssh_event event, ssh_session session) {

 #ifdef WITH_FORK
 /* SIGCHLD handler for cleaning up dead children. */
-static void sigchld_handler(int signo) {
-    (void) signo;
+static void sigchld_handler(int signo)
+{
+    (void)signo;
    while (waitpid(-1, NULL, WNOHANG) > 0);
 }
 #else
-static void *session_thread(void *arg) {
+static void *session_thread(void *arg)
+{
    ssh_session session = arg;
    ssh_event event;

@@ -813,9 +849,10 @@ static void *session_thread(void *arg) {
 }
 #endif

-int main(int argc, char **argv) {
-    ssh_bind sshbind;
-    ssh_session session;
+int main(int argc, char **argv)
+{
+    ssh_bind sshbind = NULL;
+    ssh_session session = NULL;
    int rc;
 #ifdef WITH_FORK
    struct sigaction sa;
@@ -853,7 +890,8 @@ int main(int argc, char **argv) {
    }
 #endif /* HAVE_ARGP_H */

-    if(ssh_bind_listen(sshbind) < 0) {
+    rc = ssh_bind_listen(sshbind);
+    if (rc < 0) {
        fprintf(stderr, "%s\n", ssh_get_error(sshbind));
        ssh_bind_free(sshbind);
        ssh_finalize();
@@ -868,34 +906,36 @@ int main(int argc, char **argv) {
        }

        /* Blocks until there is a new incoming connection. */
-        if(ssh_bind_accept(sshbind, session) != SSH_ERROR) {
+        rc = ssh_bind_accept(sshbind, session);
+        if (rc != SSH_ERROR) {
 #ifdef WITH_FORK
            ssh_event event;

-            switch(fork()) {
-                case 0:
-                    /* Remove the SIGCHLD handler inherited from parent. */
-                    sa.sa_handler = SIG_DFL;
-                    sigaction(SIGCHLD, &sa, NULL);
-                    /* Remove socket binding, which allows us to restart the
-                     * parent process, without terminating existing sessions. */
-                    ssh_bind_free(sshbind);
+            pid_t pid = fork();
+            switch (pid) {
+            case 0:
+                /* Remove the SIGCHLD handler inherited from parent. */
+                sa.sa_handler = SIG_DFL;
+                sigaction(SIGCHLD, &sa, NULL);
+                /* Remove socket binding, which allows us to restart the
+                 * parent process, without terminating existing sessions. */
+                ssh_bind_free(sshbind);

-                    event = ssh_event_new();
-                    if (event != NULL) {
-                        /* Blocks until the SSH session ends by either
-                         * child process exiting, or client disconnecting. */
-                        handle_session(event, session);
-                        ssh_event_free(event);
-                    } else {
-                        fprintf(stderr, "Could not create polling context\n");
-                    }
-                    ssh_disconnect(session);
-                    ssh_free(session);
+                event = ssh_event_new();
+                if (event != NULL) {
+                    /* Blocks until the SSH session ends by either
+                     * child process exiting, or client disconnecting. */
+                    handle_session(event, session);
+                    ssh_event_free(event);
+                } else {
+                    fprintf(stderr, "Could not create polling context\n");
+                }
+                ssh_disconnect(session);
+                ssh_free(session);

-                    exit(0);
-                case -1:
-                    fprintf(stderr, "Failed to fork\n");
+                exit(0);
+            case -1:
+                fprintf(stderr, "Failed to fork\n");
            }
 #else
            pthread_t tid;
--- a/examples/sshd_direct-tcpip.c
+++ b/examples/sshd_direct-tcpip.c
@@ -15,7 +15,7 @@ clients must be made or how a client should react.

 /*
 Example:
-  ./sshd_direct-tcpip -v -p 2022 -d serverkey.dsa -r serverkey.rsa 127.0.0.1
+  ./sshd_direct-tcpip -v -p 2022 -r serverkey.rsa 127.0.0.1
 */

 #include "config.h"
@@ -27,6 +27,9 @@ clients must be made or how a client should react.
 #ifdef HAVE_ARGP_H
 #include <argp.h>
 #endif
+#ifndef _WIN32
+#include <netinet/in.h>
+#endif
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <stdbool.h>
@@ -91,8 +94,11 @@ cleanup_push(struct cleanup_node_struct** head_ref,
 {
    // Allocate memory for node
    struct cleanup_node_struct *new_node = malloc(sizeof *new_node);
+    if (new_node == NULL) {
+        return;
+    }

-    if (head_ref != NULL) {
+    if (*head_ref != NULL) {
        new_node->next = *head_ref;
    } else {
        new_node->next = NULL;
@@ -197,7 +203,7 @@ subsystem_request(UNUSED_PARAM(ssh_session session),
                  UNUSED_PARAM(void *userdata))
 {
    _ssh_log(SSH_LOG_PROTOCOL,
-             "=== subsystem_request", "Channel subsystem reqeuest: %s",
+             "=== subsystem_request", "Channel subsystem request: %s",
             subsystem);
    return 0;
 }
@@ -293,7 +299,7 @@ my_channel_eof_function(ssh_session session,

    _ssh_log(SSH_LOG_PROTOCOL,
             "=== my_channel_eof_function",
-             "Got EOF on channel. Shuting down write on socket (fd = %d).",
+             "Got EOF on channel. Shutting down write on socket (fd = %d).",
             *event_fd_data->p_fd);

    stack_socket_close(session, event_fd_data);
@@ -355,7 +361,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd),
 {
    struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
    ssh_channel channel = event_fd_data->channel;
-    ssh_session session;
+    ssh_session session = NULL;
    int len, i, wr;
    char buf[BUF_SIZE];
    int blocking;
@@ -449,8 +455,8 @@ open_tcp_socket(ssh_message msg)
 {
    struct sockaddr_in sin;
    int forwardsock = -1;
-    struct hostent *host;
-    const char *dest_hostname;
+    struct hostent *host = NULL;
+    const char *dest_hostname = NULL;
    int dest_port;

    forwardsock = socket(AF_INET, SOCK_STREAM, 0);
@@ -493,8 +499,8 @@ message_callback(UNUSED_PARAM(ssh_session session),
                 UNUSED_PARAM(void *userdata))
 {
    ssh_channel channel;
-    int socket_fd, *pFd;
-    struct ssh_channel_callbacks_struct *cb_chan;
+    int socket_fd, *pFd = NULL;
+    struct ssh_channel_callbacks_struct *cb_chan = NULL;
    struct event_fd_data_struct *event_fd_data;

    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d",
@@ -520,7 +526,7 @@ message_callback(UNUSED_PARAM(ssh_session session),
                }

                pFd = malloc(sizeof *pFd);
-                cb_chan = malloc(sizeof *cb_chan);
+                cb_chan = calloc(1, sizeof *cb_chan);
                event_fd_data = malloc(sizeof *event_fd_data);
                if (pFd == NULL || cb_chan == NULL || event_fd_data == NULL) {
                    SAFE_FREE(pFd);
@@ -583,20 +589,12 @@ static struct argp_option options[] = {
        .doc   = "Set the host key.",
        .group = 0
    },
-    {
-        .name  = "dsakey",
-        .key   = 'd',
-        .arg   = "FILE",
-        .flags = 0,
-        .doc   = "Set the dsa key.",
-        .group = 0
-    },
    {
        .name  = "rsakey",
        .key   = 'r',
        .arg   = "FILE",
        .flags = 0,
-        .doc   = "Set the rsa key.",
+        .doc   = "Set the rsa key (deprecated alias for 'k').",
        .group = 0
    },
    {
@@ -623,15 +621,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
        case 'p':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
            break;
-        case 'd':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
-            break;
+        case 'r':
        case 'k':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
            break;
-        case 'r':
-            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, arg);
-            break;
        case 'v':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "1");
            break;
@@ -662,8 +655,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
 int
 main(int argc, char **argv)
 {
-    ssh_session session;
-    ssh_bind sshbind;
+    ssh_session session = NULL;
+    ssh_bind sshbind = NULL;
    struct ssh_server_callbacks_struct cb = {
        .userdata = NULL,
        .auth_password_function = auth_password,
@@ -682,8 +675,7 @@ main(int argc, char **argv)
    session = ssh_new();
    mainloop = ssh_event_new();

-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
-    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, KEYS_FOLDER "ssh_host_rsa_key");

 #ifdef HAVE_ARGP_H
    /*
--- a/examples/sshnetcat.c
+++ b/examples/sshnetcat.c
@@ -39,222 +39,237 @@ clients must be made or how a client should react.
 #define BUF_SIZE 4096
 #endif

-char *host;
-const char *desthost="localhost";
-const char *port="22";
+char *host = NULL;
+const char *desthost = "localhost";
+const char *port = "22";

 #ifdef WITH_PCAP
 #include <libssh/pcap.h>
-char *pcap_file=NULL;
+char *pcap_file = NULL;
 #endif

 static void usage(void)
 {
-  fprintf(stderr,"Usage : sshnetcat [user@]host forwarded_host forwarded_port\n");
-  exit(1);
+    fprintf(stderr,
+            "Usage : sshnetcat [user@]host forwarded_host forwarded_port\n");
+    exit(1);
 }

-static int opts(int argc, char **argv){
+static int opts(int argc, char **argv)
+{
    int i;
-    while((i=getopt(argc,argv,"P:"))!=-1){
-        switch(i){
+    while ((i = getopt(argc, argv, "P:")) != -1) {
+        switch (i) {
 #ifdef WITH_PCAP
-        	case 'P':
-        		pcap_file=optarg;
-        		break;
+        case 'P':
+            pcap_file = optarg;
+            break;
 #endif
-            default:
-                fprintf(stderr,"unknown option %c\n",optopt);
-                usage();
+        default:
+            fprintf(stderr, "unknown option %c\n", optopt);
+            usage();
        }
    }
-    if(optind < argc)
-        host=argv[optind++];
-    if(optind < argc)
-        desthost=argv[optind++];
-    if(optind < argc)
-        port=argv[optind++];
-    if(host==NULL)
+    if (optind < argc)
+        host = argv[optind++];
+    if (optind < argc)
+        desthost = argv[optind++];
+    if (optind < argc)
+        port = argv[optind++];
+    if (host == NULL)
        usage();
    return 0;
 }

-static void select_loop(ssh_session session,ssh_channel channel){
-	fd_set fds;
-	struct timeval timeout;
-	char buffer[BUF_SIZE];
-	/* channels will be set to the channels to poll.
-	 * outchannels will contain the result of the poll
-	 */
-	ssh_channel channels[2], outchannels[2];
-	int lus;
-	int eof=0;
-	int maxfd;
-	int ret;
-	while(channel){
-		do{
+static void select_loop(ssh_session session, ssh_channel channel)
+{
+    fd_set fds;
+    struct timeval timeout;
+    char buffer[BUF_SIZE];
+    /* channels will be set to the channels to poll.
+     * outchannels will contain the result of the poll
+     */
+    ssh_channel channels[2], outchannels[2];
+    int lus;
+    int eof = 0;
+    int maxfd;
+    int ret;
+    while (channel) {
+        do {
            int fd;

            ZERO_STRUCT(fds);
-			FD_ZERO(&fds);
-			if(!eof)
-				FD_SET(0,&fds);
-			timeout.tv_sec=30;
-			timeout.tv_usec=0;
+            FD_ZERO(&fds);
+            if (!eof)
+                FD_SET(0, &fds);
+            timeout.tv_sec = 30;
+            timeout.tv_usec = 0;

            fd = ssh_get_fd(session);
            if (fd == -1) {
-                fprintf(stderr, "Error getting the session file descriptor: %s\n",
-                                ssh_get_error(session));
+                fprintf(stderr,
+                        "Error getting the session file descriptor: %s\n",
+                        ssh_get_error(session));
                return;
            }
            FD_SET(fd, &fds);
            maxfd = fd + 1;

-			channels[0]=channel; // set the first channel we want to read from
-			channels[1]=NULL;
-			ret=ssh_select(channels,outchannels,maxfd,&fds,&timeout);
-			if(ret==EINTR)
-				continue;
-			if(FD_ISSET(0,&fds)){
-				lus=read(0,buffer,sizeof(buffer));
-				if(lus)
-					ssh_channel_write(channel,buffer,lus);
-				else {
-					eof=1;
-					ssh_channel_send_eof(channel);
-				}
-			}
-			if(channel && ssh_channel_is_closed(channel)){
-				ssh_channel_free(channel);
-				channel=NULL;
-				channels[0]=NULL;
-			}
-			if(outchannels[0]){
-				while(channel && ssh_channel_is_open(channel) && ssh_channel_poll(channel,0)){
-					lus = ssh_channel_read(channel,buffer,sizeof(buffer),0);
-					if(lus==-1){
-						fprintf(stderr, "Error reading channel: %s\n",
-								ssh_get_error(session));
-						return;
-					}
-					if(lus==0){
-						ssh_channel_free(channel);
-						channel=channels[0]=NULL;
-					} else {
-						ret = write(1, buffer, lus);
-						if (ret < 0) {
-							fprintf(stderr, "Error writing to stdin: %s",
-								strerror(errno));
-							return;
-						}
-					}
-				}
-				while(channel && ssh_channel_is_open(channel) && ssh_channel_poll(channel,1)){ /* stderr */
-					lus = ssh_channel_read(channel, buffer, sizeof(buffer), 1);
-					if(lus==-1){
-						fprintf(stderr, "Error reading channel: %s\n",
-								ssh_get_error(session));
-						return;
-					}
-					if(lus==0){
-						ssh_channel_free(channel);
-						channel=channels[0]=NULL;
-					} else {
-						ret = write(2, buffer, lus);
-						if (ret < 0) {
-							fprintf(stderr, "Error writing to stderr: %s",
-								strerror(errno));
-							return;
-						}
+            channels[0] = channel; // set the first channel we want to read from
+            channels[1] = NULL;
+            ret = ssh_select(channels, outchannels, maxfd, &fds, &timeout);
+            if (ret == EINTR)
+                continue;
+            if (FD_ISSET(0, &fds)) {
+                lus = read(0, buffer, sizeof(buffer));
+                if (lus)
+                    ssh_channel_write(channel, buffer, lus);
+                else {
+                    eof = 1;
+                    ssh_channel_send_eof(channel);
+                }
+            }
+            if (channel && ssh_channel_is_closed(channel)) {
+                ssh_channel_free(channel);
+                channel = NULL;
+                channels[0] = NULL;
+            }
+            if (outchannels[0]) {
+                while (channel && ssh_channel_is_open(channel) &&
+                       ssh_channel_poll(channel, 0)) {
+                    lus = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+                    if (lus == -1) {
+                        fprintf(stderr,
+                                "Error reading channel: %s\n",
+                                ssh_get_error(session));
+                        return;
                    }
-				}
-			}
-			if(channel && ssh_channel_is_closed(channel)){
-				ssh_channel_free(channel);
-				channel=NULL;
-			}
-		} while (ret==EINTR || ret==SSH_EINTR);
-
-	}
+                    if (lus == 0) {
+                        ssh_channel_free(channel);
+                        channel = channels[0] = NULL;
+                    } else {
+                        ret = write(1, buffer, lus);
+                        if (ret < 0) {
+                            fprintf(stderr,
+                                    "Error writing to stdin: %s",
+                                    strerror(errno));
+                            return;
+                        }
+                    }
+                }
+                while (channel && ssh_channel_is_open(channel) &&
+                       ssh_channel_poll(channel, 1)) { /* stderr */
+                    lus = ssh_channel_read(channel, buffer, sizeof(buffer), 1);
+                    if (lus == -1) {
+                        fprintf(stderr,
+                                "Error reading channel: %s\n",
+                                ssh_get_error(session));
+                        return;
+                    }
+                    if (lus == 0) {
+                        ssh_channel_free(channel);
+                        channel = channels[0] = NULL;
+                    } else {
+                        ret = write(2, buffer, lus);
+                        if (ret < 0) {
+                            fprintf(stderr,
+                                    "Error writing to stderr: %s",
+                                    strerror(errno));
+                            return;
+                        }
+                    }
+                }
+            }
+            if (channel && ssh_channel_is_closed(channel)) {
+                ssh_channel_free(channel);
+                channel = NULL;
+            }
+        } while (ret == EINTR || ret == SSH_EINTR);
+    }
 }

-static void forwarding(ssh_session session){
+static void forwarding(ssh_session session)
+{
    ssh_channel channel;
    int r;
    channel = ssh_channel_new(session);
    r = ssh_channel_open_forward(channel, desthost, atoi(port), "localhost", 22);
-    if(r<0) {
-        printf("error forwarding port : %s\n",ssh_get_error(session));
+    if (r < 0) {
+        printf("error forwarding port : %s\n", ssh_get_error(session));
        return;
    }
-    select_loop(session,channel);
+    select_loop(session, channel);
 }

-static int client(ssh_session session){
-  int auth=0;
-  char *banner;
-  int state;
+static int client(ssh_session session)
+{
+    int auth = 0;
+    char *banner = NULL;
+    int state;

-  if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0)
-    return -1;
-  ssh_options_parse_config(session, NULL);
+    if (ssh_options_set(session, SSH_OPTIONS_HOST, host) < 0)
+        return -1;
+    ssh_options_parse_config(session, NULL);

-  if(ssh_connect(session)){
-      fprintf(stderr,"Connection failed : %s\n",ssh_get_error(session));
-      return -1;
-  }
-  state=verify_knownhost(session);
-  if (state != 0)
-  	return -1;
-  ssh_userauth_none(session, NULL);
-  banner=ssh_get_issue_banner(session);
-  if(banner){
-      printf("%s\n",banner);
-      free(banner);
-  }
-  auth=authenticate_console(session);
-  if(auth != SSH_AUTH_SUCCESS){
-  	return -1;
-  }
- 	forwarding(session);
-  return 0;
+    if (ssh_connect(session)) {
+        fprintf(stderr, "Connection failed : %s\n", ssh_get_error(session));
+        return -1;
+    }
+    state = verify_knownhost(session);
+    if (state != 0)
+        return -1;
+    ssh_userauth_none(session, NULL);
+    banner = ssh_get_issue_banner(session);
+    if (banner) {
+        printf("%s\n", banner);
+        free(banner);
+    }
+    auth = authenticate_console(session);
+    if (auth != SSH_AUTH_SUCCESS) {
+        return -1;
+    }
+    forwarding(session);
+    return 0;
 }

 #ifdef WITH_PCAP
 ssh_pcap_file pcap;
 void set_pcap(ssh_session session);
-void set_pcap(ssh_session session){
-	if(!pcap_file)
-		return;
-	pcap=ssh_pcap_file_new();
-	if(ssh_pcap_file_open(pcap,pcap_file) == SSH_ERROR){
-		printf("Error opening pcap file\n");
-		ssh_pcap_file_free(pcap);
-		pcap=NULL;
-		return;
-	}
-	ssh_set_pcap_file(session,pcap);
+void set_pcap(ssh_session session)
+{
+    if (!pcap_file)
+        return;
+    pcap = ssh_pcap_file_new();
+    if (ssh_pcap_file_open(pcap, pcap_file) == SSH_ERROR) {
+        printf("Error opening pcap file\n");
+        ssh_pcap_file_free(pcap);
+        pcap = NULL;
+        return;
+    }
+    ssh_set_pcap_file(session, pcap);
 }

 void cleanup_pcap(void);
-void cleanup_pcap(){
-	ssh_pcap_file_free(pcap);
-	pcap=NULL;
+void cleanup_pcap(void)
+{
+    ssh_pcap_file_free(pcap);
+    pcap = NULL;
 }
 #endif

-int main(int argc, char **argv){
-    ssh_session session;
+int main(int argc, char **argv)
+{
+    ssh_session session = NULL;

    session = ssh_new();

-    if(ssh_options_getopt(session, &argc, argv)) {
-      fprintf(stderr, "error parsing command line :%s\n",
-          ssh_get_error(session));
-      usage();
+    if (ssh_options_getopt(session, &argc, argv)) {
+        fprintf(stderr,
+                "error parsing command line :%s\n",
+                ssh_get_error(session));
+        usage();
    }
-    opts(argc,argv);
+    opts(argc, argv);
 #ifdef WITH_PCAP
    set_pcap(session);
 #endif
--- a/include/libssh/CMakeLists.txt
+++ b/include/libssh/CMakeLists.txt
@@ -20,6 +20,13 @@ if (WITH_SERVER)
    ${libssh_HDRS}
    server.h
  )
+
+  if (WITH_SFTP)
+    set(libssh_HDRS
+        ${libssh_HDRS}
+        sftpserver.h
+    )
+  endif (WITH_SFTP)
 endif (WITH_SERVER)

 install(
--- a/include/libssh/agent.h
+++ b/include/libssh/agent.h
@@ -70,6 +70,10 @@
 #define SSH_AGENT_RSA_SHA2_256                   0x02
 #define SSH_AGENT_RSA_SHA2_512                   0x04

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_agent_struct {
  struct ssh_socket_struct *sock;
  ssh_buffer ident;
@@ -115,4 +119,8 @@ ssh_string ssh_agent_sign_data(ssh_session session,
                               const ssh_key pubkey,
                               struct ssh_buffer_struct *data);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* __AGENT_H */
--- a/include/libssh/auth.h
+++ b/include/libssh/auth.h
@@ -23,6 +23,10 @@
 #include "config.h"
 #include "libssh/callbacks.h"

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_userauth_banner);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_failure);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_success);
@@ -100,4 +104,8 @@ enum ssh_auth_service_state_e {
  SSH_AUTH_SERVICE_DENIED,
 };

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* AUTH_H_ */
--- a/include/libssh/bignum.h
+++ b/include/libssh/bignum.h
@@ -25,9 +25,17 @@
 #include "libssh/libgcrypt.h"
 #include "libssh/libmbedcrypto.h"

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 bignum ssh_make_string_bn(ssh_string string);
 ssh_string ssh_make_bignum_string(bignum num);
+ssh_string ssh_make_padded_bignum_string(bignum num, size_t pad_len);
 void ssh_print_bignum(const char *which, const_bignum num);

+#ifdef __cplusplus
+}
+#endif

 #endif /* BIGNUM_H_ */
--- a/include/libssh/bind.h
+++ b/include/libssh/bind.h
@@ -25,6 +25,10 @@
 #include "libssh/kex.h"
 #include "libssh/session.h"

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_bind_struct {
  struct ssh_common_struct common; /* stuff common to ssh_bind and ssh_session */
  struct ssh_bind_callbacks_struct *bind_callbacks;
@@ -35,11 +39,9 @@ struct ssh_bind_struct {
  char *wanted_methods[SSH_KEX_METHODS];
  char *banner;
  char *ecdsakey;
-  char *dsakey;
  char *rsakey;
  char *ed25519key;
  ssh_key ecdsa;
-  ssh_key dsa;
  ssh_key rsa;
  ssh_key ed25519;
  char *bindaddr;
@@ -57,5 +59,8 @@ struct ssh_bind_struct {
 struct ssh_poll_handle_struct *ssh_bind_get_poll(struct ssh_bind_struct
    *sshbind);

+#ifdef __cplusplus
+}
+#endif

 #endif /* BIND_H_ */
--- a/include/libssh/bind_config.h
+++ b/include/libssh/bind_config.h
@@ -28,6 +28,10 @@

 #include "libssh/server.h"

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 enum ssh_bind_config_opcode_e {
    /* Known but not allowed in Match block */
    BIND_CFG_NOT_ALLOWED_IN_MATCH = -4,
@@ -71,4 +75,8 @@ int ssh_bind_config_parse_file(ssh_bind sshbind, const char *filename);
 */
 int ssh_bind_config_parse_string(ssh_bind bind, const char *input);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* BIND_CONFIG_H_ */
--- a/include/libssh/blf.h
+++ b/include/libssh/blf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: blf.h,v 1.7 2007/03/14 17:59:41 grunk Exp $ */
+/* $OpenBSD: blf.h,v 1.8 2021/11/29 01:04:45 djm Exp $ */
 /*
 * Blowfish - a fast block cipher designed by Bruce Schneier
 *
@@ -13,10 +13,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
+ * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
@@ -49,6 +46,10 @@
 #define BLF_MAXKEYLEN ((BLF_N-2)*4)	/* 448 bits */
 #define BLF_MAXUTILIZED ((BLF_N+2)*4)	/* 576 bits */

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* Blowfish context */
 typedef struct BlowfishContext {
 	uint32_t S[4][256];	/* S-Boxes */
@@ -84,4 +85,9 @@ void ssh_blf_cbc_decrypt(ssh_blf_ctx *, uint8_t *, uint8_t *, uint32_t);
 uint32_t Blowfish_stream2word(const uint8_t *, uint16_t , uint16_t *);

 #endif /* !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) */
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _BLF_H */
--- a/include/libssh/buffer.h
+++ b/include/libssh/buffer.h
@@ -27,6 +27,10 @@

 #define SSH_BUFFER_PACK_END ((uint32_t) 0x4f65feb3)

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void ssh_buffer_set_secure(ssh_buffer buffer);
 int ssh_buffer_add_ssh_string(ssh_buffer buffer, ssh_string string);
 int ssh_buffer_add_u8(ssh_buffer buffer, uint8_t data);
@@ -38,10 +42,6 @@ int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len);

 void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len);
 int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, uint32_t len);
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
-                       const char *format,
-                       size_t argc,
-                       va_list ap);
 int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
                     const char *format,
                     size_t argc,
@@ -74,4 +74,8 @@ ssh_string ssh_buffer_get_ssh_string(ssh_buffer buffer);
 uint32_t ssh_buffer_pass_bytes_end(ssh_buffer buffer, uint32_t len);
 uint32_t ssh_buffer_pass_bytes(ssh_buffer buffer, uint32_t len);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* BUFFER_H_ */
--- a/include/libssh/callbacks.h
+++ b/include/libssh/callbacks.h
@@ -27,6 +27,7 @@

 #include <libssh/libssh.h>
 #include <string.h>
+#include <stdbool.h>

 #ifdef __cplusplus
 extern "C" {
@@ -81,9 +82,9 @@ typedef void (*ssh_log_callback) (ssh_session session, int priority,
 *
 * @param priority  Priority of the log, the smaller being the more important.
 *
- * @param function  The function name calling the the logging fucntions.
+ * @param function  The function name calling the logging functions.
 *
- * @param message   The actual message
+ * @param buffer   The actual message
 *
 * @param userdata Userdata to be passed to the callback function.
 */
@@ -117,6 +118,8 @@ typedef void (*ssh_global_request_callback) (ssh_session session,
 * sends back an X11 connection attempt. This is a client-side API
 * @param session current session handler
 * @param userdata Userdata to be passed to the callback function.
+ * @param originator_address    IP address of the machine who sent the request
+ * @param originator_port   port number of the machine who sent the request
 * @returns a valid ssh_channel handle if the request is to be allowed
 * @returns NULL if the request should not be allowed
 * @warning The channel pointer returned by this callback must be closed by the application.
@@ -136,6 +139,26 @@ typedef ssh_channel (*ssh_channel_open_request_x11_callback) (ssh_session sessio
 typedef ssh_channel (*ssh_channel_open_request_auth_agent_callback) (ssh_session session,
      void *userdata);

+/**
+ * @brief Handles an SSH new channel open "forwarded-tcpip" request. This
+ * happens when the server forwards an incoming TCP connection on a port it was
+ * previously requested to listen on. This is a client-side API
+ * @param session current session handler
+ * @param destination_address the address that the TCP connection connected to
+ * @param destination_port the port that the TCP connection connected to
+ * @param originator_address the originator IP address
+ * @param originator_port the originator port
+ * @param userdata Userdata to be passed to the callback function.
+ * @returns a valid ssh_channel handle if the request is to be allowed
+ * @returns NULL if the request should not be allowed
+ * @warning The channel pointer returned by this callback must be closed by the
+ * application.
+ */
+typedef ssh_channel (*ssh_channel_open_request_forwarded_tcpip_callback) (ssh_session session,
+      const char *destination_address, int destination_port,
+      const char *originator_address, int originator_port,
+      void *userdata);
+
 /**
 * The structure to replace libssh functions with appropriate callbacks.
 */
@@ -169,6 +192,11 @@ struct ssh_callbacks_struct {
  /** This function will be called when an incoming "auth-agent" request is received.
   */
  ssh_channel_open_request_auth_agent_callback channel_open_request_auth_agent_function;
+  /**
+   * This function will be called when an incoming "forwarded-tcpip"
+   * request is received.
+   */
+  ssh_channel_open_request_forwarded_tcpip_callback channel_open_request_forwarded_tcpip_function;
 };
 typedef struct ssh_callbacks_struct *ssh_callbacks;

@@ -255,6 +283,7 @@ typedef ssh_channel (*ssh_channel_open_request_session_callback) (ssh_session se

 /*
 * @brief handle the beginning of a GSSAPI authentication, server side.
+ *        Callback should select the oid and also acquire the server credential.
 * @param session current session handler
 * @param user the username of the client
 * @param n_oid number of available oids
@@ -268,7 +297,7 @@ typedef ssh_string (*ssh_gssapi_select_oid_callback) (ssh_session session, const
 		int n_oid, ssh_string *oids, void *userdata);

 /*
- * @brief handle the negociation of a security context, server side.
+ * @brief handle the negotiation of a security context, server side.
 * @param session current session handler
 * @param[in] input_token input token provided by client
 * @param[out] output_token output of the gssapi accept_sec_context method,
@@ -296,6 +325,28 @@ typedef int (*ssh_gssapi_accept_sec_ctx_callback) (ssh_session session,
 typedef int (*ssh_gssapi_verify_mic_callback) (ssh_session session,
 		ssh_string mic, void *mic_buffer, size_t mic_buffer_size, void *userdata);

+/**
+ * @brief Handles an SSH new channel open "direct-tcpip" request. This
+ * happens when the client forwards an incoming TCP connection on a port it
+ * wants to forward to the destination. This is a server-side API
+ * @param session current session handler
+ * @param destination_address the address that the TCP connection connected to
+ * @param destination_port the port that the TCP connection connected to
+ * @param originator_address the originator IP address
+ * @param originator_port the originator port
+ * @param userdata Userdata to be passed to the callback function.
+ * @returns a valid ssh_channel handle if the request is to be allowed
+ * @returns NULL if the request should not be allowed
+ * @warning The channel pointer returned by this callback must be closed by the
+ * application.
+ */
+typedef ssh_channel (*ssh_channel_open_request_direct_tcpip_callback)(
+    ssh_session session,
+    const char *destination_address,
+    int destination_port,
+    const char *originator_address,
+    int originator_port,
+    void *userdata);

 /**
 * This structure can be used to implement a libssh server, with appropriate callbacks.
@@ -337,6 +388,7 @@ struct ssh_server_callbacks_struct {
   */
  ssh_channel_open_request_session_callback channel_open_request_session_function;
  /** This function will be called when a new gssapi authentication is attempted.
+   * This should select the oid and acquire credential for the server.
   */
  ssh_gssapi_select_oid_callback gssapi_select_oid_function;
  /** This function will be called when a gssapi token comes in.
@@ -345,6 +397,12 @@ struct ssh_server_callbacks_struct {
  /* This function will be called when a MIC needs to be verified.
   */
  ssh_gssapi_verify_mic_callback gssapi_verify_mic_function;
+  /**
+   * This function will be called when an incoming "direct-tcpip"
+   * request is received.
+   */
+  ssh_channel_open_request_direct_tcpip_callback
+      channel_open_request_direct_tcpip_function;
 };
 typedef struct ssh_server_callbacks_struct *ssh_server_callbacks;

@@ -397,7 +455,7 @@ struct ssh_socket_callbacks_struct {
   */
  ssh_callback_int_int exception;
  /** This function is called when the ssh_socket_connect was used on the socket
-   * on nonblocking state, and the connection successed.
+   * on nonblocking state, and the connection succeeded.
   */
  ssh_callback_int_int connected;
 };
@@ -625,6 +683,7 @@ typedef void (*ssh_channel_signal_callback) (ssh_session session,
 * @brief SSH channel exit status callback. Called when a channel has received an exit status
 * @param session Current session handler
 * @param channel the actual channel
+ * @param exit_status Exit status of the ran command
 * @param userdata Userdata to be passed to the callback function.
 */
 typedef void (*ssh_channel_exit_status_callback) (ssh_session session,
@@ -637,7 +696,7 @@ typedef void (*ssh_channel_exit_status_callback) (ssh_session session,
 * @param session Current session handler
 * @param channel the actual channel
 * @param signal the signal name (without the SIG prefix)
- * @param core a boolean telling wether a core has been dumped or not
+ * @param core a boolean telling whether a core has been dumped or not
 * @param errmsg the description of the exception
 * @param lang the language of the description (format: RFC 3066)
 * @param userdata Userdata to be passed to the callback function.
@@ -652,12 +711,13 @@ typedef void (*ssh_channel_exit_signal_callback) (ssh_session session,

 /**
 * @brief SSH channel PTY request from a client.
+ * @param session the session
 * @param channel the channel
 * @param term The type of terminal emulation
 * @param width width of the terminal, in characters
 * @param height height of the terminal, in characters
 * @param pxwidth width of the terminal, in pixels
- * @param pxheight height of the terminal, in pixels
+ * @param pwheight height of the terminal, in pixels
 * @param userdata Userdata to be passed to the callback function.
 * @returns 0 if the pty request is accepted
 * @returns -1 if the request is denied
@@ -671,6 +731,7 @@ typedef int (*ssh_channel_pty_request_callback) (ssh_session session,

 /**
 * @brief SSH channel Shell request from a client.
+ * @param session the session
 * @param channel the channel
 * @param userdata Userdata to be passed to the callback function.
 * @returns 0 if the shell request is accepted
@@ -683,6 +744,7 @@ typedef int (*ssh_channel_shell_request_callback) (ssh_session session,
 * @brief SSH auth-agent-request from the client. This request is
 * sent by a client when agent forwarding is available.
 * Server is free to ignore this callback, no answer is expected.
+ * @param session the session
 * @param channel the channel
 * @param userdata Userdata to be passed to the callback function.
 */
@@ -694,7 +756,12 @@ typedef void (*ssh_channel_auth_agent_req_callback) (ssh_session session,
 * @brief SSH X11 request from the client. This request is
 * sent by a client when X11 forwarding is requested(and available).
 * Server is free to ignore this callback, no answer is expected.
+ * @param session the session
 * @param channel the channel
+ * @param single_connection If true, only one channel should be forwarded
+ * @param auth_protocol The X11 authentication method to be used
+ * @param auth_cookie   Authentication cookie encoded hexadecimal
+ * @param screen_number Screen number
 * @param userdata Userdata to be passed to the callback function.
 */
 typedef void (*ssh_channel_x11_req_callback) (ssh_session session,
@@ -706,11 +773,12 @@ typedef void (*ssh_channel_x11_req_callback) (ssh_session session,
                                            void *userdata);
 /**
 * @brief SSH channel PTY windows change (terminal size) from a client.
+ * @param session the session
 * @param channel the channel
 * @param width width of the terminal, in characters
 * @param height height of the terminal, in characters
 * @param pxwidth width of the terminal, in pixels
- * @param pxheight height of the terminal, in pixels
+ * @param pwheight height of the terminal, in pixels
 * @param userdata Userdata to be passed to the callback function.
 * @returns 0 if the pty request is accepted
 * @returns -1 if the request is denied
@@ -723,6 +791,7 @@ typedef int (*ssh_channel_pty_window_change_callback) (ssh_session session,

 /**
 * @brief SSH channel Exec request from a client.
+ * @param session the session
 * @param channel the channel
 * @param command the shell command to be executed
 * @param userdata Userdata to be passed to the callback function.
@@ -736,6 +805,7 @@ typedef int (*ssh_channel_exec_request_callback) (ssh_session session,

 /**
 * @brief SSH channel environment request from a client.
+ * @param session the session
 * @param channel the channel
 * @param env_name name of the environment value to be set
 * @param env_value value of the environment value to be set
@@ -752,6 +822,7 @@ typedef int (*ssh_channel_env_request_callback) (ssh_session session,
                                            void *userdata);
 /**
 * @brief SSH channel subsystem request from a client.
+ * @param session the session
 * @param channel the channel
 * @param subsystem the subsystem required
 * @param userdata Userdata to be passed to the callback function.
@@ -766,6 +837,8 @@ typedef int (*ssh_channel_subsystem_request_callback) (ssh_session session,
 /**
 * @brief SSH channel write will not block (flow control).
 *
+ * @param session the session
+ *
 * @param channel the channel
 *
 * @param[in] bytes size of the remote window in bytes. Writing as much data
@@ -780,6 +853,28 @@ typedef int (*ssh_channel_write_wontblock_callback) (ssh_session session,
                                                     uint32_t bytes,
                                                     void *userdata);

+/**
+ * @brief SSH channel open callback. Called when a channel open succeeds or fails.
+ * @param session Current session handler
+ * @param channel the actual channel
+ * @param is_success is 1 when the open succeeds, and 0 otherwise.
+ * @param userdata Userdata to be passed to the callback function.
+ */
+typedef void (*ssh_channel_open_resp_callback) (ssh_session session,
+                                                ssh_channel channel,
+                                                bool is_success,
+                                                void *userdata);
+
+/**
+ * @brief SSH channel request response callback. Called when a response to the pending request is received.
+ * @param session Current session handler
+ * @param channel the actual channel
+ * @param userdata Userdata to be passed to the callback function.
+ */
+typedef void (*ssh_channel_request_resp_callback) (ssh_session session,
+                                                   ssh_channel channel,
+                                                   void *userdata);
+
 struct ssh_channel_callbacks_struct {
  /** DON'T SET THIS use ssh_callbacks_init() instead. */
  size_t size;
@@ -847,6 +942,14 @@ struct ssh_channel_callbacks_struct {
   * not to block.
   */
  ssh_channel_write_wontblock_callback channel_write_wontblock_function;
+  /**
+   * This functions will be called when the channel has received a channel open confirmation or failure.
+   */
+  ssh_channel_open_resp_callback channel_open_response_function;
+  /**
+   * This functions will be called when the channel has received the response to the pending request.
+   */
+  ssh_channel_request_resp_callback channel_request_response_function;
 };

 typedef struct ssh_channel_callbacks_struct *ssh_channel_callbacks;
@@ -917,7 +1020,7 @@ LIBSSH_API int ssh_remove_channel_callbacks(ssh_channel channel,

 /** @} */

-/** @group libssh_threads
+/** @addtogroup libssh_threads
 * @{
 */

@@ -983,13 +1086,14 @@ LIBSSH_API struct ssh_threads_callbacks_struct *ssh_threads_get_pthread(void);
 * @see ssh_threads_set_callbacks
 */
 LIBSSH_API struct ssh_threads_callbacks_struct *ssh_threads_get_noop(void);
+/** @} */

 /**
 * @brief Set the logging callback function.
 *
 * @param[in]  cb  The callback to set.
 *
- * @return         0 on success, < 0 on errror.
+ * @return         0 on success, < 0 on error.
 */
 LIBSSH_API int ssh_set_log_callback(ssh_logging_callback cb);

@@ -1000,7 +1104,45 @@ LIBSSH_API int ssh_set_log_callback(ssh_logging_callback cb);
 */
 LIBSSH_API ssh_logging_callback ssh_get_log_callback(void);

-/** @} */
+/**
+ * @brief SSH proxyjump before connection callback. Called before calling
+ * ssh_connect()
+ * @param session Jump session handler
+ * @param userdata Userdata to be passed to the callback function.
+ *
+ * @return         0 on success, < 0 on error.
+ */
+typedef int (*ssh_jump_before_connection_callback)(ssh_session session,
+                                                   void *userdata);
+
+/**
+ * @brief SSH proxyjump verify knownhost callback. Verify the host.
+ *        If not specified default function will be used.
+ * @param session Jump session handler
+ * @param userdata Userdata to be passed to the callback function.
+ *
+ * @return         0 on success, < 0 on error.
+ */
+typedef int (*ssh_jump_verify_knownhost_callback)(ssh_session session,
+                                                  void *userdata);
+
+/**
+ * @brief SSH proxyjump user authentication callback. Authenticate the user.
+ * @param session Jump session handler
+ * @param userdata Userdata to be passed to the callback function.
+ *
+ * @return         0 on success, < 0 on error.
+ */
+typedef int (*ssh_jump_authenticate_callback)(ssh_session session,
+                                              void *userdata);
+
+struct ssh_jump_callbacks_struct {
+    void *userdata;
+    ssh_jump_before_connection_callback before_connection;
+    ssh_jump_verify_knownhost_callback verify_knownhost;
+    ssh_jump_authenticate_callback authenticate;
+};
+
 #ifdef __cplusplus
 }
 #endif
--- a/include/libssh/chacha.h
+++ b/include/libssh/chacha.h
@@ -18,6 +18,10 @@ struct chacha_ctx {
 #define CHACHA_CTRLEN     8
 #define CHACHA_STATELEN   (CHACHA_NONCELEN+CHACHA_CTRLEN)

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void chacha_keysetup(struct chacha_ctx *x, const uint8_t *k, uint32_t kbits)
 #ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)))
@@ -37,4 +41,8 @@ void chacha_encrypt_bytes(struct chacha_ctx *x, const uint8_t *m,
 #endif
    ;

+#ifdef __cplusplus
+}
+#endif
+
 #endif    /* CHACHA_H */
--- a/include/libssh/channels.h
+++ b/include/libssh/channels.h
@@ -22,6 +22,10 @@
 #define CHANNELS_H_
 #include "libssh/priv.h"

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /**  @internal
 * Describes the different possible states in a
 * outgoing (client) channel request
@@ -35,7 +39,7 @@ enum ssh_channel_request_state_e {
 	SSH_CHANNEL_REQ_STATE_ACCEPTED,
 	/** A request has been replied and refused */
 	SSH_CHANNEL_REQ_STATE_DENIED,
-	/** A request has been replied and an error happend */
+	/** A request has been replied and an error happened */
 	SSH_CHANNEL_REQ_STATE_ERROR
 };

@@ -76,7 +80,12 @@ struct ssh_channel_struct {
    ssh_buffer stdout_buffer;
    ssh_buffer stderr_buffer;
    void *userarg;
-    int exit_status;
+    struct {
+        bool status;
+        uint32_t code;
+        char *signal;
+        bool core_dumped;
+    } exit;
    enum ssh_channel_request_state_e request_state;
    struct ssh_list *callbacks; /* list of ssh_channel_callbacks */

@@ -109,4 +118,8 @@ int ssh_global_request(ssh_session session,
                       ssh_buffer buffer,
                       int reply);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* CHANNELS_H_ */
--- a/include/libssh/config.h
+++ b/include/libssh/config.h
@@ -62,6 +62,10 @@ enum ssh_config_opcode_e {
    SOC_PUBKEYACCEPTEDKEYTYPES,
    SOC_REKEYLIMIT,
    SOC_IDENTITYAGENT,
+    SOC_IDENTITIESONLY,
+    SOC_CONTROLMASTER,
+    SOC_CONTROLPATH,
+    SOC_CERTIFICATE,

    SOC_MAX /* Keep this one last in the list */
 };
--- a/include/libssh/config_parser.h
+++ b/include/libssh/config_parser.h
@@ -26,6 +26,13 @@
 #ifndef CONFIG_PARSER_H_
 #define CONFIG_PARSER_H_

+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "libssh/libssh.h"
+#include <stdbool.h>
+
 char *ssh_config_get_cmd(char **str);

 char *ssh_config_get_token(char **str);
@@ -45,13 +52,35 @@ int ssh_config_get_yesno(char **str, int notfound);
 *                       be stored or NULL if we do not care about the result.
 * @param[out]  port     Pointer to the location, where the new port will
 *                       be stored or NULL if we do not care about the result.
+ * @param[in]   ignore_port Set to true if we should not attempt to parse
+ *                       port number.
 *
 * @returns     SSH_OK if the provided string is in format of SSH URI,
 *              SSH_ERROR on failure
 */
 int ssh_config_parse_uri(const char *tok,
-        char **username,
-        char **hostname,
-        char **port);
+                         char **username,
+                         char **hostname,
+                         char **port,
+                         bool ignore_port);
+
+/**
+ * @brief: Parse the ProxyJump configuration line and if parsing,
+ * stores the result in the configuration option
+ *
+ * @param[in]   session    The ssh session
+ * @param[in]   s          The string to be parsed.
+ * @param[in]   do_parsing Whether to parse or not.
+ *
+ * @returns     SSH_OK if the provided string is formatted and parsed correctly
+ *              SSH_ERROR on failure
+ */
+int ssh_config_parse_proxy_jump(ssh_session session,
+                                const char *s,
+                                bool do_parsing);
+
+#ifdef __cplusplus
+}
+#endif

 #endif /* LIBSSH_CONFIG_H_ */
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -45,10 +45,11 @@
 #ifdef HAVE_OPENSSL_ECDH_H
 #include <openssl/ecdh.h>
 #endif
+#include "libssh/curve25519.h"
 #include "libssh/dh.h"
 #include "libssh/ecdh.h"
 #include "libssh/kex.h"
-#include "libssh/curve25519.h"
+#include "libssh/sntrup761.h"

 #define DIGEST_MAX_LEN 64

@@ -56,39 +57,41 @@
 #define AES_GCM_IVLEN  12

 enum ssh_key_exchange_e {
-  /* diffie-hellman-group1-sha1 */
-  SSH_KEX_DH_GROUP1_SHA1=1,
-  /* diffie-hellman-group14-sha1 */
-  SSH_KEX_DH_GROUP14_SHA1,
+    /* diffie-hellman-group1-sha1 */
+    SSH_KEX_DH_GROUP1_SHA1 = 1,
+    /* diffie-hellman-group14-sha1 */
+    SSH_KEX_DH_GROUP14_SHA1,
 #ifdef WITH_GEX
-  /* diffie-hellman-group-exchange-sha1 */
-  SSH_KEX_DH_GEX_SHA1,
-  /* diffie-hellman-group-exchange-sha256 */
-  SSH_KEX_DH_GEX_SHA256,
+    /* diffie-hellman-group-exchange-sha1 */
+    SSH_KEX_DH_GEX_SHA1,
+    /* diffie-hellman-group-exchange-sha256 */
+    SSH_KEX_DH_GEX_SHA256,
 #endif /* WITH_GEX */
-  /* ecdh-sha2-nistp256 */
-  SSH_KEX_ECDH_SHA2_NISTP256,
-  /* ecdh-sha2-nistp384 */
-  SSH_KEX_ECDH_SHA2_NISTP384,
-  /* ecdh-sha2-nistp521 */
-  SSH_KEX_ECDH_SHA2_NISTP521,
-  /* curve25519-sha256@libssh.org */
-  SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG,
-  /* curve25519-sha256 */
-  SSH_KEX_CURVE25519_SHA256,
-  /* diffie-hellman-group16-sha512 */
-  SSH_KEX_DH_GROUP16_SHA512,
-  /* diffie-hellman-group18-sha512 */
-  SSH_KEX_DH_GROUP18_SHA512,
-  /* diffie-hellman-group14-sha256 */
-  SSH_KEX_DH_GROUP14_SHA256,
+    /* ecdh-sha2-nistp256 */
+    SSH_KEX_ECDH_SHA2_NISTP256,
+    /* ecdh-sha2-nistp384 */
+    SSH_KEX_ECDH_SHA2_NISTP384,
+    /* ecdh-sha2-nistp521 */
+    SSH_KEX_ECDH_SHA2_NISTP521,
+    /* curve25519-sha256@libssh.org */
+    SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG,
+    /* curve25519-sha256 */
+    SSH_KEX_CURVE25519_SHA256,
+    /* diffie-hellman-group16-sha512 */
+    SSH_KEX_DH_GROUP16_SHA512,
+    /* diffie-hellman-group18-sha512 */
+    SSH_KEX_DH_GROUP18_SHA512,
+    /* diffie-hellman-group14-sha256 */
+    SSH_KEX_DH_GROUP14_SHA256,
+    /* sntrup761x25519-sha512@openssh.com */
+    SSH_KEX_SNTRUP761X25519_SHA512_OPENSSH_COM,
 };

 enum ssh_cipher_e {
    SSH_NO_CIPHER=0,
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
    SSH_BLOWFISH_CBC,
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
    SSH_3DES_CBC,
    SSH_AES128_CBC,
    SSH_AES192_CBC,
@@ -111,11 +114,7 @@ struct ssh_crypto_struct {
 #endif /* WITH_GEX */
 #ifdef HAVE_ECDH
 #ifdef HAVE_OPENSSL_ECC
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * #if OPENSSL_VERSION_NUMBER < 0x30000000L
- */
-#if 1
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
    EC_KEY *ecdh_privkey;
 #else
    EVP_PKEY *ecdh_privkey;
@@ -129,9 +128,20 @@ struct ssh_crypto_struct {
    ssh_string ecdh_server_pubkey;
 #endif
 #ifdef HAVE_CURVE25519
+#ifdef HAVE_LIBCRYPTO
+    EVP_PKEY *curve25519_privkey;
+#elif defined(HAVE_GCRYPT_CURVE25519)
+    gcry_sexp_t curve25519_privkey;
+#else
    ssh_curve25519_privkey curve25519_privkey;
+#endif
    ssh_curve25519_pubkey curve25519_client_pubkey;
    ssh_curve25519_pubkey curve25519_server_pubkey;
+#endif
+#ifdef HAVE_SNTRUP761
+    ssh_sntrup761_privkey sntrup761_privkey;
+    ssh_sntrup761_pubkey sntrup761_client_pubkey;
+    ssh_sntrup761_ciphertext sntrup761_ciphertext;
 #endif
    ssh_string dh_server_signature; /* information used by dh_handshake. */
    size_t session_id_len;
@@ -216,12 +226,22 @@ struct ssh_cipher_struct {
    void (*cleanup)(struct ssh_cipher_struct *cipher);
 };

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 const struct ssh_cipher_struct *ssh_get_chacha20poly1305_cipher(void);
 int sshkdf_derive_key(struct ssh_crypto_struct *crypto,
                      unsigned char *key, size_t key_len,
-                      int key_type, unsigned char *output,
+                      uint8_t key_type, unsigned char *output,
                      size_t requested_len);

 int secure_memcmp(const void *s1, const void *s2, size_t n);

+void compress_cleanup(struct ssh_crypto_struct *crypto);
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _CRYPTO_H_ */
--- a/include/libssh/curve25519.h
+++ b/include/libssh/curve25519.h
@@ -33,6 +33,10 @@
 #define crypto_scalarmult crypto_scalarmult_curve25519
 #else

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define CURVE25519_PUBKEY_SIZE 32
 #define CURVE25519_PRIVKEY_SIZE 32
 int crypto_scalarmult_base(unsigned char *q, const unsigned char *n);
@@ -46,11 +50,19 @@ int crypto_scalarmult(unsigned char *q, const unsigned char *n, const unsigned c
 typedef unsigned char ssh_curve25519_pubkey[CURVE25519_PUBKEY_SIZE];
 typedef unsigned char ssh_curve25519_privkey[CURVE25519_PRIVKEY_SIZE];

+int ssh_curve25519_init(ssh_session session);
+int curve25519_do_create_k(ssh_session session, ssh_curve25519_pubkey k);
+int ssh_curve25519_create_k(ssh_session session, ssh_curve25519_pubkey k);

 int ssh_client_curve25519_init(ssh_session session);
+void ssh_client_curve25519_remove_callbacks(ssh_session session);

 #ifdef WITH_SERVER
 void ssh_server_curve25519_init(ssh_session session);
 #endif /* WITH_SERVER */

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* CURVE25519_H_ */
--- a/include/libssh/dh-gex.h
+++ b/include/libssh/dh-gex.h
@@ -23,10 +23,19 @@
 #ifndef SRC_DH_GEX_H_
 #define SRC_DH_GEX_H_

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_client_dhgex_init(ssh_session session);
+void ssh_client_dhgex_remove_callbacks(ssh_session session);

 #ifdef WITH_SERVER
 void ssh_server_dhgex_init(ssh_session session);
 #endif /* WITH_SERVER */

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* SRC_DH_GEX_H_ */
--- a/include/libssh/dh.h
+++ b/include/libssh/dh.h
@@ -30,6 +30,10 @@ struct dh_ctx;
 #define DH_CLIENT_KEYPAIR 0
 #define DH_SERVER_KEYPAIR 1

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* functions implemented by crypto backends */
 int ssh_dh_init_common(struct ssh_crypto_struct *crypto);
 void ssh_dh_cleanup(struct ssh_crypto_struct *crypto);
@@ -53,7 +57,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
                            bignum *priv, bignum *pub);
 #endif /* OPENSSL_VERSION_NUMBER */
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
-                            const bignum priv, const bignum pub);
+                            bignum priv, bignum pub);

 int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
                                 bignum *dest);
@@ -73,8 +77,10 @@ int ssh_dh_get_current_server_publickey_blob(ssh_session session,
 ssh_key ssh_dh_get_next_server_publickey(ssh_session session);
 int ssh_dh_get_next_server_publickey_blob(ssh_session session,
                                          ssh_string *pubkey_blob);
+int dh_handshake(ssh_session session);

 int ssh_client_dh_init(ssh_session session);
+void ssh_client_dh_remove_callbacks(ssh_session session);
 #ifdef WITH_SERVER
 void ssh_server_dh_init(ssh_session session);
 #endif /* WITH_SERVER */
@@ -82,4 +88,8 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet);
 int ssh_fallback_group(uint32_t pmax, bignum *p, bignum *g);
 bool ssh_dh_is_known_group(bignum modulus, bignum generator);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* DH_H_ */
--- a/include/libssh/ecdh.h
+++ b/include/libssh/ecdh.h
@@ -42,9 +42,14 @@
 #define HAVE_ECDH 1
 #endif

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 extern struct ssh_packet_callbacks_struct ssh_ecdh_client_callbacks;
 /* Backend-specific functions.  */
 int ssh_client_ecdh_init(ssh_session session);
+void ssh_client_ecdh_remove_callbacks(ssh_session session);
 int ecdh_build_k(ssh_session session);

 #ifdef WITH_SERVER
@@ -53,4 +58,8 @@ void ssh_server_ecdh_init(ssh_session session);
 SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init);
 #endif /* WITH_SERVER */

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* ECDH_H_ */
--- a/include/libssh/ed25519.h
+++ b/include/libssh/ed25519.h
@@ -24,10 +24,10 @@

 /**
 * @defgroup ed25519 ed25519 API
- * @internal
 * @brief API for DJB's ed25519
 *
- * @{ */
+ * @{
+ */

 #define ED25519_PK_LEN 32
 #define ED25519_SK_LEN 64
@@ -37,6 +37,10 @@ typedef uint8_t ed25519_pubkey[ED25519_PK_LEN];
 typedef uint8_t ed25519_privkey[ED25519_SK_LEN];
 typedef uint8_t ed25519_signature[ED25519_SIG_LEN];

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /** @internal
 * @brief generate an ed25519 key pair
 * @param[out] pk generated public key
@@ -76,4 +80,8 @@ int crypto_sign_ed25519_open(
    const ed25519_pubkey pk);

 /** @} */
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* ED25519_H_ */
--- a/include/libssh/fe25519.h
+++ b/include/libssh/fe25519.h
@@ -33,6 +33,10 @@ typedef struct {
  uint32_t v[32];
 } fe25519;

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void fe25519_freeze(fe25519 *r);

 void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
@@ -65,4 +69,8 @@ void fe25519_invert(fe25519 *r, const fe25519 *x);

 void fe25519_pow2523(fe25519 *r, const fe25519 *x);

+#ifdef __cplusplus
+}
+#endif
+
 #endif
--- a/include/libssh/ge25519.h
+++ b/include/libssh/ge25519.h
@@ -28,6 +28,10 @@ typedef struct
  fe25519 t;
 } ge25519;

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 extern const ge25519 ge25519_base;

 int ge25519_unpackneg_vartime(ge25519 *r, const unsigned char p[32]);
@@ -40,4 +44,8 @@ void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const sc25

 void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);

+#ifdef __cplusplus
+}
+#endif
+
 #endif
--- a/include/libssh/gssapi.h
+++ b/include/libssh/gssapi.h
@@ -22,13 +22,45 @@
 #define GSSAPI_H_

 #include "config.h"
+#ifdef WITH_GSSAPI
 #include "session.h"
+#include <gssapi/gssapi.h>

 /* all OID begin with the tag identifier + length */
 #define SSH_OID_TAG 06

 typedef struct ssh_gssapi_struct *ssh_gssapi;

+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** current state of an GSSAPI authentication */
+enum ssh_gssapi_state_e {
+    SSH_GSSAPI_STATE_NONE, /* no status */
+    SSH_GSSAPI_STATE_RCV_TOKEN, /* Expecting a token */
+    SSH_GSSAPI_STATE_RCV_MIC, /* Expecting a MIC */
+};
+
+struct ssh_gssapi_struct{
+    enum ssh_gssapi_state_e state; /* current state */
+    struct gss_OID_desc_struct mech; /* mechanism being elected for auth */
+    gss_cred_id_t server_creds; /* credentials of server */
+    gss_cred_id_t client_creds; /* creds delegated by the client */
+    gss_ctx_id_t ctx; /* the authentication context */
+    gss_name_t client_name; /* Identity of the client */
+    char *user; /* username of client */
+    char *canonic_user; /* canonic form of the client's username */
+    char *service; /* name of the service */
+    struct {
+        gss_name_t server_name; /* identity of server */
+        OM_uint32 flags; /* flags used for init context */
+        gss_OID oid; /* mech being used for authentication */
+        gss_cred_id_t creds; /* creds used to initialize context */
+        gss_cred_id_t client_deleg_creds; /* delegated creds (const, not freeable) */
+    } client;
+};
+
 #ifdef WITH_SERVER
 int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n_oid, ssh_string *oids);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server);
@@ -40,6 +72,15 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response);


+int ssh_gssapi_init(ssh_session session);
+void ssh_gssapi_log_error(int verb, const char *msg_a, int maj_stat, int min_stat);
 int ssh_gssapi_auth_mic(ssh_session session);
+void ssh_gssapi_free(ssh_session session);
+char *ssh_gssapi_name_to_char(gss_name_t name);

+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WITH_GSSAPI */
 #endif /* GSSAPI_H */
--- a/include/libssh/kex.h
+++ b/include/libssh/kex.h
@@ -31,22 +31,31 @@ struct ssh_kex_struct {
    char *methods[SSH_KEX_METHODS];
 };

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_kexinit);

-int ssh_send_kex(ssh_session session, int server_kex);
+int ssh_send_kex(ssh_session session);
 void ssh_list_kex(struct ssh_kex_struct *kex);
 int ssh_set_client_kex(ssh_session session);
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex);
 int ssh_kex_select_methods(ssh_session session);
 int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
 char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
 char *ssh_keep_fips_algos(enum ssh_kex_types_e algo, const char *list);
+char *ssh_add_to_default_algos(enum ssh_kex_types_e algo, const char *list);
+char *ssh_remove_from_default_algos(enum ssh_kex_types_e algo,
+                                    const char *list);
+char *ssh_prefix_default_algos(enum ssh_kex_types_e algo, const char *list);
 char **ssh_space_tokenize(const char *chain);
 int ssh_get_kex1(ssh_session session);
 char *ssh_find_matching(const char *in_d, const char *what_d);
-const char *ssh_kex_get_supported_method(uint32_t algo);
-const char *ssh_kex_get_default_methods(uint32_t algo);
-const char *ssh_kex_get_fips_methods(uint32_t algo);
-const char *ssh_kex_get_description(uint32_t algo);
+const char *ssh_kex_get_supported_method(enum ssh_kex_types_e type);
+const char *ssh_kex_get_default_methods(enum ssh_kex_types_e type);
+const char *ssh_kex_get_fips_methods(enum ssh_kex_types_e type);
+const char *ssh_kex_get_description(enum ssh_kex_types_e type);
 char *ssh_client_select_hostkeys(ssh_session session);
 int ssh_send_rekex(ssh_session session);
 int server_set_kex(ssh_session session);
@@ -56,4 +65,8 @@ int ssh_hashbufin_add_cookie(ssh_session session, unsigned char *cookie);
 int ssh_hashbufout_add_cookie(ssh_session session);
 int ssh_generate_session_keys(ssh_session session);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* KEX_H_ */
--- a/include/libssh/keys.h
+++ b/include/libssh/keys.h
@@ -29,42 +29,36 @@ struct ssh_public_key_struct {
    int type;
    const char *type_c; /* Don't free it ! it is static */
 #if defined(HAVE_LIBGCRYPT)
-    gcry_sexp_t dsa_pub;
    gcry_sexp_t rsa_pub;
 #elif defined(HAVE_LIBCRYPTO)
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    DSA *dsa_pub;
-    RSA *rsa_pub;
-#else /* OPENSSL_VERSION_NUMBER */
    EVP_PKEY *key_pub;
-#endif
 #elif defined(HAVE_LIBMBEDCRYPTO)
    mbedtls_pk_context *rsa_pub;
-    void *dsa_pub;
 #endif
 };

 struct ssh_private_key_struct {
    int type;
 #if defined(HAVE_LIBGCRYPT)
-    gcry_sexp_t dsa_priv;
    gcry_sexp_t rsa_priv;
 #elif defined(HAVE_LIBCRYPTO)
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    DSA *dsa_priv;
-    RSA *rsa_priv;
-#else
    EVP_PKEY *key_priv;
-#endif /* OPENSSL_VERSION_NUMBER */
 #elif defined(HAVE_LIBMBEDCRYPTO)
    mbedtls_pk_context *rsa_priv;
-    void *dsa_priv;
 #endif
 };

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 const char *ssh_type_to_char(int type);
 int ssh_type_from_name(const char *name);

 ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* KEYS_H_ */
--- a/include/libssh/knownhosts.h
+++ b/include/libssh/knownhosts.h
@@ -22,6 +22,10 @@
 #ifndef SSH_KNOWNHOSTS_H_
 #define SSH_KNOWNHOSTS_H_

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_list *ssh_known_hosts_get_algorithms(ssh_session session);
 char *ssh_known_hosts_get_algorithms_names(ssh_session session);
 enum ssh_known_hosts_e
@@ -29,4 +33,8 @@ ssh_session_get_known_hosts_entry_file(ssh_session session,
                                       const char *filename,
                                       struct ssh_knownhosts_entry **pentry);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* SSH_KNOWNHOSTS_H_ */
--- a/include/libssh/legacy.h
+++ b/include/libssh/legacy.h
@@ -31,6 +31,10 @@
 typedef struct ssh_private_key_struct* ssh_private_key;
 typedef struct ssh_public_key_struct* ssh_public_key;

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 LIBSSH_API int ssh_auth_list(ssh_session session);
 LIBSSH_API int ssh_userauth_offer_pubkey(ssh_session session, const char *username, int type, ssh_string publickey);
 LIBSSH_API int ssh_userauth_pubkey(ssh_session session, const char *username, ssh_string publickey, ssh_private_key privatekey);
@@ -117,4 +121,8 @@ SSH_DEPRECATED LIBSSH_API size_t string_len(ssh_string str);
 SSH_DEPRECATED LIBSSH_API ssh_string string_new(size_t size);
 SSH_DEPRECATED LIBSSH_API char *string_to_char(ssh_string str);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* LEGACY_H_ */
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -25,13 +25,14 @@

 #ifdef HAVE_LIBCRYPTO

-#include <openssl/dsa.h>
+#include "libssh/libssh.h"
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 #include <openssl/md5.h>
 #include <openssl/hmac.h>
 #include <openssl/evp.h>
 #include <openssl/crypto.h>
+#include <openssl/ec.h>

 typedef EVP_MD_CTX* SHACTX;
 typedef EVP_MD_CTX* SHA256CTX;
@@ -39,11 +40,6 @@ typedef EVP_MD_CTX* SHA384CTX;
 typedef EVP_MD_CTX* SHA512CTX;
 typedef EVP_MD_CTX* MD5CTX;
 typedef EVP_MD_CTX* HMACCTX;
-#ifdef HAVE_ECC
-typedef EVP_MD_CTX *EVPCTX;
-#else
-typedef void *EVPCTX;
-#endif

 #define SHA_DIGEST_LEN SHA_DIGEST_LENGTH
 #define SHA256_DIGEST_LEN SHA256_DIGEST_LENGTH
@@ -58,8 +54,15 @@ typedef void *EVPCTX;
 #define EVP_DIGEST_LEN EVP_MAX_MD_SIZE
 #endif

+/* Use ssh_crypto_free() to release memory allocated by bignum_bn2dec(),
+   bignum_bn2hex() and other functions that use crypto-library functions that
+   are documented to allocate memory that needs to be de-allocate with
+   OPENSSL_free. */
+#define ssh_crypto_free(x) OPENSSL_free(x)
+
 #include <openssl/bn.h>
 #include <openssl/opensslv.h>
+
 typedef BIGNUM*  bignum;
 typedef const BIGNUM* const_bignum;
 typedef BN_CTX* bignum_CTX;
@@ -116,6 +119,17 @@ typedef BN_CTX* bignum_CTX;
 #define ssh_fips_mode() false
 #endif

+ssh_string pki_key_make_ecpoint_string(const EC_GROUP *g, const EC_POINT *p);
+int pki_key_ecgroup_name_to_nid(const char *group);
+
+#if defined(WITH_PKCS11_URI)
+#if defined(WITH_PKCS11_PROVIDER)
+int pki_load_pkcs11_provider(void);
+#else
+ENGINE *pki_get_engine(void);
+#endif
+#endif /* WITH_PKCS11_PROVIDER */
+
 #endif /* HAVE_LIBCRYPTO */

 #endif /* LIBCRYPTO_H_ */
--- a/include/libssh/libgcrypt.h
+++ b/include/libssh/libgcrypt.h
@@ -32,7 +32,6 @@ typedef gcry_md_hd_t SHA384CTX;
 typedef gcry_md_hd_t SHA512CTX;
 typedef gcry_md_hd_t MD5CTX;
 typedef gcry_md_hd_t HMACCTX;
-typedef gcry_md_hd_t EVPCTX;
 #define SHA_DIGEST_LENGTH 20
 #define SHA_DIGEST_LEN SHA_DIGEST_LENGTH
 #define MD5_DIGEST_LEN 16
@@ -49,6 +48,8 @@ typedef gcry_md_hd_t EVPCTX;

 #define EVP_DIGEST_LEN EVP_MAX_MD_SIZE

+#define ssh_crypto_free(x) gcry_free(x)
+
 typedef gcry_mpi_t bignum;
 typedef const struct gcry_mpi *const_bignum;
 typedef void* bignum_CTX;
@@ -104,6 +105,10 @@ int ssh_gcry_rand_range(bignum rnd, bignum max);
    } while(0)
 /* Helper functions for data conversions.  */

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* Extract an MPI from the given s-expression SEXP named NAME which is
   encoded using INFORMAT and store it in a newly allocated ssh_string
   encoded using OUTFORMAT.  */
@@ -114,6 +119,10 @@ ssh_string ssh_sexp_extract_mpi(const gcry_sexp_t sexp,

 #define ssh_fips_mode() false

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* HAVE_LIBGCRYPT */

 #endif /* LIBGCRYPT_H_ */
--- a/include/libssh/libmbedcrypto.h
+++ b/include/libssh/libmbedcrypto.h
@@ -34,6 +34,7 @@
 #include <mbedtls/cipher.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/ctr_drbg.h>
+#include <mbedtls/platform.h>

 typedef mbedtls_md_context_t *SHACTX;
 typedef mbedtls_md_context_t *SHA256CTX;
@@ -41,7 +42,6 @@ typedef mbedtls_md_context_t *SHA384CTX;
 typedef mbedtls_md_context_t *SHA512CTX;
 typedef mbedtls_md_context_t *MD5CTX;
 typedef mbedtls_md_context_t *HMACCTX;
-typedef mbedtls_md_context_t *EVPCTX;

 #define SHA_DIGEST_LENGTH 20
 #define SHA_DIGEST_LEN SHA_DIGEST_LENGTH
@@ -59,6 +59,8 @@ typedef mbedtls_md_context_t *EVPCTX;

 #define EVP_DIGEST_LEN EVP_MAX_MD_SIZE

+#define ssh_crypto_free(x) mbedtls_free(x)
+
 typedef mbedtls_mpi *bignum;
 typedef const mbedtls_mpi *const_bignum;
 typedef void* bignum_CTX;
@@ -73,9 +75,13 @@ struct mbedtls_ecdsa_sig {
    bignum s;
 };

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 bignum ssh_mbedcry_bn_new(void);
 void ssh_mbedcry_bn_free(bignum num);
-unsigned char *ssh_mbedcry_bn2num(const_bignum num, int radix);
+char *ssh_mbedcry_bn2num(const_bignum num, int radix);
 int ssh_mbedcry_rand(bignum rnd, int bits, int top, int bottom);
 int ssh_mbedcry_is_bit_set(bignum num, size_t pos);
 int ssh_mbedcry_rand_range(bignum dest, bignum max);
@@ -101,7 +107,7 @@ int ssh_mbedcry_hex2bn(bignum *dest, char *data);
    } while(0)
 #define bignum_bn2dec(num) ssh_mbedcry_bn2num(num, 10)
 #define bignum_dec2bn(data, bn) mbedtls_mpi_read_string(bn, 10, data)
-#define bignum_bn2hex(num, dest) (*dest)=ssh_mbedcry_bn2num(num, 16)
+#define bignum_bn2hex(num, dest) (*dest)=(unsigned char *)ssh_mbedcry_bn2num(num, 16)
 #define bignum_hex2bn(data, dest) ssh_mbedcry_hex2bn(dest, data)
 #define bignum_rand(rnd, bits) ssh_mbedcry_rand((rnd), (bits), 0, 1)
 #define bignum_rand_range(rnd, max) ssh_mbedcry_rand_range(rnd, max)
@@ -123,7 +129,7 @@ int ssh_mbedcry_hex2bn(bignum *dest, char *data);
        *(dest) = bignum_new(); \
    } \
    if (*(dest) != NULL) { \
-        mbedtls_mpi_copy(orig, *(dest)); \
+        mbedtls_mpi_copy(*(dest), orig); \
    } \
    } while(0)

@@ -136,5 +142,9 @@ ssh_string make_ecpoint_string(const mbedtls_ecp_group *g, const

 #define ssh_fips_mode() false

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* HAVE_LIBMBEDCRYPTO */
 #endif /* LIBMBEDCRYPTO_H_ */
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -1,7 +1,7 @@
 /*
 * This file is part of the SSH Library
 *
- * Copyright (c) 2003-2022 by Aris Adamantiadis and the libssh team
+ * Copyright (c) 2003-2025 by Aris Adamantiadis and the libssh team
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
@@ -49,19 +49,15 @@
  #endif
 #endif

+#include <inttypes.h>
 #include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>

 #ifdef _MSC_VER
-  /* Visual Studio hasn't inttypes.h so it doesn't know uint32_t */
-  typedef int int32_t;
-  typedef unsigned int uint32_t;
-  typedef unsigned short uint16_t;
-  typedef unsigned char uint8_t;
-  typedef unsigned long long uint64_t;
  typedef int mode_t;
 #else /* _MSC_VER */
  #include <unistd.h>
-  #include <inttypes.h>
  #include <sys/types.h>
 #endif /* _MSC_VER */

@@ -82,7 +78,7 @@
 #define PRINTF_ATTRIBUTE(a,b)
 #endif /* __GNUC__ */

-#ifdef __GNUC__
+#if !defined(SSH_SUPPRESS_DEPRECATED) && defined(__GNUC__)
 #define SSH_DEPRECATED __attribute__ ((deprecated))
 #else
 #define SSH_DEPRECATED
@@ -196,7 +192,8 @@ enum ssh_global_requests_e {
 	SSH_GLOBAL_REQUEST_UNKNOWN=0,
 	SSH_GLOBAL_REQUEST_TCPIP_FORWARD,
 	SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD,
-	SSH_GLOBAL_REQUEST_KEEPALIVE
+	SSH_GLOBAL_REQUEST_KEEPALIVE,
+	SSH_GLOBAL_REQUEST_NO_MORE_SESSIONS
 };

 enum ssh_publickey_state_e {
@@ -277,12 +274,12 @@ enum ssh_error_types_e {
 /* some types for keys */
 enum ssh_keytypes_e{
  SSH_KEYTYPE_UNKNOWN=0,
-  SSH_KEYTYPE_DSS=1,
+  SSH_KEYTYPE_DSS=1, /* deprecated */
  SSH_KEYTYPE_RSA,
  SSH_KEYTYPE_RSA1,
  SSH_KEYTYPE_ECDSA, /* deprecated */
  SSH_KEYTYPE_ED25519,
-  SSH_KEYTYPE_DSS_CERT01,
+  SSH_KEYTYPE_DSS_CERT01, /* deprecated */
  SSH_KEYTYPE_RSA_CERT01,
  SSH_KEYTYPE_ECDSA_P256,
  SSH_KEYTYPE_ECDSA_P384,
@@ -299,7 +296,8 @@ enum ssh_keytypes_e{

 enum ssh_keycmp_e {
  SSH_KEY_CMP_PUBLIC = 0,
-  SSH_KEY_CMP_PRIVATE
+  SSH_KEY_CMP_PRIVATE = 1,
+  SSH_KEY_CMP_CERTIFICATE = 2,
 };

 #define SSH_ADDRSTRLEN 46
@@ -328,16 +326,16 @@ enum {
 	/** No logging at all
 	 */
 	SSH_LOG_NOLOG=0,
-	/** Only warnings
+	/** Only unrecoverable errors
 	 */
 	SSH_LOG_WARNING,
-	/** High level protocol information
+	/** Information for the users
 	 */
 	SSH_LOG_PROTOCOL,
-	/** Lower level protocol infomations, packet level
+	/** Debug information, to see what is going on
 	 */
 	SSH_LOG_PACKET,
-	/** Every function path
+	/** Trace information and recoverable error messages
 	 */
 	SSH_LOG_FUNCTIONS
 };
@@ -353,61 +351,75 @@ enum {

 /** No logging at all */
 #define SSH_LOG_NONE 0
-/** Show only warnings */
+/** Show only fatal warnings */
 #define SSH_LOG_WARN 1
 /** Get some information what's going on */
 #define SSH_LOG_INFO 2
-/** Get detailed debuging information **/
+/** Get detailed debugging information **/
 #define SSH_LOG_DEBUG 3
 /** Get trace output, packet information, ... */
 #define SSH_LOG_TRACE 4

 /** @} */

+enum ssh_control_master_options_e {
+  SSH_CONTROL_MASTER_NO,
+  SSH_CONTROL_MASTER_AUTO,
+  SSH_CONTROL_MASTER_YES,
+  SSH_CONTROL_MASTER_ASK,
+  SSH_CONTROL_MASTER_AUTOASK
+};
+
 enum ssh_options_e {
-  SSH_OPTIONS_HOST,
-  SSH_OPTIONS_PORT,
-  SSH_OPTIONS_PORT_STR,
-  SSH_OPTIONS_FD,
-  SSH_OPTIONS_USER,
-  SSH_OPTIONS_SSH_DIR,
-  SSH_OPTIONS_IDENTITY,
-  SSH_OPTIONS_ADD_IDENTITY,
-  SSH_OPTIONS_KNOWNHOSTS,
-  SSH_OPTIONS_TIMEOUT,
-  SSH_OPTIONS_TIMEOUT_USEC,
-  SSH_OPTIONS_SSH1,
-  SSH_OPTIONS_SSH2,
-  SSH_OPTIONS_LOG_VERBOSITY,
-  SSH_OPTIONS_LOG_VERBOSITY_STR,
-  SSH_OPTIONS_CIPHERS_C_S,
-  SSH_OPTIONS_CIPHERS_S_C,
-  SSH_OPTIONS_COMPRESSION_C_S,
-  SSH_OPTIONS_COMPRESSION_S_C,
-  SSH_OPTIONS_PROXYCOMMAND,
-  SSH_OPTIONS_BINDADDR,
-  SSH_OPTIONS_STRICTHOSTKEYCHECK,
-  SSH_OPTIONS_COMPRESSION,
-  SSH_OPTIONS_COMPRESSION_LEVEL,
-  SSH_OPTIONS_KEY_EXCHANGE,
-  SSH_OPTIONS_HOSTKEYS,
-  SSH_OPTIONS_GSSAPI_SERVER_IDENTITY,
-  SSH_OPTIONS_GSSAPI_CLIENT_IDENTITY,
-  SSH_OPTIONS_GSSAPI_DELEGATE_CREDENTIALS,
-  SSH_OPTIONS_HMAC_C_S,
-  SSH_OPTIONS_HMAC_S_C,
-  SSH_OPTIONS_PASSWORD_AUTH,
-  SSH_OPTIONS_PUBKEY_AUTH,
-  SSH_OPTIONS_KBDINT_AUTH,
-  SSH_OPTIONS_GSSAPI_AUTH,
-  SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
-  SSH_OPTIONS_NODELAY,
-  SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
-  SSH_OPTIONS_PROCESS_CONFIG,
-  SSH_OPTIONS_REKEY_DATA,
-  SSH_OPTIONS_REKEY_TIME,
-  SSH_OPTIONS_RSA_MIN_SIZE,
-  SSH_OPTIONS_IDENTITY_AGENT,
+    SSH_OPTIONS_HOST,
+    SSH_OPTIONS_PORT,
+    SSH_OPTIONS_PORT_STR,
+    SSH_OPTIONS_FD,
+    SSH_OPTIONS_USER,
+    SSH_OPTIONS_SSH_DIR,
+    SSH_OPTIONS_IDENTITY,
+    SSH_OPTIONS_ADD_IDENTITY,
+    SSH_OPTIONS_KNOWNHOSTS,
+    SSH_OPTIONS_TIMEOUT,
+    SSH_OPTIONS_TIMEOUT_USEC,
+    SSH_OPTIONS_SSH1,
+    SSH_OPTIONS_SSH2,
+    SSH_OPTIONS_LOG_VERBOSITY,
+    SSH_OPTIONS_LOG_VERBOSITY_STR,
+    SSH_OPTIONS_CIPHERS_C_S,
+    SSH_OPTIONS_CIPHERS_S_C,
+    SSH_OPTIONS_COMPRESSION_C_S,
+    SSH_OPTIONS_COMPRESSION_S_C,
+    SSH_OPTIONS_PROXYCOMMAND,
+    SSH_OPTIONS_BINDADDR,
+    SSH_OPTIONS_STRICTHOSTKEYCHECK,
+    SSH_OPTIONS_COMPRESSION,
+    SSH_OPTIONS_COMPRESSION_LEVEL,
+    SSH_OPTIONS_KEY_EXCHANGE,
+    SSH_OPTIONS_HOSTKEYS,
+    SSH_OPTIONS_GSSAPI_SERVER_IDENTITY,
+    SSH_OPTIONS_GSSAPI_CLIENT_IDENTITY,
+    SSH_OPTIONS_GSSAPI_DELEGATE_CREDENTIALS,
+    SSH_OPTIONS_HMAC_C_S,
+    SSH_OPTIONS_HMAC_S_C,
+    SSH_OPTIONS_PASSWORD_AUTH,
+    SSH_OPTIONS_PUBKEY_AUTH,
+    SSH_OPTIONS_KBDINT_AUTH,
+    SSH_OPTIONS_GSSAPI_AUTH,
+    SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
+    SSH_OPTIONS_NODELAY,
+    SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+    SSH_OPTIONS_PROCESS_CONFIG,
+    SSH_OPTIONS_REKEY_DATA,
+    SSH_OPTIONS_REKEY_TIME,
+    SSH_OPTIONS_RSA_MIN_SIZE,
+    SSH_OPTIONS_IDENTITY_AGENT,
+    SSH_OPTIONS_IDENTITIES_ONLY,
+    SSH_OPTIONS_CONTROL_MASTER,
+    SSH_OPTIONS_CONTROL_PATH,
+    SSH_OPTIONS_CERTIFICATE,
+    SSH_OPTIONS_PROXYJUMP,
+    SSH_OPTIONS_PROXYJUMP_CB_LIST_APPEND,
 };

 enum {
@@ -445,8 +457,19 @@ LIBSSH_API int ssh_blocking_flush(ssh_session session, int timeout);
 LIBSSH_API ssh_channel ssh_channel_accept_x11(ssh_channel channel, int timeout_ms);
 LIBSSH_API int ssh_channel_change_pty_size(ssh_channel channel,int cols,int rows);
 LIBSSH_API int ssh_channel_close(ssh_channel channel);
+#define SSH_CHANNEL_FREE(x)      \
+    do {                         \
+        if ((x) != NULL) {       \
+            ssh_channel_free(x); \
+            (x) = NULL;          \
+        }                        \
+    } while (0)
 LIBSSH_API void ssh_channel_free(ssh_channel channel);
-LIBSSH_API int ssh_channel_get_exit_status(ssh_channel channel);
+LIBSSH_API int ssh_channel_get_exit_state(ssh_channel channel,
+                                          uint32_t *pexit_code,
+                                          char **pexit_signal,
+                                          int *pcore_dumped);
+SSH_DEPRECATED LIBSSH_API int ssh_channel_get_exit_status(ssh_channel channel);
 LIBSSH_API ssh_session ssh_channel_get_session(ssh_channel channel);
 LIBSSH_API int ssh_channel_is_closed(ssh_channel channel);
 LIBSSH_API int ssh_channel_is_eof(ssh_channel channel);
@@ -470,6 +493,8 @@ LIBSSH_API int ssh_channel_request_exec(ssh_channel channel, const char *cmd);
 LIBSSH_API int ssh_channel_request_pty(ssh_channel channel);
 LIBSSH_API int ssh_channel_request_pty_size(ssh_channel channel, const char *term,
    int cols, int rows);
+LIBSSH_API int ssh_channel_request_pty_size_modes(ssh_channel channel, const char *term,
+    int cols, int rows, const unsigned char* modes, size_t modes_len);
 LIBSSH_API int ssh_channel_request_shell(ssh_channel channel);
 LIBSSH_API int ssh_channel_request_send_signal(ssh_channel channel, const char *signum);
 LIBSSH_API int ssh_channel_request_send_break(ssh_channel channel, uint32_t length);
@@ -533,6 +558,7 @@ LIBSSH_API socket_t ssh_get_fd(ssh_session session);
 LIBSSH_API char *ssh_get_hexa(const unsigned char *what, size_t len);
 LIBSSH_API char *ssh_get_issue_banner(ssh_session session);
 LIBSSH_API int ssh_get_openssh_version(ssh_session session);
+LIBSSH_API int ssh_request_no_more_sessions(ssh_session session);

 LIBSSH_API int ssh_get_server_publickey(ssh_session session, ssh_key *key);

@@ -676,6 +702,12 @@ typedef int (*ssh_auth_callback) (const char *prompt, char *buf, size_t len,

 /** @} */

+enum ssh_file_format_e {
+    SSH_FILE_FORMAT_DEFAULT = 0,
+    SSH_FILE_FORMAT_OPENSSH,
+    SSH_FILE_FORMAT_PEM,
+};
+
 LIBSSH_API ssh_key ssh_key_new(void);
 #define SSH_KEY_FREE(x) \
    do { if ((x) != NULL) { ssh_key_free(x); x = NULL; } } while(0)
@@ -702,6 +734,13 @@ LIBSSH_API int ssh_pki_export_privkey_base64(const ssh_key privkey,
                                             ssh_auth_callback auth_fn,
                                             void *auth_data,
                                             char **b64_key);
+LIBSSH_API int
+ssh_pki_export_privkey_base64_format(const ssh_key privkey,
+                                     const char *passphrase,
+                                     ssh_auth_callback auth_fn,
+                                     void *auth_data,
+                                     char **b64_key,
+                                     enum ssh_file_format_e format);
 LIBSSH_API int ssh_pki_import_privkey_file(const char *filename,
                                           const char *passphrase,
                                           ssh_auth_callback auth_fn,
@@ -712,6 +751,13 @@ LIBSSH_API int ssh_pki_export_privkey_file(const ssh_key privkey,
                                           ssh_auth_callback auth_fn,
                                           void *auth_data,
                                           const char *filename);
+LIBSSH_API int
+ssh_pki_export_privkey_file_format(const ssh_key privkey,
+                                   const char *passphrase,
+                                   ssh_auth_callback auth_fn,
+                                   void *auth_data,
+                                   const char *filename,
+                                   enum ssh_file_format_e format);

 LIBSSH_API int ssh_pki_copy_cert_to_privkey(const ssh_key cert_key,
                                            ssh_key privkey);
@@ -767,10 +813,8 @@ LIBSSH_API int ssh_userauth_try_publickey(ssh_session session,
 LIBSSH_API int ssh_userauth_publickey(ssh_session session,
                                      const char *username,
                                      const ssh_key privkey);
-#ifndef _WIN32
 LIBSSH_API int ssh_userauth_agent(ssh_session session,
                                  const char *username);
-#endif
 LIBSSH_API int ssh_userauth_publickey_auto_get_current_identity(ssh_session session,
                                                                char** value);
 LIBSSH_API int ssh_userauth_publickey_auto(ssh_session session,
@@ -831,6 +875,7 @@ LIBSSH_API const char* ssh_get_cipher_in(ssh_session session);
 LIBSSH_API const char* ssh_get_cipher_out(ssh_session session);
 LIBSSH_API const char* ssh_get_hmac_in(ssh_session session);
 LIBSSH_API const char* ssh_get_hmac_out(ssh_session session);
+LIBSSH_API const char *ssh_get_supported_methods(enum ssh_kex_types_e type);

 LIBSSH_API ssh_buffer ssh_buffer_new(void);
 LIBSSH_API void ssh_buffer_free(ssh_buffer buffer);
@@ -843,6 +888,27 @@ LIBSSH_API void *ssh_buffer_get(ssh_buffer buffer);
 LIBSSH_API uint32_t ssh_buffer_get_len(ssh_buffer buffer);
 LIBSSH_API int ssh_session_set_disconnect_message(ssh_session session, const char *message);

+/* SSHSIG hashes data independently from the key used, so we use a new enum
+   to avoid confusion. See
+   https://gitlab.com/jas/ietf-sshsig-format/-/blob/cc70a225cbd695d5a6f20aaebdb4b92b0818e43a/ietf-sshsig-format.md#L137
+ */
+enum sshsig_digest_e {
+    SSHSIG_DIGEST_SHA2_256 = 0,
+    SSHSIG_DIGEST_SHA2_512 = 1,
+};
+
+LIBSSH_API int sshsig_sign(const void *data,
+                           size_t data_length,
+                           ssh_key privkey,
+                           const char *sig_namespace,
+                           enum sshsig_digest_e hash_alg,
+                           char **signature);
+LIBSSH_API int sshsig_verify(const void *data,
+                             size_t data_length,
+                             const char *signature,
+                             const char *sig_namespace,
+                             ssh_key *sign_key);
+
 #ifndef LIBSSH_LEGACY_0_4
 #include "libssh/legacy.h"
 #endif
--- a/include/libssh/libsshpp.hpp
+++ b/include/libssh/libsshpp.hpp
@@ -498,8 +498,22 @@ public:
    return_throwable;
  }

-  int getExitStatus(){
-    return ssh_channel_get_exit_status(channel);
+  /*
+   * @deprecated Please use getExitState()
+   */
+  int getExitStatus() {
+        uint32_t exit_status = (uint32_t)-1;
+        ssh_channel_get_exit_state(channel, &exit_status, NULL, NULL);
+        return exit_status;
+  }
+  void_throwable getExitState(uint32_t & pexit_code,
+                              char **pexit_signal,
+                              int & pcore_dumped) {
+      ssh_throw(ssh_channel_get_exit_state(channel,
+                                           &pexit_code,
+                                           pexit_signal,
+                                           &pcore_dumped));
+      return_throwable;
  }
  Session &getSession(){
    return *session;
@@ -587,9 +601,12 @@ public:
    ssh_throw(err);
    return_throwable;
  }
-  void_throwable requestPty(const char *term=NULL, int cols=0, int rows=0){
+  void_throwable requestPty(const char *term=NULL, int cols=0, int rows=0,
+      const unsigned char* modes=NULL, size_t modes_len=0){
    int err;
-    if(term != NULL && cols != 0 && rows != 0)
+    if(term != NULL && cols != 0 && rows != 0 && modes != NULL)
+      err=ssh_channel_request_pty_size_modes(channel,term,cols,rows,modes,modes_len);
+    else if(term != NULL && cols != 0 && rows != 0)
      err=ssh_channel_request_pty_size(channel,term,cols,rows);
    else
      err=ssh_channel_request_pty(channel);
--- a/include/libssh/messages.h
+++ b/include/libssh/messages.h
@@ -28,6 +28,7 @@ struct ssh_auth_request {
    int method;
    char *password;
    struct ssh_key_struct *pubkey;
+    struct ssh_key_struct *server_pubkey;
    char *sigtype;
    enum ssh_publickey_state_e signature_state;
    char kbdint_response;
@@ -92,6 +93,10 @@ struct ssh_message_struct {
    struct ssh_global_request global_request;
 };

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_channel_open);
 SSH_PACKET_CALLBACK(ssh_packet_global_request);

@@ -104,4 +109,8 @@ int ssh_message_handle_channel_request(ssh_session session, ssh_channel channel,
    const char *request, uint8_t want_reply);
 ssh_message ssh_message_pop_head(ssh_session session);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* MESSAGES_H_ */
--- a/include/libssh/misc.h
+++ b/include/libssh/misc.h
@@ -21,6 +21,26 @@
 #ifndef MISC_H_
 #define MISC_H_

+#ifdef _WIN32
+
+# ifdef _MSC_VER
+#  ifndef _SSIZE_T_DEFINED
+#   undef ssize_t
+#   include <BaseTsd.h>
+    typedef _W64 SSIZE_T ssize_t;
+#   define _SSIZE_T_DEFINED
+#  endif /* _SSIZE_T_DEFINED */
+# endif /* _MSC_VER */
+
+#else
+#include <sys/types.h>
+#include <stdbool.h>
+#endif /* _WIN32 */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* in misc.c */
 /* gets the user home dir. */
 char *ssh_get_user_home_dir(void);
@@ -46,6 +66,12 @@ struct ssh_iterator {
  const void *data;
 };

+struct ssh_jump_info_struct {
+    char *hostname;
+    char *username;
+    int port;
+};
+
 struct ssh_timestamp {
  long seconds;
  long useconds;
@@ -75,19 +101,20 @@ const void *_ssh_list_pop_head(struct ssh_list *list);

 /** @brief fetch the head element of a list and remove it from list
 * @param type type of the element to return
- * @param list the ssh_list to use
+ * @param ssh_list the ssh_list to use
 * @return the first element of the list, or NULL if the list is empty
 */
 #define ssh_list_pop_head(type, ssh_list)\
  ((type)_ssh_list_pop_head(ssh_list))

+#define SSH_LIST_FREE(x) \
+    do { if ((x) != NULL) { ssh_list_free(x); (x) = NULL; } } while(0)
+
 int ssh_make_milliseconds(unsigned long sec, unsigned long usec);
 void ssh_timestamp_init(struct ssh_timestamp *ts);
 int ssh_timeout_elapsed(struct ssh_timestamp *ts, int timeout);
 int ssh_timeout_update(struct ssh_timestamp *ts, int timeout);

-int ssh_match_group(const char *group, const char *object);
-
 void uint64_inc(unsigned char *counter);

 void ssh_log_hexdump(const char *descr, const unsigned char *what, size_t len);
@@ -96,7 +123,21 @@ int ssh_mkdirs(const char *pathname, mode_t mode);

 int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
 int ssh_newline_vis(const char *string, char *buf, size_t buf_len);
-int ssh_tmpname(char *template);
+int ssh_tmpname(char *name);

 char *ssh_strreplace(const char *src, const char *pattern, const char *repl);
+
+ssize_t ssh_readn(int fd, void *buf, size_t nbytes);
+ssize_t ssh_writen(int fd, const void *buf, size_t nbytes);
+
+int ssh_check_hostname_syntax(const char *hostname);
+int ssh_check_username_syntax(const char *username);
+
+void ssh_proxyjumps_free(struct ssh_list *proxy_jump_list);
+bool ssh_libssh_proxy_jumps(void);
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* MISC_H_ */
--- a/include/libssh/options.h
+++ b/include/libssh/options.h
@@ -21,11 +21,23 @@
 #ifndef _OPTIONS_H
 #define _OPTIONS_H

+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int ssh_config_parse(ssh_session session, FILE *fp, bool global);
 int ssh_config_parse_file(ssh_session session, const char *filename);
 int ssh_config_parse_string(ssh_session session, const char *input);
 int ssh_options_set_algo(ssh_session session,
                         enum ssh_kex_types_e algo,
-                         const char *list);
+                         const char *list,
+                         char **place);
 int ssh_options_apply(ssh_session session);

+char *ssh_options_get_algo(ssh_session session, enum ssh_kex_types_e algo);
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _OPTIONS_H */
--- a/include/libssh/packet.h
+++ b/include/libssh/packet.h
@@ -51,9 +51,14 @@ enum ssh_packet_filter_result_e {

 int ssh_packet_send(ssh_session session);

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_unimplemented);
 SSH_PACKET_CALLBACK(ssh_packet_disconnect_callback);
 SSH_PACKET_CALLBACK(ssh_packet_ignore_callback);
+SSH_PACKET_CALLBACK(ssh_packet_debug_callback);
 SSH_PACKET_CALLBACK(ssh_packet_dh_reply);
 SSH_PACKET_CALLBACK(ssh_packet_newkeys);
 SSH_PACKET_CALLBACK(ssh_packet_service_accept);
@@ -63,6 +68,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
 SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
 #endif

+int ssh_packet_send_newkeys(ssh_session session);
 int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
 int ssh_packet_parse_type(ssh_session session);
 //int packet_flush(ssh_session session, int enforce_blocking);
@@ -88,4 +94,8 @@ int ssh_packet_set_newkeys(ssh_session session,
 struct ssh_crypto_struct *ssh_packet_get_current_crypto(ssh_session session,
        enum ssh_crypto_direction_e direction);

+#ifdef __cplusplus
+}
+#endif
+
 #endif /* PACKET_H_ */
--- a/include/libssh/pcap.h
+++ b/include/libssh/pcap.h
@@ -27,6 +27,10 @@
 #ifdef WITH_PCAP
 typedef struct ssh_pcap_context_struct* ssh_pcap_context;

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_pcap_file_write_packet(ssh_pcap_file pcap, ssh_buffer packet, uint32_t original_len);

 ssh_pcap_context ssh_pcap_context_new(ssh_session session);
@@ -41,5 +45,9 @@ int ssh_pcap_context_write(ssh_pcap_context,enum ssh_pcap_direction direction, v
 		uint32_t len, uint32_t origlen);


+#ifdef __cplusplus
+}
+#endif
+
 #endif /* WITH_PCAP */
 #endif /* PCAP_H_ */
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -33,8 +33,8 @@
 #include <openssl/evp.h>
 #endif
 #include "libssh/crypto.h"
-#ifdef HAVE_OPENSSL_ED25519
-/* If using OpenSSL implementation, define the signature lenght which would be
+#ifdef HAVE_LIBCRYPTO
+/* If using OpenSSL implementation, define the signature length which would be
 * defined in libssh/ed25519.h otherwise */
 #define ED25519_SIG_LEN 64
 #else
@@ -51,44 +51,40 @@
 #define SSH_KEY_FLAG_PRIVATE 0x0002
 #define SSH_KEY_FLAG_PKCS11_URI 0x0004

+/* Constants matching the Lightweight Secure Shell Signature Format */
+/* https://datatracker.ietf.org/doc/draft-josefsson-sshsig-format */
+#define SSHSIG_VERSION            0x01
+#define SSHSIG_MAGIC_PREAMBLE     "SSHSIG"
+#define SSHSIG_MAGIC_PREAMBLE_LEN (sizeof(SSHSIG_MAGIC_PREAMBLE) - 1)
+#define SSHSIG_BEGIN_SIGNATURE    "-----BEGIN SSH SIGNATURE-----"
+#define SSHSIG_END_SIGNATURE      "-----END SSH SIGNATURE-----"
+#define SSHSIG_LINE_LENGTH        76
+
 struct ssh_key_struct {
    enum ssh_keytypes_e type;
    int flags;
    const char *type_c; /* Don't free it ! it is static */
    int ecdsa_nid;
 #if defined(HAVE_LIBGCRYPT)
-    gcry_sexp_t dsa;
    gcry_sexp_t rsa;
    gcry_sexp_t ecdsa;
 #elif defined(HAVE_LIBMBEDCRYPTO)
-    mbedtls_pk_context *rsa;
+    mbedtls_pk_context *pk;
    mbedtls_ecdsa_context *ecdsa;
-    void *dsa;
 #elif defined(HAVE_LIBCRYPTO)
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    DSA *dsa;
-    RSA *rsa;
-#endif /* OPENSSL_VERSION_NUMBER */
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * Move into the #if above
- */
-# if defined(HAVE_OPENSSL_ECC)
-    EC_KEY *ecdsa;
-# else
-    void *ecdsa;
-# endif /* HAVE_OPENSSL_EC_H */
-    EVP_PKEY *key; /* Saving the OpenSSL context here to save time while converting*/
-#endif /* HAVE_LIBGCRYPT */
-#ifdef HAVE_OPENSSL_ED25519
+    /* This holds either ENGINE/PROVIDER key for PKCS#11 support
+     * or just key in high-level format */
+    EVP_PKEY *key;
+    /* keep this around for FIPS mode so we can parse the public keys. We won't
+     * be able to use them nor use the private keys though */
    uint8_t *ed25519_pubkey;
-    uint8_t *ed25519_privkey;
-#else
+#endif /* HAVE_LIBGCRYPT */
+#ifndef HAVE_LIBCRYPTO
    ed25519_pubkey *ed25519_pubkey;
    ed25519_privkey *ed25519_privkey;
-#endif
+#endif /* HAVE_LIBCRYPTO */
    ssh_string sk_application;
-    void *cert;
+    ssh_buffer cert;
    enum ssh_keytypes_e cert_type;
 };

@@ -97,16 +93,15 @@ struct ssh_signature_struct {
    enum ssh_digest_e hash_type;
    const char *type_c;
 #if defined(HAVE_LIBGCRYPT)
-    gcry_sexp_t dsa_sig;
    gcry_sexp_t rsa_sig;
    gcry_sexp_t ecdsa_sig;
 #elif defined(HAVE_LIBMBEDCRYPTO)
    ssh_string rsa_sig;
    struct mbedtls_ecdsa_sig ecdsa_sig;
 #endif /* HAVE_LIBGCRYPT */
-#ifndef HAVE_OPENSSL_ED25519
+#ifndef HAVE_LIBCRYPTO
    ed25519_signature *ed25519_sig;
-#endif
+#endif /* HAVE_LIBGCRYPT */
    ssh_string raw_sig;

    /* Security Key specific additions */
@@ -116,6 +111,10 @@ struct ssh_signature_struct {

 typedef struct ssh_signature_struct *ssh_signature;

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* SSH Key Functions */
 void ssh_key_clean (ssh_key key);

@@ -132,12 +131,11 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name);
    ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)

 #define is_cert_type(kt)\
-      ((kt) == SSH_KEYTYPE_DSS_CERT01 ||\
-       (kt) == SSH_KEYTYPE_RSA_CERT01 ||\
-       (kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\
-       (kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\
-      ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
-       (kt) <= SSH_KEYTYPE_ED25519_CERT01))
+    ((kt) == SSH_KEYTYPE_RSA_CERT01 ||\
+     (kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\
+     (kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\
+    ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
+     (kt) <= SSH_KEYTYPE_ED25519_CERT01))

 /* SSH Signature Functions */
 ssh_signature ssh_signature_new(void);
@@ -165,6 +163,10 @@ int ssh_pki_import_pubkey_blob(const ssh_string key_blob,
 int ssh_pki_import_cert_blob(const ssh_string cert_blob,
                             ssh_key *pkey);

+/* SSH Private Key Functions */
+int ssh_pki_export_privkey_blob(const ssh_key key,
+                                ssh_string *pblob);
+

 /* SSH Signing Functions */
 ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf,
@@ -187,7 +189,13 @@ bool ssh_key_size_allowed(ssh_session session, ssh_key key);
 int ssh_key_size(ssh_key key);

 /* PKCS11 URI function to check if filename is a path or a PKCS11 URI */
+#ifdef WITH_PKCS11_URI
 bool ssh_pki_is_uri(const char *filename);
 char *ssh_pki_export_pub_uri_from_priv_uri(const char *priv_uri);
+#endif /* WITH_PKCS11_URI */
+
+#ifdef __cplusplus
+}
+#endif

 #endif /* PKI_H_ */
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -23,6 +23,10 @@

 #include "libssh/pki.h"

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* defined in bcrypt_pbkdf.c */
 int bcrypt_pbkdf(const char *pass,
                 size_t passlen,
@@ -34,8 +38,6 @@ int bcrypt_pbkdf(const char *pass,

 #define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----"
 #define RSA_HEADER_END "-----END RSA PRIVATE KEY-----"
-#define DSA_HEADER_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
-#define DSA_HEADER_END "-----END DSA PRIVATE KEY-----"
 #define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----"
 #define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----"
 #define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----"
@@ -49,6 +51,8 @@ enum ssh_key_e {
  SSH_KEY_PRIVATE
 };

+void pki_key_clean(ssh_key key);
+
 int pki_key_ecdsa_nid_from_name(const char *name);
 const char *pki_key_ecdsa_nid_to_name(int nid);
 const char *ssh_key_signature_to_char(enum ssh_keytypes_e type,
@@ -59,7 +63,6 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
 /* SSH Key Functions */
 ssh_key pki_key_dup(const ssh_key key, int demote);
 int pki_key_generate_rsa(ssh_key key, int parameter);
-int pki_key_generate_dss(ssh_key key, int parameter);
 int pki_key_generate_ecdsa(ssh_key key, int parameter);
 int pki_key_generate_ed25519(ssh_key key);

@@ -85,24 +88,13 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
                              ssh_key *pkey);

 /* SSH Public Key Functions */
-int pki_pubkey_build_dss(ssh_key key,
-                         ssh_string p,
-                         ssh_string q,
-                         ssh_string g,
-                         ssh_string pubkey);
 int pki_pubkey_build_rsa(ssh_key key,
                         ssh_string e,
                         ssh_string n);
 int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e);
-ssh_string pki_publickey_to_blob(const ssh_key key);
+ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type);

 /* SSH Private Key Functions */
-int pki_privkey_build_dss(ssh_key key,
-                          ssh_string p,
-                          ssh_string q,
-                          ssh_string g,
-                          ssh_string pubkey,
-                          ssh_string privkey);
 int pki_privkey_build_rsa(ssh_key key,
                          ssh_string n,
                          ssh_string e,
@@ -114,7 +106,6 @@ int pki_privkey_build_ecdsa(ssh_key key,
                            int nid,
                            ssh_string e,
                            ssh_string exp);
-ssh_string pki_publickey_to_blob(const ssh_key key);

 /* SSH Signature Functions */
 ssh_signature pki_sign_data(const ssh_key privkey,
@@ -140,20 +131,24 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey,
                               const unsigned char *hash,
                               size_t hlen,
                               enum ssh_digest_e hash_type);
+#ifndef HAVE_LIBCRYPTO
 int pki_ed25519_sign(const ssh_key privkey, ssh_signature sig,
        const unsigned char *hash, size_t hlen);
 int pki_ed25519_verify(const ssh_key pubkey, ssh_signature sig,
        const unsigned char *hash, size_t hlen);
+#endif /* HAVE_LIBCRYPTO */
 int pki_ed25519_key_cmp(const ssh_key k1,
                const ssh_key k2,
                enum ssh_keycmp_e what);
-int pki_ed25519_key_dup(ssh_key new, const ssh_key key);
+int pki_ed25519_key_dup(ssh_key new_key, const ssh_key key);
 int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key);
+int pki_ed25519_private_key_to_blob(ssh_buffer buffer, const ssh_key privkey);
 ssh_string pki_ed25519_signature_to_blob(ssh_signature sig);
 int pki_signature_from_ed25519_blob(ssh_signature sig, ssh_string sig_blob);
 int pki_privkey_build_ed25519(ssh_key key,
                              ssh_string pubkey,
                              ssh_string privkey);
+int pki_pubkey_build_ed25519(ssh_key key, ssh_string pubkey);

 /* PKI Container OpenSSH */
 ssh_key ssh_pki_openssh_pubkey_import(const char *text_key);
@@ -162,8 +157,14 @@ ssh_key ssh_pki_openssh_privkey_import(const char *text_key,
 ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey,
        const char *passphrase, ssh_auth_callback auth_fn, void *auth_data);

+#ifdef WITH_PKCS11_URI
 /* URI Function */
 int pki_uri_import(const char *uri_name, ssh_key *key, enum ssh_key_e key_type);
+#endif /* WITH_PKCS11_URI */

 bool ssh_key_size_allowed_rsa(int min_size, ssh_key key);
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* PKI_PRIV_H_ */
--- a/Show More
+++ b/Show More