Relase 0.9.6

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
ChangeLog: Fix release date of 0.9.5
2026-02-04 20:30:38 +09:00 · 2021-08-19 09:49:25 +02:00 · 2021-08-18 19:53:10 +02:00 · 2021-08-18 14:16:23 +02:00 · 2021-08-18 14:16:18 +02:00 · 2021-08-17 18:33:24 +02:00
238 changed files with 37007 additions and 9764 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,8 @@
 *.swp
 *~$
 cscope.*
+compile_commands.json
+/.clangd
 tags
 /build
 /obj*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,13 +5,16 @@ variables:
  TUMBLEWEED_BUILD: buildenv-tumbleweed
  MINGW_BUILD: buildenv-mingw

-# torture_auth fails on centos7 docker images, so we don't use -DCLIENT_TESTING=ON
-centos7/openssl_1.0.x/x86-64:
+# pkd tests fail on CentOS7 docker images, so we don't use -DSERVER_TESTING=ON
+centos7/openssl_1.0.x/x86_64:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake3 -DUNIT_TESTING=ON -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON
-    -DWITH_PCAP=ON .. && make -j$(nproc) && ctest --output-on-failure
+  - mkdir -p obj && cd obj && cmake3
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON .. &&
+    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
  except:
@@ -22,12 +25,16 @@ centos7/openssl_1.0.x/x86-64:
    paths:
      - obj/

-fedora/openssl_1.1.x/x86-64:
+fedora/openssl_1.1.x/x86_64:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
    -DPICKY_DEVELOPER=ON
+    -DWITH_BLOWFISH_CIPHER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DWITH_DEBUG_CRYPTO=ON
+    -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
@@ -40,13 +47,37 @@ fedora/openssl_1.1.x/x86-64:
    paths:
      - obj/

-fedora/openssl_1.1.x/x86-64/release:
+fedora/openssl_1.1.x/x86_64/fips:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Release
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+  - echo 1 > /etc/system-fips
+  - update-crypto-policies --set FIPS
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
    -DPICKY_DEVELOPER=ON
+    -DWITH_BLOWFISH_CIPHER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON .. &&
+    make -j$(nproc) && OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
+fedora/openssl_1.1.x/x86_64/minimal:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  script:
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=OFF -DWITH_SERVER=OFF -DWITH_ZLIB=OFF -DWITH_PCAP=OFF
+    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DWITH_GEX=OFF .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
@@ -66,7 +97,8 @@ fedora/address-sanitizer:
  script:
  - mkdir -p obj && cd obj && cmake
    -DCMAKE_BUILD_TYPE=AddressSanitizer
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
    -DUNIT_TESTING=ON .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
@@ -79,12 +111,35 @@ fedora/address-sanitizer:
    paths:
      - obj/

+# This is disabled as it report OpenSSL issues
+# It also has ethe same issues with cwrap as AddressSanitizer
+.fedora/memory-sanitizer:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  script:
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=MemorySanitizer
+    -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON ..
+    && make -j$(nproc) && ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
 fedora/undefined-sanitizer:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
  - mkdir -p obj && cd obj && cmake
-    -DCMAKE_C_FLAGS="-fsanitize=undefined -fsanitize=null -fsanitize=alignment -fno-sanitize-recover"
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+    -DCMAKE_BUILD_TYPE=UndefinedSanitizer
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
    && make -j$(nproc) && ctest --output-on-failure
  tags:
@@ -97,16 +152,28 @@ fedora/undefined-sanitizer:
    paths:
      - obj/

-fedora/static-analysis:
+fedora/csbuild:
+  variables:
+      GIT_DEPTH: "100"
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-  - export CCC_CC=clang
-  - export CCC_CXX=clang++
-  - mkdir -p obj && cd obj && scan-build cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON
-    -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang .. &&
-    scan-build --status-bugs -o scan make -j$(nproc)
+  - |
+    if [[ -z "$CI_COMMIT_BEFORE_SHA" ]]; then
+        export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
+    fi
+
+    # Check if the commit exists in this branch
+    # This is not the case for a force push
+    git branch --contains $CI_COMMIT_BEFORE_SHA 2>/dev/null || export CI_COMMIT_BEFORE_SHA=$(git rev-parse "${CI_COMMIT_SHA}~20")
+
+    export CI_COMMIT_RANGE="$CI_COMMIT_BEFORE_SHA..$CI_COMMIT_SHA"
+
+  - csbuild
+    --build-dir=obj-csbuild
+    --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON @SRCDIR@ && make clean && make -j$(nproc)"
+    --git-commit-range $CI_COMMIT_RANGE
+    --color
+    --print-current --print-fixed
  tags:
  - shared
  except:
@@ -115,38 +182,43 @@ fedora/static-analysis:
    expire_in: 1 week
    when: on_failure
    paths:
-      - obj/scan
+      - obj-csbuild/

 # That is a specific runner that we cannot enable universally.
 # We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
-freebsd/x86-64:
+freebsd/x86_64:
  image:
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
    -DUNIT_TESTING=ON .. &&
    make && ctest --output-on-failure
  tags:
  - freebsd
+  - private
  except:
  - tags
  only:
  - branches@libssh/libssh-mirror
  - branches@cryptomilk/libssh-mirror
+  - branches@jjelen/libssh-mirror
  artifacts:
    expire_in: 1 week
    when: on_failure
    paths:
      - obj/

-fedora/libgcrypt/x86-64:
+fedora/libgcrypt/x86_64:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON
-    -DWITH_GCRYPT=ON .. &&
+    -DWITH_GCRYPT=ON -DWITH_DEBUG_CRYPTO=ON .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
@@ -158,14 +230,15 @@ fedora/libgcrypt/x86-64:
    paths:
      - obj/

-fedora/mbedtls/x86-64:
+fedora/mbedtls/x86_64:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON
-    -DPICKY_DEVELOPER=ON
-    -DWITH_MBEDTLS=ON .. &&
+    -DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
@@ -177,14 +250,63 @@ fedora/mbedtls/x86-64:
    paths:
      - obj/

-tumbleweed/openssl_1.1.x/x86-64:
+# Unit testing only, no client and pkd testing, because cwrap is not available
+# for MinGW
+fedora/mingw64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+  script:
+  - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
+  - export WINEDEBUG=-all
+  - mkdir -p obj && cd obj && mingw64-cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON .. &&
+    make -j$(nproc) &&
+    ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
+# Unit testing only, no client and pkd testing, because cwrap is not available
+# for MinGW
+fedora/mingw32:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+  script:
+  - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
+  - export WINEDEBUG=-all
+  - mkdir -p obj && cd obj && mingw32-cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON .. &&
+    make -j$(nproc) &&
+    ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
+tumbleweed/openssl_1.1.x/x86_64/gcc:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
    -DPICKY_DEVELOPER=ON
-    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON .. &&
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config
+    -DUNIT_TESTING=ON -DSERVER_TESTING=ON .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
@@ -196,14 +318,79 @@ tumbleweed/openssl_1.1.x/x86-64:
    paths:
      - obj/

-tumbleweed/openssl_1.1.x/x86-64/release:
+tumbleweed/openssl_1.1.x/x86/gcc:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_BUILD_TYPE=Release
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_TOOLCHAIN_FILE=../cmake/Toolchain-cross-m32.cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
    -DPICKY_DEVELOPER=ON
-    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON .. &&
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON .. &&
+    make -j$(nproc) && ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
+tumbleweed/openssl_1.1.x/x86_64/gcc7:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
+  script:
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config
+    -DUNIT_TESTING=ON -DSERVER_TESTING=ON .. &&
+    make -j$(nproc) && ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
+tumbleweed/openssl_1.1.x/x86/gcc7:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
+  script:
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_TOOLCHAIN_FILE=../cmake/Toolchain-cross-m32.cmake
+    -DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON .. &&
+    make -j$(nproc) && ctest --output-on-failure
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - obj/
+
+tumbleweed/openssl_1.1.x/x86_64/clang:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
+  script:
+  - mkdir -p obj && cd obj && cmake
+    -DCMAKE_BUILD_TYPE=RelWithDebInfo
+    -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config
+    -DUNIT_TESTING=ON
+    -DSERVER_TESTING=ON .. &&
    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
@@ -229,32 +416,15 @@ tumbleweed/docs:
    paths:
      - obj/

-tumbleweed/openssl_1.1.x/x86:
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
-  script:
-  - mkdir -p obj && cd obj && cmake -DCMAKE_TOOLCHAIN_FILE=../cmake/Toolchain-cross-m32.cmake
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DPICKY_DEVELOPER=ON
-    -DUNIT_TESTING=ON .. &&
-    make -j$(nproc) && ctest --output-on-failure
-  tags:
-  - shared
-  except:
-  - tags
-  artifacts:
-    expire_in: 1 week
-    when: on_failure
-    paths:
-      - obj/
-
 tumbleweed/undefined-sanitizer:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
  script:
  - mkdir -p obj && cd obj && cmake
-    -DCMAKE_C_FLAGS="-fsanitize=undefined -fsanitize=null -fsanitize=alignment -fno-sanitize-recover"
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
-    && make -j$(nproc) && ctest --output-on-failure
+    -DCMAKE_BUILD_TYPE=UndefinedSanitizer
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON -DSERVER_TESTING=ON .. &&
+    make -j$(nproc) && ctest --output-on-failure
  tags:
  - shared
  except:
@@ -270,10 +440,12 @@ tumbleweed/static-analysis:
  script:
  - export CCC_CC=clang
  - export CCC_CXX=clang++
-  - mkdir -p obj && cd obj && scan-build cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON
-    -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang .. &&
+  - mkdir -p obj && cd obj && scan-build cmake
+    -DCMAKE_BUILD_TYPE=Debug
+    -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++
+    -DPICKY_DEVELOPER=ON
+    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+    -DUNIT_TESTING=ON -DSERVER_TESTING=ON .. &&
    scan-build --status-bugs -o scan make -j$(nproc)
  tags:
  - shared
@@ -285,22 +457,31 @@ tumbleweed/static-analysis:
    paths:
      - obj/scan

-# Unit testing only, no client and pkd testing, because cwrap is not available
-# for MinGW
-mingw64:
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+###############################################################################
+#                           Visual Studio builds                              #
+###############################################################################
+.vs:
+  stage: test
+  cache:
+    key: vcpkg.${CI_JOB_NAME}
+    paths:
+      - .vcpkg
+  variables:
+    ErrorActionPreference: STOP
  script:
-  - Xvfb :1 -screen 0 1024x768x16 -ac +extension GLX +render -noreset -nolisten tcp &
-  - export DISPLAY=:1
-  - mkdir -p obj && cd obj && mingw64-cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DPICKY_DEVELOPER=ON
-    -DUNIT_TESTING=ON .. &&
-    make -j$(nproc)
-  - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
+  - $env:VCPKG_DEFAULT_TRIPLET="x64-windows"
+  - mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1}
+  - cmake
+      -A x64
+      -DCMAKE_TOOLCHAIN_FILE="$env:VCPKG_TOOLCHAIN_FILE"
+      -DPICKY_DEVELOPER=ON
+      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+      -DUNIT_TESTING=ON ..
+  - cmake --build .
  - ctest --output-on-failure
  tags:
-  - shared
+  - windows
+  - shared-windows
  except:
  - tags
  artifacts:
@@ -308,27 +489,36 @@ mingw64:
    when: on_failure
    paths:
      - obj/
+  before_script:
+  - choco install --no-progress -y cmake
+  - $env:Path += ';C:\Program Files\CMake\bin'
+  - If (!(test-path .vcpkg\archives)) { mkdir -p .vcpkg\archives }
+  - $env:VCPKG_DEFAULT_BINARY_CACHE="$PWD\.vcpkg\archives"
+  - echo $env:VCPKG_DEFAULT_BINARY_CACHE
+  - $env:VCPKG_DEFAULT_TRIPLET="$TRIPLET-windows"
+  - vcpkg install cmocka
+  - vcpkg install openssl
+  - vcpkg install zlib
+  - vcpkg integrate install
+  - mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1}
+  - cmake
+      -A $PLATFORM
+      -DCMAKE_TOOLCHAIN_FILE=C:/vcpkg/scripts/buildsystems/vcpkg.cmake
+      -DPICKY_DEVELOPER=ON
+      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
+      -DUNIT_TESTING=ON ..
+  # The Windows runners are broken for last month
+  # https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/gcp/windows-containers/-/issues/40
+  allow_failure: true

-# Unit testing only, no client and pkd testing, because cwrap is not available
-# for MinGW
-mingw32:
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
-  script:
-  - Xvfb :1 -screen 0 1024x768x16 -ac +extension GLX +render -noreset -nolisten tcp &
-  - export DISPLAY=:1
-  - mkdir -p obj && cd obj && mingw32-cmake -DCMAKE_BUILD_TYPE=Debug
-    -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON --DWITH_PCAP=ON
-    -DPICKY_DEVELOPER=ON
-    -DUNIT_TESTING=ON .. &&
-    make -j$(nproc)
-  - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
-  - ctest --output-on-failure
-  tags:
-  - shared
-  except:
-  - tags
-  artifacts:
-    expire_in: 1 week
-    when: on_failure
-    paths:
-      - obj/
+visualstudio/x86_64:
+  extends: .vs
+  variables:
+    PLATFORM: "x64"
+    TRIPLET: "x64"
+
+visualstudio/x86:
+  extends: .vs
+  variables:
+    PLATFORM: "win32"
+    TRIPLET: "x86"
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,7 +10,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)

-project(libssh VERSION 0.8.8 LANGUAGES C)
+project(libssh VERSION 0.9.6 LANGUAGES C)

 # global needed variable
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -22,16 +22,16 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 #     Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 #     Increment REVISION.
-set(LIBRARY_VERSION "4.7.5")
+set(LIBRARY_VERSION "4.8.7")
 set(LIBRARY_SOVERSION "4")

 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked

 # add definitions
 include(DefinePlatformDefaults)
-include(DefineInstallationPaths)
 include(DefineOptions.cmake)
 include(CPackConfig.cmake)
+include(GNUInstallDirs)

 include(CompilerChecks.cmake)

@@ -59,7 +59,13 @@ elseif(WITH_MBEDTLS)
    endif (NOT MBEDTLS_FOUND)
 else (WITH_GCRYPT)
  find_package(OpenSSL)
-  if (NOT OPENSSL_FOUND)
+  if (OPENSSL_FOUND)
+    # On CMake < 3.16, OPENSSL_CRYPTO_LIBRARIES is usually a synonym for OPENSSL_CRYPTO_LIBRARY, but is not defined
+    # when building on Windows outside of Cygwin. We provide the synonym here, if FindOpenSSL didn't define it already.
+    if (NOT DEFINED OPENSSL_CRYPTO_LIBRARIES)
+      set(OPENSSL_CRYPTO_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    endif (NOT DEFINED OPENSSL_CRYPTO_LIBRARIES)
+  else (OPENSSL_FOUND)
    find_package(GCrypt)
    if (NOT GCRYPT_FOUND)
      find_package(MbedTLS)
@@ -67,9 +73,13 @@ else (WITH_GCRYPT)
        message(FATAL_ERROR "Could not find OpenSSL, GCrypt or mbedTLS")
      endif (NOT MBEDTLS_FOUND)
    endif (NOT GCRYPT_FOUND)
-  endif (NOT OPENSSL_FOUND)
+  endif (OPENSSL_FOUND)
 endif(WITH_GCRYPT)

+if (UNIT_TESTING)
+    find_package(CMocka REQUIRED)
+endif ()
+
 # Find out if we have threading available
 set(CMAKE_THREAD_PREFER_PTHREADS ON)
 set(THREADS_PREFER_PTHREAD_FLAG ON)
@@ -113,7 +123,7 @@ install(
  FILES
    ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc
  DESTINATION
-    ${LIB_INSTALL_DIR}/pkgconfig
+    ${CMAKE_INSTALL_LIBDIR}/pkgconfig
  COMPONENT
    pkgconfig
 )
@@ -129,30 +139,21 @@ write_basic_package_version_file(libssh-config-version.cmake
                                 VERSION ${PROJECT_VERSION}
                                 COMPATIBILITY SameMajorVersion)

-# libssh-config.cmake
-configure_package_config_file(${PROJECT_NAME}-config.cmake.in
-                              ${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}-config.cmake
-                              INSTALL_DESTINATION ${CMAKE_INSTALL_DIR}/${PROJECT_NAME}
-                              PATH_VARS INCLUDE_INSTALL_DIR LIB_INSTALL_DIR)
-
 install(
    FILES
-        ${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}-config.cmake
        ${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}-config-version.cmake
    DESTINATION
-        ${CMAKE_INSTALL_DIR}/${PROJECT_NAME}
+        ${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME}
    COMPONENT
-        devel
-)
+        devel)

 if (WITH_EXAMPLES)
    add_subdirectory(examples)
 endif (WITH_EXAMPLES)

 if (UNIT_TESTING)
-  find_package(CMocka REQUIRED)
-  include(AddCMockaTest)
-  add_subdirectory(tests)
+    include(AddCMockaTest)
+    add_subdirectory(tests)
 endif (UNIT_TESTING)

 ### SOURCE PACKAGE
@@ -208,7 +209,12 @@ if (WITH_SYMBOL_VERSIONING AND ABIMAP_FOUND)
    endif(UPDATE_ABI)
 endif (WITH_SYMBOL_VERSIONING AND ABIMAP_FOUND)

-add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source DEPENDS ${_SYMBOL_TARGET})
+add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source DEPENDS ${_SYMBOL_TARGET} VERBATIM)
+
+# Link compile database for clangd
+execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink
+                "${CMAKE_BINARY_DIR}/compile_commands.json"
+                "${CMAKE_SOURCE_DIR}/compile_commands.json")

 message(STATUS "********************************************")
 message(STATUS "********** ${PROJECT_NAME} build options : **********")
@@ -220,10 +226,12 @@ message(STATUS "libnacl support: ${WITH_NACL}")
 message(STATUS "SFTP support: ${WITH_SFTP}")
 message(STATUS "Server support : ${WITH_SERVER}")
 message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
+message(STATUS "GEX support : ${WITH_GEX}")
 message(STATUS "Pcap debugging support : ${WITH_PCAP}")
-message(STATUS "With static library: ${WITH_STATIC_LIB}")
+message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
 message(STATUS "Unit testing: ${UNIT_TESTING}")
 message(STATUS "Client code testing: ${CLIENT_TESTING}")
+message(STATUS "Blowfish cipher support: ${WITH_BLOWFISH_CIPHER}")
 set(_SERVER_TESTING OFF)
 if (WITH_SERVER)
    set(_SERVER_TESTING ${SERVER_TESTING})
@@ -238,5 +246,9 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
 message(STATUS "Symbol versioning: ${WITH_SYMBOL_VERSIONING}")
 message(STATUS "Allow ABI break: ${WITH_ABI_BREAK}")
 message(STATUS "Release is final: ${WITH_FINAL}")
+message(STATUS "Global client config: ${GLOBAL_CLIENT_CONFIG}")
+if (WITH_SERVER)
+message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
+endif()
 message(STATUS "********************************************")

--- a/CPackConfig.cmake
+++ b/CPackConfig.cmake
@@ -23,7 +23,7 @@ if (WIN32)
        set(CPACK_GENERATOR "${CPACK_GENERATOR};NSIS")
        set(CPACK_NSIS_DISPLAY_NAME "The SSH Library")
        set(CPACK_NSIS_COMPRESSOR "/SOLID zlib")
-        set(CPACK_NSIS_MENU_LINKS "http://www.libssh.org/" "libssh homepage")
+        set(CPACK_NSIS_MENU_LINKS "https://www.libssh.org/" "libssh homepage")
    endif (NSIS_MAKE)
 endif (WIN32)

--- a/81
+++ b/81
@@ -1,8 +1,87 @@
 ChangeLog
 ==========

-version 0.8.8 (released 2019-12-10)
+version 0.9.6 (released 2021-08-26)
+  * CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with
+    different key exchange mechanism
+  * Fix several memory leaks on error paths
+  * Reset pending_call_state on disconnect
+  * Fix handshake bug with AEAD ciphers and no HMAC overlap
+  * Use OPENSSL_CRYPTO_LIBRARIES in CMake
+  * Ignore request success and failure message if they are not expected
+  * Support more identity files in configuration
+  * Avoid setting compiler flags directly in CMake
+  * Support build directories with special characters
+  * Include stdlib.h to avoid crash in Windows
+  * Fix sftp_new_channel constructs an invalid object
+  * Fix Ninja multiple rules error
+  * Several tests fixes
+
+version 0.9.5 (released 2020-09-10)
+  * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
+  * Improve handling of library initialization (T222)
+  * Fix parsing of subsecond times in SFTP (T219)
+  * Make the documentation reproducible
+  * Remove deprecated API usage in OpenSSL
+  * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
+  * Define version in one place (T226)
+  * Prevent invalid free when using different C runtimes than OpenSSL (T229)
+  * Compatibility improvements to testsuite
+
+version 0.9.4 (released 2020-04-09)
+  * Fixed CVE-2020-1730 - Possible DoS in client and server when handling
+    AES-CTR keys with OpenSSL
+  * Added diffie-hellman-group14-sha256
+  * Fixed serveral possible memory leaks
+
+version 0.9.3 (released 2019-12-10)
  * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
+  * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
+  * SSH-01-006 General: Various unchecked Null-derefs cause DOS
+  * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
+  * SSH-01-010 SSH: Deprecated hash function in fingerprinting
+  * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
+  * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
+  * SSH-01-001 State Machine: Initial machine states should be set explicitly
+  * SSH-01-002 Kex: Differently bound macros used to iterate same array
+  * SSH-01-005 Code-Quality: Integer sign confusion during assignments
+  * SSH-01-008 SCP: Protocol Injection via unescaped File Names
+  * SSH-01-009 SSH: Update documentation which RFCs are implemented
+  * SSH-01-012 PKI: Information leak via uninitialized stack buffer
+
+version 0.9.2 (released 2019-11-07)
+  * Fixed libssh-config.cmake
+  * Fixed issues with rsa algorithm negotiation (T191)
+  * Fixed detection of OpenSSL ed25519 support (T197)
+
+version 0.9.1 (released 2019-10-25)
+  * Added support for Ed25519 via OpenSSL
+  * Added support for X25519 via OpenSSL
+  * Added support for localuser in Match keyword
+  * Fixed Match keyword to be case sensitive
+  * Fixed compilation with LibreSSL
+  * Fixed error report of channel open (T75)
+  * Fixed sftp documentation (T137)
+  * Fixed known_hosts parsing (T156)
+  * Fixed build issue with MinGW (T157)
+  * Fixed build with gcc 9 (T164)
+  * Fixed deprecation issues (T165)
+  * Fixed known_hosts directory creation (T166)
+
+version 0.9.0 (released 2019-06-28)
+  * Added support for AES-GCM
+  * Added improved rekeying support
+  * Added performance improvements
+  * Disabled blowfish support by default
+  * Fixed several ssh config parsing issues
+  * Added support for DH Group Exchange KEX
+  * Added support for Encrypt-then-MAC mode
+  * Added support for parsing server side configuration file
+  * Added support for ECDSA/Ed25519 certificates
+  * Added FIPS 140-2 compatibility
+  * Improved known_hosts parsing
+  * Improved documentation
+  * Improved OpenSSL API usage for KEX, DH, and signatures

 version 0.8.7 (released 2019-02-25)
  * Fixed handling extension flags in the server implementation
--- a/CompilerChecks.cmake
+++ b/CompilerChecks.cmake
@@ -41,6 +41,8 @@ if (UNIX)
    add_c_compiler_flag("-Werror=strict-overflow" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wstrict-overflow=2" SUPPORTED_COMPILER_FLAGS)
    add_c_compiler_flag("-Wno-format-zero-length" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Wmissing-field-initializers" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Wsign-compare" SUPPORTED_COMPILER_FLAGS)

    check_c_compiler_flag("-Wformat" REQUIRED_FLAGS_WFORMAT)
    if (REQUIRED_FLAGS_WFORMAT)
@@ -51,7 +53,10 @@ if (UNIX)
    add_c_compiler_flag("-Werror=format-security" SUPPORTED_COMPILER_FLAGS)

    # Allow zero for a variadic macro argument
-    add_c_compiler_flag("-Wno-gnu-zero-variadic-macro-arguments" SUPPORTED_COMPILER_FLAGS)
+    string(TOLOWER "${CMAKE_C_COMPILER_ID}" _C_COMPILER_ID)
+    if ("${_C_COMPILER_ID}" STREQUAL "clang")
+        add_c_compiler_flag("-Wno-gnu-zero-variadic-macro-arguments" SUPPORTED_COMPILER_FLAGS)
+    endif()

    add_c_compiler_flag("-fno-common" SUPPORTED_COMPILER_FLAGS)

@@ -65,10 +70,18 @@ if (UNIX)
    check_c_compiler_flag_ssp("-fstack-protector-strong" WITH_STACK_PROTECTOR_STRONG)
    if (WITH_STACK_PROTECTOR_STRONG)
        list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector-strong")
+        # This is needed as Solaris has a seperate libssp
+        if (SOLARIS)
+            list(APPEND SUPPORTED_LINKER_FLAGS "-fstack-protector-strong")
+        endif()
    else (WITH_STACK_PROTECTOR_STRONG)
        check_c_compiler_flag_ssp("-fstack-protector" WITH_STACK_PROTECTOR)
        if (WITH_STACK_PROTECTOR)
            list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector")
+            # This is needed as Solaris has a seperate libssp
+            if (SOLARIS)
+                list(APPEND SUPPORTED_LINKER_FLAGS "-fstack-protector")
+            endif()
        endif()
    endif (WITH_STACK_PROTECTOR_STRONG)

@@ -82,6 +95,8 @@ if (UNIX)
        add_c_compiler_flag("-Wno-error=tautological-compare" SUPPORTED_COMPILER_FLAGS)
    endif()

+    add_c_compiler_flag("-Wno-deprecated-declarations" DEPRECATION_COMPILER_FLAGS)
+
    # Unset CMAKE_REQUIRED_FLAGS
    unset(CMAKE_REQUIRED_FLAGS)
 endif()
@@ -100,3 +115,8 @@ if (OSX)
 endif()

 set(DEFAULT_C_COMPILE_FLAGS ${SUPPORTED_COMPILER_FLAGS} CACHE INTERNAL "Default C Compiler Flags" FORCE)
+set(DEFAULT_LINK_FLAGS ${SUPPORTED_LINKER_FLAGS} CACHE INTERNAL "Default C Linker Flags" FORCE)
+
+if (DEPRECATION_COMPILER_FLAGS)
+    set(DEFAULT_C_NO_DEPRECATION_FLAGS ${DEPRECATION_COMPILER_FLAGS} CACHE INTERNAL "Default no deprecation flags" FORCE)
+endif()
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -9,10 +9,7 @@ include(TestBigEndian)

 set(PACKAGE ${PROJECT_NAME})
 set(VERSION ${PROJECT_VERSION})
-set(DATADIR ${DATA_INSTALL_DIR})
-set(LIBDIR ${LIB_INSTALL_DIR})
-set(PLUGINDIR "${PLUGIN_INSTALL_DIR}-${LIBRARY_SOVERSION}")
-set(SYSCONFDIR ${SYSCONF_INSTALL_DIR})
+set(SYSCONFDIR ${CMAKE_INSTALL_SYSCONFDIR})

 set(BINARYDIR ${CMAKE_BINARY_DIR})
 set(SOURCEDIR ${CMAKE_SOURCE_DIR})
@@ -64,6 +61,7 @@ check_include_file(sys/param.h HAVE_SYS_PARAM_H)
 check_include_file(arpa/inet.h HAVE_ARPA_INET_H)
 check_include_file(byteswap.h HAVE_BYTESWAP_H)
 check_include_file(glob.h HAVE_GLOB_H)
+check_include_file(valgrind/valgrind.h HAVE_VALGRIND_VALGRIND_H)

 if (WIN32)
  check_include_file(io.h HAVE_IO_H)
@@ -88,8 +86,10 @@ if (OPENSSL_FOUND)
        message(FATAL_ERROR "Could not detect openssl/aes.h")
    endif()

-    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+    if (WITH_BLOWFISH_CIPHER)
+        set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+        check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+    endif()

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
    check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
@@ -101,29 +101,64 @@ if (OPENSSL_FOUND)
    check_include_file(openssl/ecdsa.h HAVE_OPENSSL_ECDSA_H)

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(EVP_aes_128_ctr HAVE_OPENSSL_EVP_AES_CTR)

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(EVP_aes_128_cbc HAVE_OPENSSL_EVP_AES_CBC)

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(EVP_aes_128_gcm HAVE_OPENSSL_EVP_AES_GCM)
+
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(CRYPTO_THREADID_set_callback HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK)

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(CRYPTO_ctr128_encrypt HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT)

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(EVP_CIPHER_CTX_new HAVE_OPENSSL_EVP_CIPHER_CTX_NEW)

    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(EVP_KDF_CTX_new_id HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID)
+
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(FIPS_mode HAVE_OPENSSL_FIPS_MODE)
+
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
    check_function_exists(RAND_priv_bytes HAVE_OPENSSL_RAND_PRIV_BYTES)

+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(EVP_DigestSign HAVE_OPENSSL_EVP_DIGESTSIGN)
+
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(EVP_DigestVerify HAVE_OPENSSL_EVP_DIGESTVERIFY)
+
+    check_function_exists(OPENSSL_ia32cap_loc HAVE_OPENSSL_IA32CAP_LOC)
+
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_symbol_exists(EVP_PKEY_ED25519 "openssl/evp.h" FOUND_OPENSSL_ED25519)
+
+    if (HAVE_OPENSSL_EVP_DIGESTSIGN AND HAVE_OPENSSL_EVP_DIGESTVERIFY AND
+        FOUND_OPENSSL_ED25519)
+        set(HAVE_OPENSSL_ED25519 1)
+    endif()
+
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_symbol_exists(EVP_PKEY_X25519 "openssl/evp.h" HAVE_OPENSSL_X25519)
+
    unset(CMAKE_REQUIRED_INCLUDES)
    unset(CMAKE_REQUIRED_LIBRARIES)
 endif()
@@ -254,6 +289,14 @@ if (CMAKE_USE_PTHREADS_INIT)
    set(HAVE_PTHREAD 1)
 endif (CMAKE_USE_PTHREADS_INIT)

+if (UNIT_TESTING)
+    if (CMOCKA_FOUND)
+        set(CMAKE_REQUIRED_LIBRARIES ${CMOCKA_LIBRARIES})
+        check_function_exists(cmocka_set_test_filter HAVE_CMOCKA_SET_TEST_FILTER)
+        unset(CMAKE_REQUIRED_LIBRARIES)
+    endif ()
+endif ()
+
 # OPTIONS
 check_c_source_compiles("
 __thread int tls;
@@ -272,19 +315,19 @@ int main(void) {
 ###########################################################
 # For detecting attributes we need to treat warnings as
 # errors
-if (UNIX)
+if (UNIX OR MINGW)
    # Get warnings for attributs
-    check_c_compiler_flag("-Wattributs" REQUIRED_FLAGS_WERROR)
+    check_c_compiler_flag("-Wattributes" REQUIRED_FLAGS_WERROR)
    if (REQUIRED_FLAGS_WERROR)
-        set(CMAKE_REQUIRED_FLAGS "-Wattributes")
+        string(APPEND CMAKE_REQUIRED_FLAGS "-Wattributes ")
    endif()

    # Turn warnings into errors
    check_c_compiler_flag("-Werror" REQUIRED_FLAGS_WERROR)
    if (REQUIRED_FLAGS_WERROR)
-        set(CMAKE_REQUIRED_FLAGS "-Werror")
+        string(APPEND CMAKE_REQUIRED_FLAGS "-Werror ")
    endif()
-endif (UNIX)
+endif ()

 check_c_source_compiles("
 void test_constructor_attribute(void) __attribute__ ((constructor));
@@ -328,6 +371,28 @@ int main(void) {
    return 0;
 }" HAVE_FALLTHROUGH_ATTRIBUTE)

+if (NOT WIN32)
+    check_c_source_compiles("
+    #define __unused __attribute__((unused))
+
+    static int do_nothing(int i __unused)
+    {
+        return 0;
+    }
+
+    int main(void)
+    {
+        int i;
+
+        i = do_nothing(5);
+        if (i > 5) {
+            return 1;
+        }
+
+        return 0;
+    }" HAVE_UNUSED_ATTRIBUTE)
+endif()
+
 check_c_source_compiles("
 #include <string.h>

@@ -340,18 +405,6 @@ int main(void)
    return 0;
 }" HAVE_GCC_VOLATILE_MEMORY_PROTECTION)

-check_c_source_compiles("
-#include <stdio.h>
-#define __VA_NARG__(...) (__VA_NARG_(_0, ## __VA_ARGS__, __RSEQ_N()) - 1)
-#define __VA_NARG_(...) __VA_ARG_N(__VA_ARGS__)
-#define __VA_ARG_N( _1, _2, _3, _4, _5, _6, _7, _8, _9,_10,N,...) N
-#define __RSEQ_N() 10, 9,  8,  7,  6,  5,  4,  3,  2,  1,  0
-#define myprintf(format, ...) printf((format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__)
-int main(void) {
-    myprintf(\"%d %d %d %d\",1,2,3);
-    return 0;
-}" HAVE_GCC_NARG_MACRO)
-
 check_c_source_compiles("
 #include <stdio.h>
 int main(void) {
@@ -366,6 +419,8 @@ int main(void) {
    return 0;
 }" HAVE_COMPILER__FUNCTION__)

+# This is only available with OpenBSD's gcc implementation */
+if (OPENBSD)
 check_c_source_compiles("
 #define ARRAY_LEN 16
 void test_attr(const unsigned char *k)
@@ -374,6 +429,7 @@ void test_attr(const unsigned char *k)
 int main(void) {
    return 0;
 }" HAVE_GCC_BOUNDED_ATTRIBUTE)
+endif(OPENBSD)

 # Stop treating warnings as errors
 unset(CMAKE_REQUIRED_FLAGS)
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -2,14 +2,15 @@ option(WITH_GSSAPI "Build with GSSAPI support" ON)
 option(WITH_ZLIB "Build with ZLIB support" ON)
 option(WITH_SFTP "Build with SFTP support" ON)
 option(WITH_SERVER "Build with SSH server support" ON)
-option(WITH_STATIC_LIB "Build with a static library" OFF)
 option(WITH_DEBUG_CRYPTO "Build with cryto debug output" OFF)
 option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
 option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
 option(WITH_GCRYPT "Compile against libgcrypt" OFF)
 option(WITH_MBEDTLS "Compile against libmbedtls" OFF)
+option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF)
 option(WITH_PCAP "Compile with Pcap generation support" ON)
 option(WITH_INTERNAL_DOC "Compile doxygen internal documentation" OFF)
+option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 option(UNIT_TESTING "Build with unit tests" OFF)
 option(CLIENT_TESTING "Build with client tests; requires openssh" OFF)
 option(SERVER_TESTING "Build with server tests; requires openssh and dropbear" OFF)
@@ -18,6 +19,7 @@ option(WITH_EXAMPLES "Build examples" ON)
 option(WITH_NACL "Build with libnacl (curve25519)" ON)
 option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
 option(WITH_ABI_BREAK "Allow ABI break" OFF)
+option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
 option(FUZZ_TESTING "Build with fuzzer for the server" OFF)
 option(PICKY_DEVELOPER "Build with picky developer flags" OFF)

@@ -32,13 +34,9 @@ if (WITH_BENCHMARKS)
  set(CLIENT_TESTING ON)
 endif()

-if (WITH_STATIC_LIB)
-    set(BUILD_STATIC_LIB ON)
-endif (WITH_STATIC_LIB)
-
-if (UNIT_TESTING)
+if (UNIT_TESTING OR CLIENT_TESTING OR SERVER_TESTING)
  set(BUILD_STATIC_LIB ON)
-endif (UNIT_TESTING)
+endif()

 if (WITH_NACL)
  set(WITH_NACL ON)
@@ -47,3 +45,11 @@ endif (WITH_NACL)
 if (WITH_ABI_BREAK)
  set(WITH_SYMBOL_VERSIONING ON)
 endif (WITH_ABI_BREAK)
+
+if (NOT GLOBAL_BIND_CONFIG)
+  set(GLOBAL_BIND_CONFIG "/etc/ssh/libssh_server_config")
+endif (NOT GLOBAL_BIND_CONFIG)
+
+if (NOT GLOBAL_CLIENT_CONFIG)
+  set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
+endif (NOT GLOBAL_CLIENT_CONFIG)
--- a/19
+++ b/19
@@ -7,13 +7,14 @@
 In order to build libssh, you need to install several components:

 - A C compiler
- [CMake](http://www.cmake.org) >= 2.6.0.
- [openssl](http://www.openssl.org) >= 0.9.8
+- [CMake](https://www.cmake.org) >= 2.6.0.
+- [openssl](https://www.openssl.org) >= 0.9.8
 or
- [gcrypt](http://www.gnu.org/directory/Security/libgcrypt.html) >= 1.4
+- [gcrypt](https://www.gnu.org/directory/Security/libgcrypt.html) >= 1.4
+- [libz](https://www.zlib.net) >= 1.2

 optional:
- [libz](http://www.zlib.net) >= 1.2
+- [cmocka](https://cmocka.org/) >= 1.1.0
 - [socket_wrapper](https://cwrap.org/) >= 1.1.5
 - [nss_wrapper](https://cwrap.org/) >= 1.1.2
 - [uid_wrapper](https://cwrap.org/) >= 1.2.0
@@ -22,12 +23,12 @@ optional:
 Note that these version numbers are version we know works correctly. If you
 build and run libssh successfully with an older version, please let us know.

-Windows binaries known to be working:
+For Windows use vcpkg:

- http://www.slproweb.com/products/Win32OpenSSL.html
- http://zlib.net/ -> zlib compiled DLL
+https://github.com/Microsoft/vcpkg

-We installed them in C:\Program Files
+which you can use to install openssl and zlib. libssh itself is also part of
+vcpkg!

 ## Building
 First, you need to configure the compilation, using CMake. Go inside the
@@ -116,4 +117,4 @@ This document is written using [Markdown][] syntax, making it possible to
 provide usable information in both plain text and HTML format. Whenever
 modifying this document please use [Markdown][] syntax.

-[markdown]: http://www.daringfireball.net/projects/markdown
+[markdown]: https://www.daringfireball.net/projects/markdown
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ If you ask yourself how to compile libssh, please read INSTALL before anything.
 3* Where ?
 -_-_-_-_-_-_

-http://www.libssh.org
+https://www.libssh.org

 4* Contributing
 -_-_-_-_-_-_-_-_-_
--- a/README.CodingStyle
+++ b/README.CodingStyle
@@ -60,7 +60,7 @@ following to $HOME/.vimrc:

 You can use the Vim gitmodline plugin to store this in the git config:

-    http://git.cryptomilk.org/projects/vim-gitmodeline.git/
+    https://git.cryptomilk.org/projects/vim-gitmodeline.git/

 For Vim, the following settings in $HOME/.vimrc will also deal with
 displaying trailing whitespace:
--- a/4
+++ b/4
@@ -23,7 +23,7 @@ much easier to work with individuals who have ownership than corporate
 legal departments if we ever need to make reasonable compromises with
 people using and working with libssh.

-We track the ownership of every part of libssh via http://git.libssh.org,
+We track the ownership of every part of libssh via https://git.libssh.org,
 our source code control system, so we know the provenance of every piece
 of code that is committed to libssh.

@@ -85,7 +85,7 @@ By making a contribution to this project, I certify that:
    Free Software Foundation; either version 2.1 of
    the License, or (at the option of the project) any later version.

-    http://www.gnu.org/licenses/lgpl-2.1.html
+    https://www.gnu.org/licenses/lgpl-2.1.html


 We will maintain a copy of that email as a record that you have the
--- a/cmake/Modules/AddCMockaTest.cmake
+++ b/cmake/Modules/AddCMockaTest.cmake
@@ -1,11 +1,63 @@
-# - add_cmocka_test(test_name test_source linklib1 ... linklibN)
-
+#
 # Copyright (c) 2007      Daniel Gollub <dgollub@suse.de>
 # Copyright (c) 2007-2018 Andreas Schneider <asn@cryptomilk.org>
+# Copyright (c) 2018      Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 #
 # Redistribution and use is allowed according to the terms of the BSD license.
 # For details see the accompanying COPYING-CMAKE-SCRIPTS file.

+#.rst:
+# AddCMockaTest
+# -------------
+#
+# This file provides a function to add a test
+#
+# Functions provided
+# ------------------
+#
+# ::
+#
+#   add_cmocka_test(target_name
+#                   SOURCES src1 src2 ... srcN
+#                   [COMPILE_OPTIONS opt1 opt2 ... optN]
+#                   [LINK_LIBRARIES lib1 lib2 ... libN]
+#                   [LINK_OPTIONS lopt1 lop2 .. loptN]
+#                  )
+#
+# ``target_name``:
+#   Required, expects the name of the test which will be used to define a target
+#
+# ``SOURCES``:
+#   Required, expects one or more source files names
+#
+# ``COMPILE_OPTIONS``:
+#   Optional, expects one or more options to be passed to the compiler
+#
+# ``LINK_LIBRARIES``:
+#   Optional, expects one or more libraries to be linked with the test
+#   executable.
+#
+# ``LINK_OPTIONS``:
+#   Optional, expects one or more options to be passed to the linker
+#
+#
+# Example:
+#
+# .. code-block:: cmake
+#
+#   add_cmocka_test(my_test
+#                   SOURCES my_test.c other_source.c
+#                   COMPILE_OPTIONS -g -Wall
+#                   LINK_LIBRARIES mylib
+#                   LINK_OPTIONS -Wl,--enable-syscall-fixup
+#                  )
+#
+# Where ``my_test`` is the name of the test, ``my_test.c`` and
+# ``other_source.c`` are sources for the binary, ``-g -Wall`` are compiler
+# options to be used, ``mylib`` is a target of a library to be linked, and
+# ``-Wl,--enable-syscall-fixup`` is an option passed to the linker.
+#
+
 enable_testing()
 include(CTest)

@@ -17,10 +69,52 @@ if (CMAKE_CROSSCOMPILING)
    endif()
 endif()

-function(ADD_CMOCKA_TEST _testName _testSource)
-    add_executable(${_testName} ${_testSource})
+function(ADD_CMOCKA_TEST _TARGET_NAME)

-    target_link_libraries(${_testName} ${ARGN})
+    set(one_value_arguments
+    )
+
+    set(multi_value_arguments
+        SOURCES
+        COMPILE_OPTIONS
+        LINK_LIBRARIES
+        LINK_OPTIONS
+    )
+
+    cmake_parse_arguments(_add_cmocka_test
+        ""
+        "${one_value_arguments}"
+        "${multi_value_arguments}"
+        ${ARGN}
+    )
+
+    if (NOT DEFINED _add_cmocka_test_SOURCES)
+        message(FATAL_ERROR "No sources provided for target ${_TARGET_NAME}")
+    endif()
+
+    add_executable(${_TARGET_NAME} ${_add_cmocka_test_SOURCES})
+
+    if (DEFINED _add_cmocka_test_COMPILE_OPTIONS)
+        target_compile_options(${_TARGET_NAME}
+            PRIVATE ${_add_cmocka_test_COMPILE_OPTIONS}
+        )
+    endif()
+
+    if (DEFINED _add_cmocka_test_LINK_LIBRARIES)
+        target_link_libraries(${_TARGET_NAME}
+            PRIVATE ${_add_cmocka_test_LINK_LIBRARIES}
+        )
+    endif()
+
+    if (DEFINED _add_cmocka_test_LINK_OPTIONS)
+        set_target_properties(${_TARGET_NAME}
+            PROPERTIES LINK_FLAGS
+            ${_add_cmocka_test_LINK_OPTIONS}
+        )
+    endif()
+
+    add_test(${_TARGET_NAME}
+        ${TARGET_SYSTEM_EMULATOR} ${_TARGET_NAME}
+    )

-    add_test(${_testName} ${TARGET_SYSTEM_EMULATOR} ${CMAKE_CURRENT_BINARY_DIR}/${_testName}${CMAKE_EXECUTABLE_SUFFIX})
 endfunction (ADD_CMOCKA_TEST)
--- a/cmake/Modules/DefineCompilerFlags.cmake
+++ b/cmake/Modules/DefineCompilerFlags.cmake
@@ -1,8 +1,8 @@
 if (UNIX AND NOT WIN32)
    # Activate with: -DCMAKE_BUILD_TYPE=Profiling
-    set(CMAKE_C_FLAGS_PROFILING "-g -O0 -fprofile-arcs -ftest-coverage"
+    set(CMAKE_C_FLAGS_PROFILING "-O0 -g -fprofile-arcs -ftest-coverage"
        CACHE STRING "Flags used by the C compiler during PROFILING builds.")
-    set(CMAKE_CXX_FLAGS_PROFILING "-g -O0 -fprofile-arcs -ftest-coverage"
+    set(CMAKE_CXX_FLAGS_PROFILING "-O0 -g -fprofile-arcs -ftest-coverage"
        CACHE STRING "Flags used by the CXX compiler during PROFILING builds.")
    set(CMAKE_SHARED_LINKER_FLAGS_PROFILING "-fprofile-arcs -ftest-coverage"
        CACHE STRING "Flags used by the linker during the creation of shared libraries during PROFILING builds.")
@@ -22,4 +22,28 @@ if (UNIX AND NOT WIN32)
        CACHE STRING "Flags used by the linker during the creation of shared libraries during ADDRESSSANITIZER builds.")
    set(CMAKE_EXEC_LINKER_FLAGS_ADDRESSSANITIZER "-fsanitize=address"
        CACHE STRING "Flags used by the linker during ADDRESSSANITIZER builds.")
+
+    # Activate with: -DCMAKE_BUILD_TYPE=MemorySanitizer
+    set(CMAKE_C_FLAGS_MEMORYSANITIZER "-g -O2 -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer"
+        CACHE STRING "Flags used by the C compiler during MEMORYSANITIZER builds.")
+    set(CMAKE_CXX_FLAGS_MEMORYSANITIZER "-g -O2 -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer"
+        CACHE STRING "Flags used by the CXX compiler during MEMORYSANITIZER builds.")
+    set(CMAKE_SHARED_LINKER_FLAGS_MEMORYSANITIZER "-fsanitize=memory"
+        CACHE STRING "Flags used by the linker during the creation of shared libraries during MEMORYSANITIZER builds.")
+    set(CMAKE_MODULE_LINKER_FLAGS_MEMORYSANITIZER "-fsanitize=memory"
+        CACHE STRING "Flags used by the linker during the creation of shared libraries during MEMORYSANITIZER builds.")
+    set(CMAKE_EXEC_LINKER_FLAGS_MEMORYSANITIZER "-fsanitize=memory"
+        CACHE STRING "Flags used by the linker during MEMORYSANITIZER builds.")
+
+    # Activate with: -DCMAKE_BUILD_TYPE=UndefinedSanitizer
+    set(CMAKE_C_FLAGS_UNDEFINEDSANITIZER "-g -O1 -fsanitize=undefined -fsanitize=null -fsanitize=alignment -fno-sanitize-recover"
+        CACHE STRING "Flags used by the C compiler during UNDEFINEDSANITIZER builds.")
+    set(CMAKE_CXX_FLAGS_UNDEFINEDSANITIZER "-g -O1 -fsanitize=undefined -fsanitize=null -fsanitize=alignment -fno-sanitize-recover"
+        CACHE STRING "Flags used by the CXX compiler during UNDEFINEDSANITIZER builds.")
+    set(CMAKE_SHARED_LINKER_FLAGS_UNDEFINEDSANITIZER "-fsanitize=undefined"
+        CACHE STRING "Flags used by the linker during the creation of shared libraries during UNDEFINEDSANITIZER builds.")
+    set(CMAKE_MODULE_LINKER_FLAGS_UNDEFINEDSANITIZER "-fsanitize=undefined"
+        CACHE STRING "Flags used by the linker during the creation of shared libraries during UNDEFINEDSANITIZER builds.")
+    set(CMAKE_EXEC_LINKER_FLAGS_UNDEFINEDSANITIZER "-fsanitize=undefined"
+        CACHE STRING "Flags used by the linker during UNDEFINEDSANITIZER builds.")
 endif()
--- a/cmake/Modules/DefineInstallationPaths.cmake
+++ b/cmake/Modules/DefineInstallationPaths.cmake
@@ -1,109 +0,0 @@
-if (UNIX OR OS2)
-  IF (NOT APPLICATION_NAME)
-    MESSAGE(STATUS "${PROJECT_NAME} is used as APPLICATION_NAME")
-    SET(APPLICATION_NAME ${PROJECT_NAME})
-  ENDIF (NOT APPLICATION_NAME)
-
-  # Suffix for Linux
-  SET(LIB_SUFFIX
-    CACHE STRING "Define suffix of directory name (32/64)"
-  )
-
-  SET(EXEC_INSTALL_PREFIX
-    "${CMAKE_INSTALL_PREFIX}"
-    CACHE PATH  "Base directory for executables and libraries"
-  )
-  SET(SHARE_INSTALL_PREFIX
-    "${CMAKE_INSTALL_PREFIX}/share"
-    CACHE PATH "Base directory for files which go to share/"
-  )
-  SET(DATA_INSTALL_PREFIX
-    "${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}"
-    CACHE PATH "The parent directory where applications can install their data")
-
-  # The following are directories where stuff will be installed to
-  SET(BIN_INSTALL_DIR
-    "${EXEC_INSTALL_PREFIX}/bin"
-    CACHE PATH "The ${APPLICATION_NAME} binary install dir (default prefix/bin)"
-  )
-  SET(SBIN_INSTALL_DIR
-    "${EXEC_INSTALL_PREFIX}/sbin"
-    CACHE PATH "The ${APPLICATION_NAME} sbin install dir (default prefix/sbin)"
-  )
-  SET(LIB_INSTALL_DIR
-    "${EXEC_INSTALL_PREFIX}/lib${LIB_SUFFIX}"
-    CACHE PATH "The subdirectory relative to the install prefix where libraries will be installed (default is prefix/lib)"
-  )
-  SET(LIBEXEC_INSTALL_DIR
-    "${EXEC_INSTALL_PREFIX}/libexec"
-    CACHE PATH "The subdirectory relative to the install prefix where libraries will be installed (default is prefix/libexec)"
-  )
-  SET(PLUGIN_INSTALL_DIR
-    "${LIB_INSTALL_DIR}/${APPLICATION_NAME}"
-    CACHE PATH "The subdirectory relative to the install prefix where plugins will be installed (default is prefix/lib/${APPLICATION_NAME})"
-  )
-  SET(INCLUDE_INSTALL_DIR
-    "${CMAKE_INSTALL_PREFIX}/include"
-    CACHE PATH "The subdirectory to the header prefix (default prefix/include)"
-  )
-
-  set(CMAKE_INSTALL_DIR
-    "${LIB_INSTALL_DIR}/cmake"
-    CACHE PATH "The subdirectory to install cmake config files")
-
-  SET(DATA_INSTALL_DIR
-    "${DATA_INSTALL_PREFIX}"
-    CACHE PATH "The parent directory where applications can install their data (default prefix/share/${APPLICATION_NAME})"
-  )
-  SET(HTML_INSTALL_DIR
-    "${DATA_INSTALL_PREFIX}/doc/HTML"
-    CACHE PATH "The HTML install dir for documentation (default data/doc/html)"
-  )
-  SET(ICON_INSTALL_DIR
-    "${DATA_INSTALL_PREFIX}/icons"
-    CACHE PATH "The icon install dir (default data/icons/)"
-  )
-  SET(SOUND_INSTALL_DIR
-    "${DATA_INSTALL_PREFIX}/sounds"
-    CACHE PATH "The install dir for sound files (default data/sounds)"
-  )
-
-  SET(LOCALE_INSTALL_DIR
-    "${SHARE_INSTALL_PREFIX}/locale"
-    CACHE PATH "The install dir for translations (default prefix/share/locale)"
-  )
-
-  SET(XDG_APPS_DIR
-    "${SHARE_INSTALL_PREFIX}/applications/"
-    CACHE PATH "The XDG apps dir"
-  )
-  SET(XDG_DIRECTORY_DIR
-    "${SHARE_INSTALL_PREFIX}/desktop-directories"
-    CACHE PATH "The XDG directory"
-  )
-
-  SET(SYSCONF_INSTALL_DIR
-    "${EXEC_INSTALL_PREFIX}/etc"
-    CACHE PATH "The ${APPLICATION_NAME} sysconfig install dir (default prefix/etc)"
-  )
-  SET(MAN_INSTALL_DIR
-    "${SHARE_INSTALL_PREFIX}/man"
-    CACHE PATH "The ${APPLICATION_NAME} man install dir (default prefix/man)"
-  )
-  SET(INFO_INSTALL_DIR
-    "${SHARE_INSTALL_PREFIX}/info"
-    CACHE PATH "The ${APPLICATION_NAME} info install dir (default prefix/info)"
-  )
-else()
-  # Same same
-  set(BIN_INSTALL_DIR "bin" CACHE PATH "-")
-  set(SBIN_INSTALL_DIR "sbin" CACHE PATH "-")
-  set(LIB_INSTALL_DIR "lib${LIB_SUFFIX}" CACHE PATH "-")
-  set(INCLUDE_INSTALL_DIR "include" CACHE PATH "-")
-  set(CMAKE_INSTALL_DIR "CMake" CACHE PATH "-")
-  set(PLUGIN_INSTALL_DIR "plugins" CACHE PATH "-")
-  set(HTML_INSTALL_DIR "doc/HTML" CACHE PATH "-")
-  set(ICON_INSTALL_DIR "icons" CACHE PATH "-")
-  set(SOUND_INSTALL_DIR "soudns" CACHE PATH "-")
-  set(LOCALE_INSTALL_DIR "lang" CACHE PATH "-")
-endif ()
--- a/cmake/Modules/FindABIMap.cmake
+++ b/cmake/Modules/FindABIMap.cmake
@@ -302,12 +302,13 @@ function(get_file_list _TARGET_NAME)
    add_custom_target(
        ${_TARGET_NAME}_int ALL
        COMMAND ${CMAKE_COMMAND}
-          -DOUTPUT_PATH="${_get_files_list_OUTPUT_PATH}"
-          -DDIRECTORIES="${_get_files_list_DIRECTORIES}"
-          -DFILES_PATTERNS="${_get_files_list_FILES_PATTERNS}"
+          -DOUTPUT_PATH=${_get_files_list_OUTPUT_PATH}
+          -DDIRECTORIES=${_get_files_list_DIRECTORIES}
+          -DFILES_PATTERNS=${_get_files_list_FILES_PATTERNS}
          -P ${_GET_FILES_LIST_SCRIPT}
        COMMENT
          "Searching for files"
+        VERBATIM
    )

    if (DEFINED _get_files_list_COPY_TO)
@@ -318,6 +319,7 @@ function(get_file_list _TARGET_NAME)
              ${_FILES_LIST_OUTPUT_PATH} ${_get_files_list_COPY_TO}
            DEPENDS ${_TARGET_NAME}_int
            COMMENT "Copying ${_TARGET_NAME} to ${_get_files_list_COPY_TO}"
+            VERBATIM
        )
    else()
        add_custom_target(${_TARGET_NAME} ALL
@@ -369,12 +371,13 @@ function(extract_symbols _TARGET_NAME)
    add_custom_target(
        ${_TARGET_NAME}_int ALL
        COMMAND ${CMAKE_COMMAND}
-          -DOUTPUT_PATH="${_SYMBOLS_OUTPUT_PATH}"
-          -DHEADERS_LIST_FILE="${_HEADERS_LIST_FILE}"
+          -DOUTPUT_PATH=${_SYMBOLS_OUTPUT_PATH}
+          -DHEADERS_LIST_FILE=${_HEADERS_LIST_FILE}
          -DFILTER_PATTERN=${_extract_symbols_FILTER_PATTERN}
          -P ${_EXTRACT_SYMBOLS_SCRIPT}
        DEPENDS ${_extract_symbols_HEADERS_LIST}
        COMMENT "Extracting symbols from headers"
+        VERBATIM
    )

    if (DEFINED _extract_symbols_COPY_TO)
@@ -385,6 +388,7 @@ function(extract_symbols _TARGET_NAME)
              ${_SYMBOLS_OUTPUT_PATH} ${_extract_symbols_COPY_TO}
            DEPENDS ${_TARGET_NAME}_int
            COMMENT "Copying ${_TARGET_NAME} to ${_extract_symbols_COPY_TO}"
+            VERBATIM
        )
    else()
        add_custom_target(${_TARGET_NAME} ALL
@@ -449,35 +453,37 @@ function(generate_map_file _TARGET_NAME)
        ${_TARGET_NAME}_int ALL
        COMMAND ${CMAKE_COMMAND}
          -DABIMAP_EXECUTABLE=${ABIMAP_EXECUTABLE}
-          -DSYMBOLS="${_SYMBOLS_FILE}"
+          -DSYMBOLS=${_SYMBOLS_FILE}
          -DCURRENT_MAP=${_generate_map_file_CURRENT_MAP}
-          -DOUTPUT_PATH="${_MAP_OUTPUT_PATH}"
+          -DOUTPUT_PATH=${_MAP_OUTPUT_PATH}
          -DFINAL=${_generate_map_file_FINAL}
          -DBREAK_ABI=${_generate_map_file_BREAK_ABI}
          -DRELEASE_NAME_VERSION=${_generate_map_file_RELEASE_NAME_VERSION}
          -P ${_GENERATE_MAP_SCRIPT}
        DEPENDS ${_generate_map_file_SYMBOLS}
        COMMENT "Generating the map ${_TARGET_NAME}"
+        VERBATIM
    )

    # Add a custom command setting the map as OUTPUT to allow it to be added as
    # a generated source
    add_custom_command(
        OUTPUT ${_MAP_OUTPUT_PATH}
-        DEPENDS ${_TARGET_NAME}
+        DEPENDS ${_TARGET_NAME}_copy
    )

    if (DEFINED _generate_map_file_COPY_TO)
        # Copy the generated map back to the COPY_TO
-        add_custom_target(${_TARGET_NAME} ALL
+        add_custom_target(${_TARGET_NAME}_copy ALL
            COMMAND
              ${CMAKE_COMMAND} -E copy_if_different ${_MAP_OUTPUT_PATH}
              ${_generate_map_file_COPY_TO}
            DEPENDS ${_TARGET_NAME}_int
            COMMENT "Copying ${_MAP_OUTPUT_PATH} to ${_generate_map_file_COPY_TO}"
+            VERBATIM
        )
    else()
-        add_custom_target(${_TARGET_NAME} ALL
+        add_custom_target(${_TARGET_NAME}_copy ALL
            DEPENDS ${_TARGET_NAME}_int
        )
    endif()
--- a/cmake/Modules/FindGCrypt.cmake
+++ b/cmake/Modules/FindGCrypt.cmake
@@ -49,7 +49,15 @@ find_library(GCRYPT_LIBRARY
    PATH_SUFFIXES
        lib
 )
-set(GCRYPT_LIBRARIES ${GCRYPT_LIBRARY})
+find_library(GCRYPT_ERROR_LIBRARY
+    NAMES
+        gpg-error
+        libgpg-error-0
+        libgpg-error6-0
+    HINTS
+        ${_GCRYPT_ROOT_HINTS_AND_PATHS}
+)
+set(GCRYPT_LIBRARIES ${GCRYPT_LIBRARY}  ${GCRYPT_ERROR_LIBRARY})

 if (GCRYPT_INCLUDE_DIR)
    file(STRINGS "${GCRYPT_INCLUDE_DIR}/gcrypt.h" _gcrypt_version_str REGEX "^#define GCRYPT_VERSION \"[0-9]+\\.[0-9]+\\.[0-9]")
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -4,14 +4,16 @@
 /* Version number of package */
 #cmakedefine VERSION "${PROJECT_VERSION}"

-#cmakedefine LOCALEDIR "${LOCALE_INSTALL_DIR}"
-#cmakedefine DATADIR "${DATADIR}"
-#cmakedefine LIBDIR "${LIBDIR}"
-#cmakedefine PLUGINDIR "${PLUGINDIR}"
 #cmakedefine SYSCONFDIR "${SYSCONFDIR}"
 #cmakedefine BINARYDIR "${BINARYDIR}"
 #cmakedefine SOURCEDIR "${SOURCEDIR}"

+/* Global bind configuration file path */
+#cmakedefine GLOBAL_BIND_CONFIG "${GLOBAL_BIND_CONFIG}"
+
+/* Global client configuration file path */
+#cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"
+
 /************************** HEADER FILES *************************/

 /* Define to 1 if you have the <argp.h> header file. */
@@ -23,6 +25,9 @@
 /* Define to 1 if you have the <glob.h> header file. */
 #cmakedefine HAVE_GLOB_H 1

+/* Define to 1 if you have the <valgrind/valgrind.h> header file. */
+#cmakedefine HAVE_VALGRIND_VALGRIND_H 1
+
 /* Define to 1 if you have the <pty.h> header file. */
 #cmakedefine HAVE_PTY_H 1

@@ -92,6 +97,12 @@
 /* Define to 1 if you have gl_flags as a glob_t sturct member */
 #cmakedefine HAVE_GLOB_GL_FLAGS_MEMBER 1

+/* Define to 1 if you have OpenSSL with Ed25519 support */
+#cmakedefine HAVE_OPENSSL_ED25519 1
+
+/* Define to 1 if you have OpenSSL with X25519 support */
+#cmakedefine HAVE_OPENSSL_X25519 1
+
 /*************************** FUNCTIONS ***************************/

 /* Define to 1 if you have the `EVP_aes128_ctr' function. */
@@ -100,6 +111,9 @@
 /* Define to 1 if you have the `EVP_aes128_cbc' function. */
 #cmakedefine HAVE_OPENSSL_EVP_AES_CBC 1

+/* Define to 1 if you have the `EVP_aes128_gcm' function. */
+#cmakedefine HAVE_OPENSSL_EVP_AES_GCM 1
+
 /* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */
 #cmakedefine HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK 1

@@ -109,6 +123,21 @@
 /* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
 #cmakedefine HAVE_OPENSSL_EVP_CIPHER_CTX_NEW 1

+/* Define to 1 if you have the `EVP_KDF_CTX_new_id' function. */
+#cmakedefine HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID 1
+
+/* Define to 1 if you have the `FIPS_mode' function. */
+#cmakedefine HAVE_OPENSSL_FIPS_MODE 1
+
+/* Define to 1 if you have the `EVP_DigestSign' function. */
+#cmakedefine HAVE_OPENSSL_EVP_DIGESTSIGN 1
+
+/* Define to 1 if you have the `EVP_DigestVerify' function. */
+#cmakedefine HAVE_OPENSSL_EVP_DIGESTVERIFY 1
+
+/* Define to 1 if you have the `OPENSSL_ia32cap_loc' function. */
+#cmakedefine HAVE_OPENSSL_IA32CAP_LOC 1
+
 /* Define to 1 if you have the `snprintf' function. */
 #cmakedefine HAVE_SNPRINTF 1

@@ -178,6 +207,9 @@
 /* Define to 1 if you have the `SecureZeroMemory' function. */
 #cmakedefine HAVE_SECURE_ZERO_MEMORY 1

+/* Define to 1 if you have the `cmocka_set_test_filter' function. */
+#cmakedefine HAVE_CMOCKA_SET_TEST_FILTER 1
+
 /*************************** LIBRARIES ***************************/

 /* Define to 1 if you have the `crypto' library (-lcrypto). */
@@ -192,18 +224,21 @@
 /* Define to 1 if you have the `pthread' library (-lpthread). */
 #cmakedefine HAVE_PTHREAD 1

+/* Define to 1 if you have the `cmocka' library (-lcmocka). */
+#cmakedefine HAVE_CMOCKA 1
+
 /**************************** OPTIONS ****************************/

 #cmakedefine HAVE_GCC_THREAD_LOCAL_STORAGE 1
 #cmakedefine HAVE_MSC_THREAD_LOCAL_STORAGE 1

 #cmakedefine HAVE_FALLTHROUGH_ATTRIBUTE 1
+#cmakedefine HAVE_UNUSED_ATTRIBUTE 1

 #cmakedefine HAVE_CONSTRUCTOR_ATTRIBUTE 1
 #cmakedefine HAVE_DESTRUCTOR_ATTRIBUTE 1

 #cmakedefine HAVE_GCC_VOLATILE_MEMORY_PROTECTION 1
-#cmakedefine HAVE_GCC_NARG_MACRO 1

 #cmakedefine HAVE_COMPILER__FUNC__ 1
 #cmakedefine HAVE_COMPILER__FUNCTION__ 1
@@ -222,6 +257,12 @@
 /* Define to 1 if you want to enable server support */
 #cmakedefine WITH_SERVER 1

+/* Define to 1 if you want to enable DH group exchange algorithms */
+#cmakedefine WITH_GEX 1
+
+/* Define to 1 if you want to enable blowfish cipher support */
+#cmakedefine WITH_BLOWFISH_CIPHER 1
+
 /* Define to 1 if you want to enable debug output for crypto functions */
 #cmakedefine DEBUG_CRYPTO 1

--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -13,8 +13,11 @@ if (DOXYGEN_FOUND)
    set(DOXYGEN_TAB_SIZE 4)
    set(DOXYGEN_OPTIMIZE_OUTPUT_FOR_C YES)
    set(DOXYGEN_MARKDOWN_SUPPORT YES)
+    set(DOXYGEN_FULL_PATH_NAMES NO)

    set(DOXYGEN_PREDEFINED DOXYGEN
+                           WITH_SERVER
+                           WITH_SFTP
                           PRINTF_ATTRIBUTE(x,y))

    set(DOXYGEN_EXCLUDE ${CMAKE_CURRENT_SOURCE_DIR}/that_style)
--- a/doc/authentication.dox
+++ b/doc/authentication.dox
@@ -63,7 +63,7 @@ int authenticate_pubkey(ssh_session session)
 {
  int rc;

-  rc = ssh_userauth_publickey_auto(session, NULL);
+  rc = ssh_userauth_publickey_auto(session, NULL, NULL);

  if (rc == SSH_AUTH_ERROR)
  {
@@ -281,7 +281,7 @@ pass, ssh_userauth_none() might answer SSH_AUTH_SUCCESS.
 The following example shows how to perform "none" authentication:

@code
-int authenticate_kbdint(ssh_session session)
+int authenticate_none(ssh_session session)
 {
  int rc;

--- a/doc/curve25519-sha256@libssh.org.txt
+++ b/doc/curve25519-sha256@libssh.org.txt
@@ -112,8 +112,8 @@ This number is calculated using the following procedure:
     This conversion follows the network byte order. This step differs from 
     RFC5656.

-[RFC5656]    http://tools.ietf.org/html/rfc5656
+[RFC5656]    https://tools.ietf.org/html/rfc5656
 [SCHNEIER]   https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
-[DJB]        http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
+[DJB]        https://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
 [Curve25519] "Curve25519: new Diffie-Hellman speed records."
-             http://cr.yp.to/ecdh/curve25519-20060209.pdf
+             https://cr.yp.to/ecdh/curve25519-20060209.pdf
--- a/doc/guided_tour.dox
+++ b/doc/guided_tour.dox
@@ -431,6 +431,9 @@ int show_remote_processes(ssh_session session)
 }
@endcode

+Each ssh_channel_request_exec() needs to be run on freshly created
+and connected (with ssh_channel_open_session()) channel.
+
@see @ref opening_shell
@see @ref remote_command
@see @ref sftp_subsystem
--- a/doc/linking.dox
+++ b/doc/linking.dox
@@ -28,6 +28,6 @@ the dllimport attribute.
@endcode

 If you're are statically linking with OpenSSL, read the "Linking your
-application" section in the NOTES.<OS> in the OpenSSL source tree!
+application" section in the NOTES.[OS] in the OpenSSL source tree!

 */
--- a/doc/mainpage.dox
+++ b/doc/mainpage.dox
@@ -39,8 +39,8 @@ The libssh library provides:

 - Client <b>and</b> server support
 - SSHv2 and SSHv1 protocol support
- - Supports <a href="http://test.libssh.org/" target="_blank">Linux, UNIX, BSD, Solaris, OS/2 and Windows</a>
- - Automated test cases with nightly <a href="http://test.libssh.org/" target="_blank">tests</a>
+ - Supports <a href="https://test.libssh.org/" target="_blank">Linux, UNIX, BSD, Solaris, OS/2 and Windows</a>
+ - Automated test cases with nightly <a href="https://test.libssh.org/" target="_blank">tests</a>
 - Event model based on poll(2), or a poll(2)-emulation.

@section main-copyright Copyright Policy
@@ -111,7 +111,7 @@ By making a contribution to this project, I certify that:
    Free Software Foundation; either version 2.1 of
    the License, or (at the option of the project) any later version.

-http://www.gnu.org/licenses/lgpl-2.1.html
+https://www.gnu.org/licenses/lgpl-2.1.html
@endverbatim

 We will maintain a copy of that email as a record that you have the rights to
@@ -151,47 +151,79 @@ The libssh Team

 The following RFC documents described SSH-2 protcol as an Internet standard.

- - <a href="http://tools.ietf.org/html/rfc4250" target="_blank">RFC 4250</a>,
+ - <a href="https://tools.ietf.org/html/rfc4250" target="_blank">RFC 4250</a>,
    The Secure Shell (SSH) Protocol Assigned Numbers
- - <a href="http://tools.ietf.org/html/rfc4251" target="_blank">RFC 4251</a>,
+ - <a href="https://tools.ietf.org/html/rfc4251" target="_blank">RFC 4251</a>,
    The Secure Shell (SSH) Protocol Architecture
- - <a href="http://tools.ietf.org/html/rfc4252" target="_blank">RFC 4252</a>,
+ - <a href="https://tools.ietf.org/html/rfc4252" target="_blank">RFC 4252</a>,
    The Secure Shell (SSH) Authentication Protocol
- - <a href="http://tools.ietf.org/html/rfc4253" target="_blank">RFC 4253</a>,
+ - <a href="https://tools.ietf.org/html/rfc4253" target="_blank">RFC 4253</a>,
    The Secure Shell (SSH) Transport Layer Protocol
- - <a href="http://tools.ietf.org/html/rfc4254" target="_blank">RFC 4254</a>,
+ - <a href="https://tools.ietf.org/html/rfc4254" target="_blank">RFC 4254</a>,
    The Secure Shell (SSH) Connection Protocol
- - <a href="http://tools.ietf.org/html/rfc4255" target="_blank">RFC 4255</a>,
+ - <a href="https://tools.ietf.org/html/rfc4255" target="_blank">RFC 4255</a>,
    Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
- - <a href="http://tools.ietf.org/html/rfc4256" target="_blank">RFC 4256</a>,
+    (not implemented in libssh)
+ - <a href="https://tools.ietf.org/html/rfc4256" target="_blank">RFC 4256</a>,
    Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
- - <a href="http://tools.ietf.org/html/rfc4335" target="_blank">RFC 4335</a>,
+ - <a href="https://tools.ietf.org/html/rfc4335" target="_blank">RFC 4335</a>,
    The Secure Shell (SSH) Session Channel Break Extension
- - <a href="http://tools.ietf.org/html/rfc4344" target="_blank">RFC 4344</a>,
+ - <a href="https://tools.ietf.org/html/rfc4344" target="_blank">RFC 4344</a>,
    The Secure Shell (SSH) Transport Layer Encryption Modes
- - <a href="http://tools.ietf.org/html/rfc4345" target="_blank">RFC 4345</a>,
+ - <a href="https://tools.ietf.org/html/rfc4345" target="_blank">RFC 4345</a>,
    Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol

 It was later modified and expanded by the following RFCs.

- - <a href="http://tools.ietf.org/html/rfc4419" target="_blank">RFC 4419</a>,
+ - <a href="https://tools.ietf.org/html/rfc4419" target="_blank">RFC 4419</a>,
    Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
    Protocol
- - <a href="http://tools.ietf.org/html/rfc4432" target="_blank">RFC 4432</a>,
+ - <a href="https://tools.ietf.org/html/rfc4432" target="_blank">RFC 4432</a>,
    RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol
- - <a href="http://tools.ietf.org/html/rfc4462" target="_blank">RFC 4462</a>,
+    (not implemented in libssh)
+ - <a href="https://tools.ietf.org/html/rfc4462" target="_blank">RFC 4462</a>,
    Generic Security Service Application Program Interface (GSS-API)
    Authentication and Key Exchange for the Secure Shell (SSH) Protocol
- - <a href="http://tools.ietf.org/html/rfc4716" target="_blank">RFC 4716</a>,
+    (only the authentication implemented in libssh)
+ - <a href="https://tools.ietf.org/html/rfc4716" target="_blank">RFC 4716</a>,
    The Secure Shell (SSH) Public Key File Format
- - <a href="http://tools.ietf.org/html/rfc5647" target="_blank">RFC 5647</a>,
+    (not implemented in libssh)
+ - <a href="https://tools.ietf.org/html/rfc5647" target="_blank">RFC 5647</a>,
    AES Galois Counter Mode for the Secure Shell Transport Layer Protocol
- - <a href="http://tools.ietf.org/html/rfc5656" target="_blank">RFC 5656</a>,
+    (the algorithm negotiation implemented according to openssh.com)
+ - <a href="https://tools.ietf.org/html/rfc5656" target="_blank">RFC 5656</a>,
    Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
+ - <a href="https://tools.ietf.org/html/rfc6594" target="_blank">RFC 6594</a>,
+    Use of the SHA-256 Algorithm with RSA, DSA, and ECDSA in SSHFP Resource Records
+    (not implemented in libssh)
+ - <a href="https://tools.ietf.org/html/rfc6668" target="_blank">RFC 6668</a>,
+    SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol
+ - <a href="https://tools.ietf.org/html/rfc7479" target="_blank">RFC 7479</a>,
+    Using Ed25519 in SSHFP Resource Records
+    (not implemented in libssh)
+ - <a href="https://tools.ietf.org/html/rfc8160" target="_blank">RFC 8160</a>,
+    IUTF8 Terminal Mode in Secure Shell (SSH)
+    (not handled in libssh)
+ - <a href="https://tools.ietf.org/html/rfc8270" target="_blank">RFC 8270</a>,
+    Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits
+ - <a href="https://tools.ietf.org/html/rfc8308" target="_blank">RFC 8308</a>,
+    Extension Negotiation in the Secure Shell (SSH) Protocol
+    (only the "server-sig-algs" extension implemented)
+ - <a href="https://tools.ietf.org/html/rfc8332" target="_blank">RFC 8332</a>,
+    Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol
+
+There are also drafts that are being currently developed and followed.
+
+ - <a href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-kex-sha2-10" target="_blank">draft-ietf-curdle-ssh-kex-sha2-10</a>
+    Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)
+ - <a href="https://tools.ietf.org/html/draft-miller-ssh-agent-03" target="_blank">draft-miller-ssh-agent-03</a>
+    SSH Agent Protocol
+ - <a href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-12" target="_blank">draft-ietf-curdle-ssh-curves-12</a>
+    Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448

 Interesting cryptography documents:

- - <a href="http://www.cryptsoft.com/pkcs11doc/" target="_blank">PKCS #11</a>, PKCS #11 reference documents, describing interface with smartcards.
+ - <a href="https://www.cryptsoft.com/pkcs11doc/" target="_blank">PKCS #11</a>, PKCS #11 reference documents, describing interface with smartcards.

@subsection main-rfc-sftp Secure Shell File Transfer Protocol (SFTP)

@@ -199,26 +231,22 @@ The protocol is not an Internet standard but it is still widely implemented.
 OpenSSH and most other implementation implement Version 3 of the protocol. We
 do the same in libssh.

- - <a href="http://tools.ietf.org/html/draft-ietf-secsh-filexfer-02" target="_blank">
+ - <a href="https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02" target="_blank">
   draft-ietf-secsh-filexfer-02.txt</a>,
   SSH File Transfer Protocol

@subsection main-rfc-extensions Secure Shell Extensions

-The libssh project has an extension to support Curve25519 which is also supported by
-the OpenSSH project.
-
- - <a href="http://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt" target="_blank">curve25519-sha256@libssh.org</a>,
-   Curve25519-SHA256 for ECDH KEX
-
 The OpenSSH project has defined some extensions to the protocol. We support some of
 them like the statvfs calls in SFTP or the ssh-agent.

- - <a href="http://api.libssh.org/rfc/PROTOCOL" target="_blank">
+ - <a href="https://api.libssh.org/rfc/PROTOCOL" target="_blank">
    OpenSSH's deviations and extensions</a>
- - <a href="http://api.libssh.org/rfc/PROTOCOL.agent" target="_blank">
-    OpenSSH's ssh-agent</a>
- - <a href="http://api.libssh.org/rfc/PROTOCOL.certkeys" target="_blank">
+ - <a href="https://api.libssh.org/rfc/PROTOCOL.certkeys" target="_blank">
    OpenSSH's pubkey certificate authentication</a>
+ - <a href="https://api.libssh.org/rfc/PROTOCOL.chacha20poly1305" target="_blank">
+    chacha20-poly1305@openssh.com authenticated encryption mode</a>
+ - <a href="https://api.libssh.org/rfc/PROTOCOL.key" target="_blank">
+    OpenSSH private key format (openssh-key-v1)</a>

 */
--- a/doc/sftp.dox
+++ b/doc/sftp.dox
@@ -61,7 +61,7 @@ int sftp_helloworld(ssh_session session)
  rc = sftp_init(sftp);
  if (rc != SSH_OK)
  {
-    fprintf(stderr, "Error initializing SFTP session: %s.\n",
+    fprintf(stderr, "Error initializing SFTP session: code %d.\n",
            sftp_get_error(sftp));
    sftp_free(sftp);
    return rc;
--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@@ -6,10 +6,7 @@ set(examples_SRCS
  connect_ssh.c
 )

-include_directories(
-  ${LIBSSH_PUBLIC_INCLUDE_DIRS}
-  ${CMAKE_BINARY_DIR}
-)
+include_directories(${libssh_BINARY_DIR}/include ${libssh_BINARY_DIR})

 if (ARGP_INCLUDE_DIR)
    include_directories(${ARGP_INCLUDE_DIR})
@@ -18,60 +15,68 @@ endif()
 if (UNIX AND NOT WIN32)
    add_executable(libssh_scp libssh_scp.c ${examples_SRCS})
    target_compile_options(libssh_scp PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-    target_link_libraries(libssh_scp ${LIBSSH_SHARED_LIBRARY})
+    target_link_libraries(libssh_scp ssh::ssh)

    add_executable(scp_download scp_download.c ${examples_SRCS})
    target_compile_options(scp_download PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-    target_link_libraries(scp_download ${LIBSSH_SHARED_LIBRARY})
+    target_link_libraries(scp_download ssh::ssh)

    add_executable(sshnetcat sshnetcat.c ${examples_SRCS})
    target_compile_options(sshnetcat PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-    target_link_libraries(sshnetcat ${LIBSSH_SHARED_LIBRARY})
+    target_link_libraries(sshnetcat ssh::ssh)

    if (WITH_SFTP)
        add_executable(samplesftp samplesftp.c ${examples_SRCS})
        target_compile_options(samplesftp PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(samplesftp ${LIBSSH_SHARED_LIBRARY})
+        target_link_libraries(samplesftp ssh::ssh)
    endif (WITH_SFTP)

    add_executable(ssh-client ssh_client.c ${examples_SRCS})
    target_compile_options(ssh-client PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-    target_link_libraries(ssh-client ${LIBSSH_SHARED_LIBRARY})
+    target_link_libraries(ssh-client ssh::ssh)

    if (WITH_SERVER AND (ARGP_LIBRARY OR HAVE_ARGP_H))
        if (HAVE_LIBUTIL)
            add_executable(ssh_server_fork ssh_server_fork.c)
            target_compile_options(ssh_server_fork PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(ssh_server_fork ${LIBSSH_SHARED_LIBRARY} ${ARGP_LIBRARY} util)
+            target_link_libraries(ssh_server_fork ssh::ssh ${ARGP_LIBRARY} util)
        endif (HAVE_LIBUTIL)

        if (WITH_GSSAPI AND GSSAPI_FOUND)
            add_executable(samplesshd-cb samplesshd-cb.c)
            target_compile_options(samplesshd-cb PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(samplesshd-cb ${LIBSSH_SHARED_LIBRARY} ${ARGP_LIBRARY})
+            target_link_libraries(samplesshd-cb ssh::ssh ${ARGP_LIBRARY})

            add_executable(proxy proxy.c)
            target_compile_options(proxy PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(proxy ${LIBSSH_SHARED_LIBRARY} ${ARGP_LIBRARY})
+            target_link_libraries(proxy ssh::ssh ${ARGP_LIBRARY})
+
+            add_executable(sshd_direct-tcpip sshd_direct-tcpip.c)
+            target_compile_options(sshd_direct-tcpip PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
+            target_link_libraries(sshd_direct-tcpip ssh::ssh ${ARGP_LIBRARY})
        endif (WITH_GSSAPI AND GSSAPI_FOUND)

        add_executable(samplesshd-kbdint samplesshd-kbdint.c)
        target_compile_options(samplesshd-kbdint PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(samplesshd-kbdint ${LIBSSH_SHARED_LIBRARY} ${ARGP_LIBRARY})
+        target_link_libraries(samplesshd-kbdint ssh::ssh ${ARGP_LIBRARY})

    endif()
 endif (UNIX AND NOT WIN32)

 add_executable(exec exec.c ${examples_SRCS})
 target_compile_options(exec PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-target_link_libraries(exec ${LIBSSH_SHARED_LIBRARY})
+target_link_libraries(exec ssh::ssh)

 add_executable(senddata senddata.c ${examples_SRCS})
 target_compile_options(senddata PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-target_link_libraries(senddata ${LIBSSH_SHARED_LIBRARY})
+target_link_libraries(senddata ssh::ssh)
+
+add_executable(keygen keygen.c)
+target_compile_options(keygen PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
+target_link_libraries(keygen ssh::ssh)

 add_executable(libsshpp libsshpp.cpp)
-target_link_libraries(libsshpp ${LIBSSH_SHARED_LIBRARY})
+target_link_libraries(libsshpp ssh::ssh)

 add_executable(libsshpp_noexcept libsshpp_noexcept.cpp)
-target_link_libraries(libsshpp_noexcept ${LIBSSH_SHARED_LIBRARY})
+target_link_libraries(libsshpp_noexcept ssh::ssh)
--- a/examples/authentication.c
+++ b/examples/authentication.c
@@ -100,6 +100,39 @@ int authenticate_kbdint(ssh_session session, const char *password)
    return err;
 }

+static int auth_keyfile(ssh_session session, char* keyfile)
+{
+    ssh_key key = NULL;
+    char pubkey[132] = {0}; // +".pub"
+    int rc;
+
+    snprintf(pubkey, sizeof(pubkey), "%s.pub", keyfile);
+
+    rc = ssh_pki_import_pubkey_file( pubkey, &key);
+
+    if (rc != SSH_OK)
+        return SSH_AUTH_DENIED;
+
+    rc = ssh_userauth_try_publickey(session, NULL, key);
+
+    ssh_key_free(key);
+
+    if (rc!=SSH_AUTH_SUCCESS)
+        return SSH_AUTH_DENIED;
+
+    rc = ssh_pki_import_privkey_file(keyfile, NULL, NULL, NULL, &key);
+
+    if (rc != SSH_OK)
+        return SSH_AUTH_DENIED;
+
+    rc = ssh_userauth_publickey(session, NULL, key);
+
+    ssh_key_free(key);
+
+    return rc;
+}
+
+
 static void error(ssh_session session)
 {
    fprintf(stderr,"Authentication failed: %s\n",ssh_get_error(session));
@@ -140,6 +173,35 @@ int authenticate_console(ssh_session session)
                break;
            }
        }
+        {
+            char buffer[128] = {0};
+            char *p = NULL;
+
+            printf("Automatic pubkey failed. "
+                   "Do you want to try a specific key? (y/n)\n");
+            if (fgets(buffer, sizeof(buffer), stdin) == NULL) {
+                break;
+            }
+            if ((buffer[0]=='Y') || (buffer[0]=='y')) {
+                printf("private key filename: ");
+
+                if (fgets(buffer, sizeof(buffer), stdin) == NULL) {
+                    return SSH_AUTH_ERROR;
+                }
+
+                buffer[sizeof(buffer) - 1] = '\0';
+                if ((p = strchr(buffer, '\n'))) {
+                    *p = '\0';
+                }
+
+                rc = auth_keyfile(session, buffer);
+
+                if(rc == SSH_AUTH_SUCCESS) {
+                    break;
+                }
+                fprintf(stderr, "failed with key\n");
+            }
+        }

        // Try to authenticate with keyboard interactive";
        if (method & SSH_AUTH_METHOD_INTERACTIVE) {
@@ -172,7 +234,7 @@ int authenticate_console(ssh_session session)
    banner = ssh_get_issue_banner(session);
    if (banner) {
        printf("%s\n",banner);
-        ssh_string_free_char(banner);
+        SSH_STRING_FREE_CHAR(banner);
    }

    return rc;
--- a/examples/examples_common.h
+++ b/examples/examples_common.h
@@ -14,6 +14,10 @@ clients must be made or how a client should react.
 #define EXAMPLES_COMMON_H_

 #include <libssh/libssh.h>
+
+/** Zero a structure */
+#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
+
 int authenticate_console(ssh_session session);
 int authenticate_kbdint(ssh_session session, const char *password);
 int verify_knownhost(ssh_session session);
--- a/examples/exec.c
+++ b/examples/exec.c
@@ -8,7 +8,7 @@ int main(void) {
    ssh_session session;
    ssh_channel channel;
    char buffer[256];
-    int nbytes;
+    int rbytes, wbytes, total = 0;
    int rc;

    session = connect_ssh("localhost", NULL, 0);
@@ -35,15 +35,30 @@ int main(void) {
        goto failed;
    }

-    nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
-    while (nbytes > 0) {
-        if (fwrite(buffer, 1, nbytes, stdout) != (unsigned int) nbytes) {
-            goto failed;
-        }
-        nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+    rbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+    if (rbytes <= 0) {
+        goto failed;
    }

-    if (nbytes < 0) {
+    do {
+        wbytes = fwrite(buffer + total, 1, rbytes, stdout);
+        if (wbytes <= 0) {
+            goto failed;
+        }
+
+        total += wbytes;
+
+        /* When it was not possible to write the whole buffer to stdout */
+        if (wbytes < rbytes) {
+            rbytes -= wbytes;
+            continue;
+        }
+
+        rbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+        total = 0;
+    } while (rbytes > 0);
+
+    if (rbytes < 0) {
        goto failed;
    }

--- a/examples/keygen.c
+++ b/examples/keygen.c
@@ -0,0 +1,41 @@
+/* keygen.c
+ * Sample implementation of ssh-keygen using libssh
+ */
+
+/*
+Copyright 2019 Red Hat, Inc.
+
+Author: Jakub Jelen <jjelen@redhat.com>
+
+This file is part of the SSH Library
+
+You are free to copy this file, modify it in any way, consider it being public
+domain. This does not apply to the rest of the library though, but it is
+allowed to cut-and-paste working code from this file to any license of
+program.
+ */
+
+#include <libssh/libssh.h>
+#include <stdio.h>
+
+int main(void)
+{
+    ssh_key key = NULL;
+    int rv;
+
+    /* Generate a new ED25519 private key file */
+    rv = ssh_pki_generate(SSH_KEYTYPE_ED25519, 0, &key);
+    if (rv != SSH_OK) {
+        fprintf(stderr, "Failed to generate private key");
+	return -1;
+    }
+
+    /* Write it to a file testkey in the current dirrectory */
+    rv = ssh_pki_export_privkey_file(key, NULL, NULL, NULL, "testkey");
+    if (rv != SSH_OK) {
+        fprintf(stderr, "Failed to write private key file");
+	return -1;
+    }
+
+    return 0;
+}
--- a/examples/knownhosts.c
+++ b/examples/knownhosts.c
@@ -32,82 +32,86 @@ clients must be made or how a client should react.
 #define strncasecmp _strnicmp
 #endif

-int verify_knownhost(ssh_session session){
-  enum ssh_known_hosts_e state;
-  char buf[10];
-  unsigned char *hash = NULL;
-  size_t hlen;
-  ssh_key srv_pubkey;
-  int rc;
+int verify_knownhost(ssh_session session)
+{
+    enum ssh_known_hosts_e state;
+    char buf[10];
+    unsigned char *hash = NULL;
+    size_t hlen;
+    ssh_key srv_pubkey;
+    int rc;

-  rc = ssh_get_server_publickey(session, &srv_pubkey);
-  if (rc < 0) {
-      return -1;
-  }
+    rc = ssh_get_server_publickey(session, &srv_pubkey);
+    if (rc < 0) {
+        return -1;
+    }

-  rc = ssh_get_publickey_hash(srv_pubkey,
-                              SSH_PUBLICKEY_HASH_SHA256,
-                              &hash,
-                              &hlen);
-  ssh_key_free(srv_pubkey);
-  if (rc < 0) {
-      return -1;
-  }
+    rc = ssh_get_publickey_hash(srv_pubkey,
+                                SSH_PUBLICKEY_HASH_SHA256,
+                                &hash,
+                                &hlen);
+    ssh_key_free(srv_pubkey);
+    if (rc < 0) {
+        return -1;
+    }

-  state = ssh_session_is_known_server(session);
+    state = ssh_session_is_known_server(session);

-  switch(state){
-    case SSH_KNOWN_HOSTS_OK:
-      break; /* ok */
+    switch(state) {
    case SSH_KNOWN_HOSTS_CHANGED:
-      fprintf(stderr,"Host key for server changed : server's one is now :\n");
-      ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
-      ssh_clean_pubkey_hash(&hash);
-      fprintf(stderr,"For security reason, connection will be stopped\n");
-      return -1;
+        fprintf(stderr,"Host key for server changed : server's one is now :\n");
+        ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+        ssh_clean_pubkey_hash(&hash);
+        fprintf(stderr,"For security reason, connection will be stopped\n");
+        return -1;
    case SSH_KNOWN_HOSTS_OTHER:
-      fprintf(stderr,"The host key for this server was not found but an other type of key exists.\n");
-      fprintf(stderr,"An attacker might change the default server key to confuse your client"
-          "into thinking the key does not exist\n"
-          "We advise you to rerun the client with -d or -r for more safety.\n");
-      return -1;
+        fprintf(stderr,"The host key for this server was not found but an other type of key exists.\n");
+        fprintf(stderr,"An attacker might change the default server key to confuse your client"
+                "into thinking the key does not exist\n"
+                "We advise you to rerun the client with -d or -r for more safety.\n");
+        return -1;
    case SSH_KNOWN_HOSTS_NOT_FOUND:
-      fprintf(stderr,"Could not find known host file. If you accept the host key here,\n");
-      fprintf(stderr,"the file will be automatically created.\n");
-      /* fallback to SSH_SERVER_NOT_KNOWN behavior */
-      FALL_THROUGH;
+        fprintf(stderr,"Could not find known host file. If you accept the host key here,\n");
+        fprintf(stderr,"the file will be automatically created.\n");
+        /* fallback to SSH_SERVER_NOT_KNOWN behavior */
+        FALL_THROUGH;
    case SSH_SERVER_NOT_KNOWN:
-      fprintf(stderr,
-              "The server is unknown. Do you trust the host key (yes/no)?\n");
-      ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+        fprintf(stderr,
+                "The server is unknown. Do you trust the host key (yes/no)?\n");
+        ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);

-      if (fgets(buf, sizeof(buf), stdin) == NULL) {
-	    ssh_clean_pubkey_hash(&hash);
-        return -1;
-      }
-      if(strncasecmp(buf,"yes",3)!=0){
-	    ssh_clean_pubkey_hash(&hash);
-        return -1;
-      }
-      fprintf(stderr,"This new key will be written on disk for further usage. do you agree ?\n");
-      if (fgets(buf, sizeof(buf), stdin) == NULL) {
-	    ssh_clean_pubkey_hash(&hash);
-        return -1;
-      }
-      if(strncasecmp(buf,"yes",3)==0){
-        if (ssh_write_knownhost(session) < 0) {
-          ssh_clean_pubkey_hash(&hash);
-          fprintf(stderr, "error %s\n", strerror(errno));
-          return -1;
+        if (fgets(buf, sizeof(buf), stdin) == NULL) {
+            ssh_clean_pubkey_hash(&hash);
+            return -1;
+        }
+        if(strncasecmp(buf,"yes",3)!=0){
+            ssh_clean_pubkey_hash(&hash);
+            return -1;
+        }
+        fprintf(stderr,"This new key will be written on disk for further usage. do you agree ?\n");
+        if (fgets(buf, sizeof(buf), stdin) == NULL) {
+            ssh_clean_pubkey_hash(&hash);
+            return -1;
+        }
+        if(strncasecmp(buf,"yes",3)==0){
+            rc = ssh_session_update_known_hosts(session);
+            if (rc != SSH_OK) {
+                ssh_clean_pubkey_hash(&hash);
+                fprintf(stderr, "error %s\n", strerror(errno));
+                return -1;
+            }
        }
-      }

-      break;
+        break;
    case SSH_KNOWN_HOSTS_ERROR:
-      ssh_clean_pubkey_hash(&hash);
-      fprintf(stderr,"%s",ssh_get_error(session));
-      return -1;
-  }
-  ssh_clean_pubkey_hash(&hash);
-  return 0;
+        ssh_clean_pubkey_hash(&hash);
+        fprintf(stderr,"%s",ssh_get_error(session));
+        return -1;
+    case SSH_KNOWN_HOSTS_OK:
+        break; /* ok */
+    }
+
+    ssh_clean_pubkey_hash(&hash);
+
+    return 0;
 }
--- a/examples/libssh_scp.c
+++ b/examples/libssh_scp.c
@@ -233,7 +233,7 @@ static int open_location(struct location *loc, int flag) {
        loc->file = fopen(loc->path, flag == READ ? "r":"w");
        if (!loc->file) {
            if (errno == EISDIR) {
-                if (chdir(loc->path)) {
+                if (loc->path != NULL && chdir(loc->path)) {
                    fprintf(stderr,
                            "Error changing directory to %s: %s\n",
                            loc->path, strerror(errno));
@@ -257,14 +257,15 @@ static int open_location(struct location *loc, int flag) {
 * @param recursive Copy also directories
 */
 static int do_copy(struct location *src, struct location *dest, int recursive) {
-    int size;
+    size_t size;
    socket_t fd;
    struct stat s;
    int w, r;
    char buffer[16384];
-    int total = 0;
-    int mode;
+    size_t total = 0;
+    mode_t mode;
    char *filename = NULL;
+
    /* recursive mode doesn't work yet */
    (void)recursive;
    /* Get the file name and size*/
@@ -302,7 +303,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
                fprintf(stderr,
                        "Error: %s\n",
                        ssh_get_error(src->session));
-                ssh_string_free_char(filename);
+                SSH_STRING_FREE_CHAR(filename);
                return -1;
            }
        } while(r != SSH_SCP_REQUEST_NEWFILE);
@@ -315,7 +316,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
            fprintf(stderr,
                    "error: %s\n",
                    ssh_get_error(dest->session));
-            ssh_string_free_char(filename);
+            SSH_STRING_FREE_CHAR(filename);
            ssh_scp_free(dest->scp);
            dest->scp = NULL;
            return -1;
@@ -330,7 +331,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
                if (src->is_ssh) {
                    ssh_scp_deny_request(src->scp, "Cannot open local file");
                }
-                ssh_string_free_char(filename);
+                SSH_STRING_FREE_CHAR(filename);
                return -1;
            }
        }
@@ -346,7 +347,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
                fprintf(stderr,
                        "Error reading scp: %s\n",
                        ssh_get_error(src->session));
-                ssh_string_free_char(filename);
+                SSH_STRING_FREE_CHAR(filename);
                return -1;
            }

@@ -363,7 +364,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
                fprintf(stderr,
                        "Error reading file: %s\n",
                        strerror(errno));
-                ssh_string_free_char(filename);
+                SSH_STRING_FREE_CHAR(filename);
                return -1;
            }
        }
@@ -376,7 +377,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
                        ssh_get_error(dest->session));
                ssh_scp_free(dest->scp);
                dest->scp = NULL;
-                ssh_string_free_char(filename);
+                SSH_STRING_FREE_CHAR(filename);
                return -1;
            }
        } else {
@@ -385,7 +386,7 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {
                fprintf(stderr,
                        "Error writing in local file: %s\n",
                        strerror(errno));
-                ssh_string_free_char(filename);
+                SSH_STRING_FREE_CHAR(filename);
                return -1;
            }
        }
@@ -393,8 +394,8 @@ static int do_copy(struct location *src, struct location *dest, int recursive) {

    } while(total < size);

-    ssh_string_free_char(filename);
-    printf("wrote %d bytes\n", total);
+    SSH_STRING_FREE_CHAR(filename);
+    printf("wrote %zu bytes\n", total);
    return 0;
 }

--- a/examples/ssh_client.c
+++ b/examples/ssh_client.c
@@ -1,16 +1,17 @@
-/* client.c */
+/* ssh_client.c */
+
 /*
-Copyright 2003-2009 Aris Adamantiadis
-
-This file is part of the SSH Library
-
-You are free to copy this file, modify it in any way, consider it being public
-domain. This does not apply to the rest of the library though, but it is
-allowed to cut-and-paste working code from this file to any license of
-program.
-The goal is to show the API in action. It's not a reference on how terminal
-clients must be made or how a client should react.
-*/
+ * Copyright 2003-2015 Aris Adamantiadis
+ *
+ * This file is part of the SSH Library
+ *
+ * You are free to copy this file, modify it in any way, consider it being public
+ * domain. This does not apply to the rest of the library though, but it is
+ * allowed to cut-and-paste working code from this file to any license of
+ * program.
+ * The goal is to show the API in action. It's not a reference on how terminal
+ * clients must be made or how a client should react.
+ */

 #include "config.h"
 #include <stdio.h>
@@ -197,19 +198,20 @@ static void sizechanged(void)
 static void select_loop(ssh_session session,ssh_channel channel)
 {
    ssh_connector connector_in, connector_out, connector_err;
+    int rc;

    ssh_event event = ssh_event_new();

    /* stdin */
    connector_in = ssh_connector_new(session);
-    ssh_connector_set_out_channel(connector_in, channel, SSH_CONNECTOR_STDOUT);
+    ssh_connector_set_out_channel(connector_in, channel, SSH_CONNECTOR_STDINOUT);
    ssh_connector_set_in_fd(connector_in, 0);
    ssh_event_add_connector(event, connector_in);

    /* stdout */
    connector_out = ssh_connector_new(session);
    ssh_connector_set_out_fd(connector_out, 1);
-    ssh_connector_set_in_channel(connector_out, channel, SSH_CONNECTOR_STDOUT);
+    ssh_connector_set_in_channel(connector_out, channel, SSH_CONNECTOR_STDINOUT);
    ssh_event_add_connector(event, connector_out);

    /* stderr */
@@ -222,7 +224,11 @@ static void select_loop(ssh_session session,ssh_channel channel)
        if (signal_delayed) {
            sizechanged();
        }
-        ssh_event_dopoll(event, 60000);
+        rc = ssh_event_dopoll(event, 60000);
+        if (rc == SSH_ERROR) {
+            fprintf(stderr, "Error in ssh_event_dopoll()\n");
+            break;
+        }
    }
    ssh_event_remove_connector(event, connector_in);
    ssh_event_remove_connector(event, connector_out);
@@ -233,7 +239,6 @@ static void select_loop(ssh_session session,ssh_channel channel)
    ssh_connector_free(connector_err);

    ssh_event_free(event);
-    ssh_channel_free(channel);
 }

 static void shell(ssh_session session)
@@ -241,7 +246,11 @@ static void shell(ssh_session session)
    ssh_channel channel;
    struct termios terminal_local;
    int interactive=isatty(0);
+
    channel = ssh_channel_new(session);
+    if (channel == NULL) {
+        return;
+    }

    if (interactive) {
        tcgetattr(0, &terminal_local);
@@ -250,6 +259,7 @@ static void shell(ssh_session session)

    if (ssh_channel_open_session(channel)) {
        printf("Error opening channel : %s\n", ssh_get_error(session));
+        ssh_channel_free(channel);
        return;
    }
    chan = channel;
@@ -260,6 +270,7 @@ static void shell(ssh_session session)

    if (ssh_channel_request_shell(channel)) {
        printf("Requesting shell : %s\n", ssh_get_error(session));
+        ssh_channel_free(channel);
        return;
    }

@@ -273,6 +284,7 @@ static void shell(ssh_session session)
    if (interactive) {
        do_cleanup(0);
    }
+    ssh_channel_free(channel);
 }

 static void batch_shell(ssh_session session)
@@ -289,12 +301,18 @@ static void batch_shell(ssh_session session)
    }

    channel = ssh_channel_new(session);
+    if (channel == NULL) {
+        return;
+    }
+
    ssh_channel_open_session(channel);
    if (ssh_channel_request_exec(channel, buffer)) {
        printf("Error executing '%s' : %s\n", buffer, ssh_get_error(session));
+        ssh_channel_free(channel);
        return;
    }
    select_loop(session, channel);
+    ssh_channel_free(channel);
 }

 static int client(ssh_session session)
--- a/examples/ssh_server_fork.c
+++ b/examples/ssh_server_fork.c
@@ -37,6 +37,7 @@ The goal is to show the API in action.
 #endif
 #include <sys/ioctl.h>
 #include <sys/wait.h>
+#include <sys/stat.h>
 #include <stdio.h>

 #ifndef KEYS_FOLDER
@@ -69,8 +70,11 @@ static void set_default_keys(ssh_bind sshbind,
        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY,
                             KEYS_FOLDER "ssh_host_ecdsa_key");
    }
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY,
+                         KEYS_FOLDER "ssh_host_ed25519_key");
 }
-
+#define DEF_STR_SIZE 1024
+char authorizedkeys[DEF_STR_SIZE] = {0};
 #ifdef HAVE_ARGP_H
 const char *argp_program_version = "libssh server example "
 SSH_STRINGIFY(LIBSSH_VERSION);
@@ -125,6 +129,14 @@ static struct argp_option options[] = {
        .doc   = "Set the ecdsa key.",
        .group = 0
    },
+    {
+        .name  = "authorizedkeys",
+        .key   = 'a',
+        .arg   = "FILE",
+        .flags = 0,
+        .doc   = "Set the authorized keys file.",
+        .group = 0
+    },
    {
        .name  = "no-default-keys",
        .key   = 'n',
@@ -178,6 +190,9 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY, arg);
            ecdsa_already_set = 1;
            break;
+        case 'a':
+            strncpy(authorizedkeys, arg, DEF_STR_SIZE-1);
+            break;
        case 'v':
            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR,
                                 "3");
@@ -434,6 +449,53 @@ static int auth_password(ssh_session session, const char *user,
    return SSH_AUTH_DENIED;
 }

+static int auth_publickey(ssh_session session,
+                          const char *user,
+                          struct ssh_key_struct *pubkey,
+                          char signature_state,
+                          void *userdata)
+{
+    struct session_data_struct *sdata = (struct session_data_struct *) userdata;
+
+    (void) user;
+    (void) session;
+
+    if (signature_state == SSH_PUBLICKEY_STATE_NONE) {
+        return SSH_AUTH_SUCCESS;
+    }
+
+    if (signature_state != SSH_PUBLICKEY_STATE_VALID) {
+        return SSH_AUTH_DENIED;
+    }
+
+    // valid so far.  Now look through authorized keys for a match
+    if (authorizedkeys[0]) {
+        ssh_key key = NULL;
+        int result;
+        struct stat buf;
+
+        if (stat(authorizedkeys, &buf) == 0) {
+            result = ssh_pki_import_pubkey_file( authorizedkeys, &key );
+            if ((result != SSH_OK) || (key==NULL)) {
+                fprintf(stderr,
+                        "Unable to import public key file %s\n",
+                        authorizedkeys);
+            } else {
+                result = ssh_key_cmp( key, pubkey, SSH_KEY_CMP_PUBLIC );
+                ssh_key_free(key);
+                if (result == 0) {
+                    sdata->authenticated = 1;
+                    return SSH_AUTH_SUCCESS;
+                }
+            }
+        }
+    }
+
+    // no matches
+    sdata->authenticated = 0;
+    return SSH_AUTH_DENIED;
+}
+
 static ssh_channel channel_open(ssh_session session, void *userdata) {
    struct session_data_struct *sdata = (struct session_data_struct *) userdata;

@@ -472,7 +534,8 @@ static int process_stderr(socket_t fd, int revents, void *userdata) {
 }

 static void handle_session(ssh_event event, ssh_session session) {
-    int n, rc;
+    int n;
+    int rc = 0;

    /* Structure for storing the pty size. */
    struct winsize wsize = {
@@ -517,6 +580,12 @@ static void handle_session(ssh_event event, ssh_session session) {
        .channel_open_request_session_function = channel_open,
    };

+    if (authorizedkeys[0]) {
+        server_cb.auth_pubkey_function = auth_publickey;
+        ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY);
+    } else
+        ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD);
+
    ssh_callbacks_init(&server_cb);
    ssh_callbacks_init(&channel_cb);

@@ -527,7 +596,6 @@ static void handle_session(ssh_event event, ssh_session session) {
        return;
    }

-    ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD);
    ssh_event_add_session(event, session);

    n = 0;
--- a/examples/sshd_direct-tcpip.c
+++ b/examples/sshd_direct-tcpip.c
@@ -0,0 +1,749 @@
+/* This is a sample implementation of a libssh based SSH server */
+/*
+Copyright 2003-2009 Aris Adamantiadis
+Copyright 2018 T. Wimmer
+
+This file is part of the SSH Library
+
+You are free to copy this file, modify it in any way, consider it being public
+domain. This does not apply to the rest of the library though, but it is
+allowed to cut-and-paste working code from this file to any license of
+program.
+The goal is to show the API in action. It's not a reference on how terminal
+clients must be made or how a client should react.
+*/
+
+/*
+ Example:
+  ./sshd_direct-tcpip -v -p 2022 -d serverkey.dsa -r serverkey.rsa 127.0.0.1
+*/
+
+#include "config.h"
+
+#include <libssh/libssh.h>
+#include <libssh/server.h>
+#include <libssh/callbacks.h>
+
+#ifdef HAVE_ARGP_H
+#include <argp.h>
+#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <poll.h>
+
+#define SAFE_FREE(x) do { if ((x) != NULL) {free(x); x=NULL;} } while(0)
+
+#ifndef __unused__
+# ifdef HAVE_UNUSED_ATTRIBUTE
+#  define __unused__ __attribute__((unused))
+# else /* HAVE_UNUSED_ATTRIBUTE */
+#  define __unused__
+# endif /* HAVE_UNUSED_ATTRIBUTE */
+#endif /* __unused__ */
+
+#ifndef UNUSED_PARAM
+#define UNUSED_PARAM(param) param __unused__
+#endif /* UNUSED_PARAM */
+
+#ifndef KEYS_FOLDER
+#ifdef _WIN32
+#define KEYS_FOLDER
+#else
+#define KEYS_FOLDER "/etc/ssh/"
+#endif
+#endif
+
+#define USER "user"
+#define PASSWORD "pwd"
+
+struct event_fd_data_struct {
+    int *p_fd;
+    ssh_channel channel;
+    struct ssh_channel_callbacks_struct *cb_chan;
+    int stacked;
+};
+
+struct cleanup_node_struct {
+    struct event_fd_data_struct *data;
+    struct cleanup_node_struct *next;
+};
+
+static bool authenticated = false;
+static int tries = 0;
+static bool error_set = false;
+static int sockets_cnt = 0;
+static ssh_event mainloop = NULL;
+static struct cleanup_node_struct *cleanup_stack = NULL;
+
+static void _close_socket(struct event_fd_data_struct event_fd_data);
+
+static void
+cleanup_push(struct cleanup_node_struct** head_ref,
+             struct event_fd_data_struct *new_data)
+{
+    // Allocate memory for node
+    struct cleanup_node_struct *new_node = malloc(sizeof *new_node);
+
+    if (head_ref != NULL) {
+        new_node->next = *head_ref;
+    } else {
+        new_node->next = NULL;
+    }
+
+    // Copy new_data
+    new_node->data = new_data;
+
+    // Change head pointer as new node is added at the beginning
+    (*head_ref) = new_node;
+}
+
+static void
+do_cleanup(struct cleanup_node_struct **head_ref)
+{
+    struct cleanup_node_struct *current = (*head_ref);
+    struct cleanup_node_struct *previous = NULL, *gone = NULL;
+
+    while (current != NULL) {
+        if (ssh_channel_is_closed(current->data->channel)) {
+            if (current == (*head_ref)) {
+                (*head_ref) = current->next;
+            }
+            if (previous != NULL) {
+                previous->next = current->next;
+            }
+            gone = current;
+            current = current->next;
+
+            if (gone->data->channel) {
+                _close_socket(*gone->data);
+                ssh_remove_channel_callbacks(gone->data->channel, gone->data->cb_chan);
+                ssh_channel_free(gone->data->channel);
+                gone->data->channel = NULL;
+
+                SAFE_FREE(gone->data->p_fd);
+                SAFE_FREE(gone->data->cb_chan);
+                SAFE_FREE(gone->data);
+                SAFE_FREE(gone);
+            }
+            else {
+                fprintf(stderr, "channel already freed!\n");
+            }
+            _ssh_log(SSH_LOG_FUNCTIONS, "=== do_cleanup", "Freed.");
+        }
+        else {
+            ssh_channel_close(current->data->channel);
+            previous = current;
+            current = current->next;
+        }
+    }
+}
+
+static int
+auth_password(ssh_session session,
+              const char *user,
+              const char *password,
+              UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== auth_password", "Authenticating user %s pwd %s",
+             user,
+             password);
+    if (strcmp(user, USER) == 0 && strcmp(password, PASSWORD) == 0) {
+        authenticated = true;
+        printf("Authenticated\n");
+        return SSH_AUTH_SUCCESS;
+    }
+    if (tries >= 3) {
+        printf("Too many authentication tries\n");
+        ssh_disconnect(session);
+        error_set = true;
+        return SSH_AUTH_DENIED;
+    }
+    tries++;
+    return SSH_AUTH_DENIED;
+}
+
+static int
+auth_gssapi_mic(ssh_session session,
+                const char *user,
+                const char *principal,
+                UNUSED_PARAM(void *userdata))
+{
+    ssh_gssapi_creds creds = ssh_gssapi_get_creds(session);
+    printf("Authenticating user %s with gssapi principal %s\n",
+           user, principal);
+    if (creds != NULL) {
+        printf("Received some gssapi credentials\n");
+    } else {
+        printf("Not received any forwardable creds\n");
+    }
+    printf("authenticated\n");
+    authenticated = true;
+    return SSH_AUTH_SUCCESS;
+}
+
+static int
+subsystem_request(UNUSED_PARAM(ssh_session session),
+                  UNUSED_PARAM(ssh_channel channel),
+                  const char *subsystem,
+                  UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== subsystem_request", "Channel subsystem reqeuest: %s",
+             subsystem);
+    return 0;
+}
+
+struct ssh_channel_callbacks_struct channel_cb = {
+    .channel_subsystem_request_function = subsystem_request
+};
+
+static ssh_channel
+new_session_channel(UNUSED_PARAM(ssh_session session),
+                    UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL, "=== subsystem_request", "Session channel request");
+    /* For TCP forward only there seems to be no need for a session channel */
+    /*if(chan != NULL)
+        return NULL;
+    printf("Session channel request\n");
+    chan = ssh_channel_new(session);
+    ssh_callbacks_init(&channel_cb);
+    ssh_set_channel_callbacks(chan, &channel_cb);
+    return chan;*/
+    return NULL;
+}
+
+static void
+stack_socket_close(UNUSED_PARAM(ssh_session session),
+                   struct event_fd_data_struct *event_fd_data)
+{
+    if (event_fd_data->stacked != 1) {
+        _ssh_log(SSH_LOG_FUNCTIONS, "=== stack_socket_close",
+                 "Closing fd = %d sockets_cnt = %d", *event_fd_data->p_fd,
+                 sockets_cnt);
+        event_fd_data->stacked = 1;
+        cleanup_push(&cleanup_stack, event_fd_data);
+    }
+}
+
+static void
+_close_socket(struct event_fd_data_struct event_fd_data)
+{
+    _ssh_log(SSH_LOG_FUNCTIONS, "=== close_socket",
+             "Closing fd = %d sockets_cnt = %d", *event_fd_data.p_fd,
+             sockets_cnt);
+    ssh_event_remove_fd(mainloop, *event_fd_data.p_fd);
+    sockets_cnt--;
+#ifdef _WIN32
+    closesocket(*event_fd_data.p_fd);
+#else
+    close(*event_fd_data.p_fd);
+#endif // _WIN32
+    (*event_fd_data.p_fd) = SSH_INVALID_SOCKET;
+}
+
+static int
+service_request(UNUSED_PARAM(ssh_session session),
+                const char *service,
+                UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL, "=== service_request", "Service request: %s", service);
+    return 0;
+}
+
+static void
+global_request(UNUSED_PARAM(ssh_session session),
+               ssh_message message,
+               UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== global_request", "Global request, message type: %d",
+             ssh_message_type(message));
+}
+
+static void
+my_channel_close_function(ssh_session session,
+                          UNUSED_PARAM(ssh_channel channel),
+                          void *userdata)
+{
+    struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
+
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== my_channel_close_function",
+             "Channel closed by remote.");
+
+    stack_socket_close(session, event_fd_data);
+}
+
+static void
+my_channel_eof_function(ssh_session session,
+                        UNUSED_PARAM(ssh_channel channel),
+                        void *userdata)
+{
+    struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
+
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== my_channel_eof_function",
+             "Got EOF on channel. Shuting down write on socket (fd = %d).",
+             *event_fd_data->p_fd);
+
+    stack_socket_close(session, event_fd_data);
+}
+
+static void
+my_channel_exit_status_function(UNUSED_PARAM(ssh_session session),
+                                UNUSED_PARAM(ssh_channel channel),
+                                int exit_status,
+                                void *userdata)
+{
+    struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
+
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== my_channel_exit_status_function",
+             "Got exit status %d on channel fd = %d.",
+             exit_status, *event_fd_data->p_fd);
+}
+
+static int
+my_channel_data_function(ssh_session session,
+                         UNUSED_PARAM(ssh_channel channel),
+                         void *data,
+                         uint32_t len,
+                         UNUSED_PARAM(int is_stderr),
+                         void *userdata)
+{
+    int i = 0;
+    struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
+
+    if (event_fd_data->channel == NULL) {
+        fprintf(stderr, "Why we're here? Stacked = %d\n", event_fd_data->stacked);
+    }
+
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== my_channel_data_function",
+             "%d bytes waiting on channel for reading. Fd = %d",
+             len,
+             *event_fd_data->p_fd);
+    if (len > 0) {
+        i = send(*event_fd_data->p_fd, data, len, 0);
+    }
+    if (i < 0) {
+        _ssh_log(SSH_LOG_WARNING, "=== my_channel_data_function",
+                 "Writing to tcp socket %d: %s", *event_fd_data->p_fd,
+                 strerror(errno));
+        stack_socket_close(session, event_fd_data);
+    }
+    else {
+        _ssh_log(SSH_LOG_FUNCTIONS, "=== my_channel_data_function", "Sent %d bytes", i);
+    }
+    return i;
+}
+
+static int
+my_fd_data_function(UNUSED_PARAM(socket_t fd),
+                    int revents,
+                    void *userdata)
+{
+    struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
+    ssh_channel channel = event_fd_data->channel;
+    ssh_session session;
+    int len, i, wr;
+    char buf[16384];
+    int blocking;
+
+    if (channel == NULL) {
+        _ssh_log(SSH_LOG_FUNCTIONS, "=== my_fd_data_function", "channel == NULL!");
+        return 0;
+    }
+
+    session = ssh_channel_get_session(channel);
+
+    if (ssh_channel_is_closed(channel)) {
+        _ssh_log(SSH_LOG_FUNCTIONS, "=== my_fd_data_function", "channel is closed!");
+        stack_socket_close(session, event_fd_data);
+        return 0;
+    }
+
+    if (!(revents & POLLIN)) {
+        if (revents & POLLPRI) {
+            _ssh_log(SSH_LOG_PROTOCOL, "=== my_fd_data_function", "poll revents & POLLPRI");
+        }
+        if (revents & POLLOUT) {
+            _ssh_log(SSH_LOG_PROTOCOL, "=== my_fd_data_function", "poll revents & POLLOUT");
+        }
+        if (revents & POLLHUP) {
+            _ssh_log(SSH_LOG_PROTOCOL, "=== my_fd_data_function", "poll revents & POLLHUP");
+        }
+        if (revents & POLLNVAL) {
+            _ssh_log(SSH_LOG_PROTOCOL, "=== my_fd_data_function", "poll revents & POLLNVAL");
+        }
+        if (revents & POLLERR) {
+            _ssh_log(SSH_LOG_PROTOCOL, "=== my_fd_data_function", "poll revents & POLLERR");
+        }
+        return 0;
+    }
+
+    blocking = ssh_is_blocking(session);
+    ssh_set_blocking(session, 0);
+
+    _ssh_log(SSH_LOG_FUNCTIONS,
+             "=== my_fd_data_function",
+             "Trying to read from tcp socket fd = %d",
+             *event_fd_data->p_fd);
+#ifdef _WIN32
+    struct sockaddr from;
+    int fromlen = sizeof(from);
+    len = recvfrom(*event_fd_data->p_fd, buf, sizeof(buf), 0, &from, &fromlen);
+#else
+    len = recv(*event_fd_data->p_fd, buf, sizeof(buf), 0);
+#endif // _WIN32
+    if (len < 0) {
+        _ssh_log(SSH_LOG_WARNING, "=== my_fd_data_function", "Reading from tcp socket: %s", strerror(errno));
+
+        ssh_channel_send_eof(channel);
+    }
+    else if (len > 0) {
+        if (ssh_channel_is_open(channel)) {
+            wr = 0;
+            do {
+                i = ssh_channel_write(channel, buf, len);
+                if (i < 0) {
+                    _ssh_log(SSH_LOG_WARNING, "=== my_fd_data_function", "Error writing on the direct-tcpip channel: %d", i);
+                    len = wr;
+                    break;
+                }
+                wr += i;
+                _ssh_log(SSH_LOG_FUNCTIONS, "=== my_fd_data_function", "channel_write (%d from %d)", wr, len);
+            } while (i > 0 && wr < len);
+        }
+        else {
+            _ssh_log(SSH_LOG_WARNING, "=== my_fd_data_function", "Can't write on closed channel!");
+        }
+    }
+    else {
+        _ssh_log(SSH_LOG_PROTOCOL, "=== my_fd_data_function", "The destination host has disconnected!");
+
+        ssh_channel_close(channel);
+#ifdef _WIN32
+        shutdown(*event_fd_data->p_fd, SD_RECEIVE);
+#else
+        shutdown(*event_fd_data->p_fd, SHUT_RD);
+#endif // _WIN32
+    }
+    ssh_set_blocking(session, blocking);
+
+    return len;
+}
+
+static int
+open_tcp_socket(ssh_message msg)
+{
+    struct sockaddr_in sin;
+    int forwardsock = -1;
+    struct hostent *host;
+    const char *dest_hostname;
+    int dest_port;
+
+    forwardsock = socket(AF_INET, SOCK_STREAM, 0);
+    if (forwardsock < 0) {
+        _ssh_log(SSH_LOG_WARNING, "=== open_tcp_socket", "ERROR opening socket: %s", strerror(errno));
+        return -1;
+    }
+
+    dest_hostname = ssh_message_channel_request_open_destination(msg);
+    dest_port = ssh_message_channel_request_open_destination_port(msg);
+
+    _ssh_log(SSH_LOG_PROTOCOL, "=== open_tcp_socket", "Connecting to %s on port %d", dest_hostname, dest_port);
+
+    host = gethostbyname(dest_hostname);
+    if (host == NULL) {
+        close(forwardsock);
+        _ssh_log(SSH_LOG_WARNING, "=== open_tcp_socket", "ERROR, no such host: %s", dest_hostname);
+        return -1;
+    }
+
+    memset((char *)&sin, '\0', sizeof(sin));
+    sin.sin_family = AF_INET;
+    memcpy((char *)&sin.sin_addr.s_addr, (char *)host->h_addr, host->h_length);
+    sin.sin_port = htons(dest_port);
+
+    if (connect(forwardsock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+        close(forwardsock);
+        _ssh_log(SSH_LOG_WARNING, "=== open_tcp_socket", "ERROR connecting: %s", strerror(errno));
+        return -1;
+    }
+
+    sockets_cnt++;
+    _ssh_log(SSH_LOG_FUNCTIONS, "=== open_tcp_socket", "Connected. sockets_cnt = %d", sockets_cnt);
+    return forwardsock;
+}
+
+static int
+message_callback(UNUSED_PARAM(ssh_session session),
+                 ssh_message message,
+                 UNUSED_PARAM(void *userdata))
+{
+    ssh_channel channel;
+    int socket_fd, *pFd;
+    struct ssh_channel_callbacks_struct *cb_chan;
+    struct event_fd_data_struct *event_fd_data;
+
+    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d",
+             ssh_message_type(message));
+    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message Subtype: %d",
+             ssh_message_subtype(message));
+    if (ssh_message_type(message) == SSH_REQUEST_CHANNEL_OPEN) {
+        _ssh_log(SSH_LOG_PROTOCOL, "=== message_callback", "channel_request_open");
+
+        if (ssh_message_subtype(message) == SSH_CHANNEL_DIRECT_TCPIP) {
+            channel = ssh_message_channel_request_open_reply_accept(message);
+
+            if (channel == NULL) {
+                _ssh_log(SSH_LOG_WARNING, "=== message_callback", "Accepting direct-tcpip channel failed!");
+                return 1;
+            }
+            else {
+                _ssh_log(SSH_LOG_PROTOCOL, "=== message_callback", "Connected to channel!");
+
+                socket_fd = open_tcp_socket(message);
+                if (-1 == socket_fd) {
+                    return 1;
+                }
+
+                pFd = malloc(sizeof *pFd);
+                cb_chan = malloc(sizeof *cb_chan);
+                event_fd_data = malloc(sizeof *event_fd_data);
+                if (pFd == NULL || cb_chan == NULL || event_fd_data == NULL) {
+                    SAFE_FREE(pFd);
+                    SAFE_FREE(cb_chan);
+                    SAFE_FREE(event_fd_data);
+                    return 1;
+                }
+
+                (*pFd) = socket_fd;
+                event_fd_data->channel = channel;
+                event_fd_data->p_fd = pFd;
+                event_fd_data->stacked = 0;
+                event_fd_data->cb_chan = cb_chan;
+
+                cb_chan->userdata = event_fd_data;
+                cb_chan->channel_eof_function = my_channel_eof_function;
+                cb_chan->channel_close_function = my_channel_close_function;
+                cb_chan->channel_data_function = my_channel_data_function;
+                cb_chan->channel_exit_status_function = my_channel_exit_status_function;
+
+                ssh_callbacks_init(cb_chan);
+                ssh_set_channel_callbacks(channel, cb_chan);
+
+                ssh_event_add_fd(mainloop, (socket_t)*pFd, POLLIN, my_fd_data_function, event_fd_data);
+
+                return 0;
+            }
+        }
+    }
+    return 1;
+}
+
+#ifdef HAVE_ARGP_H
+const char *argp_program_version = "libssh server example "
+SSH_STRINGIFY(LIBSSH_VERSION);
+const char *argp_program_bug_address = "<libssh@libssh.org>";
+
+/* Program documentation. */
+static char doc[] = "libssh -- a Secure Shell protocol implementation";
+
+/* A description of the arguments we accept. */
+static char args_doc[] = "BINDADDR";
+
+/* The options we understand. */
+static struct argp_option options[] = {
+    {
+        .name  = "port",
+        .key   = 'p',
+        .arg   = "PORT",
+        .flags = 0,
+        .doc   = "Set the port to bind.",
+        .group = 0
+    },
+    {
+        .name  = "hostkey",
+        .key   = 'k',
+        .arg   = "FILE",
+        .flags = 0,
+        .doc   = "Set the host key.",
+        .group = 0
+    },
+    {
+        .name  = "dsakey",
+        .key   = 'd',
+        .arg   = "FILE",
+        .flags = 0,
+        .doc   = "Set the dsa key.",
+        .group = 0
+    },
+    {
+        .name  = "rsakey",
+        .key   = 'r',
+        .arg   = "FILE",
+        .flags = 0,
+        .doc   = "Set the rsa key.",
+        .group = 0
+    },
+    {
+        .name  = "verbose",
+        .key   = 'v',
+        .arg   = NULL,
+        .flags = 0,
+        .doc   = "Get verbose output.",
+        .group = 0
+    },
+    {NULL, 0, NULL, 0, NULL, 0}
+};
+
+/* Parse a single option. */
+static error_t
+parse_opt (int key, char *arg, struct argp_state *state)
+{
+    /* Get the input argument from argp_parse, which we
+     * know is a pointer to our arguments structure.
+     */
+    ssh_bind sshbind = state->input;
+
+    switch (key) {
+        case 'p':
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
+            break;
+        case 'd':
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
+            break;
+        case 'k':
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
+            break;
+        case 'r':
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, arg);
+            break;
+        case 'v':
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "1");
+            break;
+        case ARGP_KEY_ARG:
+            if (state->arg_num >= 1) {
+                /* Too many arguments. */
+                argp_usage (state);
+            }
+            ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDADDR, arg);
+            break;
+        case ARGP_KEY_END:
+            if (state->arg_num < 1) {
+                /* Not enough arguments. */
+                argp_usage (state);
+            }
+            break;
+        default:
+            return ARGP_ERR_UNKNOWN;
+    }
+
+    return 0;
+}
+
+/* Our argp parser. */
+static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
+#endif /* HAVE_ARGP_H */
+
+int
+main(int argc, char **argv)
+{
+    ssh_session session;
+    ssh_bind sshbind;
+    struct ssh_server_callbacks_struct cb = {
+        .userdata = NULL,
+        .auth_password_function = auth_password,
+        .auth_gssapi_mic_function = auth_gssapi_mic,
+        .channel_open_request_session_function = new_session_channel,
+        .service_request_function = service_request
+    };
+    struct ssh_callbacks_struct cb_gen = {
+        .userdata = NULL,
+        .global_request_function = global_request
+    };
+
+    int ret = 1;
+
+    sshbind = ssh_bind_new();
+    session = ssh_new();
+    mainloop = ssh_event_new();
+
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
+    ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
+
+#ifdef HAVE_ARGP_H
+    /*
+     * Parse our arguments; every option seen by parse_opt will
+     * be reflected in arguments.
+     */
+    argp_parse (&argp, argc, argv, 0, 0, sshbind);
+#else
+    (void)argc;
+    (void)argv;
+#endif
+
+    if (ssh_bind_listen(sshbind) < 0) {
+        printf("Error listening to socket: %s\n", ssh_get_error(sshbind));
+        return 1;
+    }
+
+    if (ssh_bind_accept(sshbind, session) == SSH_ERROR) {
+        printf("error accepting a connection : %s\n", ssh_get_error(sshbind));
+        ret = 1;
+        goto shutdown;
+    }
+
+    ssh_callbacks_init(&cb);
+    ssh_callbacks_init(&cb_gen);
+    ssh_set_server_callbacks(session, &cb);
+    ssh_set_callbacks(session, &cb_gen);
+    ssh_set_message_callback(session, message_callback, (void *)NULL);
+
+    if (ssh_handle_key_exchange(session)) {
+        printf("ssh_handle_key_exchange: %s\n", ssh_get_error(session));
+        ret = 1;
+        goto shutdown;
+    }
+    ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_GSSAPI_MIC);
+    ssh_event_add_session(mainloop, session);
+
+    while (!authenticated) {
+        if (error_set) {
+            break;
+        }
+        if (ssh_event_dopoll(mainloop, -1) == SSH_ERROR) {
+            printf("Error : %s\n", ssh_get_error(session));
+            ret = 1;
+            goto shutdown;
+        }
+    }
+    if (error_set) {
+        printf("Error, exiting loop\n");
+    } else {
+        printf("Authenticated and got a channel\n");
+
+        while (!error_set) {
+            if (ssh_event_dopoll(mainloop, 100) == SSH_ERROR) {
+                printf("Error : %s\n", ssh_get_error(session));
+                ret = 1;
+                goto shutdown;
+            }
+            do_cleanup(&cleanup_stack);
+        }
+    }
+
+shutdown:
+    ssh_disconnect(session);
+    ssh_bind_free(sshbind);
+    ssh_finalize();
+    return ret;
+}
--- a/examples/sshnetcat.c
+++ b/examples/sshnetcat.c
@@ -90,6 +90,7 @@ static void select_loop(ssh_session session,ssh_channel channel){
 		do{
            int fd;

+            ZERO_STRUCT(fds);
 			FD_ZERO(&fds);
 			if(!eof)
 				FD_SET(0,&fds);
--- a/include/libssh/CMakeLists.txt
+++ b/include/libssh/CMakeLists.txt
@@ -26,8 +26,14 @@ install(
  FILES
    ${libssh_HDRS}
  DESTINATION
-    ${INCLUDE_INSTALL_DIR}/${APPLICATION_NAME}
+    ${CMAKE_INSTALL_INCLUDEDIR}/${APPLICATION_NAME}
  COMPONENT
    headers
 )

+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/libssh_version.h.cmake
+               ${libssh_BINARY_DIR}/include/libssh/libssh_version.h
+               @ONLY)
+install(FILES ${libssh_BINARY_DIR}/include/libssh/libssh_version.h
+        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${APPLICATION_NAME}
+        COMPONENT headers)
--- a/include/libssh/agent.h
+++ b/include/libssh/agent.h
@@ -104,7 +104,7 @@ void ssh_agent_free(struct ssh_agent_struct *agent);
 */
 int ssh_agent_is_running(struct ssh_session_struct *session);

-int ssh_agent_get_ident_count(struct ssh_session_struct *session);
+uint32_t ssh_agent_get_ident_count(struct ssh_session_struct *session);

 ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
                                 char **comment);
--- a/include/libssh/bignum.h
+++ b/include/libssh/bignum.h
@@ -26,9 +26,8 @@
 #include "libssh/libmbedcrypto.h"

 bignum ssh_make_string_bn(ssh_string string);
-void ssh_make_string_bn_inplace(ssh_string string, bignum bnout);
 ssh_string ssh_make_bignum_string(bignum num);
-void ssh_print_bignum(const char *which, const bignum num);
+void ssh_print_bignum(const char *which, const_bignum num);


 #endif /* BIGNUM_H_ */
--- a/include/libssh/bind.h
+++ b/include/libssh/bind.h
@@ -22,6 +22,7 @@
 #define BIND_H_

 #include "libssh/priv.h"
+#include "libssh/kex.h"
 #include "libssh/session.h"

 struct ssh_bind_struct {
@@ -31,7 +32,7 @@ struct ssh_bind_struct {

  struct ssh_poll_handle_struct *poll;
  /* options */
-  char *wanted_methods[10];
+  char *wanted_methods[SSH_KEX_METHODS];
  char *banner;
  char *ecdsakey;
  char *dsakey;
@@ -46,6 +47,9 @@ struct ssh_bind_struct {
  unsigned int bindport;
  int blocking;
  int toaccept;
+  bool config_processed;
+  char *config_dir;
+  char *pubkey_accepted_key_types;
 };

 struct ssh_poll_handle_struct *ssh_bind_get_poll(struct ssh_bind_struct
--- a/include/libssh/bind_config.h
+++ b/include/libssh/bind_config.h
@@ -0,0 +1,64 @@
+/*
+ * bind_config.h - Parse the SSH server configuration file
+ *
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2019 by Red Hat, Inc.
+ *
+ * Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#ifndef BIND_CONFIG_H_
+#define BIND_CONFIG_H_
+
+#include "libssh/server.h"
+
+enum ssh_bind_config_opcode_e {
+    /* Known but not allowed in Match block */
+    BIND_CFG_NOT_ALLOWED_IN_MATCH = -4,
+    /* Unknown opcode */
+    BIND_CFG_UNKNOWN = -3,
+    /* Known and not applicable to libssh */
+    BIND_CFG_NA = -2,
+    /* Known but not supported by current libssh version */
+    BIND_CFG_UNSUPPORTED = -1,
+    BIND_CFG_INCLUDE,
+    BIND_CFG_HOSTKEY,
+    BIND_CFG_LISTENADDRESS,
+    BIND_CFG_PORT,
+    BIND_CFG_LOGLEVEL,
+    BIND_CFG_CIPHERS,
+    BIND_CFG_MACS,
+    BIND_CFG_KEXALGORITHMS,
+    BIND_CFG_MATCH,
+    BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES,
+    BIND_CFG_HOSTKEY_ALGORITHMS,
+
+    BIND_CFG_MAX /* Keep this one last in the list */
+};
+
+/* @brief Parse configuration file and set the options to the given ssh_bind
+ *
+ * @params[in] sshbind   The ssh_bind context to be configured
+ * @params[in] filename  The path to the configuration file
+ *
+ * @returns    0 on successful parsing the configuration file, -1 on error
+ */
+int ssh_bind_config_parse_file(ssh_bind sshbind, const char *filename);
+
+#endif /* BIND_CONFIG_H_ */
--- a/include/libssh/buffer.h
+++ b/include/libssh/buffer.h
@@ -40,21 +40,21 @@ void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len);
 int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, uint32_t len);
 int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
                       const char *format,
-                       int argc,
+                       size_t argc,
                       va_list ap);
 int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
                     const char *format,
-                     int argc,
+                     size_t argc,
                     ...);
 #define ssh_buffer_pack(buffer, format, ...) \
    _ssh_buffer_pack((buffer), (format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__, SSH_BUFFER_PACK_END)

 int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
-                         const char *format, int argc,
+                         const char *format, size_t argc,
                         va_list ap);
 int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer,
                       const char *format,
-                       int argc,
+                       size_t argc,
                       ...);
 #define ssh_buffer_unpack(buffer, format, ...) \
    _ssh_buffer_unpack((buffer), (format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__, SSH_BUFFER_PACK_END)
--- a/include/libssh/bytearray.h
+++ b/include/libssh/bytearray.h
@@ -0,0 +1,90 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2018 Andreas Schneider <asn@cryptomilk.org>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+#ifndef _BYTEARRAY_H
+#define _BYTEARRAY_H
+
+#define _DATA_BYTE_CONST(data, pos) \
+    ((uint8_t)(((const uint8_t *)(data))[(pos)]))
+
+#define _DATA_BYTE(data, pos) \
+    (((uint8_t *)(data))[(pos)])
+
+/*
+ * These macros pull or push integer values from byte arrays stored in
+ * little-endian byte order.
+ */
+#define PULL_LE_U8(data, pos) \
+    (_DATA_BYTE_CONST(data, pos))
+
+#define PULL_LE_U16(data, pos) \
+    ((uint16_t)PULL_LE_U8(data, pos) | ((uint16_t)(PULL_LE_U8(data, (pos) + 1))) << 8)
+
+#define PULL_LE_U32(data, pos) \
+    ((uint32_t)(PULL_LE_U16(data, pos) | ((uint32_t)PULL_LE_U16(data, (pos) + 2)) << 16))
+
+#define PULL_LE_U64(data, pos) \
+    ((uint64_t)(PULL_LE_U32(data, pos) | ((uint64_t)PULL_LE_U32(data, (pos) + 4)) << 32))
+
+
+#define PUSH_LE_U8(data, pos, val) \
+    (_DATA_BYTE(data, pos) = ((uint8_t)(val)))
+
+#define PUSH_LE_U16(data, pos, val) \
+    (PUSH_LE_U8((data), (pos), (uint8_t)((uint16_t)(val) & 0xff)), PUSH_LE_U8((data), (pos) + 1, (uint8_t)((uint16_t)(val) >> 8)))
+
+#define PUSH_LE_U32(data, pos, val) \
+    (PUSH_LE_U16((data), (pos), (uint16_t)((uint32_t)(val) & 0xffff)), PUSH_LE_U16((data), (pos) + 2, (uint16_t)((uint32_t)(val) >> 16)))
+
+#define PUSH_LE_U64(data, pos, val) \
+    (PUSH_LE_U32((data), (pos), (uint32_t)((uint64_t)(val) & 0xffffffff)), PUSH_LE_U32((data), (pos) + 4, (uint32_t)((uint64_t)(val) >> 32)))
+
+
+
+/*
+ * These macros pull or push integer values from byte arrays stored in
+ * big-endian byte order (network byte order).
+ */
+#define PULL_BE_U8(data, pos) \
+    (_DATA_BYTE_CONST(data, pos))
+
+#define PULL_BE_U16(data, pos) \
+    ((((uint16_t)(PULL_BE_U8(data, pos))) << 8) | (uint16_t)PULL_BE_U8(data, (pos) + 1))
+
+#define PULL_BE_U32(data, pos) \
+    ((((uint32_t)PULL_BE_U16(data, pos)) << 16) | (uint32_t)(PULL_BE_U16(data, (pos) + 2)))
+
+#define PULL_BE_U64(data, pos) \
+    ((((uint64_t)PULL_BE_U32(data, pos)) << 32) | (uint64_t)(PULL_BE_U32(data, (pos) + 4)))
+
+
+
+#define PUSH_BE_U8(data, pos, val) \
+    (_DATA_BYTE(data, pos) = ((uint8_t)(val)))
+
+#define PUSH_BE_U16(data, pos, val) \
+    (PUSH_BE_U8((data), (pos), (uint8_t)(((uint16_t)(val)) >> 8)), PUSH_BE_U8((data), (pos) + 1, (uint8_t)((val) & 0xff)))
+
+#define PUSH_BE_U32(data, pos, val) \
+    (PUSH_BE_U16((data), (pos), (uint16_t)(((uint32_t)(val)) >> 16)), PUSH_BE_U16((data), (pos) + 2, (uint16_t)((val) & 0xffff)))
+
+#define PUSH_BE_U64(data, pos, val) \
+    (PUSH_BE_U32((data), (pos), (uint32_t)(((uint64_t)(val)) >> 32)), PUSH_BE_U32((data), (pos) + 4, (uint32_t)((val) & 0xffffffff)))
+
+#endif /* _BYTEARRAY_H */
--- a/include/libssh/callbacks.h
+++ b/include/libssh/callbacks.h
@@ -854,7 +854,7 @@ typedef struct ssh_channel_callbacks_struct *ssh_channel_callbacks;
 * @code
 * struct ssh_channel_callbacks_struct cb = {
 *   .userdata = data,
- *   .channel_data = my_channel_data_function
+ *   .channel_data_function = my_channel_data_function
 * };
 * ssh_callbacks_init(&cb);
 * ssh_set_channel_callbacks(channel, &cb);
@@ -944,9 +944,20 @@ LIBSSH_API int ssh_threads_set_callbacks(struct ssh_threads_callbacks_struct
    *cb);

 /**
- * @brief returns a pointer on the pthread threads callbacks, to be used with
+ * @brief Returns a pointer to the appropriate callbacks structure for the
+ * environment, to be used with ssh_threads_set_callbacks.
+ *
+ * @returns A pointer to a ssh_threads_callbacks_struct to be used with
 * ssh_threads_set_callbacks.
- * @warning you have to link with the library ssh_threads.
+ *
+ * @see ssh_threads_set_callbacks
+ */
+LIBSSH_API struct ssh_threads_callbacks_struct *ssh_threads_get_default(void);
+
+/**
+ * @brief Returns a pointer on the pthread threads callbacks, to be used with
+ * ssh_threads_set_callbacks.
+ *
 * @see ssh_threads_set_callbacks
 */
 LIBSSH_API struct ssh_threads_callbacks_struct *ssh_threads_get_pthread(void);
--- a/include/libssh/channels.h
+++ b/include/libssh/channels.h
@@ -97,8 +97,9 @@ SSH_PACKET_CALLBACK(channel_rcv_close);
 SSH_PACKET_CALLBACK(channel_rcv_request);
 SSH_PACKET_CALLBACK(channel_rcv_data);

-int channel_default_bufferize(ssh_channel channel, void *data, int len,
-        int is_stderr);
+int channel_default_bufferize(ssh_channel channel,
+                              void *data, size_t len,
+                              bool is_stderr);
 int ssh_channel_flush(ssh_channel channel);
 uint32_t ssh_channel_new_id(ssh_session session);
 ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id);
--- a/include/libssh/config.h
+++ b/include/libssh/config.h
@@ -0,0 +1,68 @@
+/*
+ * config.h - parse the ssh config file
+ *
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2009-2018    by Andreas Schneider <asn@cryptomilk.org>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#ifndef LIBSSH_CONFIG_H_
+#define LIBSSH_CONFIG_H_
+
+
+enum ssh_config_opcode_e {
+    /* Unknown opcode */
+    SOC_UNKNOWN = -3,
+    /* Known and not applicable to libssh */
+    SOC_NA = -2,
+    /* Known but not supported by current libssh version */
+    SOC_UNSUPPORTED = -1,
+    SOC_HOST,
+    SOC_MATCH,
+    SOC_HOSTNAME,
+    SOC_PORT,
+    SOC_USERNAME,
+    SOC_IDENTITY,
+    SOC_CIPHERS,
+    SOC_MACS,
+    SOC_COMPRESSION,
+    SOC_TIMEOUT,
+    SOC_PROTOCOL,
+    SOC_STRICTHOSTKEYCHECK,
+    SOC_KNOWNHOSTS,
+    SOC_PROXYCOMMAND,
+    SOC_PROXYJUMP,
+    SOC_GSSAPISERVERIDENTITY,
+    SOC_GSSAPICLIENTIDENTITY,
+    SOC_GSSAPIDELEGATECREDENTIALS,
+    SOC_INCLUDE,
+    SOC_BINDADDRESS,
+    SOC_GLOBALKNOWNHOSTSFILE,
+    SOC_LOGLEVEL,
+    SOC_HOSTKEYALGORITHMS,
+    SOC_KEXALGORITHMS,
+    SOC_GSSAPIAUTHENTICATION,
+    SOC_KBDINTERACTIVEAUTHENTICATION,
+    SOC_PASSWORDAUTHENTICATION,
+    SOC_PUBKEYAUTHENTICATION,
+    SOC_PUBKEYACCEPTEDTYPES,
+    SOC_REKEYLIMIT,
+
+    SOC_MAX /* Keep this one last in the list */
+};
+#endif /* LIBSSH_CONFIG_H_ */
--- a/include/libssh/config_parser.h
+++ b/include/libssh/config_parser.h
@@ -0,0 +1,57 @@
+/*
+ * config_parser.h - Common configuration file parser functions
+ *
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2019 by Red Hat, Inc.
+ *
+ * Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#ifndef CONFIG_PARSER_H_
+#define CONFIG_PARSER_H_
+
+char *ssh_config_get_cmd(char **str);
+
+char *ssh_config_get_token(char **str);
+
+long ssh_config_get_long(char **str, long notfound);
+
+const char *ssh_config_get_str_tok(char **str, const char *def);
+
+int ssh_config_get_yesno(char **str, int notfound);
+
+/* @brief Parse SSH URI in format [user@]host[:port] from the given string
+ *
+ * @param[in]   tok      String to parse
+ * @param[out]  username Pointer to the location, where the new username will
+ *                       be stored or NULL if we do not care about the result.
+ * @param[out]  hostname Pointer to the location, where the new hostname will
+ *                       be stored or NULL if we do not care about the result.
+ * @param[out]  port     Pointer to the location, where the new port will
+ *                       be stored or NULL if we do not care about the result.
+ *
+ * @returns     SSH_OK if the provided string is in format of SSH URI,
+ *              SSH_ERROR on failure
+ */
+int ssh_config_parse_uri(const char *tok,
+        char **username,
+        char **hostname,
+        char **port);
+
+#endif /* LIBSSH_CONFIG_H_ */
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -25,10 +25,13 @@
 #ifndef _CRYPTO_H_
 #define _CRYPTO_H_

+#include <stdbool.h>
 #include "config.h"

 #ifdef HAVE_LIBGCRYPT
 #include <gcrypt.h>
+#elif defined(HAVE_LIBMBEDCRYPTO)
+#include <mbedtls/gcm.h>
 #endif
 #include "libssh/wrapper.h"

@@ -42,17 +45,27 @@
 #ifdef HAVE_OPENSSL_ECDH_H
 #include <openssl/ecdh.h>
 #endif
+#include "libssh/dh.h"
 #include "libssh/ecdh.h"
 #include "libssh/kex.h"
 #include "libssh/curve25519.h"

 #define DIGEST_MAX_LEN 64

+#define AES_GCM_TAGLEN 16
+#define AES_GCM_IVLEN  12
+
 enum ssh_key_exchange_e {
  /* diffie-hellman-group1-sha1 */
  SSH_KEX_DH_GROUP1_SHA1=1,
  /* diffie-hellman-group14-sha1 */
  SSH_KEX_DH_GROUP14_SHA1,
+#ifdef WITH_GEX
+  /* diffie-hellman-group-exchange-sha1 */
+  SSH_KEX_DH_GEX_SHA1,
+  /* diffie-hellman-group-exchange-sha256 */
+  SSH_KEX_DH_GEX_SHA256,
+#endif /* WITH_GEX */
  /* ecdh-sha2-nistp256 */
  SSH_KEX_ECDH_SHA2_NISTP256,
  /* ecdh-sha2-nistp384 */
@@ -67,22 +80,35 @@ enum ssh_key_exchange_e {
  SSH_KEX_DH_GROUP16_SHA512,
  /* diffie-hellman-group18-sha512 */
  SSH_KEX_DH_GROUP18_SHA512,
+  /* diffie-hellman-group14-sha256 */
+  SSH_KEX_DH_GROUP14_SHA256,
 };

 enum ssh_cipher_e {
    SSH_NO_CIPHER=0,
+#ifdef WITH_BLOWFISH_CIPHER
    SSH_BLOWFISH_CBC,
+#endif /* WITH_BLOWFISH_CIPHER */
    SSH_3DES_CBC,
    SSH_AES128_CBC,
    SSH_AES192_CBC,
    SSH_AES256_CBC,
    SSH_AES128_CTR,
    SSH_AES192_CTR,
-    SSH_AES256_CTR
+    SSH_AES256_CTR,
+    SSH_AEAD_AES128_GCM,
+    SSH_AEAD_AES256_GCM,
+    SSH_AEAD_CHACHA20_POLY1305
 };

+struct dh_ctx;
+
 struct ssh_crypto_struct {
-    bignum e,f,x,k,y;
+    bignum shared_secret;
+    struct dh_ctx *dh_ctx;
+#ifdef WITH_GEX
+    size_t dh_pmin; size_t dh_pn; size_t dh_pmax; /* preferred group parameters */
+#endif /* WITH_GEX */
 #ifdef HAVE_ECDH
 #ifdef HAVE_OPENSSL_ECC
    EC_KEY *ecdh_privkey;
@@ -100,8 +126,9 @@ struct ssh_crypto_struct {
    ssh_curve25519_pubkey curve25519_server_pubkey;
 #endif
    ssh_string dh_server_signature; /* information used by dh_handshake. */
-    size_t digest_len; /* len of all the fields below */
+    size_t session_id_len;
    unsigned char *session_id;
+    size_t digest_len; /* len of the secret hash */
    unsigned char *secret_hash; /* Secret hash is same as session id until re-kex */
    unsigned char *encryptIV;
    unsigned char *decryptIV;
@@ -112,6 +139,7 @@ struct ssh_crypto_struct {
    unsigned char hmacbuf[DIGEST_MAX_LEN];
    struct ssh_cipher_struct *in_cipher, *out_cipher; /* the cipher structures/objects */
    enum ssh_hmac_e in_hmac, out_hmac; /* the MAC algorithms used */
+    bool in_hmac_etm, out_hmac_etm; /* Whether EtM mode is used or not */

    ssh_key server_pubkey;
    int do_compress_out; /* idem */
@@ -125,7 +153,8 @@ struct ssh_crypto_struct {
    struct ssh_kex_struct client_kex;
    char *kex_methods[SSH_KEX_METHODS];
    enum ssh_key_exchange_e kex_type;
-    enum ssh_mac_e mac_type; /* Mac operations to use for key gen */
+    enum ssh_kdf_digest digest_type; /* Digest type for session keys derivation */
+    enum ssh_crypto_direction_e used; /* Is this crypto still used for either of directions? */
 };

 struct ssh_cipher_struct {
@@ -136,6 +165,7 @@ struct ssh_cipher_struct {
    size_t keylen; /* length of the key structure */
 #ifdef HAVE_LIBGCRYPT
    gcry_cipher_hd_t *key;
+    unsigned char last_iv[AES_GCM_IVLEN];
 #elif defined HAVE_LIBCRYPTO
    struct ssh_3des_key_schedule *des3_key;
    struct ssh_aes_key_schedule *aes_key;
@@ -145,17 +175,30 @@ struct ssh_cipher_struct {
    mbedtls_cipher_context_t encrypt_ctx;
    mbedtls_cipher_context_t decrypt_ctx;
    mbedtls_cipher_type_t type;
+#ifdef MBEDTLS_GCM_C
+    mbedtls_gcm_context gcm_ctx;
+    unsigned char last_iv[AES_GCM_IVLEN];
+#endif /* MBEDTLS_GCM_C */
 #endif
    struct chacha20_poly1305_keysched *chacha20_schedule;
    unsigned int keysize; /* bytes of key used. != keylen */
    size_t tag_size; /* overhead required for tag */
+    /* Counters for rekeying initialization */
+    uint32_t packets;
+    uint64_t blocks;
+    /* Rekeying limit for the cipher or manually enforced */
+    uint64_t max_blocks;
    /* sets the new key for immediate use */
    int (*set_encrypt_key)(struct ssh_cipher_struct *cipher, void *key, void *IV);
    int (*set_decrypt_key)(struct ssh_cipher_struct *cipher, void *key, void *IV);
-    void (*encrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
-        unsigned long len);
-    void (*decrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
-        unsigned long len);
+    void (*encrypt)(struct ssh_cipher_struct *cipher,
+                    void *in,
+                    void *out,
+                    size_t len);
+    void (*decrypt)(struct ssh_cipher_struct *cipher,
+                    void *in,
+                    void *out,
+                    size_t len);
    void (*aead_encrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
        size_t len, uint8_t *mac, uint64_t seq);
    int (*aead_decrypt_length)(struct ssh_cipher_struct *cipher, void *in,
@@ -166,5 +209,9 @@ struct ssh_cipher_struct {
 };

 const struct ssh_cipher_struct *ssh_get_chacha20poly1305_cipher(void);
+int sshkdf_derive_key(struct ssh_crypto_struct *crypto,
+                      unsigned char *key, size_t key_len,
+                      int key_type, unsigned char *output,
+                      size_t requested_len);

 #endif /* _CRYPTO_H_ */
--- a/include/libssh/curve25519.h
+++ b/include/libssh/curve25519.h
@@ -48,10 +48,9 @@ typedef unsigned char ssh_curve25519_privkey[CURVE25519_PRIVKEY_SIZE];


 int ssh_client_curve25519_init(ssh_session session);
-int ssh_client_curve25519_reply(ssh_session session, ssh_buffer packet);

 #ifdef WITH_SERVER
-int ssh_server_curve25519_init(ssh_session session, ssh_buffer packet);
+void ssh_server_curve25519_init(ssh_session session);
 #endif /* WITH_SERVER */

 #endif /* CURVE25519_H_ */
--- a/include/libssh/dh-gex.h
+++ b/include/libssh/dh-gex.h
@@ -0,0 +1,32 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2016 by Aris Adamantiadis <aris@0xbadc0de.be>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+
+#ifndef SRC_DH_GEX_H_
+#define SRC_DH_GEX_H_
+
+int ssh_client_dhgex_init(ssh_session session);
+
+#ifdef WITH_SERVER
+void ssh_server_dhgex_init(ssh_session session);
+#endif /* WITH_SERVER */
+
+#endif /* SRC_DH_GEX_H_ */
--- a/include/libssh/dh.h
+++ b/include/libssh/dh.h
@@ -25,25 +25,37 @@

 #include "libssh/crypto.h"

-int ssh_dh_generate_e(ssh_session session);
-int ssh_dh_generate_f(ssh_session session);
-int ssh_dh_generate_x(ssh_session session);
-int ssh_dh_generate_y(ssh_session session);
+struct dh_ctx;

+#define DH_CLIENT_KEYPAIR 0
+#define DH_SERVER_KEYPAIR 1
+
+/* functions implemented by crypto backends */
+int ssh_dh_init_common(struct ssh_crypto_struct *crypto);
+void ssh_dh_cleanup(struct ssh_crypto_struct *crypto);
+
+int ssh_dh_get_parameters(struct dh_ctx *ctx,
+                          const_bignum *modulus, const_bignum *generator);
+int ssh_dh_set_parameters(struct dh_ctx *ctx,
+                          const bignum modulus, const bignum generator);
+
+int ssh_dh_keypair_gen_keys(struct dh_ctx *ctx, int peer);
+int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
+                            const_bignum *priv, const_bignum *pub);
+int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
+                            const bignum priv, const bignum pub);
+
+int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
+                                 bignum *dest);
+
+void ssh_dh_debug_crypto(struct ssh_crypto_struct *c);
+
+/* common functions */
 int ssh_dh_init(void);
 void ssh_dh_finalize(void);

-ssh_string ssh_dh_get_e(ssh_session session);
-ssh_string ssh_dh_get_f(ssh_session session);
-int ssh_dh_import_f(ssh_session session,ssh_string f_string);
-int ssh_dh_import_e(ssh_session session, ssh_string e_string);
-
-int ssh_dh_import_pubkey_blob(ssh_session session, ssh_string pubkey_blob);
-int ssh_dh_import_next_pubkey_blob(ssh_session session, ssh_string pubkey_blob);
-
-int ssh_dh_build_k(ssh_session session);
-int ssh_client_dh_init(ssh_session session);
-int ssh_client_dh_reply(ssh_session session, ssh_buffer packet);
+int ssh_dh_import_next_pubkey_blob(ssh_session session,
+                                   ssh_string pubkey_blob);

 ssh_key ssh_dh_get_current_server_publickey(ssh_session session);
 int ssh_dh_get_current_server_publickey_blob(ssh_session session,
@@ -52,10 +64,12 @@ ssh_key ssh_dh_get_next_server_publickey(ssh_session session);
 int ssh_dh_get_next_server_publickey_blob(ssh_session session,
                                          ssh_string *pubkey_blob);

-int ssh_make_sessionid(ssh_session session);
-/* add data for the final cookie */
-int ssh_hashbufin_add_cookie(ssh_session session, unsigned char *cookie);
-int ssh_hashbufout_add_cookie(ssh_session session);
-int ssh_generate_session_keys(ssh_session session);
+int ssh_client_dh_init(ssh_session session);
+#ifdef WITH_SERVER
+void ssh_server_dh_init(ssh_session session);
+#endif /* WITH_SERVER */
+int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet);
+int ssh_fallback_group(uint32_t pmax, bignum *p, bignum *g);
+bool ssh_dh_is_known_group(bignum modulus, bignum generator);

 #endif /* DH_H_ */
--- a/include/libssh/ecdh.h
+++ b/include/libssh/ecdh.h
@@ -22,6 +22,7 @@
 #define ECDH_H_

 #include "config.h"
+#include "libssh/callbacks.h"

 #ifdef HAVE_LIBCRYPTO
 #ifdef HAVE_OPENSSL_ECDH_H
@@ -41,15 +42,15 @@
 #define HAVE_ECDH 1
 #endif

-/* Common functions.  */
-int ssh_client_ecdh_reply(ssh_session session, ssh_buffer packet);
-
+extern struct ssh_packet_callbacks_struct ssh_ecdh_client_callbacks;
 /* Backend-specific functions.  */
 int ssh_client_ecdh_init(ssh_session session);
 int ecdh_build_k(ssh_session session);

 #ifdef WITH_SERVER
-int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet);
+extern struct ssh_packet_callbacks_struct ssh_ecdh_server_callbacks;
+void ssh_server_ecdh_init(ssh_session session);
+SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init);
 #endif /* WITH_SERVER */

 #endif /* ECDH_H_ */
--- a/include/libssh/ed25519.h
+++ b/include/libssh/ed25519.h
@@ -56,8 +56,8 @@ int crypto_sign_ed25519_keypair(ed25519_pubkey pk, ed25519_privkey sk);
 * @return    0 on success.
 */
 int crypto_sign_ed25519(
-    unsigned char *sm,unsigned long long *smlen,
-    const unsigned char *m,unsigned long long mlen,
+    unsigned char *sm, uint64_t *smlen,
+    const unsigned char *m, uint64_t mlen,
    const ed25519_privkey sk);

 /** @internal
@@ -71,8 +71,8 @@ int crypto_sign_ed25519(
 * @returns   0 on success (supposedly).
 */
 int crypto_sign_ed25519_open(
-    unsigned char *m,unsigned long long *mlen,
-    const unsigned char *sm,unsigned long long smlen,
+    unsigned char *m, uint64_t *mlen,
+    const unsigned char *sm, uint64_t smlen,
    const ed25519_pubkey pk);

 /** @} */
--- a/include/libssh/fe25519.h
+++ b/include/libssh/fe25519.h
@@ -39,7 +39,7 @@ void fe25519_unpack(fe25519 *r, const unsigned char x[32]);

 void fe25519_pack(unsigned char r[32], const fe25519 *x);

-int fe25519_iszero(const fe25519 *x);
+uint32_t fe25519_iszero(const fe25519 *x);

 int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y);

--- a/include/libssh/kex.h
+++ b/include/libssh/kex.h
@@ -39,12 +39,21 @@ int ssh_set_client_kex(ssh_session session);
 int ssh_kex_select_methods(ssh_session session);
 int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
 char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
+char *ssh_keep_fips_algos(enum ssh_kex_types_e algo, const char *list);
 char **ssh_space_tokenize(const char *chain);
 int ssh_get_kex1(ssh_session session);
 char *ssh_find_matching(const char *in_d, const char *what_d);
 const char *ssh_kex_get_supported_method(uint32_t algo);
 const char *ssh_kex_get_default_methods(uint32_t algo);
+const char *ssh_kex_get_fips_methods(uint32_t algo);
 const char *ssh_kex_get_description(uint32_t algo);
 char *ssh_client_select_hostkeys(ssh_session session);
+int ssh_send_rekex(ssh_session session);
+int server_set_kex(ssh_session session);
+int ssh_make_sessionid(ssh_session session);
+/* add data for the final cookie */
+int ssh_hashbufin_add_cookie(ssh_session session, unsigned char *cookie);
+int ssh_hashbufout_add_cookie(ssh_session session);
+int ssh_generate_session_keys(ssh_session session);

 #endif /* KEX_H_ */
--- a/include/libssh/keys.h
+++ b/include/libssh/keys.h
@@ -28,13 +28,13 @@
 struct ssh_public_key_struct {
    int type;
    const char *type_c; /* Don't free it ! it is static */
-#ifdef HAVE_LIBGCRYPT
+#if defined(HAVE_LIBGCRYPT)
    gcry_sexp_t dsa_pub;
    gcry_sexp_t rsa_pub;
-#elif HAVE_LIBCRYPTO
+#elif defined(HAVE_LIBCRYPTO)
    DSA *dsa_pub;
    RSA *rsa_pub;
-#elif HAVE_LIBMBEDCRYPTO
+#elif defined(HAVE_LIBMBEDCRYPTO)
    mbedtls_pk_context *rsa_pub;
    void *dsa_pub;
 #endif
@@ -42,13 +42,13 @@ struct ssh_public_key_struct {

 struct ssh_private_key_struct {
    int type;
-#ifdef HAVE_LIBGCRYPT
+#if defined(HAVE_LIBGCRYPT)
    gcry_sexp_t dsa_priv;
    gcry_sexp_t rsa_priv;
-#elif defined HAVE_LIBCRYPTO
+#elif defined(HAVE_LIBCRYPTO)
    DSA *dsa_priv;
    RSA *rsa_priv;
-#elif HAVE_LIBMBEDCRYPTO
+#elif defined(HAVE_LIBMBEDCRYPTO)
    mbedtls_pk_context *rsa_priv;
    void *dsa_priv;
 #endif
--- a/include/libssh/knownhosts.h
+++ b/include/libssh/knownhosts.h
@@ -23,6 +23,7 @@
 #define SSH_KNOWNHOSTS_H_

 struct ssh_list *ssh_known_hosts_get_algorithms(ssh_session session);
+char *ssh_known_hosts_get_algorithms_names(ssh_session session);
 enum ssh_known_hosts_e
 ssh_session_get_known_hosts_entry_file(ssh_session session,
                                       const char *filename,
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -31,6 +31,7 @@
 #include <openssl/md5.h>
 #include <openssl/hmac.h>
 #include <openssl/evp.h>
+#include <openssl/crypto.h>

 typedef EVP_MD_CTX* SHACTX;
 typedef EVP_MD_CTX* SHA256CTX;
@@ -64,6 +65,7 @@ typedef void *EVPCTX;
 #define BROKEN_AES_CTR
 #endif
 typedef BIGNUM*  bignum;
+typedef const BIGNUM* const_bignum;
 typedef BN_CTX* bignum_CTX;

 #define bignum_new() BN_new()
@@ -74,19 +76,47 @@ typedef BN_CTX* bignum_CTX;
    } \
    } while(0)
 #define bignum_set_word(bn,n) BN_set_word(bn,n)
-#define bignum_bin2bn(bn,datalen,data) BN_bin2bn(bn,datalen,data)
+#define bignum_bin2bn(data, datalen, dest)   \
+    do {                                     \
+        (*dest) = BN_new();                  \
+        if ((*dest) != NULL) {               \
+            BN_bin2bn(data,datalen,(*dest)); \
+        }                                    \
+    } while(0)
 #define bignum_bn2dec(num) BN_bn2dec(num)
-#define bignum_dec2bn(bn,data) BN_dec2bn(data,bn)
-#define bignum_bn2hex(num) BN_bn2hex(num)
+#define bignum_dec2bn(data, bn) BN_dec2bn(bn, data)
+#define bignum_hex2bn(data, bn) BN_hex2bn(bn, data)
+#define bignum_bn2hex(num, dest) (*dest)=(unsigned char *)BN_bn2hex(num)
 #define bignum_rand(rnd, bits) BN_rand(rnd, bits, 0, 1)
+#define bignum_rand_range(rnd, max) BN_rand_range(rnd, max)
 #define bignum_ctx_new() BN_CTX_new()
 #define bignum_ctx_free(num) BN_CTX_free(num)
+#define bignum_ctx_invalid(ctx) ((ctx) == NULL)
 #define bignum_mod_exp(dest,generator,exp,modulo,ctx) BN_mod_exp(dest,generator,exp,modulo,ctx)
-#define bignum_num_bytes(num) BN_num_bytes(num)
-#define bignum_num_bits(num) BN_num_bits(num)
-#define bignum_is_bit_set(num,bit) BN_is_bit_set(num,bit)
-#define bignum_bn2bin(num,ptr) BN_bn2bin(num,ptr)
+#define bignum_add(dest, a, b) BN_add(dest, a, b)
+#define bignum_sub(dest, a, b) BN_sub(dest, a, b)
+#define bignum_mod(dest, a, b, ctx) BN_mod(dest, a, b, ctx)
+#define bignum_num_bytes(num) (size_t)BN_num_bytes(num)
+#define bignum_num_bits(num) (size_t)BN_num_bits(num)
+#define bignum_is_bit_set(num,bit) BN_is_bit_set(num, (int)bit)
+#define bignum_bn2bin(num,len, ptr) BN_bn2bin(num, ptr)
 #define bignum_cmp(num1,num2) BN_cmp(num1,num2)
+#define bignum_rshift1(dest, src) BN_rshift1(dest, src)
+#define bignum_dup(orig, dest) do { \
+        if (*(dest) == NULL) { \
+            *(dest) = BN_dup(orig); \
+        } else { \
+            BN_copy(*(dest), orig); \
+        } \
+    } while(0)
+
+
+/* Returns true if the OpenSSL is operating in FIPS mode */
+#ifdef HAVE_OPENSSL_FIPS_MODE
+#define ssh_fips_mode() (FIPS_mode() != 0)
+#else
+#define ssh_fips_mode() false
+#endif

 #endif /* HAVE_LIBCRYPTO */

--- a/include/libssh/libgcrypt.h
+++ b/include/libssh/libgcrypt.h
@@ -50,6 +50,8 @@ typedef gcry_md_hd_t EVPCTX;
 #define EVP_DIGEST_LEN EVP_MAX_MD_SIZE

 typedef gcry_mpi_t bignum;
+typedef const struct gcry_mpi *const_bignum;
+typedef void* bignum_CTX;

 /* Constants for curves.  */
 #define NID_gcrypt_nistp256 0
@@ -59,6 +61,7 @@ typedef gcry_mpi_t bignum;
 /* missing gcrypt functions */
 int ssh_gcry_dec2bn(bignum *bn, const char *data);
 char *ssh_gcry_bn2dec(bignum bn);
+int ssh_gcry_rand_range(bignum rnd, bignum max);

 #define bignum_new() gcry_mpi_new(0)
 #define bignum_safe_free(num) do { \
@@ -67,20 +70,38 @@ char *ssh_gcry_bn2dec(bignum bn);
        (num)=NULL; \
    } \
    } while (0)
-#define bignum_set_word(bn,n) gcry_mpi_set_ui(bn,n)
-#define bignum_bin2bn(bn,datalen,data) gcry_mpi_scan(data,GCRYMPI_FMT_USG,bn,datalen,NULL)
+#define bignum_free(num) gcry_mpi_release(num)
+#define bignum_ctx_new() NULL
+#define bignum_ctx_free(ctx) do {(ctx) = NULL;} while(0)
+#define bignum_ctx_invalid(ctx) (ctx != NULL)
+#define bignum_set_word(bn,n) (gcry_mpi_set_ui(bn,n)!=NULL ? 1 : 0)
+#define bignum_bin2bn(data,datalen,dest) gcry_mpi_scan(dest,GCRYMPI_FMT_USG,data,datalen,NULL)
 #define bignum_bn2dec(num) ssh_gcry_bn2dec(num)
 #define bignum_dec2bn(num, data) ssh_gcry_dec2bn(data, num)
-#define bignum_bn2hex(num,data) gcry_mpi_aprint(GCRYMPI_FMT_HEX,data,NULL,num)
-#define bignum_hex2bn(num,datalen,data) gcry_mpi_scan(num,GCRYMPI_FMT_HEX,data,datalen,NULL)
-#define bignum_rand(num,bits) gcry_mpi_randomize(num,bits,GCRY_STRONG_RANDOM),gcry_mpi_set_bit(num,bits-1),gcry_mpi_set_bit(num,0)
-#define bignum_mod_exp(dest,generator,exp,modulo) gcry_mpi_powm(dest,generator,exp,modulo)
+
+#define bignum_bn2hex(num, data) \
+    gcry_mpi_aprint(GCRYMPI_FMT_HEX, data, NULL, (const gcry_mpi_t)num)
+
+#define bignum_hex2bn(data, num) (gcry_mpi_scan(num,GCRYMPI_FMT_HEX,data,0,NULL)==0?1:0)
+#define bignum_rand(num,bits) 1,gcry_mpi_randomize(num,bits,GCRY_STRONG_RANDOM),gcry_mpi_set_bit(num,bits-1),gcry_mpi_set_bit(num,0)
+#define bignum_mod_exp(dest,generator,exp,modulo, ctx) 1,gcry_mpi_powm(dest,generator,exp,modulo)
 #define bignum_num_bits(num) gcry_mpi_get_nbits(num)
 #define bignum_num_bytes(num) ((gcry_mpi_get_nbits(num)+7)/8)
 #define bignum_is_bit_set(num,bit) gcry_mpi_test_bit(num,bit)
 #define bignum_bn2bin(num,datalen,data) gcry_mpi_print(GCRYMPI_FMT_USG,data,datalen,NULL,num)
 #define bignum_cmp(num1,num2) gcry_mpi_cmp(num1,num2)
-
+#define bignum_rshift1(dest, src) gcry_mpi_rshift (dest, src, 1)
+#define bignum_add(dst, a, b) gcry_mpi_add(dst, a, b)
+#define bignum_sub(dst, a, b) gcry_mpi_sub(dst, a, b)
+#define bignum_mod(dst, a, b, ctx) 1,gcry_mpi_mod(dst, a, b)
+#define bignum_rand_range(rnd, max) ssh_gcry_rand_range(rnd, max);
+#define bignum_dup(orig, dest) do { \
+        if (*(dest) == NULL) { \
+            *(dest) = gcry_mpi_copy(orig); \
+        } else { \
+            gcry_mpi_set(*(dest), orig); \
+        } \
+    } while(0)
 /* Helper functions for data conversions.  */

 /* Extract an MPI from the given s-expression SEXP named NAME which is
@@ -91,6 +112,8 @@ ssh_string ssh_sexp_extract_mpi(const gcry_sexp_t sexp,
                                enum gcry_mpi_format informat,
                                enum gcry_mpi_format outformat);

+#define ssh_fips_mode() false
+
 #endif /* HAVE_LIBGCRYPT */

 #endif /* LIBGCRYPT_H_ */
--- a/include/libssh/libmbedcrypto.h
+++ b/include/libssh/libmbedcrypto.h
@@ -60,6 +60,8 @@ typedef mbedtls_md_context_t *EVPCTX;
 #define EVP_DIGEST_LEN EVP_MAX_MD_SIZE

 typedef mbedtls_mpi *bignum;
+typedef const mbedtls_mpi *const_bignum;
+typedef void* bignum_CTX;

 /* Constants for curves */
 #define NID_mbedtls_nistp256 0
@@ -73,9 +75,11 @@ struct mbedtls_ecdsa_sig {

 bignum ssh_mbedcry_bn_new(void);
 void ssh_mbedcry_bn_free(bignum num);
-char *ssh_mbedcry_bn2num(bignum num, int radix);
+unsigned char *ssh_mbedcry_bn2num(const_bignum num, int radix);
 int ssh_mbedcry_rand(bignum rnd, int bits, int top, int bottom);
 int ssh_mbedcry_is_bit_set(bignum num, size_t pos);
+int ssh_mbedcry_rand_range(bignum dest, bignum max);
+int ssh_mbedcry_hex2bn(bignum *dest, char *data);

 #define bignum_new() ssh_mbedcry_bn_new()
 #define bignum_safe_free(num) do { \
@@ -84,22 +88,44 @@ int ssh_mbedcry_is_bit_set(bignum num, size_t pos);
        (num)=NULL; \
    } \
    } while(0)
-#define bignum_set_word(bn, n) mbedtls_mpi_lset(bn, n) /* TODO fix
+#define bignum_ctx_new() NULL
+#define bignum_ctx_free(num) do {(num) = NULL;} while(0)
+#define bignum_ctx_invalid(ctx) (ctx == NULL?0:1)
+#define bignum_set_word(bn, n) (mbedtls_mpi_lset(bn, n)==0?1:0) /* TODO fix
                                                          overflow/underflow */
-#define bignum_bin2bn(data, datalen, bn) mbedtls_mpi_read_binary(bn, data, \
-        datalen)
+#define bignum_bin2bn(data, datalen, bn) do { \
+    *(bn) = bignum_new(); \
+    if (*(bn) != NULL) { \
+        mbedtls_mpi_read_binary(*(bn), data, datalen); \
+    } \
+    } while(0)
 #define bignum_bn2dec(num) ssh_mbedcry_bn2num(num, 10)
 #define bignum_dec2bn(data, bn) mbedtls_mpi_read_string(bn, 10, data)
-#define bignum_bn2hex(num) ssh_mbedcry_bn2num(num, 16)
+#define bignum_bn2hex(num, dest) (*dest)=ssh_mbedcry_bn2num(num, 16)
+#define bignum_hex2bn(data, dest) ssh_mbedcry_hex2bn(dest, data)
 #define bignum_rand(rnd, bits) ssh_mbedcry_rand((rnd), (bits), 0, 1)
+#define bignum_rand_range(rnd, max) ssh_mbedcry_rand_range(rnd, max)
 #define bignum_mod_exp(dest, generator, exp, modulo, ctx) \
-        mbedtls_mpi_exp_mod(dest, generator, exp, modulo, NULL)
+        (mbedtls_mpi_exp_mod(dest, generator, exp, modulo, NULL)==0?1:0)
+#define bignum_add(dest, a, b) mbedtls_mpi_add_mpi(dest, a, b)
+#define bignum_sub(dest, a, b) mbedtls_mpi_sub_mpi(dest, a, b)
+#define bignum_mod(dest, a, b, ctx) \
+    (mbedtls_mpi_mod_mpi(dest, a, b) == 0 ? 1 : 0)
 #define bignum_num_bytes(num) mbedtls_mpi_size(num)
 #define bignum_num_bits(num) mbedtls_mpi_bitlen(num)
 #define bignum_is_bit_set(num, bit) ssh_mbedcry_is_bit_set(num, bit)
-#define bignum_bn2bin(num, ptr) mbedtls_mpi_write_binary(num, ptr, \
+#define bignum_bn2bin(num, len, ptr) mbedtls_mpi_write_binary(num, ptr, \
        mbedtls_mpi_size(num))
 #define bignum_cmp(num1, num2) mbedtls_mpi_cmp_mpi(num1, num2)
+#define bignum_rshift1(dest, src) mbedtls_mpi_copy(dest, src), mbedtls_mpi_shift_r(dest, 1)
+#define bignum_dup(orig, dest) do { \
+    if (*(dest) == NULL) { \
+        *(dest) = bignum_new(); \
+    } \
+    if (*(dest) != NULL) { \
+        mbedtls_mpi_copy(orig, *(dest)); \
+    } \
+    } while(0)

 mbedtls_ctr_drbg_context *ssh_get_mbedtls_ctr_drbg_context(void);

@@ -108,5 +134,7 @@ int ssh_mbedtls_random(void *where, int len, int strong);
 ssh_string make_ecpoint_string(const mbedtls_ecp_group *g, const
        mbedtls_ecp_point *p);

+#define ssh_fips_mode() false
+
 #endif /* HAVE_LIBMBEDCRYPTO */
 #endif /* LIBMBEDCRYPTO_H_ */
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -1,7 +1,7 @@
 /*
 * This file is part of the SSH Library
 *
- * Copyright (c) 2003-2009 by Aris Adamantiadis
+ * Copyright (c) 2003-2021 by Aris Adamantiadis and the libssh team
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
@@ -21,6 +21,8 @@
 #ifndef _LIBSSH_H
 #define _LIBSSH_H

+#include <libssh/libssh_version.h>
+
 #if defined _WIN32 || defined __CYGWIN__
  #ifdef LIBSSH_STATIC
    #define LIBSSH_API
@@ -71,23 +73,6 @@
 #define SSH_STRINGIFY(s) SSH_TOSTRING(s)
 #define SSH_TOSTRING(s) #s

-/* libssh version macros */
-#define SSH_VERSION_INT(a, b, c) ((a) << 16 | (b) << 8 | (c))
-#define SSH_VERSION_DOT(a, b, c) a ##.## b ##.## c
-#define SSH_VERSION(a, b, c) SSH_VERSION_DOT(a, b, c)
-
-/* libssh version */
-#define LIBSSH_VERSION_MAJOR  0
-#define LIBSSH_VERSION_MINOR  8
-#define LIBSSH_VERSION_MICRO  8
-
-#define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
-                                           LIBSSH_VERSION_MINOR, \
-                                           LIBSSH_VERSION_MICRO)
-#define LIBSSH_VERSION     SSH_VERSION(LIBSSH_VERSION_MAJOR, \
-                                       LIBSSH_VERSION_MINOR, \
-                                       LIBSSH_VERSION_MICRO)
-
 /* GCC have printf type attribute check.  */
 #ifdef __GNUC__
 #define PRINTF_ATTRIBUTE(a,b) __attribute__ ((__format__ (__printf__, a, b)))
@@ -168,13 +153,13 @@ enum ssh_auth_e {
 };

 /* auth flags */
-#define SSH_AUTH_METHOD_UNKNOWN 0
-#define SSH_AUTH_METHOD_NONE 0x0001
-#define SSH_AUTH_METHOD_PASSWORD 0x0002
-#define SSH_AUTH_METHOD_PUBLICKEY 0x0004
-#define SSH_AUTH_METHOD_HOSTBASED 0x0008
-#define SSH_AUTH_METHOD_INTERACTIVE 0x0010
-#define SSH_AUTH_METHOD_GSSAPI_MIC 0x0020
+#define SSH_AUTH_METHOD_UNKNOWN     0x0000u
+#define SSH_AUTH_METHOD_NONE        0x0001u
+#define SSH_AUTH_METHOD_PASSWORD    0x0002u
+#define SSH_AUTH_METHOD_PUBLICKEY   0x0004u
+#define SSH_AUTH_METHOD_HOSTBASED   0x0008u
+#define SSH_AUTH_METHOD_INTERACTIVE 0x0010u
+#define SSH_AUTH_METHOD_GSSAPI_MIC  0x0020u

 /* messages */
 enum ssh_requests_e {
@@ -293,10 +278,17 @@ enum ssh_keytypes_e{
  SSH_KEYTYPE_DSS=1,
  SSH_KEYTYPE_RSA,
  SSH_KEYTYPE_RSA1,
-  SSH_KEYTYPE_ECDSA,
+  SSH_KEYTYPE_ECDSA, /* deprecated */
  SSH_KEYTYPE_ED25519,
  SSH_KEYTYPE_DSS_CERT01,
-  SSH_KEYTYPE_RSA_CERT01
+  SSH_KEYTYPE_RSA_CERT01,
+  SSH_KEYTYPE_ECDSA_P256,
+  SSH_KEYTYPE_ECDSA_P384,
+  SSH_KEYTYPE_ECDSA_P521,
+  SSH_KEYTYPE_ECDSA_P256_CERT01,
+  SSH_KEYTYPE_ECDSA_P384_CERT01,
+  SSH_KEYTYPE_ECDSA_P521_CERT01,
+  SSH_KEYTYPE_ED25519_CERT01,
 };

 enum ssh_keycmp_e {
@@ -405,6 +397,9 @@ enum ssh_options_e {
  SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
  SSH_OPTIONS_NODELAY,
  SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+  SSH_OPTIONS_PROCESS_CONFIG,
+  SSH_OPTIONS_REKEY_DATA,
+  SSH_OPTIONS_REKEY_TIME,
 };

 enum {
@@ -431,6 +426,7 @@ enum ssh_scp_request_types {
 enum ssh_connector_flags_e {
    /** Only the standard stream of the channel */
    SSH_CONNECTOR_STDOUT = 1,
+    SSH_CONNECTOR_STDINOUT = 1,
    /** Only the exception stream of the channel */
    SSH_CONNECTOR_STDERR = 2,
    /** Merge both standard and exception streams */
@@ -451,6 +447,8 @@ LIBSSH_API ssh_channel ssh_channel_new(ssh_session session);
 LIBSSH_API int ssh_channel_open_auth_agent(ssh_channel channel);
 LIBSSH_API int ssh_channel_open_forward(ssh_channel channel, const char *remotehost,
    int remoteport, const char *sourcehost, int localport);
+LIBSSH_API int ssh_channel_open_forward_unix(ssh_channel channel, const char *remotepath,
+    const char *sourcehost, int localport);
 LIBSSH_API int ssh_channel_open_session(ssh_channel channel);
 LIBSSH_API int ssh_channel_open_x11(ssh_channel channel, const char *orig_addr, int orig_port);
 LIBSSH_API int ssh_channel_poll(ssh_channel channel, int is_stderr);
@@ -543,6 +541,11 @@ SSH_DEPRECATED LIBSSH_API ssh_channel ssh_forward_accept(ssh_session session, in
 SSH_DEPRECATED LIBSSH_API int ssh_forward_cancel(ssh_session session, const char *address, int port);
 SSH_DEPRECATED LIBSSH_API int ssh_forward_listen(ssh_session session, const char *address, int port, int *bound_port);
 SSH_DEPRECATED LIBSSH_API int ssh_get_publickey(ssh_session session, ssh_key *key);
+SSH_DEPRECATED LIBSSH_API int ssh_write_knownhost(ssh_session session);
+SSH_DEPRECATED LIBSSH_API char *ssh_dump_knownhost(ssh_session session);
+SSH_DEPRECATED LIBSSH_API int ssh_is_server_known(ssh_session session);
+SSH_DEPRECATED LIBSSH_API void ssh_print_hexa(const char *descr, const unsigned char *what, size_t len);
+


 LIBSSH_API int ssh_get_random(void *where,int len,int strong);
@@ -552,7 +555,6 @@ LIBSSH_API int ssh_get_poll_flags(ssh_session session);
 LIBSSH_API int ssh_init(void);
 LIBSSH_API int ssh_is_blocking(ssh_session session);
 LIBSSH_API int ssh_is_connected(ssh_session session);
-LIBSSH_API int ssh_is_server_known(ssh_session session);

 /* KNOWN HOSTS */
 LIBSSH_API void ssh_knownhosts_entry_free(struct ssh_knownhosts_entry *entry);
@@ -572,9 +574,8 @@ LIBSSH_API int ssh_session_export_known_hosts_entry(ssh_session session,
                                                    char **pentry_string);
 LIBSSH_API int ssh_session_update_known_hosts(ssh_session session);

-LIBSSH_API enum ssh_known_hosts_e
-ssh_session_get_known_hosts_entry(ssh_session session,
-                                  struct ssh_knownhosts_entry **pentry);
+LIBSSH_API enum ssh_known_hosts_e ssh_session_get_known_hosts_entry(ssh_session session,
+        struct ssh_knownhosts_entry **pentry);
 LIBSSH_API enum ssh_known_hosts_e ssh_session_is_known_server(ssh_session session);

 /* LOGGING */
@@ -592,7 +593,10 @@ SSH_DEPRECATED LIBSSH_API void ssh_log(ssh_session session,
                                       const char *format, ...) PRINTF_ATTRIBUTE(3, 4);

 LIBSSH_API ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg);
+LIBSSH_API int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan);
 LIBSSH_API int ssh_message_channel_request_reply_success(ssh_message msg);
+#define SSH_MESSAGE_FREE(x) \
+    do { if ((x) != NULL) { ssh_message_free(x); (x) = NULL; } } while(0)
 LIBSSH_API void ssh_message_free(ssh_message msg);
 LIBSSH_API ssh_message ssh_message_get(ssh_session session);
 LIBSSH_API int ssh_message_subtype(ssh_message msg);
@@ -614,7 +618,13 @@ LIBSSH_API ssh_pcap_file ssh_pcap_file_new(void);
 LIBSSH_API int ssh_pcap_file_open(ssh_pcap_file pcap, const char *filename);

 /**
- * @brief SSH authentication callback.
+ * @addtogroup libssh_auth
+ *
+ * @{
+ */
+
+/**
+ * @brief SSH authentication callback for password and publickey auth.
 *
 * @param prompt        Prompt to be displayed.
 * @param buf           Buffer to save the password. You should null-terminate it.
@@ -629,6 +639,8 @@ LIBSSH_API int ssh_pcap_file_open(ssh_pcap_file pcap, const char *filename);
 typedef int (*ssh_auth_callback) (const char *prompt, char *buf, size_t len,
    int echo, int verify, void *userdata);

+/** @} */
+
 LIBSSH_API ssh_key ssh_key_new(void);
 #define SSH_KEY_FREE(x) \
    do { if ((x) != NULL) { ssh_key_free(x); x = NULL; } } while(0)
@@ -693,7 +705,6 @@ LIBSSH_API char *ssh_get_fingerprint_hash(enum ssh_publickey_hash_type type,
                                          unsigned char *hash,
                                          size_t len);
 LIBSSH_API void ssh_print_hash(enum ssh_publickey_hash_type type, unsigned char *hash, size_t len);
-LIBSSH_API void ssh_print_hexa(const char *descr, const unsigned char *what, size_t len);
 LIBSSH_API int ssh_send_ignore (ssh_session session, const char *data);
 LIBSSH_API int ssh_send_debug (ssh_session session, const char *message, int always_display);
 LIBSSH_API void ssh_gssapi_set_creds(ssh_session session, const ssh_gssapi_creds creds);
@@ -760,8 +771,6 @@ LIBSSH_API int ssh_userauth_kbdint_setanswer(ssh_session session, unsigned int i
    const char *answer);
 LIBSSH_API int ssh_userauth_gssapi(ssh_session session);
 LIBSSH_API const char *ssh_version(int req_version);
-LIBSSH_API int ssh_write_knownhost(ssh_session session);
-LIBSSH_API char *ssh_dump_knownhost(ssh_session session);

 LIBSSH_API void ssh_string_burn(ssh_string str);
 LIBSSH_API ssh_string ssh_string_copy(ssh_string str);
--- a/include/libssh/libssh_version.h.cmake
+++ b/include/libssh/libssh_version.h.cmake
@@ -0,0 +1,41 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2020 by Heiko Thiery
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _LIBSSH_VERSION_H
+#define _LIBSSH_VERSION_H
+
+/* libssh version macros */
+#define SSH_VERSION_INT(a, b, c) ((a) << 16 | (b) << 8 | (c))
+#define SSH_VERSION_DOT(a, b, c) a ##.## b ##.## c
+#define SSH_VERSION(a, b, c) SSH_VERSION_DOT(a, b, c)
+
+/* libssh version */
+#define LIBSSH_VERSION_MAJOR  @libssh_VERSION_MAJOR@
+#define LIBSSH_VERSION_MINOR  @libssh_VERSION_MINOR@
+#define LIBSSH_VERSION_MICRO  @libssh_VERSION_PATCH@
+
+#define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
+                                           LIBSSH_VERSION_MINOR, \
+                                           LIBSSH_VERSION_MICRO)
+#define LIBSSH_VERSION     SSH_VERSION(LIBSSH_VERSION_MAJOR, \
+                                       LIBSSH_VERSION_MINOR, \
+                                       LIBSSH_VERSION_MICRO)
+
+#endif /* _LIBSSH_VERSION_H */
--- a/include/libssh/libsshpp.hpp
+++ b/include/libssh/libsshpp.hpp
@@ -212,7 +212,7 @@ public:
   * @see ssh_userauth_kbdint
   */
  int userauthKbdint(const char* username, const char* submethods){
-    int ret=ssh_userauth_kbdint(c_session,NULL,NULL);
+    int ret = ssh_userauth_kbdint(c_session, username, submethods);
    ssh_throw(ret);
    return ret;
  }
@@ -407,7 +407,7 @@ public:
   * @see ssh_write_knownhost
   */
  int writeKnownhost(){
-    int ret = ssh_write_knownhost(c_session);
+    int ret = ssh_session_update_known_hosts(c_session);
    ssh_throw(ret);
    return ret;
  }
--- a/include/libssh/messages.h
+++ b/include/libssh/messages.h
@@ -28,7 +28,7 @@ struct ssh_auth_request {
    int method;
    char *password;
    struct ssh_key_struct *pubkey;
-    char signature_state;
+    enum ssh_publickey_state_e signature_state;
    char kbdint_response;
 };

@@ -101,8 +101,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request);

 int ssh_message_handle_channel_request(ssh_session session, ssh_channel channel, ssh_buffer packet,
    const char *request, uint8_t want_reply);
-void ssh_message_queue(ssh_session session, ssh_message message);
 ssh_message ssh_message_pop_head(ssh_session session);
-int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan);

 #endif /* MESSAGES_H_ */
--- a/include/libssh/misc.h
+++ b/include/libssh/misc.h
@@ -26,6 +26,7 @@
 char *ssh_get_user_home_dir(void);
 char *ssh_get_local_username(void);
 int ssh_file_readaccess_ok(const char *file);
+int ssh_dir_writeable(const char *path);

 char *ssh_path_expand_tilde(const char *d);
 char *ssh_path_expand_escape(ssh_session session, const char *s);
@@ -87,6 +88,13 @@ int ssh_timeout_update(struct ssh_timestamp *ts, int timeout);

 int ssh_match_group(const char *group, const char *object);

+void uint64_inc(unsigned char *counter);
+
+void ssh_log_hexdump(const char *descr, const unsigned char *what, size_t len);
+
+int ssh_mkdirs(const char *pathname, mode_t mode);
+
 int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
+int ssh_newline_vis(const char *string, char *buf, size_t buf_len);

 #endif /* MISC_H_ */
--- a/include/libssh/packet.h
+++ b/include/libssh/packet.h
@@ -70,6 +70,7 @@ int ssh_packet_parse_type(ssh_session session);
 int ssh_packet_socket_callback(const void *data, size_t len, void *user);
 void ssh_packet_register_socket_callback(ssh_session session, struct ssh_socket_struct *s);
 void ssh_packet_set_callbacks(ssh_session session, ssh_packet_callbacks callbacks);
+void ssh_packet_remove_callbacks(ssh_session session, ssh_packet_callbacks callbacks);
 void ssh_packet_set_default_callbacks(ssh_session session);
 void ssh_packet_process(ssh_session session, uint8_t type);

@@ -79,8 +80,12 @@ int ssh_packet_decrypt(ssh_session session, uint8_t *destination, uint8_t *sourc
        size_t start, size_t encrypted_size);
 unsigned char *ssh_packet_encrypt(ssh_session session,
                                  void *packet,
-                                  unsigned int len);
-int ssh_packet_hmac_verify(ssh_session session,ssh_buffer buffer,
+                                  uint32_t len);
+int ssh_packet_hmac_verify(ssh_session session, const void *data, size_t len,
                           unsigned char *mac, enum ssh_hmac_e type);
+int ssh_packet_set_newkeys(ssh_session session,
+                           enum ssh_crypto_direction_e direction);
+struct ssh_crypto_struct *ssh_packet_get_current_crypto(ssh_session session,
+        enum ssh_crypto_direction_e direction);

 #endif /* PACKET_H_ */
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -30,7 +30,15 @@
 #endif

 #include "libssh/crypto.h"
+#ifdef HAVE_OPENSSL_ED25519
+/* If using OpenSSL implementation, define the signature lenght which would be
+ * defined in libssh/ed25519.h otherwise */
+#define ED25519_SIG_LEN 64
+#else
 #include "libssh/ed25519.h"
+#endif
+/* This definition is used for both OpenSSL and internal implementations */
+#define ED25519_KEY_LEN 32

 #define MAX_PUBKEY_SIZE 0x100000 /* 1M */
 #define MAX_PRIVKEY_SIZE 0x400000 /* 4M */
@@ -44,25 +52,30 @@ struct ssh_key_struct {
    int flags;
    const char *type_c; /* Don't free it ! it is static */
    int ecdsa_nid;
-#ifdef HAVE_LIBGCRYPT
+#if defined(HAVE_LIBGCRYPT)
    gcry_sexp_t dsa;
    gcry_sexp_t rsa;
    gcry_sexp_t ecdsa;
-#elif HAVE_LIBMBEDCRYPTO
+#elif defined(HAVE_LIBMBEDCRYPTO)
    mbedtls_pk_context *rsa;
    mbedtls_ecdsa_context *ecdsa;
    void *dsa;
-#elif HAVE_LIBCRYPTO
+#elif defined(HAVE_LIBCRYPTO)
    DSA *dsa;
    RSA *rsa;
-#ifdef HAVE_OPENSSL_ECC
+# if defined(HAVE_OPENSSL_ECC)
    EC_KEY *ecdsa;
-#else
+# else
    void *ecdsa;
-#endif /* HAVE_OPENSSL_EC_H */
-#endif
+# endif /* HAVE_OPENSSL_EC_H */
+#endif /* HAVE_LIBGCRYPT */
+#ifdef HAVE_OPENSSL_ED25519
+    uint8_t *ed25519_pubkey;
+    uint8_t *ed25519_privkey;
+#else
    ed25519_pubkey *ed25519_pubkey;
    ed25519_privkey *ed25519_privkey;
+#endif
    void *cert;
    enum ssh_keytypes_e cert_type;
 };
@@ -71,23 +84,18 @@ struct ssh_signature_struct {
    enum ssh_keytypes_e type;
    enum ssh_digest_e hash_type;
    const char *type_c;
-#ifdef HAVE_LIBGCRYPT
+#if defined(HAVE_LIBGCRYPT)
    gcry_sexp_t dsa_sig;
    gcry_sexp_t rsa_sig;
    gcry_sexp_t ecdsa_sig;
-#elif defined HAVE_LIBCRYPTO
-    DSA_SIG *dsa_sig;
-    ssh_string rsa_sig;
-# ifdef HAVE_OPENSSL_ECC
-    ECDSA_SIG *ecdsa_sig;
-# else
-    void *ecdsa_sig;
-# endif
-#elif defined HAVE_LIBMBEDCRYPTO
+#elif defined(HAVE_LIBMBEDCRYPTO)
    ssh_string rsa_sig;
    struct mbedtls_ecdsa_sig ecdsa_sig;
-#endif
+#endif /* HAVE_LIBGCRYPT */
+#ifndef HAVE_OPENSSL_ED25519
    ed25519_signature *ed25519_sig;
+#endif
+    ssh_string raw_sig;
 };

 typedef struct ssh_signature_struct *ssh_signature;
@@ -100,10 +108,25 @@ const char *
 ssh_key_get_signature_algorithm(ssh_session session,
                                enum ssh_keytypes_e type);
 enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name);
+enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type);
+enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
+                                       enum ssh_keytypes_e type);
+enum ssh_digest_e ssh_key_hash_from_name(const char *name);
+
+#define is_ecdsa_key_type(t) \
+    ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)
+
+#define is_cert_type(kt)\
+      ((kt) == SSH_KEYTYPE_DSS_CERT01 ||\
+       (kt) == SSH_KEYTYPE_RSA_CERT01 ||\
+      ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
+       (kt) <= SSH_KEYTYPE_ED25519_CERT01))

 /* SSH Signature Functions */
 ssh_signature ssh_signature_new(void);
 void ssh_signature_free(ssh_signature sign);
+#define SSH_SIGNATURE_FREE(x) \
+    do { ssh_signature_free(x); x = NULL; } while(0)

 int ssh_pki_export_signature_blob(const ssh_signature sign,
                                  ssh_string *sign_blob);
@@ -113,7 +136,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
 int ssh_pki_signature_verify(ssh_session session,
                             ssh_signature sig,
                             const ssh_key key,
-                             unsigned char *digest,
+                             const unsigned char *digest,
                             size_t dlen);

 /* SSH Public Key Functions */
@@ -128,12 +151,13 @@ int ssh_pki_import_cert_blob(const ssh_string cert_blob,

 /* SSH Signing Functions */
 ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf,
-    const ssh_key privatekey);
+    const ssh_key privatekey, enum ssh_digest_e hash_type);
 ssh_string ssh_pki_do_sign_agent(ssh_session session,
                                 struct ssh_buffer_struct *buf,
                                 const ssh_key pubkey);
 ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
-                                         const ssh_key privkey);
+                                         const ssh_key privkey,
+                                         const enum ssh_digest_e digest);

 /* Temporary functions, to be removed after migration to ssh_key */
 ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key);
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -61,6 +61,8 @@ int pki_key_compare(const ssh_key k1,
                    const ssh_key k2,
                    enum ssh_keycmp_e what);

+int pki_key_check_hash_compatible(ssh_key key,
+                                  enum ssh_digest_e hash_type);
 /* SSH Private Key Functions */
 enum ssh_keytypes_e pki_privatekey_type_from_string(const char *privkey);
 ssh_key pki_private_key_from_base64(const char *b64_key,
@@ -109,30 +111,29 @@ int pki_privkey_build_ecdsa(ssh_key key,
 ssh_string pki_publickey_to_blob(const ssh_key key);

 /* SSH Signature Functions */
+ssh_signature pki_sign_data(const ssh_key privkey,
+                            enum ssh_digest_e hash_type,
+                            const unsigned char *input,
+                            size_t input_len);
+int pki_verify_data_signature(ssh_signature signature,
+                              const ssh_key pubkey,
+                              const unsigned char *input,
+                              size_t input_len);
 ssh_string pki_signature_to_blob(const ssh_signature sign);
 ssh_signature pki_signature_from_blob(const ssh_key pubkey,
                                      const ssh_string sig_blob,
                                      enum ssh_keytypes_e type,
                                      enum ssh_digest_e hash_type);
-int pki_signature_verify(ssh_session session,
-                         const ssh_signature sig,
-                         const ssh_key key,
-                         const unsigned char *hash,
-                         size_t hlen);

 /* SSH Signing Functions */
-#define pki_do_sign(key, hash, hlen) \
-    pki_do_sign_hash(key, hash, hlen, SSH_DIGEST_AUTO)
+ssh_signature pki_do_sign(const ssh_key privkey,
+                          const unsigned char *input,
+                          size_t input_len,
+                          enum ssh_digest_e hash_type);
 ssh_signature pki_do_sign_hash(const ssh_key privkey,
                               const unsigned char *hash,
                               size_t hlen,
                               enum ssh_digest_e hash_type);
-#define pki_do_sign_sessionid(key, hash, hlen) \
-    pki_do_sign_sessionid_hash(key, hash, hlen, SSH_DIGEST_AUTO)
-ssh_signature pki_do_sign_sessionid_hash(const ssh_key key,
-                                        const unsigned char *hash,
-                                        size_t hlen,
-                                        enum ssh_digest_e hash_type);
 int pki_ed25519_sign(const ssh_key privkey, ssh_signature sig,
        const unsigned char *hash, size_t hlen);
 int pki_ed25519_verify(const ssh_key pubkey, ssh_signature sig,
@@ -142,8 +143,8 @@ int pki_ed25519_key_cmp(const ssh_key k1,
                enum ssh_keycmp_e what);
 int pki_ed25519_key_dup(ssh_key new, const ssh_key key);
 int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key);
-ssh_string pki_ed25519_sig_to_blob(ssh_signature sig);
-int pki_ed25519_sig_from_blob(ssh_signature sig, ssh_string sig_blob);
+ssh_string pki_ed25519_signature_to_blob(ssh_signature sig);
+int pki_signature_from_ed25519_blob(ssh_signature sig, ssh_string sig_blob);
 int pki_privkey_build_ed25519(ssh_key key,
                              ssh_string pubkey,
                              ssh_string privkey);
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -32,6 +32,7 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdbool.h>

 #if !defined(HAVE_STRTOULL)
 # if defined(HAVE___STRTOULL)
@@ -78,6 +79,22 @@ char *strndup(const char *s, size_t n);
 #  endif /* __WORDSIZE */
 # endif /* PRIu64 */

+# ifndef PRIu32
+#  define PRIu32 "u"
+# endif /* PRIu32 */
+
+# ifndef PRIx64
+#  if __WORDSIZE == 64
+#   define PRIx64 "lx"
+#  else
+#   define PRIx64 "llx"
+#  endif /* __WORDSIZE */
+# endif /* PRIx64 */
+
+# ifndef PRIx32
+#  define PRIx32 "x"
+# endif /* PRIx32 */
+
 # ifdef _MSC_VER
 #  include <stdio.h>
 #  include <stdarg.h> /* va_copy define check */
@@ -205,7 +222,17 @@ int gettimeofday(struct timeval *__p, void *__t);
 struct ssh_common_struct;
 struct ssh_kex_struct;

-int ssh_get_key_params(ssh_session session, ssh_key *privkey);
+enum ssh_digest_e {
+    SSH_DIGEST_AUTO=0,
+    SSH_DIGEST_SHA1=1,
+    SSH_DIGEST_SHA256,
+    SSH_DIGEST_SHA384,
+    SSH_DIGEST_SHA512,
+};
+
+int ssh_get_key_params(ssh_session session,
+                       ssh_key *privkey,
+                       enum ssh_digest_e *digest);

 /* LOGGING */
 void ssh_log_function(int verbosity,
@@ -256,14 +283,12 @@ int ssh_auth_reply_success(ssh_session session, int partial);
 int ssh_send_banner(ssh_session session, int is_server);

 /* connect.c */
-socket_t ssh_connect_host(ssh_session session, const char *host,const char
-        *bind_addr, int port, long timeout, long usec);
 socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host,
 		const char *bind_addr, int port);

 /* in base64.c */
 ssh_buffer base64_to_bin(const char *source);
-unsigned char *bin_to_base64(const unsigned char *source, int len);
+uint8_t *bin_to_base64(const uint8_t *source, size_t len);

 /* gzip.c */
 int compress_buffer(ssh_session session,ssh_buffer buf);
@@ -324,7 +349,6 @@ void explicit_bzero(void *s, size_t n);
 /**
 * Get the argument cound of variadic arguments
 */
-#ifdef HAVE_GCC_NARG_MACRO
 /*
 * Since MSVC 2010 there is a bug in passing __VA_ARGS__ to subsequent
 * macros as a single token, which results in:
@@ -334,7 +358,7 @@ void explicit_bzero(void *s, size_t n);
 #define VA_APPLY_VARIADIC_MACRO(macro, tuple) macro tuple

 #define __VA_NARG__(...) \
-        (__VA_NARG_(_0, ## __VA_ARGS__, __RSEQ_N()) - 1)
+        (__VA_NARG_(__VA_ARGS__, __RSEQ_N()))
 #define __VA_NARG_(...) \
        VA_APPLY_VARIADIC_MACRO(__VA_ARG_N, (__VA_ARGS__))
 #define __VA_ARG_N( \
@@ -353,10 +377,6 @@ void explicit_bzero(void *s, size_t n);
        29, 28, 27, 26, 25, 24, 23, 22, 21, 20, \
        19, 18, 17, 16, 15, 14, 13, 12, 11, 10, \
         9,  8,  7,  6,  5,  4,  3,  2,  1,  0
-#else
-/* clang does not support the above construction */
-#define __VA_NARG__(...) (-1)
-#endif

 #define CLOSE_SOCKET(s) do { if ((s) != SSH_INVALID_SOCKET) { _XCLOSESOCKET(s); (s) = SSH_INVALID_SOCKET;} } while(0)

@@ -386,6 +406,24 @@ void explicit_bzero(void *s, size_t n);
 # endif /* HAVE_FALLTHROUGH_ATTRIBUTE */
 #endif /* FALL_THROUGH */

+#ifndef __attr_unused__
+# ifdef HAVE_UNUSED_ATTRIBUTE
+#  define __attr_unused__ __attribute__((unused))
+# else /* HAVE_UNUSED_ATTRIBUTE */
+#  define __attr_unused__
+# endif /* HAVE_UNUSED_ATTRIBUTE */
+#endif /* __attr_unused__ */
+
+#ifndef UNUSED_PARAM
+#define UNUSED_PARAM(param) param __attr_unused__
+#endif /* UNUSED_PARAM */
+
+#ifndef UNUSED_VAR
+#define UNUSED_VAR(var) __attr_unused__ var
+#endif /* UNUSED_VAR */
+
 void ssh_agent_state_free(void *data);

+bool is_ssh_initialized(void);
+
 #endif /* _LIBSSH_PRIV_H */
--- a/include/libssh/server.h
+++ b/include/libssh/server.h
@@ -46,7 +46,16 @@ enum ssh_bind_options_e {
  SSH_BIND_OPTIONS_LOG_VERBOSITY,
  SSH_BIND_OPTIONS_LOG_VERBOSITY_STR,
  SSH_BIND_OPTIONS_ECDSAKEY,
-  SSH_BIND_OPTIONS_IMPORT_KEY
+  SSH_BIND_OPTIONS_IMPORT_KEY,
+  SSH_BIND_OPTIONS_KEY_EXCHANGE,
+  SSH_BIND_OPTIONS_CIPHERS_C_S,
+  SSH_BIND_OPTIONS_CIPHERS_S_C,
+  SSH_BIND_OPTIONS_HMAC_C_S,
+  SSH_BIND_OPTIONS_HMAC_S_C,
+  SSH_BIND_OPTIONS_CONFIG_DIR,
+  SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
+  SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
+  SSH_BIND_OPTIONS_PROCESS_CONFIG,
 };

 typedef struct ssh_bind_struct* ssh_bind;
@@ -85,6 +94,9 @@ LIBSSH_API ssh_bind ssh_bind_new(void);
 LIBSSH_API int ssh_bind_options_set(ssh_bind sshbind,
    enum ssh_bind_options_e type, const void *value);

+LIBSSH_API int ssh_bind_options_parse_config(ssh_bind sshbind,
+    const char *filename);
+
 /**
 * @brief Start listening to the socket.
 *
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -20,6 +20,8 @@

 #ifndef SESSION_H_
 #define SESSION_H_
+#include <stdbool.h>
+
 #include "libssh/priv.h"
 #include "libssh/kex.h"
 #include "libssh/packet.h"
@@ -27,6 +29,8 @@
 #include "libssh/auth.h"
 #include "libssh/channels.h"
 #include "libssh/poll.h"
+#include "libssh/config.h"
+#include "libssh/misc.h"

 /* These are the different states a SSH session can be into its life */
 enum ssh_session_state_e {
@@ -45,6 +49,8 @@ enum ssh_session_state_e {

 enum ssh_dh_state_e {
  DH_STATE_INIT=0,
+  DH_STATE_GROUP_SENT,
+  DH_STATE_REQUEST_SENT,
  DH_STATE_INIT_SENT,
  DH_STATE_NEWKEYS_SENT,
  DH_STATE_FINISHED
@@ -111,6 +117,7 @@ struct ssh_session_struct {
    int openssh;
    uint32_t send_seq;
    uint32_t recv_seq;
+    struct ssh_timestamp last_rekey_time;

    int connected;
    /* !=0 when the user got a session handle */
@@ -131,12 +138,14 @@ struct ssh_session_struct {
    ssh_buffer in_buffer;
    PACKET in_packet;
    ssh_buffer out_buffer;
+    struct ssh_list *out_queue; /* This list is used for delaying packets
+                                   when rekeying is required */

    /* the states are used by the nonblocking stuff to remember */
    /* where it was before being interrupted */
    enum ssh_pending_call_e pending_call_state;
    enum ssh_session_state_e session_state;
-    int packet_state;
+    enum ssh_packet_state_e packet_state;
    enum ssh_dh_state_e dh_handshake_state;
    enum ssh_channel_request_state_e global_req_state;
    struct ssh_agent_state_struct *agent_state;
@@ -179,6 +188,7 @@ struct ssh_session_struct {
        ssh_key ed25519_key;
        /* The type of host key wanted by client */
        enum ssh_keytypes_e hostkey;
+        enum ssh_digest_e hostkey_digest;
    } srv;

    /* auths accepted by server */
@@ -203,7 +213,7 @@ struct ssh_session_struct {
        char *sshdir;
        char *knownhosts;
        char *global_knownhosts;
-        char *wanted_methods[10];
+        char *wanted_methods[SSH_KEX_METHODS];
        char *pubkey_accepted_types;
        char *ProxyCommand;
        char *custombanner;
@@ -218,6 +228,10 @@ struct ssh_session_struct {
        int gss_delegate_creds;
        int flags;
        int nodelay;
+        bool config_processed;
+        uint8_t options_seen[SOC_MAX];
+        uint64_t rekey_data;
+        uint32_t rekey_time;
    } opts;
    /* counters */
    ssh_counter socket_counter;
@@ -231,8 +245,10 @@ struct ssh_session_struct {
 */
 typedef int (*ssh_termination_function)(void *user);
 int ssh_handle_packets(ssh_session session, int timeout);
-int ssh_handle_packets_termination(ssh_session session, int timeout,
-    ssh_termination_function fct, void *user);
+int ssh_handle_packets_termination(ssh_session session,
+                                   long timeout,
+                                   ssh_termination_function fct,
+                                   void *user);
 void ssh_socket_exception_callback(int code, int errno_code, void *user);

 #endif /* SESSION_H_ */
--- a/include/libssh/sftp.h
+++ b/include/libssh/sftp.h
@@ -201,13 +201,18 @@ struct sftp_statvfs_struct {
 };

 /**
- * @brief Start a new sftp session.
+ * @brief Creates a new sftp session.
+ *
+ * This function creates a new sftp session and allocates a new sftp channel
+ * with the server inside of the provided ssh session. This function call is
+ * usually followed by the sftp_init(), which initializes SFTP protocol itself.
 *
 * @param session       The ssh session to use.
 *
 * @return              A new sftp session or NULL on error.
 *
 * @see sftp_free()
+ * @see sftp_init()
 */
 LIBSSH_API sftp_session sftp_new(ssh_session session);

@@ -232,7 +237,10 @@ LIBSSH_API sftp_session sftp_new_channel(ssh_session session, ssh_channel channe
 LIBSSH_API void sftp_free(sftp_session sftp);

 /**
- * @brief Initialize the sftp session with the server.
+ * @brief Initialize the sftp protocol with the server.
+ *
+ * This function involves the SFTP protocol initialization (as described
+ * in the SFTP specification), including the version and extensions negotiation.
 *
 * @param sftp          The sftp session to initialize.
 *
@@ -853,15 +861,15 @@ LIBSSH_API sftp_session sftp_server_new(ssh_session session, ssh_channel chan);
 * @return             0 on success, < 0 on error.
 */
 LIBSSH_API int sftp_server_init(sftp_session sftp);
+
+/**
+ * @brief Close and deallocate a sftp server session.
+ *
+ * @param sftp          The sftp session handle to free.
+ */
+LIBSSH_API void sftp_server_free(sftp_session sftp);
 #endif  /* WITH_SERVER */

-/* this is not a public interface */
-#define SFTP_HANDLES 256
-sftp_packet sftp_packet_read(sftp_session sftp);
-int sftp_packet_write(sftp_session sftp,uint8_t type, ssh_buffer payload);
-void sftp_packet_free(sftp_packet packet);
-int buffer_add_attributes(ssh_buffer buffer, sftp_attributes attr);
-sftp_attributes sftp_parse_attr(sftp_session session, ssh_buffer buf,int expectname);
 /* sftpserver.c */

 LIBSSH_API sftp_client_message sftp_get_client_message(sftp_session sftp);
--- a/include/libssh/sftp_priv.h
+++ b/include/libssh/sftp_priv.h
@@ -1,9 +1,7 @@
 /*
- * crc32.c - simple CRC32 code
- *
 * This file is part of the SSH Library
 *
- * Copyright (c) 2005 by Aris Adamantiadis
+ * Copyright (c) 2003-2008 by Aris Adamantiadis
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
@@ -20,9 +18,15 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

-#ifndef _CRC32_H
-#define _CRC32_H
+#ifndef SFTP_PRIV_H
+#define SFTP_PRIV_H

-uint32_t ssh_crc32(const char *buf, uint32_t len);
+sftp_packet sftp_packet_read(sftp_session sftp);
+ssize_t sftp_packet_write(sftp_session sftp, uint8_t type, ssh_buffer payload);
+void sftp_packet_free(sftp_packet packet);
+int buffer_add_attributes(ssh_buffer buffer, sftp_attributes attr);
+sftp_attributes sftp_parse_attr(sftp_session session,
+                                ssh_buffer buf,
+                                int expectname);

-#endif /* _CRC32_H */
+#endif /* SFTP_PRIV_H */
--- a/include/libssh/socket.h
+++ b/include/libssh/socket.h
@@ -63,6 +63,9 @@ void ssh_socket_set_callbacks(ssh_socket s, ssh_socket_callbacks callbacks);
 int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int revents, void *v_s);
 struct ssh_poll_handle_struct * ssh_socket_get_poll_handle(ssh_socket s);

-int ssh_socket_connect(ssh_socket s, const char *host, int port, const char *bind_addr);
+int ssh_socket_connect(ssh_socket s,
+                       const char *host,
+                       uint16_t port,
+                       const char *bind_addr);

 #endif /* SOCKET_H_ */
--- a/include/libssh/token.h
+++ b/include/libssh/token.h
@@ -0,0 +1,48 @@
+/*
+ * token.h - Tokens list handling
+ *
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2019 by Red Hat, Inc.
+ *
+ * Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#ifndef TOKEN_H_
+#define TOKEN_H_
+
+struct ssh_tokens_st {
+    char *buffer;
+    char **tokens;
+};
+
+struct ssh_tokens_st *ssh_tokenize(const char *chain, char separator);
+
+void ssh_tokens_free(struct ssh_tokens_st *tokens);
+
+char *ssh_find_matching(const char *available_d,
+                        const char *preferred_d);
+
+char *ssh_find_all_matching(const char *available_d,
+                            const char *preferred_d);
+
+char *ssh_remove_duplicates(const char *list);
+
+char *ssh_append_without_duplicates(const char *list,
+                                    const char *appended_list);
+#endif /* TOKEN_H_ */
--- a/include/libssh/wrapper.h
+++ b/include/libssh/wrapper.h
@@ -21,24 +21,19 @@
 #ifndef WRAPPER_H_
 #define WRAPPER_H_

+#include <stdbool.h>
+
 #include "config.h"
 #include "libssh/libssh.h"
 #include "libssh/libcrypto.h"
 #include "libssh/libgcrypt.h"
 #include "libssh/libmbedcrypto.h"

-enum ssh_digest_e {
-    SSH_DIGEST_AUTO=0,
-    SSH_DIGEST_SHA1=1,
-    SSH_DIGEST_SHA256,
-    SSH_DIGEST_SHA512
-};
-
-enum ssh_mac_e {
-  SSH_MAC_SHA1=1,
-  SSH_MAC_SHA256,
-  SSH_MAC_SHA384,
-  SSH_MAC_SHA512
+enum ssh_kdf_digest {
+    SSH_KDF_SHA1=1,
+    SSH_KDF_SHA256,
+    SSH_KDF_SHA384,
+    SSH_KDF_SHA512
 };

 enum ssh_hmac_e {
@@ -46,7 +41,8 @@ enum ssh_hmac_e {
  SSH_HMAC_SHA256,
  SSH_HMAC_SHA512,
  SSH_HMAC_MD5,
-  SSH_HMAC_AEAD_POLY1305
+  SSH_HMAC_AEAD_POLY1305,
+  SSH_HMAC_AEAD_GCM
 };

 enum ssh_des_e {
@@ -57,9 +53,17 @@ enum ssh_des_e {
 struct ssh_hmac_struct {
  const char* name;
  enum ssh_hmac_e hmac_type;
+  bool etm;
+};
+
+enum ssh_crypto_direction_e {
+    SSH_DIRECTION_IN = 1,
+    SSH_DIRECTION_OUT = 2,
+    SSH_DIRECTION_BOTH = 3,
 };

 struct ssh_cipher_struct;
+struct ssh_crypto_struct;

 typedef struct ssh_mac_ctx_struct *ssh_mac_ctx;
 MD5CTX md5_init(void);
@@ -69,37 +73,38 @@ void md5_final(unsigned char *md,MD5CTX c);
 SHACTX sha1_init(void);
 void sha1_update(SHACTX c, const void *data, unsigned long len);
 void sha1_final(unsigned char *md,SHACTX c);
-void sha1(unsigned char *digest,int len,unsigned char *hash);
+void sha1(const unsigned char *digest,int len,unsigned char *hash);

 SHA256CTX sha256_init(void);
 void sha256_update(SHA256CTX c, const void *data, unsigned long len);
 void sha256_final(unsigned char *md,SHA256CTX c);
-void sha256(unsigned char *digest, int len, unsigned char *hash);
+void sha256(const unsigned char *digest, int len, unsigned char *hash);

 SHA384CTX sha384_init(void);
 void sha384_update(SHA384CTX c, const void *data, unsigned long len);
 void sha384_final(unsigned char *md,SHA384CTX c);
-void sha384(unsigned char *digest, int len, unsigned char *hash);
+void sha384(const unsigned char *digest, int len, unsigned char *hash);

 SHA512CTX sha512_init(void);
 void sha512_update(SHA512CTX c, const void *data, unsigned long len);
 void sha512_final(unsigned char *md,SHA512CTX c);
-void sha512(unsigned char *digest, int len, unsigned char *hash);
+void sha512(const unsigned char *digest, int len, unsigned char *hash);

 void evp(int nid, unsigned char *digest, int len, unsigned char *hash, unsigned int *hlen);
 EVPCTX evp_init(int nid);
 void evp_update(EVPCTX ctx, const void *data, unsigned long len);
 void evp_final(EVPCTX ctx, unsigned char *md, unsigned int *mdlen);

-ssh_mac_ctx ssh_mac_ctx_init(enum ssh_mac_e type);
-void ssh_mac_update(ssh_mac_ctx ctx, const void *data, unsigned long len);
-void ssh_mac_final(unsigned char *md, ssh_mac_ctx ctx);
-
 HMACCTX hmac_init(const void *key,int len, enum ssh_hmac_e type);
 void hmac_update(HMACCTX c, const void *data, unsigned long len);
 void hmac_final(HMACCTX ctx,unsigned char *hashmacbuf,unsigned int *len);
 size_t hmac_digest_len(enum ssh_hmac_e type);

+int ssh_kdf(struct ssh_crypto_struct *crypto,
+            unsigned char *key, size_t key_len,
+            int key_type, unsigned char *output,
+            size_t requested_len);
+
 int crypt_set_algorithms_client(ssh_session session);
 int crypt_set_algorithms_server(ssh_session session);
 struct ssh_crypto_struct *crypto_new(void);
@@ -112,6 +117,6 @@ void ssh_crypto_finalize(void);
 void ssh_cipher_clear(struct ssh_cipher_struct *cipher);
 struct ssh_hmac_struct *ssh_get_hmactab(void);
 struct ssh_cipher_struct *ssh_get_ciphertab(void);
-const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type);
+const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type, bool etm);

 #endif /* WRAPPER_H_ */
--- a/libssh-config.cmake.in
+++ b/libssh-config.cmake.in
@@ -1,15 +0,0 @@
-@PACKAGE_INIT@
-
-if (EXISTS "${CMAKE_CURRENT_LIST_DIR}/CMakeCache.txt")
-    # In tree build
-    set_and_check(LIBSSH_INCLUDE_DIR "${CMAKE_CURRENT_LIST_DIR}/include")
-    set_and_check(LIBSSH_LIBRARIES "${CMAKE_CURRENT_LIST_DIR}/lib/@LIBSSH_LIBRARY_NAME@")
-else()
-    set_and_check(LIBSSH_INCLUDE_DIR "@PACKAGE_INCLUDE_INSTALL_DIR@")
-    set_and_check(LIBSSH_LIBRARIES "@PACKAGE_LIB_INSTALL_DIR@/@LIBSSH_LIBRARY_NAME@")
-endif()
-
-# For backward compatibility
-set(LIBSSH_LIBRARY ${LIBSSH_LIBRARIES})
-
-mark_as_advanced(LIBSSH_LIBRARIES LIBSSH_LIBRARY LIBSSH_INCLUDE_DIR)
--- a/libssh.pc.cmake
+++ b/libssh.pc.cmake
@@ -1,6 +1,6 @@
 Name: ${PROJECT_NAME}
 Description: The SSH Library
 Version: ${PROJECT_VERSION}
-Libs: -L${LIB_INSTALL_DIR} -lssh
-Cflags: -I${INCLUDE_INSTALL_DIR}
+Libs: -L${CMAKE_INSTALL_FULL_LIBDIR} -lssh
+Cflags: -I${CMAKE_INSTALL_FULL_INCLUDEDIR}

--- a/obj/build_make.sh
+++ b/obj/build_make.sh
@@ -1,200 +0,0 @@
-#!/bin/bash
-#
-# Last Change: 2008-06-18 14:13:46
-#
-# Script to build libssh on UNIX.
-#
-# Copyright (c) 2006-2007 Andreas Schneider <asn@cryptomilk.org>
-#
-
-SOURCE_DIR=".."
-
-LANG=C
-export LANG
-
-SCRIPT="$0"
-COUNT=0
-while [ -L "${SCRIPT}" ]
-do
-	SCRIPT=$(readlink ${SCRIPT})
-	COUNT=$(expr ${COUNT} + 1)
-	if [ ${COUNT} -gt 100 ]; then
-		echo "Too many symbolic links"
-		exit 1
-	fi
-done
-BUILDDIR=$(dirname ${SCRIPT})
-
-cleanup_and_exit () {
-	if test "$1" = 0 -o -z "$1" ; then
-		exit 0
-	else
-		exit $1
-	fi
-}
-
-function configure() {
-	if [ -n "${CMAKEDIR}" ]; then
-		${CMAKEDIR}/bin/cmake "$@" ${SOURCE_DIR} || cleanup_and_exit $?
-	else
-		cmake "$@" ${SOURCE_DIR} || cleanup_and_exit $?
-	fi
-}
-
-function compile() {
-	if [ -f /proc/cpuinfo ]; then
-		CPUCOUNT=$(grep -c processor /proc/cpuinfo)
-	elif test `uname` = "SunOS" ; then
-		CPUCOUNT=$(psrinfo -p)
-	else
-		CPUCOUNT="1"
-	fi
-
-	if [ "${CPUCOUNT}" -gt "1" ]; then
-		${MAKE} -j${CPUCOUNT} $1 || cleanup_and_exit $?
-	else
-		${MAKE} $1 || exit $?
-	fi
-}
-
-function clean_build_dir() {
-	find ! -path "*.svn*" ! -name "*.bat" ! -name "*.sh" ! -name "." -print0 | xargs -0 rm -rf
-}
-
-function usage () {
-echo "Usage: `basename $0` [--prefix /install_prefix|--build [debug|final]|--clean|--verbose|--libsuffix (32|64)|--help|--clang|--cmakedir /directory|--make
-(gmake|make)|--ccompiler(gcc|cc)|--withstaticlib|--unittesting|--clientunittesting|--withserver|--withoutsymbolversioning]"
-    cleanup_and_exit
-}
-
-cd ${BUILDDIR}
-
-# the default CMake options:
-OPTIONS="--graphviz=${BUILDDIR}/libssh.dot"
-
-# the default 'make' utility:
-MAKE="make"
-
-while test -n "$1"; do
-	PARAM="$1"
-	ARG="$2"
-	shift
-	case ${PARAM} in
-		*-*=*)
-		ARG=${PARAM#*=}
-		PARAM=${PARAM%%=*}
-		set -- "----noarg=${PARAM}" "$@"
-	esac
-	case ${PARAM} in
-		*-help|-h)
-			#echo_help
-			usage
-			cleanup_and_exit
-		;;
-		*-build)
-			DOMAKE="1"
-			BUILD_TYPE="${ARG}"
-			test -n "${BUILD_TYPE}" && shift
-		;;
-		*-clean)
-			clean_build_dir
-			cleanup_and_exit
-		;;
-		*-clang)
-			OPTIONS="${OPTIONS} -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++"
-		;;
-		*-verbose)
-			DOVERBOSE="1"
-		;;
-		*-memtest)
-			OPTIONS="${OPTIONS} -DMEM_NULL_TESTS=ON"
-		;;
-		*-libsuffix)
-			OPTIONS="${OPTIONS} -DLIB_SUFFIX=${ARG}"
-			shift
-		;;
-		*-prefix)
-			OPTIONS="${OPTIONS} -DCMAKE_INSTALL_PREFIX=${ARG}"
-			shift
-		;;
-		*-sysconfdir)
-			OPTIONS="${OPTIONS} -DSYSCONF_INSTALL_DIR=${ARG}"
-			shift
-		;;
-		*-cmakedir)
-			CMAKEDIR="${ARG}"
-			shift
-		;;
-		*-make)
-			MAKE="${ARG}"
-			shift
-		;;
-		*-ccompiler)
-			OPTIONS="${OPTIONS} -DCMAKE_C_COMPILER=${ARG}"
-			shift
-		;;
-		*-withstaticlib)
-			OPTIONS="${OPTIONS} -DWITH_STATIC_LIB=ON"
-		;;
-		*-unittesting)
-			OPTIONS="${OPTIONS} -DUNIT_TESTING=ON"
-		;;
-		*-clientunittesting)
-			OPTIONS="${OPTIONS} -DCLIENT_TESTING=ON"
-		;;
-		*-withserver)
-			OPTIONS="${OPTIONS} -DWITH_SERVER=ON"
-		;;
-		*-withoutsymbolversioning)
-			OPTIONS="${OPTIONS} -DWITH_SYMBOL_VERSIONING=OFF"
-		;;
-		*-finalrelease)
-			OPTIONS="${OPTIONS} -DWITH_FINAL=ON"
-		;;
-		----noarg)
-			echo "$ARG does not take an argument"
-			cleanup_and_exit
-		;;
-		-*)
-			echo Unknown Option "$PARAM". Exit.
-			cleanup_and_exit 1
-		;;
-		*)
-			usage
-		;;
-	esac
-done
-
-if [ "${DOMAKE}" == "1" ]; then
-	OPTIONS="${OPTIONS} -DCMAKE_BUILD_TYPE=${BUILD_TYPE}"
-fi
-
-if [ -n "${DOVERBOSE}" ]; then
-	OPTIONS="${OPTIONS} -DCMAKE_VERBOSE_MAKEFILE=1"
-else
-	OPTIONS="${OPTIONS} -DCMAKE_VERBOSE_MAKEFILE=0"
-fi
-
-test -f "${BUILDDIR}/.build.log" && rm -f ${BUILDDIR}/.build.log
-touch ${BUILDDIR}/.build.log
-# log everything from here to .build.log
-exec 1> >(exec -a 'build logging tee' tee -a ${BUILDDIR}/.build.log) 2>&1
-echo "${HOST} started build at $(date)."
-echo
-
-configure ${OPTIONS} "$@"
-
-if [ -n "${DOMAKE}" ]; then
-	test -n "${DOVERBOSE}" && compile VERBOSE=1 || compile
-fi
-
-DOT=$(which dot 2>/dev/null)
-if [ -n "${DOT}" ]; then
-	${DOT} -Tpng -o${BUILDDIR}/libssh.png ${BUILDDIR}/libssh.dot
-	${DOT} -Tsvg -o${BUILDDIR}/libssh.svg ${BUILDDIR}/libssh.dot
-fi
-
-exec >&0 2>&0		# so that the logging tee finishes
-sleep 1			# wait till tee terminates
-
-cleanup_and_exit 0
--- a/src/ABI/current
+++ b/src/ABI/current
@@ -1 +1 @@
-4.7.5
+4.8.7
--- a/src/ABI/libssh-4.8.0.symbols
+++ b/src/ABI/libssh-4.8.0.symbols
@@ -96,6 +96,7 @@ sftp_rmdir
 sftp_seek
 sftp_seek64
 sftp_send_client_message
+sftp_server_free
 sftp_server_init
 sftp_server_new
 sftp_server_version
@@ -120,6 +121,7 @@ ssh_bind_free
 ssh_bind_get_fd
 ssh_bind_listen
 ssh_bind_new
+ssh_bind_options_parse_config
 ssh_bind_options_set
 ssh_bind_set_blocking
 ssh_bind_set_callbacks
@@ -147,6 +149,7 @@ ssh_channel_listen_forward
 ssh_channel_new
 ssh_channel_open_auth_agent
 ssh_channel_open_forward
+ssh_channel_open_forward_unix
 ssh_channel_open_reverse_forward
 ssh_channel_open_session
 ssh_channel_open_x11
@@ -268,6 +271,7 @@ ssh_message_channel_request_open_destination_port
 ssh_message_channel_request_open_originator
 ssh_message_channel_request_open_originator_port
 ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
 ssh_message_channel_request_pty_height
 ssh_message_channel_request_pty_pxheight
 ssh_message_channel_request_pty_pxwidth
--- a/src/ABI/libssh-4.8.1.symbols
+++ b/src/ABI/libssh-4.8.1.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/ABI/libssh-4.8.2.symbols
+++ b/src/ABI/libssh-4.8.2.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/ABI/libssh-4.8.3.symbols
+++ b/src/ABI/libssh-4.8.3.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/ABI/libssh-4.8.4.symbols
+++ b/src/ABI/libssh-4.8.4.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/ABI/libssh-4.8.5.symbols
+++ b/src/ABI/libssh-4.8.5.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/ABI/libssh-4.8.6.symbols
+++ b/src/ABI/libssh-4.8.6.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/ABI/libssh-4.8.7.symbols
+++ b/src/ABI/libssh-4.8.7.symbols
@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,9 +1,7 @@
-set(LIBSSH_PUBLIC_INCLUDE_DIRS
-  ${libssh_SOURCE_DIR}/include
-  CACHE INTERNAL "libssh public include directories"
-)
+set(LIBSSH_PUBLIC_INCLUDE_DIRS ${libssh_SOURCE_DIR}/include)

 set(LIBSSH_PRIVATE_INCLUDE_DIRS
+  ${libssh_BINARY_DIR}/include
  ${libssh_BINARY_DIR}
 )

@@ -18,14 +16,7 @@ if (WIN32)
  )
 endif (WIN32)

-if (HAVE_LIBSOCKET)
-  set(LIBSSH_LINK_LIBRARIES
-    ${LIBSSH_LINK_LIBRARIES}
-    socket
-  )
-endif (HAVE_LIBSOCKET)
-
-if (OPENSSL_CRYPTO_LIBRARY)
+if (OPENSSL_CRYPTO_LIBRARIES)
  set(LIBSSH_PRIVATE_INCLUDE_DIRS
    ${LIBSSH_PRIVATE_INCLUDE_DIRS}
    ${OPENSSL_INCLUDE_DIR}
@@ -33,9 +24,9 @@ if (OPENSSL_CRYPTO_LIBRARY)

  set(LIBSSH_LINK_LIBRARIES
    ${LIBSSH_LINK_LIBRARIES}
-    ${OPENSSL_CRYPTO_LIBRARY}
+    ${OPENSSL_CRYPTO_LIBRARIES}
  )
-endif (OPENSSL_CRYPTO_LIBRARY)
+endif (OPENSSL_CRYPTO_LIBRARIES)

 if (MBEDTLS_CRYPTO_LIBRARY)
    set(LIBSSH_PRIVATE_INCLUDE_DIRS
@@ -48,7 +39,7 @@ if (MBEDTLS_CRYPTO_LIBRARY)
  )
 endif (MBEDTLS_CRYPTO_LIBRARY)

-if (GCRYPT_LIBRARY)
+if (GCRYPT_LIBRARIES)
  set(LIBSSH_PRIVATE_INCLUDE_DIRS
    ${LIBSSH_PRIVATE_INCLUDE_DIRS}
    ${GCRYPT_INCLUDE_DIR}
@@ -56,9 +47,8 @@ if (GCRYPT_LIBRARY)

  set(LIBSSH_LINK_LIBRARIES
    ${LIBSSH_LINK_LIBRARIES}
-    ${GCRYPT_LIBRARY}
-  )
-endif (GCRYPT_LIBRARY)
+    ${GCRYPT_LIBRARIES})
+endif()

 if (WITH_ZLIB)
  set(LIBSSH_PRIVATE_INCLUDE_DIRS
@@ -96,15 +86,12 @@ if (WITH_NACL AND NACL_FOUND)
  )
 endif (WITH_NACL AND NACL_FOUND)

-set(LIBSSH_LINK_LIBRARIES
-  ${LIBSSH_LINK_LIBRARIES}
-  CACHE INTERNAL "libssh link libraries"
-)
-
-set(LIBSSH_SHARED_LIBRARY
-  ssh_shared
-  CACHE INTERNAL "libssh shared library"
-)
+if (MINGW AND Threads_FOUND)
+  set(LIBSSH_LINK_LIBRARIES
+    ${LIBSSH_LINK_LIBRARIES}
+    Threads::Threads
+  )
+endif()

 if (BUILD_STATIC_LIB)
  set(LIBSSH_STATIC_LIBRARY
@@ -131,6 +118,7 @@ set(libssh_SRCS
  error.c
  getpass.c
  init.c
+  kdf.c
  kex.c
  known_hosts.c
  knownhosts.c
@@ -146,7 +134,6 @@ set(libssh_SRCS
  pcap.c
  pki.c
  pki_container_openssh.c
-  pki_ed25519.c
  poll.c
  session.c
  scp.c
@@ -157,14 +144,19 @@ set(libssh_SRCS
  external/bcrypt_pbkdf.c
  external/blowfish.c
  external/chacha.c
-  external/ed25519.c
-  external/fe25519.c
-  external/ge25519.c
  external/poly1305.c
-  external/sc25519.c
  chachapoly.c
+  config_parser.c
+  token.c
+  pki_ed25519_common.c
 )

+if (DEFAULT_C_NO_DEPRECATION_FLAGS)
+    set_source_files_properties(known_hosts.c
+                                PROPERTIES
+                                    COMPILE_FLAGS ${DEFAULT_C_NO_DEPRECATION_FLAGS})
+endif()
+
 if (CMAKE_USE_PTHREADS_INIT)
    set(libssh_SRCS
        ${libssh_SRCS}
@@ -192,6 +184,12 @@ if (WITH_GCRYPT)
        gcrypt_missing.c
        pki_gcrypt.c
        ecdh_gcrypt.c
+        dh_key.c
+        pki_ed25519.c
+        external/ed25519.c
+        external/fe25519.c
+        external/ge25519.c
+        external/sc25519.c
       )
 elseif (WITH_MBEDTLS)
    set(libssh_SRCS
@@ -201,6 +199,12 @@ elseif (WITH_MBEDTLS)
        mbedcrypto_missing.c
        pki_mbedcrypto.c
        ecdh_mbedcrypto.c
+        dh_key.c
+        pki_ed25519.c
+        external/ed25519.c
+        external/fe25519.c
+        external/ge25519.c
+        external/sc25519.c
       )
 else (WITH_GCRYPT)
    set(libssh_SRCS
@@ -209,7 +213,18 @@ else (WITH_GCRYPT)
        pki_crypto.c
        ecdh_crypto.c
        libcrypto.c
+        dh_crypto.c
       )
+    if (NOT HAVE_OPENSSL_ED25519)
+        set(libssh_SRCS
+            ${libssh_SRCS}
+            pki_ed25519.c
+            external/ed25519.c
+            external/fe25519.c
+            external/ge25519.c
+            external/sc25519.c
+           )
+    endif (NOT HAVE_OPENSSL_ED25519)
    if(OPENSSL_VERSION VERSION_LESS "1.1.0")
        set(libssh_SRCS ${libssh_SRCS} libcrypto-compat.c)
    endif()
@@ -234,9 +249,17 @@ if (WITH_SERVER)
    ${libssh_SRCS}
    server.c
    bind.c
+    bind_config.c
  )
 endif (WITH_SERVER)

+if (WITH_GEX)
+  set(libssh_SRCS
+    ${libssh_SRCS}
+    dh-gex.c
+  )
+endif (WITH_GEX)
+
 if (WITH_ZLIB)
  set(libssh_SRCS
    ${libssh_SRCS}
@@ -252,17 +275,14 @@ if (WITH_GSSAPI AND GSSAPI_FOUND)
 endif (WITH_GSSAPI AND GSSAPI_FOUND)

 if (NOT WITH_NACL)
-  set(libssh_SRCS
-    ${libssh_SRCS}
-    external/curve25519_ref.c
-  )
+    if (NOT HAVE_OPENSSL_ED25519)
+        set(libssh_SRCS
+            ${libssh_SRCS}
+            external/curve25519_ref.c
+           )
+    endif (NOT HAVE_OPENSSL_ED25519)
 endif (NOT WITH_NACL)

-include_directories(
-  ${LIBSSH_PUBLIC_INCLUDE_DIRS}
-  ${LIBSSH_PRIVATE_INCLUDE_DIRS}
-)
-
 # Set the path to the default map file
 set(MAP_PATH "${CMAKE_CURRENT_SOURCE_DIR}/${PROJECT_NAME}.map")

@@ -294,10 +314,27 @@ if (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT AND ABIMAP_FOUND)
    )
 endif (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT AND ABIMAP_FOUND)

-add_library(${LIBSSH_SHARED_LIBRARY} SHARED ${libssh_SRCS})
-target_compile_options(${LIBSSH_SHARED_LIBRARY} PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
+# This gets built as a static library, if -DBUILD_SHARED_LIBS=OFF is passed to
+# cmake.
+add_library(ssh ${libssh_SRCS})
+target_compile_options(ssh
+                       PRIVATE
+                           ${DEFAULT_C_COMPILE_FLAGS}
+                           -D_GNU_SOURCE)
+target_include_directories(ssh
+                           PUBLIC
+                               $<BUILD_INTERFACE:${libssh_SOURCE_DIR}/include>
+                               $<INSTALL_INTERFACE:include>
+                           PRIVATE ${LIBSSH_PRIVATE_INCLUDE_DIRS})

-target_link_libraries(${LIBSSH_SHARED_LIBRARY} ${LIBSSH_LINK_LIBRARIES})
+target_link_libraries(ssh
+                      PRIVATE ${LIBSSH_LINK_LIBRARIES})
+
+if (WIN32 AND NOT BUILD_SHARED_LIBS)
+    target_compile_definitions(ssh PUBLIC "LIBSSH_STATIC")
+endif ()
+
+add_library(ssh::ssh ALIAS ssh)

 if (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT)
    if (ABIMAP_FOUND)
@@ -305,45 +342,54 @@ if (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT)
        set(MAP_PATH "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}_dev.map")
    endif (ABIMAP_FOUND)

-    set_target_properties(${LIBSSH_SHARED_LIBRARY}
-                          PROPERTIES LINK_FLAGS
-                          "-Wl,--version-script,\"${MAP_PATH}\"")
+    target_link_libraries(ssh PRIVATE "-Wl,--version-script,\"${MAP_PATH}\"")
 endif (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT)

-set_target_properties(
-  ${LIBSSH_SHARED_LIBRARY}
+set_target_properties(ssh
    PROPERTIES
      VERSION
        ${LIBRARY_VERSION}
      SOVERSION
        ${LIBRARY_SOVERSION}
-      OUTPUT_NAME
-        ssh
      DEFINE_SYMBOL
        LIBSSH_EXPORTS
 )

 if (WITH_VISIBILITY_HIDDEN)
-  set_target_properties(${LIBSSH_SHARED_LIBRARY} PROPERTIES COMPILE_FLAGS "-fvisibility=hidden")
+    set_target_properties(ssh PROPERTIES C_VISIBILITY_PRESET hidden)
 endif (WITH_VISIBILITY_HIDDEN)

 if (MINGW)
-    set_target_properties(${LIBSSH_SHARED_LIBRARY} PROPERTIES LINK_FLAGS "-Wl,--enable-stdcall-fixup")
+    target_link_libraries(ssh PRIVATE "-Wl,--enable-stdcall-fixup")
+    target_compile_definitions(ssh PRIVATE "_POSIX_SOURCE")
 endif ()


-install(
-  TARGETS
-    ${LIBSSH_SHARED_LIBRARY}
-  RUNTIME DESTINATION ${BIN_INSTALL_DIR}
-  LIBRARY DESTINATION ${LIB_INSTALL_DIR}
-  ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-  COMPONENT libraries
-)
+install(TARGETS ssh
+        EXPORT libssh-config
+        RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+        LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        COMPONENT libraries)
+
+install(EXPORT libssh-config
+        DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME})

 if (BUILD_STATIC_LIB)
-  add_library(${LIBSSH_STATIC_LIBRARY} STATIC ${libssh_SRCS})
-  target_compile_options(${LIBSSH_STATIC_LIBRARY} PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
+  add_library(ssh-static STATIC ${libssh_SRCS})
+  target_compile_options(ssh-static
+                         PRIVATE
+                            ${DEFAULT_C_COMPILE_FLAGS}
+                            -D_GNU_SOURCE)
+
+  target_include_directories(ssh-static
+                             PUBLIC
+                                 $<BUILD_INTERFACE:${libssh_SOURCE_DIR}/include>
+                                 $<INSTALL_INTERFACE:include>
+                             PRIVATE ${LIBSSH_PRIVATE_INCLUDE_DIRS})
+  target_link_libraries(ssh-static
+                        PUBLIC ${LIBSSH_LINK_LIBRARIES})
+  add_library(ssh::static ALIAS ssh-static)

  if (MSVC)
    set(OUTPUT_SUFFIX static)
@@ -351,7 +397,7 @@ if (BUILD_STATIC_LIB)
    set(OUTPUT_SUFFIX )
  endif (MSVC)
  set_target_properties(
-    ${LIBSSH_STATIC_LIBRARY}
+    ssh-static
      PROPERTIES
        VERSION
          ${LIBRARY_VERSION}
@@ -364,22 +410,8 @@ if (BUILD_STATIC_LIB)
  )

  if (WIN32)
-    set_target_properties(
-      ${LIBSSH_STATIC_LIBRARY}
-        PROPERTIES
-          COMPILE_FLAGS
-            "-DLIBSSH_STATIC"
-    )
+    target_compile_definitions(ssh-static PUBLIC "LIBSSH_STATIC")
  endif (WIN32)
-
-    if (WITH_STATIC_LIB)
-      install(TARGETS
-                ${LIBSSH_STATIC_LIBRARY}
-              DESTINATION
-                ${LIB_INSTALL_DIR}/${OUTPUT_SUFFIX}
-              COMPONENT
-                libraries)
-    endif (WITH_STATIC_LIB)
 endif (BUILD_STATIC_LIB)

 message(STATUS "Threads_FOUND=${Threads_FOUND}")
--- a/src/agent.c
+++ b/src/agent.c
@@ -56,33 +56,13 @@
 #include "libssh/session.h"
 #include "libssh/poll.h"
 #include "libssh/pki.h"
+#include "libssh/bytearray.h"

 /* macro to check for "agent failure" message */
 #define agent_failed(x) \
  (((x) == SSH_AGENT_FAILURE) || ((x) == SSH_COM_AGENT2_FAILURE) || \
   ((x) == SSH2_AGENT_FAILURE))

-static uint32_t agent_get_u32(const void *vp) {
-  const uint8_t *p = (const uint8_t *)vp;
-  uint32_t v;
-
-  v  = (uint32_t)p[0] << 24;
-  v |= (uint32_t)p[1] << 16;
-  v |= (uint32_t)p[2] << 8;
-  v |= (uint32_t)p[3];
-
-  return v;
-}
-
-static void agent_put_u32(void *vp, uint32_t v) {
-  uint8_t *p = (uint8_t *)vp;
-
-  p[0] = (uint8_t)(v >> 24) & 0xff;
-  p[1] = (uint8_t)(v >> 16) & 0xff;
-  p[2] = (uint8_t)(v >> 8) & 0xff;
-  p[3] = (uint8_t)v & 0xff;
-}
-
 static size_t atomicio(struct ssh_agent_struct *agent, void *buf, size_t n, int do_read) {
  char *b = buf;
  size_t pos = 0;
@@ -216,7 +196,7 @@ void ssh_agent_close(struct ssh_agent_struct *agent) {
 void ssh_agent_free(ssh_agent agent) {
  if (agent) {
    if (agent->ident) {
-      ssh_buffer_free(agent->ident);
+      SSH_BUFFER_FREE(agent->ident);
    }
    if (agent->sock) {
      ssh_agent_close(agent);
@@ -275,7 +255,7 @@ static int agent_talk(struct ssh_session_struct *session,

  len = ssh_buffer_get_len(request);
  SSH_LOG(SSH_LOG_TRACE, "Request length: %u", len);
-  agent_put_u32(payload, len);
+  PUSH_BE_U32(payload, 0, len);

  /* send length and then the request packet */
  if (atomicio(session->agent, payload, 4, 0) == 4) {
@@ -299,7 +279,7 @@ static int agent_talk(struct ssh_session_struct *session,
    return -1;
  }

-  len = agent_get_u32(payload);
+  len = PULL_BE_U32(payload, 0);
  if (len > 256 * 1024) {
    ssh_set_error(session, SSH_FATAL,
        "Authentication response too long: %u", len);
@@ -327,83 +307,91 @@ static int agent_talk(struct ssh_session_struct *session,
  return 0;
 }

-int ssh_agent_get_ident_count(struct ssh_session_struct *session) {
-  ssh_buffer request = NULL;
-  ssh_buffer reply = NULL;
-  unsigned int type = 0;
-  uint32_t buf[1] = {0};
-  int rc;
+uint32_t ssh_agent_get_ident_count(struct ssh_session_struct *session)
+{
+    ssh_buffer request = NULL;
+    ssh_buffer reply = NULL;
+    unsigned int type = 0;
+    uint32_t count = 0;
+    int rc;

-  /* send message to the agent requesting the list of identities */
-  request = ssh_buffer_new();
-  if (request == NULL) {
-      ssh_set_error_oom(session);
-      return -1;
-  }
-  if (ssh_buffer_add_u8(request, SSH2_AGENTC_REQUEST_IDENTITIES) < 0) {
-      ssh_set_error_oom(session);
-      ssh_buffer_free(request);
-      return -1;
-  }
+    /* send message to the agent requesting the list of identities */
+    request = ssh_buffer_new();
+    if (request == NULL) {
+        ssh_set_error_oom(session);
+        return 0;
+    }
+    if (ssh_buffer_add_u8(request, SSH2_AGENTC_REQUEST_IDENTITIES) < 0) {
+        ssh_set_error_oom(session);
+        SSH_BUFFER_FREE(request);
+        return 0;
+    }

-  reply = ssh_buffer_new();
-  if (reply == NULL) {
-    ssh_buffer_free(request);
-    ssh_set_error(session, SSH_FATAL, "Not enough space");
-    return -1;
-  }
+    reply = ssh_buffer_new();
+    if (reply == NULL) {
+        SSH_BUFFER_FREE(request);
+        ssh_set_error(session, SSH_FATAL, "Not enough space");
+        return 0;
+    }

-  if (agent_talk(session, request, reply) < 0) {
-    ssh_buffer_free(request);
-    ssh_buffer_free(reply);
-    return 0;
-  }
-  ssh_buffer_free(request);
+    if (agent_talk(session, request, reply) < 0) {
+        SSH_BUFFER_FREE(request);
+        SSH_BUFFER_FREE(reply);
+        return 0;
+    }
+    SSH_BUFFER_FREE(request);

-  /* get message type and verify the answer */
-  rc = ssh_buffer_get_u8(reply, (uint8_t *) &type);
-  if (rc != sizeof(uint8_t)) {
-    ssh_set_error(session, SSH_FATAL,
-        "Bad authentication reply size: %d", rc);
-    ssh_buffer_free(reply);
-    return -1;
-  }
+    /* get message type and verify the answer */
+    rc = ssh_buffer_get_u8(reply, (uint8_t *) &type);
+    if (rc != sizeof(uint8_t)) {
+        ssh_set_error(session, SSH_FATAL,
+                "Bad authentication reply size: %d", rc);
+        SSH_BUFFER_FREE(reply);
+        return 0;
+    }
 #ifdef WORDS_BIGENDIAN
-  type = bswap_32(type);
+    type = bswap_32(type);
 #endif

-  SSH_LOG(SSH_LOG_WARN,
-      "Answer type: %d, expected answer: %d",
-      type, SSH2_AGENT_IDENTITIES_ANSWER);
+    SSH_LOG(SSH_LOG_WARN,
+            "Answer type: %d, expected answer: %d",
+            type, SSH2_AGENT_IDENTITIES_ANSWER);

-  if (agent_failed(type)) {
-      ssh_buffer_free(reply);
-      return 0;
-  } else if (type != SSH2_AGENT_IDENTITIES_ANSWER) {
-      ssh_set_error(session, SSH_FATAL,
-          "Bad authentication reply message type: %u", type);
-      ssh_buffer_free(reply);
-      return -1;
-  }
+    if (agent_failed(type)) {
+        SSH_BUFFER_FREE(reply);
+        return 0;
+    } else if (type != SSH2_AGENT_IDENTITIES_ANSWER) {
+        ssh_set_error(session, SSH_FATAL,
+                "Bad authentication reply message type: %u", type);
+        SSH_BUFFER_FREE(reply);
+        return 0;
+    }

-  ssh_buffer_get_u32(reply, (uint32_t *) buf);
-  session->agent->count = agent_get_u32(buf);
-  SSH_LOG(SSH_LOG_DEBUG, "Agent count: %d",
-      session->agent->count);
-  if (session->agent->count > 1024) {
-    ssh_set_error(session, SSH_FATAL,
-        "Too many identities in authentication reply: %d",
-        session->agent->count);
-    ssh_buffer_free(reply);
-    return -1;
-  }
+    rc = ssh_buffer_get_u32(reply, &count);
+    if (rc != 4) {
+        ssh_set_error(session,
+                SSH_FATAL,
+                "Failed to read count");
+        SSH_BUFFER_FREE(reply);
+        return 0;
+    }
+    session->agent->count = ntohl(count);
+    SSH_LOG(SSH_LOG_DEBUG, "Agent count: %d",
+            session->agent->count);
+    if (session->agent->count > 1024) {
+        ssh_set_error(session, SSH_FATAL,
+                "Too many identities in authentication reply: %d",
+                session->agent->count);
+        SSH_BUFFER_FREE(reply);
+        return 0;
+    }

-  if (session->agent->ident) {
-    ssh_buffer_reinit(session->agent->ident);
-  }
-  session->agent->ident = reply;
+    if (session->agent->ident) {
+        ssh_buffer_reinit(session->agent->ident);
+    }
+    session->agent->ident = reply;

-  return session->agent->count;
+    return session->agent->count;
 }

 /* caller has to free commment */
@@ -437,7 +425,7 @@ ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
    /* get the comment */
    tmp = ssh_buffer_get_ssh_string(session->agent->ident);
    if (tmp == NULL) {
-        ssh_string_free(blob);
+        SSH_STRING_FREE(blob);

        return NULL;
    }
@@ -445,12 +433,12 @@ ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
    if (comment) {
        *comment = ssh_string_to_char(tmp);
    } else {
-        ssh_string_free(blob);
-        ssh_string_free(tmp);
+        SSH_STRING_FREE(blob);
+        SSH_STRING_FREE(tmp);

        return NULL;
    }
-    ssh_string_free(tmp);
+    SSH_STRING_FREE(tmp);

    /* get key from blob */
    rc = ssh_pki_import_pubkey_blob(blob, &key);
@@ -458,7 +446,7 @@ ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
        /* Try again as a cert. */
        rc = ssh_pki_import_cert_blob(blob, &key);
    }
-    ssh_string_free(blob);
+    SSH_STRING_FREE(blob);
    if (rc == SSH_ERROR) {
        return NULL;
    }
@@ -504,13 +492,13 @@ ssh_string ssh_agent_sign_data(ssh_session session,

    /* create request */
    if (ssh_buffer_add_u8(request, SSH2_AGENTC_SIGN_REQUEST) < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

    rc = ssh_pki_export_pubkey_blob(pubkey, &key_blob);
    if (rc < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

@@ -525,31 +513,31 @@ ssh_string ssh_agent_sign_data(ssh_session session,
                                  sizeof(uint32_t) * 2 +
                                  ssh_string_len(key_blob));
    if (rc < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* adds len + blob */
    rc = ssh_buffer_add_ssh_string(request, key_blob);
-    ssh_string_free(key_blob);
+    SSH_STRING_FREE(key_blob);
    if (rc < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* Add data */
    dlen = ssh_buffer_get_len(data);
    if (ssh_buffer_add_u32(request, htonl(dlen)) < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }
    if (ssh_buffer_add_data(request, ssh_buffer_get(data), dlen) < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* Add Flags: SHA2 extension (RFC 8332) if negotiated */
-    if (pubkey->type == SSH_KEYTYPE_RSA) {
+    if (ssh_key_type_plain(pubkey->type) == SSH_KEYTYPE_RSA) {
        if (session->extensions & SSH_EXT_SIG_RSA_SHA512) {
            flags |= SSH_AGENT_RSA_SHA2_512;
        } else if (session->extensions & SSH_EXT_SIG_RSA_SHA256) {
@@ -557,27 +545,27 @@ ssh_string ssh_agent_sign_data(ssh_session session,
        }
    }
    if (ssh_buffer_add_u32(request, htonl(flags)) < 0) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

    reply = ssh_buffer_new();
    if (reply == NULL) {
-        ssh_buffer_free(request);
+        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* send the request */
    if (agent_talk(session, request, reply) < 0) {
-        ssh_buffer_free(request);
-        ssh_buffer_free(reply);
+        SSH_BUFFER_FREE(request);
+        SSH_BUFFER_FREE(reply);
        return NULL;
    }
-    ssh_buffer_free(request);
+    SSH_BUFFER_FREE(request);

    /* check if reply is valid */
    if (ssh_buffer_get_u8(reply, (uint8_t *) &type) != sizeof(uint8_t)) {
-        ssh_buffer_free(reply);
+        SSH_BUFFER_FREE(reply);
        return NULL;
    }
 #ifdef WORDS_BIGENDIAN
@@ -586,19 +574,19 @@ ssh_string ssh_agent_sign_data(ssh_session session,

    if (agent_failed(type)) {
        SSH_LOG(SSH_LOG_WARN, "Agent reports failure in signing the key");
-        ssh_buffer_free(reply);
+        SSH_BUFFER_FREE(reply);
        return NULL;
    } else if (type != SSH2_AGENT_SIGN_RESPONSE) {
        ssh_set_error(session,
                      SSH_FATAL,
                      "Bad authentication response: %u",
                      type);
-        ssh_buffer_free(reply);
+        SSH_BUFFER_FREE(reply);
        return NULL;
    }

    sig_blob = ssh_buffer_get_ssh_string(reply);
-    ssh_buffer_free(reply);
+    SSH_BUFFER_FREE(reply);

    return sig_blob;
 }
--- a/src/auth.c
+++ b/src/auth.c
@@ -25,6 +25,7 @@
 #include "config.h"

 #include <stdio.h>
+#include <string.h>

 #ifndef _WIN32
 #include <netinet/in.h>
@@ -69,7 +70,7 @@ static int ssh_userauth_request_service(ssh_session session) {
    int rc;

    rc = ssh_service_request(session, "ssh-userauth");
-    if (rc != SSH_OK) {
+    if ((rc != SSH_OK) && (rc != SSH_AGAIN)) {
        SSH_LOG(SSH_LOG_WARN,
                "Failed to request \"ssh-userauth\" service");
    }
@@ -204,7 +205,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) {
        SSH_LOG(SSH_LOG_DEBUG,
                "Received SSH_USERAUTH_BANNER packet");
        if (session->banner != NULL)
-            ssh_string_free(session->banner);
+            SSH_STRING_FREE(session->banner);
        session->banner = banner;
    }

@@ -282,7 +283,10 @@ end:
 *
 * It is also used to communicate the new to the upper levels.
 */
-SSH_PACKET_CALLBACK(ssh_packet_userauth_success) {
+SSH_PACKET_CALLBACK(ssh_packet_userauth_success)
+{
+  struct ssh_crypto_struct *crypto = NULL;
+
  (void)packet;
  (void)type;
  (void)user;
@@ -294,13 +298,16 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_success) {
  session->session_state = SSH_SESSION_STATE_AUTHENTICATED;
  session->flags |= SSH_SESSION_FLAG_AUTHENTICATED;

-  if (session->current_crypto && session->current_crypto->delayed_compress_out) {
+  crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_OUT);
+  if (crypto != NULL && crypto->delayed_compress_out) {
      SSH_LOG(SSH_LOG_DEBUG, "Enabling delayed compression OUT");
-      session->current_crypto->do_compress_out = 1;
+      crypto->do_compress_out = 1;
  }
-  if (session->current_crypto && session->current_crypto->delayed_compress_in) {
+
+  crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN);
+  if (crypto != NULL && crypto->delayed_compress_in) {
      SSH_LOG(SSH_LOG_DEBUG, "Enabling delayed compression IN");
-      session->current_crypto->do_compress_in = 1;
+      crypto->do_compress_in = 1;
  }

    /* Reset errors by previous authentication methods. */
@@ -509,26 +516,13 @@ int ssh_userauth_try_publickey(ssh_session session,
            return SSH_ERROR;
    }

-    switch (pubkey->type) {
-    case SSH_KEYTYPE_UNKNOWN:
-        ssh_set_error(session,
-                      SSH_REQUEST_DENIED,
+    /* Check if the given public key algorithm is allowed */
+    sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
+    if (sig_type_c == NULL) {
+        ssh_set_error(session, SSH_REQUEST_DENIED,
                      "Invalid key type (unknown)");
        return SSH_AUTH_DENIED;
-    case SSH_KEYTYPE_ECDSA:
-        sig_type_c = ssh_pki_key_ecdsa_name(pubkey);
-        break;
-    case SSH_KEYTYPE_DSS:
-    case SSH_KEYTYPE_RSA:
-    case SSH_KEYTYPE_RSA1:
-    case SSH_KEYTYPE_ED25519:
-    case SSH_KEYTYPE_DSS_CERT01:
-    case SSH_KEYTYPE_RSA_CERT01:
-        sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
-        break;
    }
-
-    /* Check if the given public key algorithm is allowed */
    if (!ssh_key_algorithm_allowed(session, sig_type_c)) {
        ssh_set_error(session, SSH_REQUEST_DENIED,
                      "The key algorithm '%s' is not allowed to be used by"
@@ -564,7 +558,7 @@ int ssh_userauth_try_publickey(ssh_session session,
        goto fail;
    }

-    ssh_string_free(pubkey_s);
+    SSH_STRING_FREE(pubkey_s);

    session->auth.current_method = SSH_AUTH_METHOD_PUBLICKEY;
    session->auth.state = SSH_AUTH_STATE_PUBKEY_OFFER_SENT;
@@ -582,7 +576,7 @@ pending:

    return rc;
 fail:
-    ssh_string_free(pubkey_s);
+    SSH_STRING_FREE(pubkey_s);
    ssh_set_error_oom(session);
    ssh_buffer_reinit(session->out_buffer);

@@ -620,6 +614,7 @@ int ssh_userauth_publickey(ssh_session session,
    int rc;
    const char *sig_type_c = NULL;
    enum ssh_keytypes_e key_type;
+    enum ssh_digest_e hash_type;

    if (session == NULL) {
        return SSH_AUTH_ERROR;
@@ -645,26 +640,13 @@ int ssh_userauth_publickey(ssh_session session,
    /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */
    key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type;

-    switch (key_type) {
-    case SSH_KEYTYPE_UNKNOWN:
-        ssh_set_error(session,
-                      SSH_REQUEST_DENIED,
+    /* Check if the given public key algorithm is allowed */
+    sig_type_c = ssh_key_get_signature_algorithm(session, key_type);
+    if (sig_type_c == NULL) {
+        ssh_set_error(session, SSH_REQUEST_DENIED,
                      "Invalid key type (unknown)");
        return SSH_AUTH_DENIED;
-    case SSH_KEYTYPE_ECDSA:
-        sig_type_c = ssh_pki_key_ecdsa_name(privkey);
-        break;
-    case SSH_KEYTYPE_DSS:
-    case SSH_KEYTYPE_RSA:
-    case SSH_KEYTYPE_RSA1:
-    case SSH_KEYTYPE_ED25519:
-    case SSH_KEYTYPE_DSS_CERT01:
-    case SSH_KEYTYPE_RSA_CERT01:
-        sig_type_c = ssh_key_get_signature_algorithm(session, key_type);
-        break;
    }
-
-    /* Check if the given public key algorithm is allowed */
    if (!ssh_key_algorithm_allowed(session, sig_type_c)) {
        ssh_set_error(session, SSH_REQUEST_DENIED,
                      "The key algorithm '%s' is not allowed to be used by"
@@ -699,16 +681,19 @@ int ssh_userauth_publickey(ssh_session session,
    if (rc < 0) {
        goto fail;
    }
-    ssh_string_free(str);
+    SSH_STRING_FREE(str);
+
+    /* Get the hash type to be used in the signature based on the key type */
+    hash_type = ssh_key_type_to_hash(session, privkey->type);

    /* sign the buffer with the private key */
-    str = ssh_pki_do_sign(session, session->out_buffer, privkey);
+    str = ssh_pki_do_sign(session, session->out_buffer, privkey, hash_type);
    if (str == NULL) {
        goto fail;
    }

    rc = ssh_buffer_add_ssh_string(session->out_buffer, str);
-    ssh_string_free(str);
+    SSH_STRING_FREE(str);
    str = NULL;
    if (rc < 0) {
        goto fail;
@@ -730,7 +715,7 @@ pending:

    return rc;
 fail:
-    ssh_string_free(str);
+    SSH_STRING_FREE(str);
    ssh_set_error_oom(session);
    ssh_buffer_reinit(session->out_buffer);

@@ -771,9 +756,15 @@ static int ssh_userauth_agent_publickey(ssh_session session,
    if (rc < 0) {
        goto fail;
    }
-    sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);

    /* Check if the given public key algorithm is allowed */
+    sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
+    if (sig_type_c == NULL) {
+        ssh_set_error(session, SSH_REQUEST_DENIED,
+                      "Invalid key type (unknown)");
+        SSH_STRING_FREE(pubkey_s);
+        return SSH_AUTH_DENIED;
+    }
    if (!ssh_key_algorithm_allowed(session, sig_type_c)) {
        ssh_set_error(session, SSH_REQUEST_DENIED,
                      "The key algorithm '%s' is not allowed to be used by"
@@ -850,7 +841,7 @@ void ssh_agent_state_free(void *data) {
    struct ssh_agent_state_struct *state = data;

    if (state) {
-        ssh_string_free_char(state->comment);
+        SSH_STRING_FREE_CHAR(state->comment);
        ssh_key_free(state->pubkey);
        free (state);
    }
@@ -928,7 +919,7 @@ int ssh_userauth_agent(ssh_session session,
            } else if (rc != SSH_AUTH_SUCCESS) {
                SSH_LOG(SSH_LOG_DEBUG,
                        "Public key of %s refused by server", state->comment);
-                ssh_string_free_char(state->comment);
+                SSH_STRING_FREE_CHAR(state->comment);
                state->comment = NULL;
                ssh_key_free(state->pubkey);
                state->pubkey = ssh_agent_get_next_ident(session, &state->comment);
@@ -944,7 +935,7 @@ int ssh_userauth_agent(ssh_session session,
            rc = ssh_userauth_agent_publickey(session, username, state->pubkey);
            if (rc == SSH_AUTH_AGAIN)
                return rc;
-            ssh_string_free_char(state->comment);
+            SSH_STRING_FREE_CHAR(state->comment);
            state->comment = NULL;
            if (rc == SSH_AUTH_ERROR || rc == SSH_AUTH_PARTIAL) {
                ssh_agent_state_free (session->agent_state);
@@ -1040,6 +1031,9 @@ int ssh_userauth_publickey_auto(ssh_session session,
            ssh_set_error_oom(session);
            return SSH_AUTH_ERROR;
        }
+
+        /* Set state explicitly */
+        session->auth.auto_state->state = SSH_AUTH_AUTO_STATE_NONE;
    }
    state = session->auth.auto_state;
    if (state->state == SSH_AUTH_AUTO_STATE_NONE) {
@@ -1122,7 +1116,9 @@ int ssh_userauth_publickey_auto(ssh_session session,
                        "Public key authentication error for %s",
                        privkey_file);
                ssh_key_free(state->privkey);
+                state->privkey = NULL;
                ssh_key_free(state->pubkey);
+                state->pubkey = NULL;
                SAFE_FREE(session->auth.auto_state);
                return rc;
            } else if (rc == SSH_AUTH_AGAIN) {
@@ -1188,6 +1184,9 @@ int ssh_userauth_publickey_auto(ssh_session session,
                return rc;
            }

+            ssh_key_free(state->privkey);
+            ssh_key_free(state->pubkey);
+
            SSH_LOG(SSH_LOG_WARN,
                    "The server accepted the public key but refused the signature");
            state->it = state->it->next;
@@ -1271,6 +1270,9 @@ int ssh_userauth_password(ssh_session session,
        goto fail;
    }

+    /* Set the buffer as secure to be explicitly zeroed when freed */
+    ssh_buffer_set_secure(session->out_buffer);
+
    session->auth.current_method = SSH_AUTH_METHOD_PASSWORD;
    session->auth.state = SSH_AUTH_STATE_PASSWORD_AUTH_SENT;
    session->pending_call_state = SSH_PENDING_CALL_AUTH_PASSWORD;
@@ -1336,7 +1338,7 @@ ssh_kbdint ssh_kbdint_new(void) {


 void ssh_kbdint_free(ssh_kbdint kbd) {
-    int i, n;
+    size_t i, n;

    if (kbd == NULL) {
        return;
@@ -1372,7 +1374,7 @@ void ssh_kbdint_free(ssh_kbdint kbd) {
 }

 void ssh_kbdint_clean(ssh_kbdint kbd) {
-    int i, n;
+    size_t i, n;

    if (kbd == NULL) {
        return;
@@ -1561,7 +1563,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_request) {
            );

    /* We don't care about tmp */
-    ssh_string_free(tmp);
+    SSH_STRING_FREE(tmp);

    if (rc != SSH_OK) {
        ssh_set_error(session, SSH_FATAL, "Invalid USERAUTH_INFO_REQUEST msg");
@@ -1785,7 +1787,7 @@ const char *ssh_userauth_kbdint_getprompt(ssh_session session, unsigned int i,
    }

    if (echo) {
-        *echo = session->kbdint->echo[i];
+        *echo = (char)session->kbdint->echo[i];
    }

    return session->kbdint->prompts[i];
--- a/src/base64.c
+++ b/src/base64.c
@@ -29,7 +29,8 @@
 #include "libssh/priv.h"
 #include "libssh/buffer.h"

-static char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+static
+const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         "abcdefghijklmnopqrstuvwxyz"
                         "0123456789+/";

@@ -167,19 +168,19 @@ ssh_buffer base64_to_bin(const char *source) {

 error:
  SAFE_FREE(base64);
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return NULL;
 }

-#define BLOCK(letter, n) do {ptr = strchr(alphabet, source[n]); \
+#define BLOCK(letter, n) do {ptr = strchr((const char *)alphabet, source[n]); \
                             if(!ptr) return -1; \
-                             i = ptr - alphabet; \
+                             i = ptr - (const char *)alphabet; \
                             SET_##letter(*block, i); \
                         } while(0)

 /* Returns 0 if ok, -1 if not (ie invalid char into the stuff) */
 static int to_block4(unsigned long *block, const char *source, int num) {
-  char *ptr;
+  const char *ptr = NULL;
  unsigned int i;

  *block = 0;
@@ -234,29 +235,32 @@ static int get_equals(char *string) {
 }

 /* thanks sysk for debugging my mess :) */
+static void _bin_to_base64(uint8_t *dest,
+                           const uint8_t source[3],
+                           size_t len)
+{
 #define BITS(n) ((1 << (n)) - 1)
-static void _bin_to_base64(unsigned char *dest, const unsigned char source[3],
-    int len) {
-  switch (len) {
-    case 1:
-      dest[0] = alphabet[(source[0] >> 2)];
-      dest[1] = alphabet[((source[0] & BITS(2)) << 4)];
-      dest[2] = '=';
-      dest[3] = '=';
-      break;
-    case 2:
-      dest[0] = alphabet[source[0] >> 2];
-      dest[1] = alphabet[(source[1] >> 4) | ((source[0] & BITS(2)) << 4)];
-      dest[2] = alphabet[(source[1] & BITS(4)) << 2];
-      dest[3] = '=';
-      break;
-    case 3:
-      dest[0] = alphabet[(source[0] >> 2)];
-      dest[1] = alphabet[(source[1] >> 4) | ((source[0] & BITS(2)) << 4)];
-      dest[2] = alphabet[ (source[2] >> 6) | (source[1] & BITS(4)) << 2];
-      dest[3] = alphabet[source[2] & BITS(6)];
-      break;
-  }
+    switch (len) {
+        case 1:
+            dest[0] = alphabet[(source[0] >> 2)];
+            dest[1] = alphabet[((source[0] & BITS(2)) << 4)];
+            dest[2] = '=';
+            dest[3] = '=';
+            break;
+        case 2:
+            dest[0] = alphabet[source[0] >> 2];
+            dest[1] = alphabet[(source[1] >> 4) | ((source[0] & BITS(2)) << 4)];
+            dest[2] = alphabet[(source[1] & BITS(4)) << 2];
+            dest[3] = '=';
+            break;
+        case 3:
+            dest[0] = alphabet[(source[0] >> 2)];
+            dest[1] = alphabet[(source[1] >> 4) | ((source[0] & BITS(2)) << 4)];
+            dest[2] = alphabet[(source[2] >> 6) | (source[1] & BITS(4)) << 2];
+            dest[3] = alphabet[source[2] & BITS(6)];
+            break;
+    }
+#undef BITS
 }

 /**
@@ -266,25 +270,29 @@ static void _bin_to_base64(unsigned char *dest, const unsigned char source[3],
 *
 * @returns the converted string
 */
-unsigned char *bin_to_base64(const unsigned char *source, int len) {
-  unsigned char *base64;
-  unsigned char *ptr;
-  int flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
-  flen = (4 * flen) / 3 + 1;
+uint8_t *bin_to_base64(const uint8_t *source, size_t len)
+{
+    uint8_t *base64 = NULL;
+    uint8_t *ptr = NULL;
+    size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+    flen = (4 * flen) / 3 + 1;

-  base64 = malloc(flen);
-  if (base64 == NULL) {
-    return NULL;
-  }
-  ptr = base64;
+    base64 = malloc(flen);
+    if (base64 == NULL) {
+        return NULL;
+    }
+    ptr = base64;

-  while(len > 0){
-    _bin_to_base64(ptr, source, len > 3 ? 3 : len);
-    ptr += 4;
-    source += 3;
-    len -= 3;
-  }
-  ptr[0] = '\0';
+    while(len > 0){
+        _bin_to_base64(ptr, source, len > 3 ? 3 : len);
+        ptr += 4;
+        if (len < 3) {
+            break;
+        }
+        source += 3;
+        len -= 3;
+    }
+    ptr[0] = '\0';

-  return base64;
+    return base64;
 }
--- a/src/bignum.c
+++ b/src/bignum.c
@@ -29,9 +29,9 @@

 ssh_string ssh_make_bignum_string(bignum num) {
  ssh_string ptr = NULL;
-  int pad = 0;
-  unsigned int len = bignum_num_bytes(num);
-  unsigned int bits = bignum_num_bits(num);
+  size_t pad = 0;
+  size_t len = bignum_num_bytes(num);
+  size_t bits = bignum_num_bits(num);

  if (len == 0) {
      return NULL;
@@ -43,7 +43,9 @@ ssh_string ssh_make_bignum_string(bignum num) {
  }

 #ifdef DEBUG_CRYPTO
-  fprintf(stderr, "%d bits, %d bytes, %d padding\n", bits, len, pad);
+  SSH_LOG(SSH_LOG_TRACE,
+          "%zu bits, %zu bytes, %zu padding\n",
+          bits, len, pad);
 #endif /* DEBUG_CRYPTO */

  ptr = ssh_string_new(len + pad);
@@ -56,70 +58,40 @@ ssh_string ssh_make_bignum_string(bignum num) {
    ptr->data[0] = 0;
  }

-#ifdef HAVE_LIBGCRYPT
  bignum_bn2bin(num, len, ptr->data + pad);
-#elif HAVE_LIBCRYPTO
-  bignum_bn2bin(num, ptr->data + pad);
-#elif HAVE_LIBMBEDCRYPTO
-  bignum_bn2bin(num, ptr->data + pad);
-#endif

  return ptr;
 }

-bignum ssh_make_string_bn(ssh_string string){
-  bignum bn = NULL;
-  unsigned int len = ssh_string_len(string);
+bignum ssh_make_string_bn(ssh_string string)
+{
+    bignum bn = NULL;
+    size_t len = ssh_string_len(string);

 #ifdef DEBUG_CRYPTO
-  fprintf(stderr, "Importing a %d bits, %d bytes object ...\n",
-      len * 8, len);
+    SSH_LOG(SSH_LOG_TRACE,
+            "Importing a %zu bits, %zu bytes object ...\n",
+            len * 8, len);
 #endif /* DEBUG_CRYPTO */

-#ifdef HAVE_LIBGCRYPT
-  bignum_bin2bn(string->data, len, &bn);
-#elif defined HAVE_LIBCRYPTO
-  bn = bignum_bin2bn(string->data, len, NULL);
-#elif defined HAVE_LIBMBEDCRYPTO
-  bn = bignum_new();
-  bignum_bin2bn(string->data, len, bn);
-#endif
+    bignum_bin2bn(string->data, len, &bn);

-  return bn;
-}
-
-void ssh_make_string_bn_inplace(ssh_string string, bignum bnout) {
-  unsigned int len = ssh_string_len(string);
-#ifdef HAVE_LIBGCRYPT
-  /* XXX: FIXME as needed for LIBGCRYPT ECDSA codepaths. */
-  (void) len;
-  (void) bnout;
-#elif defined HAVE_LIBCRYPTO
-  bignum_bin2bn(string->data, len, bnout);
-#elif defined HAVE_LIBMBEDCRYPTO
-  bignum_bin2bn(string->data, len, bnout);
-#endif
+    return bn;
 }

 /* prints the bignum on stderr */
-void ssh_print_bignum(const char *which, const bignum num) {
+void ssh_print_bignum(const char *name, const_bignum num)
+{
+    unsigned char *hex = NULL;
+    if (num != NULL) {
+        bignum_bn2hex(num, &hex);
+    }
+    fprintf(stderr, "%s value: %s\n", name, (hex == NULL) ? "(null)" : (char *) hex);
 #ifdef HAVE_LIBGCRYPT
-  unsigned char *hex = NULL;
-  bignum_bn2hex(num, &hex);
+    SAFE_FREE(hex);
 #elif defined HAVE_LIBCRYPTO
-  char *hex = NULL;
-  hex = bignum_bn2hex(num);
+    OPENSSL_free(hex);
 #elif defined HAVE_LIBMBEDCRYPTO
-  char *hex = NULL;
-  hex = bignum_bn2hex(num);
-#endif
-  fprintf(stderr, "%s value: ", which);
-  fprintf(stderr, "%s\n", (hex == NULL) ? "(null)" : (char *) hex);
-#ifdef HAVE_LIBGCRYPT
-  SAFE_FREE(hex);
-#elif defined HAVE_LIBCRYPTO
-  OPENSSL_free(hex);
-#elif defined HAVE_LIBMBEDCRYPTO
-  SAFE_FREE(hex);
+    SAFE_FREE(hex);
 #endif
 }
--- a/src/bind.c
+++ b/src/bind.c
@@ -38,6 +38,7 @@
 #include "libssh/buffer.h"
 #include "libssh/socket.h"
 #include "libssh/session.h"
+#include "libssh/token.h"

 /**
 * @addtogroup libssh_server
@@ -130,18 +131,17 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname,
 }

 ssh_bind ssh_bind_new(void) {
-  ssh_bind ptr;
+    ssh_bind ptr;

-  ptr = malloc(sizeof(struct ssh_bind_struct));
-  if (ptr == NULL) {
-    return NULL;
-  }
-  ZERO_STRUCTP(ptr);
-  ptr->bindfd = SSH_INVALID_SOCKET;
-  ptr->bindport= 22;
-  ptr->common.log_verbosity = 0;
+    ptr = calloc(1, sizeof(struct ssh_bind_struct));
+    if (ptr == NULL) {
+        return NULL;
+    }
+    ptr->bindfd = SSH_INVALID_SOCKET;
+    ptr->bindport = 22;
+    ptr->common.log_verbosity = 0;

-  return ptr;
+    return ptr;
 }

 static int ssh_bind_import_keys(ssh_bind sshbind) {
@@ -169,7 +169,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) {
          return SSH_ERROR;
      }

-      if (ssh_key_type(sshbind->ecdsa) != SSH_KEYTYPE_ECDSA) {
+      if (!is_ecdsa_key_type(ssh_key_type(sshbind->ecdsa))) {
          ssh_set_error(sshbind, SSH_FATAL,
                  "The ECDSA host key has the wrong type");
          ssh_key_free(sshbind->ecdsa);
@@ -343,12 +343,24 @@ static int ssh_bind_poll_callback(ssh_poll_handle sshpoll,
 * @param sshbind the ssh_bind object
 * @returns a ssh_poll handle suitable for operation
 */
-ssh_poll_handle ssh_bind_get_poll(ssh_bind sshbind){
-  if(sshbind->poll)
+ssh_poll_handle ssh_bind_get_poll(ssh_bind sshbind)
+{
+    short events = POLLIN;
+
+    if (sshbind->poll) {
+        return sshbind->poll;
+    }
+
+#ifdef POLLRDHUP
+    events |= POLLRDHUP;
+#endif /* POLLRDHUP */
+
+    sshbind->poll = ssh_poll_new(sshbind->bindfd,
+                                 events,
+                                 ssh_bind_poll_callback,
+                                 sshbind);
+
    return sshbind->poll;
-  sshbind->poll=ssh_poll_new(sshbind->bindfd,POLLIN,
-      ssh_bind_poll_callback,sshbind);
-  return sshbind->poll;
 }

 void ssh_bind_set_blocking(ssh_bind sshbind, int blocking) {
@@ -382,6 +394,8 @@ void ssh_bind_free(ssh_bind sshbind){
  /* options */
  SAFE_FREE(sshbind->banner);
  SAFE_FREE(sshbind->bindaddr);
+  SAFE_FREE(sshbind->config_dir);
+  SAFE_FREE(sshbind->pubkey_accepted_key_types);

  SAFE_FREE(sshbind->dsakey);
  SAFE_FREE(sshbind->rsakey);
@@ -397,7 +411,7 @@ void ssh_bind_free(ssh_bind sshbind){
  ssh_key_free(sshbind->ed25519);
  sshbind->ed25519 = NULL;

-  for (i = 0; i < 10; i++) {
+  for (i = 0; i < SSH_KEX_METHODS; i++) {
    if (sshbind->wanted_methods[i]) {
      SAFE_FREE(sshbind->wanted_methods[i]);
    }
@@ -409,15 +423,26 @@ void ssh_bind_free(ssh_bind sshbind){
 int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){
    int i, rc;

+    if (sshbind == NULL) {
+        return SSH_ERROR;
+    }
+
    if (session == NULL){
        ssh_set_error(sshbind, SSH_FATAL,"session is null");
        return SSH_ERROR;
    }

+    /* Apply global bind configurations, if it hasn't been applied before */
+    rc = ssh_bind_options_parse_config(sshbind, NULL);
+    if (rc != 0) {
+        ssh_set_error(sshbind, SSH_FATAL,"Could not parse global config");
+        return SSH_ERROR;
+    }
+
    session->server = 1;

-    /* copy options */
-    for (i = 0; i < 10; i++) {
+    /* Copy options from bind to session */
+    for (i = 0; i < SSH_KEX_METHODS; i++) {
      if (sshbind->wanted_methods[i]) {
        session->opts.wanted_methods[i] = strdup(sshbind->wanted_methods[i]);
        if (session->opts.wanted_methods[i] == NULL) {
@@ -436,6 +461,29 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){
      }
    }

+    if (sshbind->pubkey_accepted_key_types != NULL) {
+        if (session->opts.pubkey_accepted_types == NULL) {
+            session->opts.pubkey_accepted_types = strdup(sshbind->pubkey_accepted_key_types);
+            if (session->opts.pubkey_accepted_types == NULL) {
+                ssh_set_error_oom(sshbind);
+                return SSH_ERROR;
+            }
+        } else {
+            char *p;
+            /* If something was set to the session prior to calling this
+             * function, keep only what is allowed by the options set in
+             * sshbind */
+            p = ssh_find_all_matching(sshbind->pubkey_accepted_key_types,
+                                      session->opts.pubkey_accepted_types);
+            if (p == NULL) {
+                return SSH_ERROR;
+            }
+
+            SAFE_FREE(session->opts.pubkey_accepted_types);
+            session->opts.pubkey_accepted_types = p;
+        }
+    }
+
    session->common.log_verbosity = sshbind->common.log_verbosity;
    if(sshbind->banner != NULL)
    	session->opts.custombanner = strdup(sshbind->banner);
--- a/src/bind_config.c
+++ b/src/bind_config.c
@@ -0,0 +1,638 @@
+/*
+ * bind_config.c - Parse the SSH server configuration file
+ *
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2019 by Red Hat, Inc.
+ *
+ * Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
+
+#include "libssh/bind.h"
+#include "libssh/bind_config.h"
+#include "libssh/config_parser.h"
+#include "libssh/priv.h"
+#include "libssh/server.h"
+#include "libssh/options.h"
+
+#define MAX_LINE_SIZE 1024
+
+/* Flags used for the parser state */
+#define PARSING     1
+#define IN_MATCH    (1<<1)
+
+struct ssh_bind_config_keyword_table_s {
+  const char *name;
+  enum ssh_bind_config_opcode_e opcode;
+  bool allowed_in_match;
+};
+
+static struct ssh_bind_config_keyword_table_s
+ssh_bind_config_keyword_table[] = {
+    {
+        .name   = "include",
+        .opcode = BIND_CFG_INCLUDE
+    },
+    {
+        .name   = "hostkey",
+        .opcode = BIND_CFG_HOSTKEY
+    },
+    {
+        .name   = "listenaddress",
+        .opcode = BIND_CFG_LISTENADDRESS
+    },
+    {
+        .name   = "port",
+        .opcode = BIND_CFG_PORT
+    },
+    {
+        .name   = "loglevel",
+        .opcode = BIND_CFG_LOGLEVEL,
+        .allowed_in_match = true,
+    },
+    {
+        .name   = "ciphers",
+        .opcode = BIND_CFG_CIPHERS
+    },
+    {
+        .name   = "macs",
+        .opcode = BIND_CFG_MACS
+    },
+    {
+        .name   = "kexalgorithms",
+        .opcode = BIND_CFG_KEXALGORITHMS
+    },
+    {
+        .name   = "match",
+        .opcode = BIND_CFG_MATCH,
+        .allowed_in_match = true
+    },
+    {
+        .name   = "pubkeyacceptedkeytypes",
+        .opcode = BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES,
+        .allowed_in_match = true
+    },
+    {
+        .name   = "hostkeyalgorithms",
+        .opcode = BIND_CFG_HOSTKEY_ALGORITHMS,
+        .allowed_in_match = true
+    },
+    {
+        .opcode = BIND_CFG_UNKNOWN,
+    }
+};
+
+enum ssh_bind_config_match_e {
+    BIND_MATCH_UNKNOWN = -1,
+    BIND_MATCH_ALL,
+    BIND_MATCH_USER,
+    BIND_MATCH_GROUP,
+    BIND_MATCH_HOST,
+    BIND_MATCH_LOCALADDRESS,
+    BIND_MATCH_LOCALPORT,
+    BIND_MATCH_RDOMAIN,
+    BIND_MATCH_ADDRESS,
+};
+
+struct ssh_bind_config_match_keyword_table_s {
+    const char *name;
+    enum ssh_bind_config_match_e opcode;
+};
+
+static struct ssh_bind_config_match_keyword_table_s
+ssh_bind_config_match_keyword_table[] = {
+    {
+        .name   = "all",
+        .opcode = BIND_MATCH_ALL
+    },
+    {
+        .name   = "user",
+        .opcode = BIND_MATCH_USER
+    },
+    {
+        .name   = "group",
+        .opcode = BIND_MATCH_GROUP
+    },
+    {
+        .name   = "host",
+        .opcode = BIND_MATCH_HOST
+    },
+    {
+        .name   = "localaddress",
+        .opcode = BIND_MATCH_LOCALADDRESS
+    },
+    {
+        .name   = "localport",
+        .opcode = BIND_MATCH_LOCALPORT
+    },
+    {
+        .name   = "rdomain",
+        .opcode = BIND_MATCH_RDOMAIN
+    },
+    {
+        .name   = "address",
+        .opcode = BIND_MATCH_ADDRESS
+    },
+    {
+        .opcode = BIND_MATCH_UNKNOWN
+    },
+};
+
+static enum ssh_bind_config_opcode_e
+ssh_bind_config_get_opcode(char *keyword, uint32_t *parser_flags)
+{
+    int i;
+
+    for (i = 0; ssh_bind_config_keyword_table[i].name != NULL; i++) {
+        if (strcasecmp(keyword, ssh_bind_config_keyword_table[i].name) == 0) {
+            if ((*parser_flags & IN_MATCH) &&
+                !(ssh_bind_config_keyword_table[i].allowed_in_match))
+            {
+                return BIND_CFG_NOT_ALLOWED_IN_MATCH;
+            }
+            return ssh_bind_config_keyword_table[i].opcode;
+        }
+    }
+
+    return BIND_CFG_UNKNOWN;
+}
+
+static int
+ssh_bind_config_parse_line(ssh_bind bind,
+                           const char *line,
+                           unsigned int count,
+                           uint32_t *parser_flags,
+                           uint8_t *seen);
+
+static void local_parse_file(ssh_bind bind,
+                             const char *filename,
+                             uint32_t *parser_flags,
+                             uint8_t *seen)
+{
+    FILE *f;
+    char line[MAX_LINE_SIZE] = {0};
+    unsigned int count = 0;
+    int rv;
+
+    f = fopen(filename, "r");
+    if (f == NULL) {
+        SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load",
+                filename);
+        return;
+    }
+
+    SSH_LOG(SSH_LOG_PACKET, "Reading additional configuration data from %s",
+            filename);
+
+    while (fgets(line, sizeof(line), f)) {
+        count++;
+        rv = ssh_bind_config_parse_line(bind, line, count, parser_flags, seen);
+        if (rv < 0) {
+            fclose(f);
+            return;
+        }
+    }
+
+    fclose(f);
+    return;
+}
+
+#if defined(HAVE_GLOB) && defined(HAVE_GLOB_GL_FLAGS_MEMBER)
+static void local_parse_glob(ssh_bind bind,
+                             const char *fileglob,
+                             uint32_t *parser_flags,
+                             uint8_t *seen)
+{
+    glob_t globbuf = {
+        .gl_flags = 0,
+    };
+    int rt;
+    u_int i;
+
+    rt = glob(fileglob, GLOB_TILDE, NULL, &globbuf);
+    if (rt == GLOB_NOMATCH) {
+        globfree(&globbuf);
+        return;
+    } else if (rt != 0) {
+        SSH_LOG(SSH_LOG_RARE, "Glob error: %s",
+                fileglob);
+        globfree(&globbuf);
+        return;
+    }
+
+    for (i = 0; i < globbuf.gl_pathc; i++) {
+        local_parse_file(bind, globbuf.gl_pathv[i], parser_flags, seen);
+    }
+
+    globfree(&globbuf);
+}
+#endif /* HAVE_GLOB HAVE_GLOB_GL_FLAGS_MEMBER */
+
+static enum ssh_bind_config_match_e
+ssh_bind_config_get_match_opcode(const char *keyword)
+{
+    size_t i;
+
+    for (i = 0; ssh_bind_config_match_keyword_table[i].name != NULL; i++) {
+        if (strcasecmp(keyword, ssh_bind_config_match_keyword_table[i].name) == 0) {
+            return ssh_bind_config_match_keyword_table[i].opcode;
+        }
+    }
+
+    return BIND_MATCH_UNKNOWN;
+}
+
+static int
+ssh_bind_config_parse_line(ssh_bind bind,
+                           const char *line,
+                           unsigned int count,
+                           uint32_t *parser_flags,
+                           uint8_t *seen)
+{
+    enum ssh_bind_config_opcode_e opcode;
+    const char *p = NULL;
+    char *s = NULL, *x = NULL;
+    char *keyword = NULL;
+    size_t len;
+
+    int rc = 0;
+
+    if (bind == NULL) {
+        return -1;
+    }
+
+    if ((line == NULL) || (parser_flags == NULL)) {
+        ssh_set_error_invalid(bind);
+        return -1;
+    }
+
+    x = s = strdup(line);
+    if (s == NULL) {
+        ssh_set_error_oom(bind);
+        return -1;
+    }
+
+    /* Remove trailing spaces */
+    for (len = strlen(s) - 1; len > 0; len--) {
+        if (! isspace(s[len])) {
+            break;
+        }
+        s[len] = '\0';
+    }
+
+    keyword = ssh_config_get_token(&s);
+    if (keyword == NULL || *keyword == '#' ||
+            *keyword == '\0' || *keyword == '\n') {
+        SAFE_FREE(x);
+        return 0;
+    }
+
+    opcode = ssh_bind_config_get_opcode(keyword, parser_flags);
+    if ((*parser_flags & PARSING) &&
+            opcode != BIND_CFG_HOSTKEY &&
+            opcode != BIND_CFG_INCLUDE &&
+            opcode != BIND_CFG_MATCH &&
+            opcode > BIND_CFG_UNSUPPORTED) { /* Ignore all unknown types here */
+        /* Skip all the options that were already applied */
+        if (seen[opcode] != 0) {
+            SAFE_FREE(x);
+            return 0;
+        }
+        seen[opcode] = 1;
+    }
+
+    switch (opcode) {
+    case BIND_CFG_INCLUDE:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+#if defined(HAVE_GLOB) && defined(HAVE_GLOB_GL_FLAGS_MEMBER)
+            local_parse_glob(bind, p, parser_flags, seen);
+#else
+            local_parse_file(bind, p, parser_flags, seen);
+#endif /* HAVE_GLOB */
+        }
+        break;
+
+    case BIND_CFG_HOSTKEY:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set Hostkey value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_LISTENADDRESS:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDADDR, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set ListenAddress value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_PORT:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set Port value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_CIPHERS:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set C->S Ciphers value '%s'",
+                        count, p);
+                break;
+            }
+
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set S->C Ciphers value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_MACS:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HMAC_C_S, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set C->S MAC value '%s'",
+                        count, p);
+                break;
+            }
+
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HMAC_S_C, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set S->C MAC value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_LOGLEVEL:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            int value = -1;
+
+            if (strcasecmp(p, "quiet") == 0) {
+                value = SSH_LOG_NONE;
+            } else if (strcasecmp(p, "fatal") == 0 ||
+                    strcasecmp(p, "error")== 0 ||
+                    strcasecmp(p, "info") == 0) {
+                value = SSH_LOG_WARN;
+            } else if (strcasecmp(p, "verbose") == 0) {
+                value = SSH_LOG_INFO;
+            } else if (strcasecmp(p, "DEBUG") == 0 ||
+                    strcasecmp(p, "DEBUG1") == 0) {
+                value = SSH_LOG_DEBUG;
+            } else if (strcasecmp(p, "DEBUG2") == 0 ||
+                    strcasecmp(p, "DEBUG3") == 0) {
+                value = SSH_LOG_TRACE;
+            }
+            if (value != -1) {
+                rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY,
+                        &value);
+                if (rc != 0) {
+                    SSH_LOG(SSH_LOG_WARN,
+                            "line %d: Failed to set LogLevel value '%s'",
+                            count, p);
+                }
+            }
+        }
+        break;
+    case BIND_CFG_KEXALGORITHMS:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_KEY_EXCHANGE, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set KexAlgorithms value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_MATCH: {
+        bool negate;
+        int result = PARSING;
+        size_t args = 0;
+        enum ssh_bind_config_match_e opt;
+        const char *p2 = NULL;
+
+        /* The options set in Match blocks should be applied when a connection
+         * is accepted, and not right away when parsing the file (as it is
+         * currently done). This means the configuration files should be parsed
+         * again or the options set in the Match blocks should be stored and
+         * applied as necessary. */
+
+        /* If this is the first Match block, erase the seen table to allow
+         * options to be overridden. Erasing the seen table was the easiest way
+         * to allow overriding an option, but only for the first occurrence of
+         * an option in a Match block. This is sufficient for the current
+         * implementation which supports only the 'All' criterion, meaning the
+         * options can be applied right away. */
+        if (!(*parser_flags & IN_MATCH)) {
+            memset(seen, 0x00, BIND_CFG_MAX * sizeof(uint8_t));
+        }
+
+        /* In this line the PARSING bit is cleared from the flags */
+        *parser_flags = IN_MATCH;
+        do {
+            p = p2 = ssh_config_get_str_tok(&s, NULL);
+            if (p == NULL || p[0] == '\0') {
+                break;
+            }
+            args++;
+            SSH_LOG(SSH_LOG_TRACE, "line %d: Processing Match keyword '%s'",
+                    count, p);
+
+            /* If the option is prefixed with ! the result should be negated */
+            negate = false;
+            if (p[0] == '!') {
+                negate = true;
+                p++;
+            }
+
+            opt = ssh_bind_config_get_match_opcode(p);
+            switch (opt) {
+            case BIND_MATCH_ALL:
+                p = ssh_config_get_str_tok(&s, NULL);
+                if ((args == 1) && (p == NULL || p[0] == '\0')) {
+                    /* The "all" keyword does not accept arguments or modifiers
+                     */
+                    if (negate == true) {
+                        result = 0;
+                    }
+                    break;
+                }
+                ssh_set_error(bind, SSH_FATAL,
+                              "line %d: ERROR - Match all cannot be combined with "
+                              "other Match attributes", count);
+                SAFE_FREE(x);
+                return -1;
+            case BIND_MATCH_USER:
+            case BIND_MATCH_GROUP:
+            case BIND_MATCH_HOST:
+            case BIND_MATCH_LOCALADDRESS:
+            case BIND_MATCH_LOCALPORT:
+            case BIND_MATCH_RDOMAIN:
+            case BIND_MATCH_ADDRESS:
+                /* Only "All" is supported for now */
+                /* Skip one argument */
+                p = ssh_config_get_str_tok(&s, NULL);
+                if (p == NULL || p[0] == '\0') {
+                    SSH_LOG(SSH_LOG_WARN, "line %d: Match keyword "
+                            "'%s' requires argument\n", count, p2);
+                    SAFE_FREE(x);
+                    return -1;
+                }
+                args++;
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Unsupported Match keyword '%s', ignoring\n",
+                        count,
+                        p2);
+                result = 0;
+                break;
+            case BIND_MATCH_UNKNOWN:
+            default:
+                ssh_set_error(bind, SSH_FATAL,
+                              "ERROR - Unknown argument '%s' for Match keyword", p);
+                SAFE_FREE(x);
+                return -1;
+            }
+        } while (p != NULL && p[0] != '\0');
+        if (args == 0) {
+            ssh_set_error(bind, SSH_FATAL,
+                          "ERROR - Match keyword requires an argument");
+            SAFE_FREE(x);
+            return -1;
+        }
+        /* This line only sets the PARSING flag if all checks passed */
+        *parser_flags |= result;
+        break;
+    }
+    case BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind,
+                                 SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set PubKeyAcceptedKeyTypes value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_HOSTKEY_ALGORITHMS:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            rc = ssh_bind_options_set(bind,
+                                 SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p);
+            if (rc != 0) {
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Failed to set HostkeyAlgorithms value '%s'",
+                        count, p);
+            }
+        }
+        break;
+    case BIND_CFG_NOT_ALLOWED_IN_MATCH:
+        SSH_LOG(SSH_LOG_WARN, "Option not allowed in Match block: %s, line: %d",
+                keyword, count);
+        break;
+    case BIND_CFG_UNKNOWN:
+        SSH_LOG(SSH_LOG_WARN, "Unknown option: %s, line: %d",
+                keyword, count);
+        break;
+    case BIND_CFG_UNSUPPORTED:
+        SSH_LOG(SSH_LOG_WARN, "Unsupported option: %s, line: %d",
+                keyword, count);
+        break;
+    case BIND_CFG_NA:
+        SSH_LOG(SSH_LOG_WARN, "Option not applicable: %s, line: %d",
+                keyword, count);
+        break;
+    default:
+        ssh_set_error(bind, SSH_FATAL, "ERROR - unimplemented opcode: %d",
+                opcode);
+        SAFE_FREE(x);
+        return -1;
+        break;
+    }
+
+    SAFE_FREE(x);
+    return rc;
+}
+
+int ssh_bind_config_parse_file(ssh_bind bind, const char *filename)
+{
+    char line[MAX_LINE_SIZE] = {0};
+    unsigned int count = 0;
+    FILE *f;
+    uint32_t parser_flags;
+    int rv;
+
+    /* This local table is used during the parsing of the current file (and
+     * files included recursively in this file) to prevent an option to be
+     * redefined, i.e. the first value set is kept. But this DO NOT prevent the
+     * option to be redefined later by another file. */
+    uint8_t seen[BIND_CFG_MAX] = {0};
+
+    f = fopen(filename, "r");
+    if (f == NULL) {
+        return 0;
+    }
+
+    SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", filename);
+
+    parser_flags = PARSING;
+    while (fgets(line, sizeof(line), f)) {
+        count++;
+        rv = ssh_bind_config_parse_line(bind, line, count, &parser_flags, seen);
+        if (rv) {
+            fclose(f);
+            return -1;
+        }
+    }
+
+    fclose(f);
+    return 0;
+}
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -299,28 +299,33 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
 */
 int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
 {
-  buffer_verify(buffer);
-
-  if (data == NULL) {
-      return -1;
-  }
-
-  if (buffer->used + len < len) {
-    return -1;
-  }
-
-  if (buffer->allocated < (buffer->used + len)) {
-    if(buffer->pos > 0)
-      buffer_shift(buffer);
-    if (realloc_buffer(buffer, buffer->used + len) < 0) {
-      return -1;
+    if (buffer == NULL) {
+        return -1;
    }
-  }

-  memcpy(buffer->data+buffer->used, data, len);
-  buffer->used+=len;
-  buffer_verify(buffer);
-  return 0;
+    buffer_verify(buffer);
+
+    if (data == NULL) {
+        return -1;
+    }
+
+    if (buffer->used + len < len) {
+        return -1;
+    }
+
+    if (buffer->allocated < (buffer->used + len)) {
+        if (buffer->pos > 0) {
+            buffer_shift(buffer);
+        }
+        if (realloc_buffer(buffer, buffer->used + len) < 0) {
+            return -1;
+        }
+    }
+
+    memcpy(buffer->data + buffer->used, data, len);
+    buffer->used += len;
+    buffer_verify(buffer);
+    return 0;
 }

 /**
@@ -809,20 +814,20 @@ ssh_buffer_get_ssh_string(struct ssh_buffer_struct *buffer)
 */
 static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
                                       const char *format,
-                                       int argc,
+                                       size_t argc,
                                       va_list ap)
 {
    const char *p = NULL;
    ssh_string string = NULL;
    char *cstring = NULL;
    size_t needed_size = 0;
-    size_t count;
    size_t len;
+    size_t count;
    int rc = SSH_OK;

    for (p = format, count = 0; *p != '\0'; p++, count++) {
        /* Invalid number of arguments passed */
-        if (argc != -1 && count > argc) {
+        if (count > argc) {
            return SSH_ERROR;
        }

@@ -881,7 +886,7 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
        }
    }

-    if (argc != -1 && argc != count) {
+    if (argc != count) {
        return SSH_ERROR;
    }

@@ -891,11 +896,7 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
         */
        uint32_t canary = va_arg(ap, uint32_t);
        if (canary != SSH_BUFFER_PACK_END) {
-            if (argc == -1){
-                return SSH_ERROR;
-            } else {
-                abort();
-            }
+            abort();
        }
    }

@@ -918,7 +919,7 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
 */
 int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
                       const char *format,
-                       int argc,
+                       size_t argc,
                       va_list ap)
 {
    int rc = SSH_ERROR;
@@ -934,11 +935,15 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
    char *cstring;
    bignum b;
    size_t len;
-    int count;
+    size_t count;
+
+    if (argc > 256) {
+        return SSH_ERROR;
+    }

    for (p = format, count = 0; *p != '\0'; p++, count++) {
        /* Invalid number of arguments passed */
-        if (argc != -1 && count > argc) {
+        if (count > argc) {
            return SSH_ERROR;
        }

@@ -1010,19 +1015,15 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
        }
    }

-    if (argc != -1 && argc != count) {
+    if (argc != count) {
        return SSH_ERROR;
    }

    if (rc != SSH_ERROR){
-        /* Check if our canary is intact, if not somthing really bad happened */
+        /* Check if our canary is intact, if not something really bad happened */
        uint32_t canary = va_arg(ap, uint32_t);
        if (canary != SSH_BUFFER_PACK_END) {
-            if (argc == -1){
-                return SSH_ERROR;
-            } else {
-                abort();
-            }
+            abort();
        }
    }
    return rc;
@@ -1050,12 +1051,16 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
 */
 int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
                     const char *format,
-                     int argc,
+                     size_t argc,
                     ...)
 {
    va_list ap;
    int rc;

+    if (argc > 256) {
+        return SSH_ERROR;
+    }
+
    va_start(ap, argc);
    rc = ssh_buffer_pack_allocate_va(buffer, format, argc, ap);
    va_end(ap);
@@ -1082,11 +1087,11 @@ int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
 */
 int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
                         const char *format,
-                         int argc,
+                         size_t argc,
                         va_list ap)
 {
    int rc = SSH_ERROR;
-    const char *p, *last;
+    const char *p = format, *last;
    union {
        uint8_t *byte;
        uint16_t *word;
@@ -1094,24 +1099,32 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
        uint64_t *qword;
        ssh_string *string;
        char **cstring;
+        bignum *bignum;
        void **data;
    } o;
    size_t len, rlen, max_len;
+    ssh_string tmp_string = NULL;
    va_list ap_copy;
-    int count;
+    size_t count;

    max_len = ssh_buffer_get_len(buffer);

    /* copy the argument list in case a rollback is needed */
    va_copy(ap_copy, ap);

-    for (p = format, count = 0; *p != '\0'; p++, count++) {
+    if (argc > 256) {
+        rc = SSH_ERROR;
+        goto cleanup;
+    }
+
+    for (count = 0; *p != '\0'; p++, count++) {
        /* Invalid number of arguments passed */
-        if (argc != -1 && count > argc) {
+        if (count > argc) {
            rc = SSH_ERROR;
            goto cleanup;
        }

+        rc = SSH_ERROR;
        switch (*p) {
        case 'b':
            o.byte = va_arg(ap, uint8_t *);
@@ -1121,20 +1134,38 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
        case 'w':
            o.word = va_arg(ap,  uint16_t *);
            rlen = ssh_buffer_get_data(buffer, o.word, sizeof(uint16_t));
-            *o.word = ntohs(*o.word);
-            rc = rlen==2 ? SSH_OK : SSH_ERROR;
+            if (rlen == 2) {
+                *o.word = ntohs(*o.word);
+                rc = SSH_OK;
+            }
            break;
        case 'd':
            o.dword = va_arg(ap, uint32_t *);
            rlen = ssh_buffer_get_u32(buffer, o.dword);
-            *o.dword = ntohl(*o.dword);
-            rc = rlen==4 ? SSH_OK : SSH_ERROR;
+            if (rlen == 4) {
+                *o.dword = ntohl(*o.dword);
+                rc = SSH_OK;
+            }
            break;
        case 'q':
            o.qword = va_arg(ap, uint64_t*);
            rlen = ssh_buffer_get_u64(buffer, o.qword);
-            *o.qword = ntohll(*o.qword);
-            rc = rlen==8 ? SSH_OK : SSH_ERROR;
+            if (rlen == 8) {
+                *o.qword = ntohll(*o.qword);
+                rc = SSH_OK;
+            }
+            break;
+        case 'B':
+            o.bignum = va_arg(ap, bignum *);
+            *o.bignum = NULL;
+            tmp_string = ssh_buffer_get_ssh_string(buffer);
+            if (tmp_string == NULL) {
+                break;
+            }
+            *o.bignum = ssh_make_string_bn(tmp_string);
+            ssh_string_burn(tmp_string);
+            SSH_STRING_FREE(tmp_string);
+            rc = (*o.bignum != NULL) ? SSH_OK : SSH_ERROR;
            break;
        case 'S':
            o.string = va_arg(ap, ssh_string *);
@@ -1147,14 +1178,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,

            o.cstring = va_arg(ap, char **);
            *o.cstring = NULL;
-            rc = ssh_buffer_get_u32(buffer, &u32len);
-            if (rc != 4){
-                rc = SSH_ERROR;
+            rlen = ssh_buffer_get_u32(buffer, &u32len);
+            if (rlen != 4){
                break;
            }
            len = ntohl(u32len);
            if (len > max_len - 1) {
-                rc = SSH_ERROR;
                break;
            }

@@ -1210,14 +1239,13 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
            break;
        default:
            SSH_LOG(SSH_LOG_WARN, "Invalid buffer format %c", *p);
-            rc = SSH_ERROR;
        }
        if (rc != SSH_OK) {
            break;
        }
    }

-    if (argc != -1 && argc != count) {
+    if (argc != count) {
        rc = SSH_ERROR;
    }

@@ -1226,11 +1254,7 @@ cleanup:
        /* Check if our canary is intact, if not something really bad happened */
        uint32_t canary = va_arg(ap, uint32_t);
        if (canary != SSH_BUFFER_PACK_END){
-            if (argc == -1){
-                rc = SSH_ERROR;
-            } else {
-                abort();
-            }
+            abort();
        }
    }

@@ -1267,6 +1291,10 @@ cleanup:
                    break;
                }
                break;
+            case 'B':
+                o.bignum = va_arg(ap_copy, bignum *);
+                bignum_safe_free(*o.bignum);
+                break;
            case 'S':
                o.string = va_arg(ap_copy, ssh_string *);
                if (buffer->secure) {
@@ -1313,6 +1341,7 @@ cleanup:
 *                         's': char ** (C string, pulled as SSH string)
 *                         'P': size_t, void ** (len of data, pointer to data)
 *                              only pulls data.
+ *                         'B': bignum * (pulled as SSH string)
 * @returns             SSH_OK on success
 *                      SSH_ERROR on error
 * @warning             when using 'P' with a constant size (e.g. 8), do not
@@ -1320,7 +1349,7 @@ cleanup:
 */
 int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer,
                       const char *format,
-                       int argc,
+                       size_t argc,
                       ...)
 {
    va_list ap;
--- a/src/chachapoly.c
+++ b/src/chachapoly.c
@@ -109,11 +109,11 @@ static void chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
                         out_packet->payload,
                         len - sizeof(uint32_t));

-    /* ssh_print_hexa("poly1305_ctx", poly1305_ctx, sizeof(poly1305_ctx)); */
+    /* ssh_log_hexdump("poly1305_ctx", poly1305_ctx, sizeof(poly1305_ctx)); */
    /* step 4, compute the MAC */
    poly1305_auth(tag, (uint8_t *)out_packet, len, poly1305_ctx);
-    /* ssh_print_hexa("poly1305 src", (uint8_t *)out_packet, len);
-    ssh_print_hexa("poly1305 tag", tag, POLY1305_TAGLEN); */
+    /* ssh_log_hexdump("poly1305 src", (uint8_t *)out_packet, len);
+    ssh_log_hexdump("poly1305 tag", tag, POLY1305_TAGLEN); */
 }

 static int chacha20_poly1305_aead_decrypt_length(
@@ -159,17 +159,17 @@ static int chacha20_poly1305_aead_decrypt(struct ssh_cipher_struct *cipher,
                         poly1305_ctx,
                         POLY1305_KEYLEN);
 #if 0
-    ssh_print_hexa("poly1305_ctx", poly1305_ctx, sizeof(poly1305_ctx));
+    ssh_log_hexdump("poly1305_ctx", poly1305_ctx, sizeof(poly1305_ctx));
 #endif

    poly1305_auth(tag, (uint8_t *)complete_packet, encrypted_size +
            sizeof(uint32_t), poly1305_ctx);
 #if 0
-    ssh_print_hexa("poly1305 src",
+    ssh_log_hexdump("poly1305 src",
                   (uint8_t*)complete_packet,
                   encrypted_size + 4);
-    ssh_print_hexa("poly1305 tag", tag, POLY1305_TAGLEN);
-    ssh_print_hexa("received tag", mac, POLY1305_TAGLEN);
+    ssh_log_hexdump("poly1305 tag", tag, POLY1305_TAGLEN);
+    ssh_log_hexdump("received tag", mac, POLY1305_TAGLEN);
 #endif

    cmp = memcmp(tag, mac, POLY1305_TAGLEN);
@@ -192,6 +192,7 @@ static void chacha20_cleanup(struct ssh_cipher_struct *cipher) {
 }

 const struct ssh_cipher_struct chacha20poly1305_cipher = {
+    .ciphertype = SSH_AEAD_CHACHA20_POLY1305,
    .name = "chacha20-poly1305@openssh.com",
    .blocksize = 8,
    .lenfield_blocksize = 4,
--- a/src/channels.c
+++ b/src/channels.c
@@ -29,6 +29,9 @@
 #include <errno.h>
 #include <time.h>
 #include <stdbool.h>
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif /* HAVE_SYS_TIME_H */

 #ifndef _WIN32
 #include <netinet/in.h>
@@ -85,6 +88,11 @@ ssh_channel ssh_channel_new(ssh_session session)
        return NULL;
    }

+    /* Check if we have an authenticated session */
+    if (!(session->flags & SSH_SESSION_FLAG_AUTHENTICATED)) {
+        return NULL;
+    }
+
    channel = calloc(1, sizeof(struct ssh_channel_struct));
    if (channel == NULL) {
        ssh_set_error_oom(session);
@@ -101,7 +109,7 @@ ssh_channel ssh_channel_new(ssh_session session)
    channel->stderr_buffer = ssh_buffer_new();
    if (channel->stderr_buffer == NULL) {
        ssh_set_error_oom(session);
-        ssh_buffer_free(channel->stdout_buffer);
+        SSH_BUFFER_FREE(channel->stdout_buffer);
        SAFE_FREE(channel);
        return NULL;
    }
@@ -112,10 +120,21 @@ ssh_channel ssh_channel_new(ssh_session session)

    if (session->channels == NULL) {
        session->channels = ssh_list_new();
+        if (session->channels == NULL) {
+            ssh_set_error_oom(session);
+            SSH_BUFFER_FREE(channel->stdout_buffer);
+            SSH_BUFFER_FREE(channel->stderr_buffer);
+            SAFE_FREE(channel);
+            return NULL;
+        }
    }

    ssh_list_prepend(session->channels, channel);

+    /* Set states explicitly */
+    channel->state = SSH_CHANNEL_STATE_NOT_OPEN;
+    channel->request_state = SSH_CHANNEL_REQ_STATE_NONE;
+
    return channel;
 }

@@ -154,8 +173,8 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){
  channel=ssh_channel_from_local(session,channelid);
  if(channel==NULL){
    ssh_set_error(session, SSH_FATAL,
-        "Unknown channel id %lu",
-        (long unsigned int) channelid);
+        "Unknown channel id %"PRIu32,
+        (uint32_t) channelid);
    /* TODO: Set error marking in channel object */

    return SSH_PACKET_USED;
@@ -182,9 +201,9 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){
  }

  SSH_LOG(SSH_LOG_PROTOCOL,
-      "Remote window : %lu, maxpacket : %lu",
-      (long unsigned int) channel->remote_window,
-      (long unsigned int) channel->remote_maxpacket);
+      "Remote window : %"PRIu32", maxpacket : %"PRIu32,
+      (uint32_t) channel->remote_window,
+      (uint32_t) channel->remote_maxpacket);

  channel->state = SSH_CHANNEL_STATE_OPEN;
  channel->flags &= ~SSH_CHANNEL_FLAG_NOT_BOUND;
@@ -230,9 +249,9 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
  }

  ssh_set_error(session, SSH_REQUEST_DENIED,
-      "Channel opening failure: channel %u error (%lu) %s",
+      "Channel opening failure: channel %u error (%"PRIu32") %s",
      channel->local_channel,
-      (long unsigned int) code,
+      (uint32_t) code,
      error);
  SAFE_FREE(error);
  channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;
@@ -269,75 +288,92 @@ static int ssh_channel_open_termination(void *c){
 * @param[in]  maxpacket The maximum packet size allowed (like MTU).
 *
 * @param[in]  payload   The buffer containing additional payload for the query.
+ *
+ * @return             SSH_OK if successful; SSH_ERROR otherwise.
 */
-static int channel_open(ssh_channel channel, const char *type, int window,
-    int maxpacket, ssh_buffer payload) {
-  ssh_session session = channel->session;
-  int err=SSH_ERROR;
-  int rc;
+static int
+channel_open(ssh_channel channel,
+             const char *type,
+             uint32_t window,
+             uint32_t maxpacket,
+             ssh_buffer payload)
+{
+    ssh_session session = channel->session;
+    int err = SSH_ERROR;
+    int rc;

-  switch(channel->state){
-  case SSH_CHANNEL_STATE_NOT_OPEN:
-    break;
-  case SSH_CHANNEL_STATE_OPENING:
-    goto pending;
-  case SSH_CHANNEL_STATE_OPEN:
-  case SSH_CHANNEL_STATE_CLOSED:
-  case SSH_CHANNEL_STATE_OPEN_DENIED:
-    goto end;
-  default:
-    ssh_set_error(session,SSH_FATAL,"Bad state in channel_open: %d",channel->state);
-  }
-  channel->local_channel = ssh_channel_new_id(session);
-  channel->local_maxpacket = maxpacket;
-  channel->local_window = window;
-
-  SSH_LOG(SSH_LOG_PROTOCOL,
-      "Creating a channel %d with %d window and %d max packet",
-      channel->local_channel, window, maxpacket);
-
-  rc = ssh_buffer_pack(session->out_buffer,
-                       "bsddd",
-                       SSH2_MSG_CHANNEL_OPEN,
-                       type,
-                       channel->local_channel,
-                       channel->local_window,
-                       channel->local_maxpacket);
-  if (rc != SSH_OK){
-    ssh_set_error_oom(session);
-    return err;
-  }
-
-  if (payload != NULL) {
-    if (ssh_buffer_add_buffer(session->out_buffer, payload) < 0) {
-      ssh_set_error_oom(session);
-
-      return err;
+    switch (channel->state) {
+    case SSH_CHANNEL_STATE_NOT_OPEN:
+        break;
+    case SSH_CHANNEL_STATE_OPENING:
+        goto pending;
+    case SSH_CHANNEL_STATE_OPEN:
+    case SSH_CHANNEL_STATE_CLOSED:
+    case SSH_CHANNEL_STATE_OPEN_DENIED:
+        goto end;
+    default:
+        ssh_set_error(session, SSH_FATAL, "Bad state in channel_open: %d",
+                      channel->state);
+    }
+
+    channel->local_channel = ssh_channel_new_id(session);
+    channel->local_maxpacket = maxpacket;
+    channel->local_window = window;
+
+    SSH_LOG(SSH_LOG_PROTOCOL,
+            "Creating a channel %d with %d window and %d max packet",
+            channel->local_channel, window, maxpacket);
+
+    rc = ssh_buffer_pack(session->out_buffer,
+                         "bsddd",
+                         SSH2_MSG_CHANNEL_OPEN,
+                         type,
+                         channel->local_channel,
+                         channel->local_window,
+                         channel->local_maxpacket);
+    if (rc != SSH_OK) {
+        ssh_set_error_oom(session);
+        return err;
+    }
+
+    if (payload != NULL) {
+        if (ssh_buffer_add_buffer(session->out_buffer, payload) < 0) {
+            ssh_set_error_oom(session);
+
+            return err;
+        }
+    }
+    channel->state = SSH_CHANNEL_STATE_OPENING;
+    if (ssh_packet_send(session) == SSH_ERROR) {
+        return err;
+    }
+
+    SSH_LOG(SSH_LOG_PACKET,
+            "Sent a SSH_MSG_CHANNEL_OPEN type %s for channel %d",
+            type, channel->local_channel);
+
+pending:
+    /* wait until channel is opened by server */
+    err = ssh_handle_packets_termination(session,
+                                         SSH_TIMEOUT_DEFAULT,
+                                         ssh_channel_open_termination,
+                                         channel);
+
+    if (session->session_state == SSH_SESSION_STATE_ERROR) {
+        err = SSH_ERROR;
+    }
+
+end:
+    /* This needs to pass the SSH_AGAIN from the above,
+     * but needs to catch failed channel states */
+    if (channel->state == SSH_CHANNEL_STATE_OPEN) {
+        err = SSH_OK;
+    } else if (err != SSH_AGAIN) {
+        /* Messages were handled correctly, but he channel state is invalid */
+        err = SSH_ERROR;
    }
-  }
-  channel->state = SSH_CHANNEL_STATE_OPENING;
-  if (ssh_packet_send(session) == SSH_ERROR) {

    return err;
-  }
-
-  SSH_LOG(SSH_LOG_PACKET,
-      "Sent a SSH_MSG_CHANNEL_OPEN type %s for channel %d",
-      type, channel->local_channel);
-pending:
-  /* wait until channel is opened by server */
-  err = ssh_handle_packets_termination(session,
-                                       SSH_TIMEOUT_DEFAULT,
-                                       ssh_channel_open_termination,
-                                       channel);
-
-  if (session->session_state == SSH_SESSION_STATE_ERROR)
-    err = SSH_ERROR;
-end:
-  if(channel->state == SSH_CHANNEL_STATE_OPEN)
-    err=SSH_OK;
-
-  return err;
 }

 /* return channel with corresponding local id, or NULL if not found */
@@ -364,8 +400,12 @@ ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) {
 * @param session SSH session
 * @param channel SSH channel
 * @param minimumsize The minimum acceptable size for the new window.
+ * @return            SSH_OK if successful; SSH_ERROR otherwise.
 */
-static int grow_window(ssh_session session, ssh_channel channel, int minimumsize) {
+static int grow_window(ssh_session session,
+                       ssh_channel channel,
+                       uint32_t minimumsize)
+{
  uint32_t new_window = minimumsize > WINDOWBASE ? minimumsize : WINDOWBASE;
  int rc;

@@ -419,7 +459,7 @@ error:
 * @param[in]  packet   The buffer to parse packet from. The read pointer will
 *                      be moved after the call.
 *
- * @returns             The related ssh_channel, or NULL if the channel is
+ * @return              The related ssh_channel, or NULL if the channel is
 *                      unknown or the packet is invalid.
 */
 static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) {
@@ -437,8 +477,8 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) {
  channel = ssh_channel_from_local(session, chan);
  if (channel == NULL) {
    ssh_set_error(session, SSH_FATAL,
-        "Server specified invalid channel %lu",
-        (long unsigned int) chan);
+        "Server specified invalid channel %"PRIu32,
+        (uint32_t) chan);
  }

  return channel;
@@ -530,7 +570,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){

  if (channel_default_bufferize(channel, ssh_string_data(str), len,
        is_stderr) < 0) {
-    ssh_string_free(str);
+    SSH_STRING_FREE(str);

    return SSH_PACKET_USED;
  }
@@ -546,7 +586,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){
      channel->local_window,
      channel->remote_window);

-  ssh_string_free(str);
+  SSH_STRING_FREE(str);

  if (is_stderr) {
      buf = channel->stderr_buffer;
@@ -684,6 +724,10 @@ SSH_PACKET_CALLBACK(channel_rcv_request) {
 	if (strcmp(request,"exit-status") == 0) {
        SAFE_FREE(request);
        rc = ssh_buffer_unpack(packet, "d", &channel->exit_status);
+        if (rc != SSH_OK) {
+            SSH_LOG(SSH_LOG_PACKET, "Invalid exit-status packet");
+            return SSH_PACKET_USED;
+        }
        SSH_LOG(SSH_LOG_PACKET, "received exit-status %d", channel->exit_status);

        ssh_callbacks_execute_list(channel->callbacks,
@@ -810,8 +854,10 @@ SSH_PACKET_CALLBACK(channel_rcv_request) {
 *
 * FIXME is the window changed?
 */
-int channel_default_bufferize(ssh_channel channel, void *data, int len,
-    int is_stderr) {
+int channel_default_bufferize(ssh_channel channel,
+                              void *data, size_t len,
+                              bool is_stderr)
+{
  ssh_session session;

  if(channel == NULL) {
@@ -826,8 +872,10 @@ int channel_default_bufferize(ssh_channel channel, void *data, int len,
  }

  SSH_LOG(SSH_LOG_PACKET,
-      "placing %d bytes into channel buffer (stderr=%d)", len, is_stderr);
-  if (is_stderr == 0) {
+          "placing %zu bytes into channel buffer (%s)",
+          len,
+          is_stderr ? "stderr" : "stdout");
+  if (!is_stderr) {
    /* stdout */
    if (channel->stdout_buffer == NULL) {
      channel->stdout_buffer = ssh_buffer_new();
@@ -839,7 +887,7 @@ int channel_default_bufferize(ssh_channel channel, void *data, int len,

    if (ssh_buffer_add_data(channel->stdout_buffer, data, len) < 0) {
      ssh_set_error_oom(session);
-      ssh_buffer_free(channel->stdout_buffer);
+      SSH_BUFFER_FREE(channel->stdout_buffer);
      channel->stdout_buffer = NULL;
      return -1;
    }
@@ -855,7 +903,7 @@ int channel_default_bufferize(ssh_channel channel, void *data, int len,

    if (ssh_buffer_add_data(channel->stderr_buffer, data, len) < 0) {
      ssh_set_error_oom(session);
-      ssh_buffer_free(channel->stderr_buffer);
+      SSH_BUFFER_FREE(channel->stderr_buffer);
      channel->stderr_buffer = NULL;
      return -1;
    }
@@ -986,12 +1034,94 @@ int ssh_channel_open_forward(ssh_channel channel, const char *remotehost,
                    payload);

 error:
-  ssh_buffer_free(payload);
-  ssh_string_free(str);
+  SSH_BUFFER_FREE(payload);
+  SSH_STRING_FREE(str);

  return rc;
 }

+/**
+ * @brief Open a TCP/IP - UNIX domain socket forwarding channel.
+ *
+ * @param[in]  channel  An allocated channel.
+ *
+ * @param[in]  remotepath   The UNIX socket path on the remote machine
+ *
+ * @param[in]  sourcehost   The numeric IP address of the machine from where the
+ *                          connection request originates. This is mostly for
+ *                          logging purposes.
+ *
+ * @param[in]  localport    The port on the host from where the connection
+ *                          originated. This is mostly for logging purposes.
+ *
+ * @return              SSH_OK on success,
+ *                      SSH_ERROR if an error occurred,
+ *                      SSH_AGAIN if in nonblocking mode and call has
+ *                      to be done again.
+ *
+ * @warning This function does not bind the local port and does not
+ *          automatically forward the content of a socket to the channel.
+ *          You still have to use channel_read and channel_write for this.
+ * @warning Requires support of OpenSSH for UNIX domain socket forwarding.
+  */
+int ssh_channel_open_forward_unix(ssh_channel channel,
+                                  const char *remotepath,
+                                  const char *sourcehost,
+                                  int localport)
+{
+    ssh_session session = NULL;
+    ssh_buffer payload = NULL;
+    ssh_string str = NULL;
+    int rc = SSH_ERROR;
+    int version;
+
+    if (channel == NULL) {
+        return rc;
+    }
+
+    session = channel->session;
+
+    version = ssh_get_openssh_version(session);
+    if (version == 0) {
+        ssh_set_error(session,
+                      SSH_REQUEST_DENIED,
+                      "We're not connected to an OpenSSH server!");
+        return SSH_ERROR;
+    }
+
+    if (remotepath == NULL || sourcehost == NULL) {
+        ssh_set_error_invalid(session);
+        return rc;
+    }
+
+    payload = ssh_buffer_new();
+    if (payload == NULL) {
+        ssh_set_error_oom(session);
+        goto error;
+    }
+
+    rc = ssh_buffer_pack(payload,
+                         "ssd",
+                         remotepath,
+                         sourcehost,
+                         localport);
+    if (rc != SSH_OK) {
+        ssh_set_error_oom(session);
+        goto error;
+    }
+
+    rc = channel_open(channel,
+                      "direct-streamlocal@openssh.com",
+                      CHANNEL_INITIAL_WINDOW,
+                      CHANNEL_MAX_PACKET,
+                      payload);
+
+error:
+    SSH_BUFFER_FREE(payload);
+    SSH_STRING_FREE(str);
+
+    return rc;
+}

 /**
 * @brief Close and free a channel.
@@ -1061,13 +1191,15 @@ void ssh_channel_do_free(ssh_channel channel)
        ssh_list_remove(session->channels, it);
    }

-    ssh_buffer_free(channel->stdout_buffer);
-    ssh_buffer_free(channel->stderr_buffer);
+    SSH_BUFFER_FREE(channel->stdout_buffer);
+    SSH_BUFFER_FREE(channel->stderr_buffer);

    if (channel->callbacks != NULL) {
        ssh_list_free(channel->callbacks);
+        channel->callbacks = NULL;
    }

+    channel->session = NULL;
    SAFE_FREE(channel);
 }

@@ -1099,43 +1231,52 @@ void ssh_channel_do_free(ssh_channel channel)
 * @see ssh_channel_free()
 * @see ssh_channel_is_eof()
 */
-int ssh_channel_send_eof(ssh_channel channel){
-  ssh_session session;
-  int rc = SSH_ERROR;
-  int err;
+int ssh_channel_send_eof(ssh_channel channel)
+{
+    ssh_session session;
+    int rc = SSH_ERROR;
+    int err;

-  if(channel == NULL) {
-      return rc;
-  }
+    if (channel == NULL || channel->session == NULL) {
+        return rc;
+    }

-  session = channel->session;
+    /* If the EOF has already been sent we're done here. */
+    if (channel->local_eof != 0) {
+        return SSH_OK;
+    }

-  err = ssh_buffer_pack(session->out_buffer,
-                        "bd",
-                        SSH2_MSG_CHANNEL_EOF,
-                        channel->remote_channel);
-  if (err != SSH_OK) {
-    ssh_set_error_oom(session);
-    goto error;
-  }
+    session = channel->session;

-  rc = ssh_packet_send(session);
-  SSH_LOG(SSH_LOG_PACKET,
-      "Sent a EOF on client channel (%d:%d)",
-      channel->local_channel,
-      channel->remote_channel);
+    err = ssh_buffer_pack(session->out_buffer,
+                          "bd",
+                          SSH2_MSG_CHANNEL_EOF,
+                          channel->remote_channel);
+    if (err != SSH_OK) {
+        ssh_set_error_oom(session);
+        goto error;
+    }

-  rc = ssh_channel_flush(channel);
-  if(rc == SSH_ERROR)
-    goto error;
+    rc = ssh_packet_send(session);
+    SSH_LOG(SSH_LOG_PACKET,
+        "Sent a EOF on client channel (%d:%d)",
+        channel->local_channel,
+        channel->remote_channel);
+    if (rc != SSH_OK) {
+        goto error;
+    }

-  channel->local_eof = 1;
+    rc = ssh_channel_flush(channel);
+    if (rc == SSH_ERROR) {
+        goto error;
+    }
+    channel->local_eof = 1;

-  return rc;
+    return rc;
 error:
-  ssh_buffer_reinit(session->out_buffer);
+    ssh_buffer_reinit(session->out_buffer);

-  return rc;
+    return rc;
 }

 /**
@@ -1167,10 +1308,7 @@ int ssh_channel_close(ssh_channel channel)

    session = channel->session;

-    if (channel->local_eof == 0) {
-        rc = ssh_channel_send_eof(channel);
-    }
-
+    rc = ssh_channel_send_eof(channel);
    if (rc != SSH_OK) {
        return rc;
    }
@@ -1237,9 +1375,9 @@ static int ssh_waitsession_unblocked(void *s){
 * @brief Flushes a channel (and its session) until the output buffer
 *        is empty, or timeout elapsed.
 * @param channel SSH channel
- * @returns SSH_OK On success,
- *          SSH_ERROR on error
- *          SSH_AGAIN Timeout elapsed (or in nonblocking mode)
+ * @return  SSH_OK On success,
+ *          SSH_ERROR On error.
+ *          SSH_AGAIN Timeout elapsed (or in nonblocking mode).
 */
 int ssh_channel_flush(ssh_channel channel){
  return ssh_blocking_flush(channel->session, SSH_TIMEOUT_DEFAULT);
@@ -1713,7 +1851,7 @@ int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal,
 pending:
  rc = channel_request(channel, "pty-req", buffer, 1);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);

  return rc;
 }
@@ -1773,7 +1911,7 @@ int ssh_channel_change_pty_size(ssh_channel channel, int cols, int rows) {

  rc = channel_request(channel, "window-change", buffer, 0);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);

  return rc;
 }
@@ -1842,11 +1980,23 @@ int ssh_channel_request_subsystem(ssh_channel channel, const char *subsys) {
 pending:
  rc = channel_request(channel, "subsystem", buffer, 1);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);

  return rc;
 }

+/**
+ * @brief Request sftp subsystem on the channel
+ *
+ * @param[in]  channel The channel to request the sftp subsystem.
+ *
+ * @return              SSH_OK on success,
+ *                      SSH_ERROR if an error occurred,
+ *                      SSH_AGAIN if in nonblocking mode and call has
+ *                      to be done again.
+ *
+ * @note You should use sftp_new() which does this for you.
+ */
 int ssh_channel_request_sftp( ssh_channel channel){
    if(channel == NULL) {
        return SSH_ERROR;
@@ -1946,7 +2096,7 @@ pending:
  rc = channel_request(channel, "x11-req", buffer, 1);

 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

@@ -2259,7 +2409,7 @@ pending:
  }

 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

@@ -2331,7 +2481,7 @@ pending:
  rc = ssh_global_request(session, "cancel-tcpip-forward", buffer, 1);

 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

@@ -2389,7 +2539,7 @@ int ssh_channel_request_env(ssh_channel channel, const char *name, const char *v
 pending:
  rc = channel_request(channel, "env", buffer,1);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);

  return rc;
 }
@@ -2411,12 +2561,12 @@ error:
 *
 * Example:
@code
-   rc = channel_request_exec(channel, "ps aux");
+   rc = ssh_channel_request_exec(channel, "ps aux");
   if (rc > 0) {
       return -1;
   }

-   while ((rc = channel_read(channel, buffer, sizeof(buffer), 0)) > 0) {
+   while ((rc = ssh_channel_read(channel, buffer, sizeof(buffer), 0)) > 0) {
       if (fwrite(buffer, 1, rc, stdout) != (unsigned int) rc) {
           return -1;
       }
@@ -2458,7 +2608,7 @@ int ssh_channel_request_exec(ssh_channel channel, const char *cmd) {
 pending:
  rc = channel_request(channel, "exec", buffer, 1);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

@@ -2521,7 +2671,7 @@ int ssh_channel_request_send_signal(ssh_channel channel, const char *sig) {

  rc = channel_request(channel, "signal", buffer, 0);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

@@ -2564,7 +2714,7 @@ int ssh_channel_request_send_break(ssh_channel channel, uint32_t length) {
    rc = channel_request(channel, "break", buffer, 0);

 error:
-    ssh_buffer_free(buffer);
+    SSH_BUFFER_FREE(buffer);
    return rc;
 }

@@ -2774,7 +2924,7 @@ int ssh_channel_read_timeout(ssh_channel channel,
  ctx.buffer = stdbuf;
  ctx.count = 1;

-  if (timeout_ms < 0) {
+  if (timeout_ms < SSH_TIMEOUT_DEFAULT) {
      timeout_ms = SSH_TIMEOUT_INFINITE;
  }

@@ -2789,12 +2939,18 @@ int ssh_channel_read_timeout(ssh_channel channel,
  /*
   * If the channel is closed or in an error state, reading from it is an error
   */
-  if (session->session_state == SSH_SESSION_STATE_ERROR ||
-      channel->state == SSH_CHANNEL_STATE_CLOSED) {
+  if (session->session_state == SSH_SESSION_STATE_ERROR) {
      return SSH_ERROR;
  }
+  /* If the server closed the channel properly, there is nothing to do */
  if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
-    return 0;
+      return 0;
+  }
+  if (channel->state == SSH_CHANNEL_STATE_CLOSED) {
+      ssh_set_error(session,
+                    SSH_FATAL,
+                    "Remote channel is closed.");
+      return SSH_ERROR;
  }
  len = ssh_buffer_get_len(stdbuf);
  /* Read count bytes if len is greater, everything otherwise */
@@ -2835,42 +2991,45 @@ int ssh_channel_read_timeout(ssh_channel channel,
 *
 * @see ssh_channel_is_eof()
 */
-int ssh_channel_read_nonblocking(ssh_channel channel, void *dest, uint32_t count,
-    int is_stderr) {
-  ssh_session session;
-  int to_read;
-  int rc;
-  int blocking;
+int ssh_channel_read_nonblocking(ssh_channel channel,
+                                 void *dest,
+                                 uint32_t count,
+                                 int is_stderr)
+{
+    ssh_session session;
+    ssize_t to_read;
+    int rc;
+    int blocking;

-  if(channel == NULL) {
-      return SSH_ERROR;
-  }
-  if(dest == NULL) {
-      ssh_set_error_invalid(channel->session);
-      return SSH_ERROR;
-  }
+    if(channel == NULL) {
+        return SSH_ERROR;
+    }
+    if(dest == NULL) {
+        ssh_set_error_invalid(channel->session);
+        return SSH_ERROR;
+    }

-  session = channel->session;
+    session = channel->session;

-  to_read = ssh_channel_poll(channel, is_stderr);
+    to_read = ssh_channel_poll(channel, is_stderr);

-  if (to_read <= 0) {
-      if (session->session_state == SSH_SESSION_STATE_ERROR){
-          return SSH_ERROR;
-      }
+    if (to_read <= 0) {
+        if (session->session_state == SSH_SESSION_STATE_ERROR){
+            return SSH_ERROR;
+        }

-      return to_read; /* may be an error code */
-  }
+        return to_read; /* may be an error code */
+    }

-  if (to_read > (int)count) {
-    to_read = (int)count;
-  }
-  blocking = ssh_is_blocking(session);
-  ssh_set_blocking(session, 0);
-  rc = ssh_channel_read(channel, dest, to_read, is_stderr);
-  ssh_set_blocking(session,blocking);
+    if ((size_t)to_read > count) {
+        to_read = (ssize_t)count;
+    }
+    blocking = ssh_is_blocking(session);
+    ssh_set_blocking(session, 0);
+    rc = ssh_channel_read(channel, dest, (uint32_t)to_read, is_stderr);
+    ssh_set_blocking(session,blocking);

-  return rc;
+    return rc;
 }

 /**
@@ -2939,38 +3098,57 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr){
 *
 * @see ssh_channel_is_eof()
 */
-int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr){
-  ssh_session session;
-  ssh_buffer stdbuf;
-  struct ssh_channel_read_termination_struct ctx;
-  int rc;
+int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
+{
+    ssh_session session;
+    ssh_buffer stdbuf;
+    struct ssh_channel_read_termination_struct ctx;
+    size_t len;
+    int rc;

-  if(channel == NULL) {
-      return SSH_ERROR;
-  }
+    if (channel == NULL) {
+        return SSH_ERROR;
+    }

-  session = channel->session;
-  stdbuf = channel->stdout_buffer;
+    session = channel->session;
+    stdbuf = channel->stdout_buffer;

-  if (is_stderr) {
-    stdbuf = channel->stderr_buffer;
-  }
-  ctx.buffer = stdbuf;
-  ctx.channel = channel;
-  ctx.count = 1;
-  rc = ssh_handle_packets_termination(channel->session, timeout,
-      ssh_channel_read_termination, &ctx);
-  if(rc ==SSH_ERROR || session->session_state == SSH_SESSION_STATE_ERROR){
-    rc = SSH_ERROR;
-    goto end;
-  }
-  rc = ssh_buffer_get_len(stdbuf);
-  if(rc > 0)
-    goto end;
-  if (channel->remote_eof)
-    rc = SSH_EOF;
-end:
-  return rc;
+    if (is_stderr) {
+        stdbuf = channel->stderr_buffer;
+    }
+    ctx.buffer = stdbuf;
+    ctx.channel = channel;
+    ctx.count = 1;
+    rc = ssh_handle_packets_termination(channel->session,
+                                        timeout,
+                                        ssh_channel_read_termination,
+                                        &ctx);
+    if (rc == SSH_ERROR ||
+        session->session_state == SSH_SESSION_STATE_ERROR) {
+        rc = SSH_ERROR;
+        goto out;
+    } else if (rc == SSH_AGAIN) {
+        /* If the above timeout expired, it is ok and we do not need to
+         * attempt to check the read buffer. The calling functions do not
+         * expect us to return SSH_AGAIN either here. */
+        rc = SSH_OK;
+        goto out;
+    }
+    len = ssh_buffer_get_len(stdbuf);
+    if (len > 0) {
+        if (len > INT_MAX) {
+            rc = SSH_ERROR;
+        } else {
+            rc = (int)len;
+        }
+        goto out;
+    }
+    if (channel->remote_eof) {
+        rc = SSH_EOF;
+    }
+
+out:
+    return rc;
 }

 /**
@@ -3006,8 +3184,8 @@ static int ssh_channel_exit_status_termination(void *c){
 *
 * @param[in]  channel  The channel to get the status from.
 *
- * @returns             The exit status, -1 if no exit status has been returned
- *                      (yet).
+ * @return              The exit status, -1 if no exit status has been returned
+ *                      (yet), or SSH_ERROR on error.
 * @warning             This function may block until a timeout (or never)
 *                      if the other side is not willing to close the channel.
 *
@@ -3089,8 +3267,9 @@ static int channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans,
 }

 /* Just count number of pointers in the array */
-static int count_ptrs(ssh_channel *ptrs) {
-  int c;
+static size_t count_ptrs(ssh_channel *ptrs)
+{
+  size_t c;
  for (c = 0; ptrs[c] != NULL; c++)
    ;

@@ -3117,7 +3296,7 @@ static int count_ptrs(ssh_channel *ptrs) {
 *
 * @return             SSH_OK on a successful operation, SSH_EINTR if the
 *                     select(2) syscall was interrupted, then relaunch the
- *                     function.
+ *                     function, or SSH_ERROR on error.
 */
 int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans,
    ssh_channel *exceptchans, struct timeval * timeout) {
@@ -3344,7 +3523,7 @@ pending:
                    payload);

 error:
-  ssh_buffer_free(payload);
+  SSH_BUFFER_FREE(payload);

  return rc;
 }
@@ -3406,7 +3585,7 @@ pending:
                    payload);

 error:
-  ssh_buffer_free(payload);
+  SSH_BUFFER_FREE(payload);

  return rc;
 }
@@ -3447,7 +3626,7 @@ int ssh_channel_request_send_exit_status(ssh_channel channel, int exit_status) {

  rc = channel_request(channel, "exit-status", buffer, 0);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

@@ -3502,7 +3681,7 @@ int ssh_channel_request_send_exit_signal(ssh_channel channel, const char *sig,

  rc = channel_request(channel, "exit-signal", buffer, 0);
 error:
-  ssh_buffer_free(buffer);
+  SSH_BUFFER_FREE(buffer);
  return rc;
 }

--- a/src/client.c
+++ b/src/client.c
@@ -38,6 +38,9 @@
 #include "libssh/socket.h"
 #include "libssh/session.h"
 #include "libssh/dh.h"
+#ifdef WITH_GEX
+#include "libssh/dh-gex.h"
+#endif /* WITH_GEX */
 #include "libssh/ecdh.h"
 #include "libssh/threads.h"
 #include "libssh/misc.h"
@@ -180,7 +183,6 @@ int ssh_send_banner(ssh_session session, int server)

    if (server == 1) {
        if (session->opts.custombanner == NULL){
-            len = strlen(banner);
            session->serverbanner = strdup(banner);
            if (session->serverbanner == NULL) {
                goto end;
@@ -250,10 +252,17 @@ static int dh_handshake(ssh_session session) {
      switch(session->next_crypto->kex_type){
        case SSH_KEX_DH_GROUP1_SHA1:
        case SSH_KEX_DH_GROUP14_SHA1:
+        case SSH_KEX_DH_GROUP14_SHA256:
        case SSH_KEX_DH_GROUP16_SHA512:
        case SSH_KEX_DH_GROUP18_SHA512:
          rc = ssh_client_dh_init(session);
          break;
+#ifdef WITH_GEX
+        case SSH_KEX_DH_GEX_SHA1:
+        case SSH_KEX_DH_GEX_SHA256:
+          rc = ssh_client_dhgex_init(session);
+          break;
+#endif /* WITH_GEX */
 #ifdef HAVE_ECDH
        case SSH_KEX_ECDH_SHA2_NISTP256:
        case SSH_KEX_ECDH_SHA2_NISTP384:
@@ -271,11 +280,7 @@ static int dh_handshake(ssh_session session) {
          rc = SSH_ERROR;
      }

-      if (rc == SSH_ERROR) {
-          return SSH_ERROR;
-      }
-
-      session->dh_handshake_state = DH_STATE_INIT_SENT;
+      break;
    case DH_STATE_INIT_SENT:
    	/* wait until ssh_packet_dh_reply is called */
    	break;
@@ -395,7 +400,7 @@ static void ssh_client_connection_callback(ssh_session session)
                goto error;
            }
            set_status(session, 0.4f);
-            SSH_LOG(SSH_LOG_RARE,
+            SSH_LOG(SSH_LOG_PROTOCOL,
                    "SSH server banner: %s", session->serverbanner);

            /* Here we analyze the different protocols the server allows. */
@@ -446,7 +451,7 @@ static void ssh_client_connection_callback(ssh_session session)
            if (dh_handshake(session) == SSH_ERROR) {
                goto error;
            }
-            /* FALL THROUGH */
+            FALL_THROUGH;
        case SSH_SESSION_STATE_DH:
            if(session->dh_handshake_state==DH_STATE_FINISHED){
                set_status(session,1.0f);
@@ -500,109 +505,138 @@ static int ssh_connect_termination(void *user){
 * @see ssh_new()
 * @see ssh_disconnect()
 */
-int ssh_connect(ssh_session session) {
-  int ret;
+int ssh_connect(ssh_session session)
+{
+    int ret;

-  if (session == NULL) {
-    return SSH_ERROR;
-  }
+    if (!is_ssh_initialized()) {
+        ssh_set_error(session, SSH_FATAL,
+                      "Library not initialized.");

-  switch(session->pending_call_state){
-  case SSH_PENDING_CALL_NONE:
-  	break;
-  case SSH_PENDING_CALL_CONNECT:
-  	goto pending;
-  default:
-  	ssh_set_error(session,SSH_FATAL,"Bad call during pending SSH call in ssh_connect");
+        return SSH_ERROR;
+    }

-  	return SSH_ERROR;
-  }
-  session->alive = 0;
-  session->client = 1;
+    if (session == NULL) {
+        return SSH_ERROR;
+    }

-  if (session->opts.fd == SSH_INVALID_SOCKET &&
-      session->opts.host == NULL &&
-      session->opts.ProxyCommand == NULL) {
-    ssh_set_error(session, SSH_FATAL, "Hostname required");
-    return SSH_ERROR;
-  }
+    switch(session->pending_call_state) {
+    case SSH_PENDING_CALL_NONE:
+        break;
+    case SSH_PENDING_CALL_CONNECT:
+        goto pending;
+    default:
+        ssh_set_error(session, SSH_FATAL,
+                      "Bad call during pending SSH call in ssh_connect");

-  ret = ssh_options_apply(session);
-  if (ret < 0) {
-      ssh_set_error(session, SSH_FATAL, "Couldn't apply options");
-      return SSH_ERROR;
-  }
+        return SSH_ERROR;
+    }
+    session->alive = 0;
+    session->client = 1;

-  SSH_LOG(SSH_LOG_PROTOCOL,
-          "libssh %s, using threading %s",
-          ssh_copyright(),
-          ssh_threads_get_type());
+    if (session->opts.fd == SSH_INVALID_SOCKET &&
+        session->opts.host == NULL &&
+        session->opts.ProxyCommand == NULL)
+    {
+        ssh_set_error(session, SSH_FATAL, "Hostname required");
+        return SSH_ERROR;
+    }

-  session->ssh_connection_callback = ssh_client_connection_callback;
-  session->session_state=SSH_SESSION_STATE_CONNECTING;
-  ssh_socket_set_callbacks(session->socket,&session->socket_callbacks);
-  session->socket_callbacks.connected=socket_callback_connected;
-  session->socket_callbacks.data=callback_receive_banner;
-  session->socket_callbacks.exception=ssh_socket_exception_callback;
-  session->socket_callbacks.userdata=session;
-  if (session->opts.fd != SSH_INVALID_SOCKET) {
-    session->session_state=SSH_SESSION_STATE_SOCKET_CONNECTED;
-    ssh_socket_set_fd(session->socket, session->opts.fd);
-    ret=SSH_OK;
+    /* If the system configuration files were not yet processed, do it now */
+    if (!session->opts.config_processed) {
+        ret = ssh_options_parse_config(session, NULL);
+        if (ret != 0) {
+            ssh_set_error(session, SSH_FATAL,
+                          "Failed to process system configuration files");
+            return SSH_ERROR;
+        }
+    }
+
+    ret = ssh_options_apply(session);
+    if (ret < 0) {
+        ssh_set_error(session, SSH_FATAL, "Couldn't apply options");
+        return SSH_ERROR;
+    }
+
+    SSH_LOG(SSH_LOG_PROTOCOL,
+            "libssh %s, using threading %s",
+            ssh_copyright(),
+            ssh_threads_get_type());
+
+    session->ssh_connection_callback = ssh_client_connection_callback;
+    session->session_state = SSH_SESSION_STATE_CONNECTING;
+    ssh_socket_set_callbacks(session->socket, &session->socket_callbacks);
+    session->socket_callbacks.connected = socket_callback_connected;
+    session->socket_callbacks.data = callback_receive_banner;
+    session->socket_callbacks.exception = ssh_socket_exception_callback;
+    session->socket_callbacks.userdata = session;
+
+    if (session->opts.fd != SSH_INVALID_SOCKET) {
+        session->session_state = SSH_SESSION_STATE_SOCKET_CONNECTED;
+        ssh_socket_set_fd(session->socket, session->opts.fd);
+        ret = SSH_OK;
 #ifndef _WIN32
-  } else if (session->opts.ProxyCommand != NULL){
-    ret = ssh_socket_connect_proxycommand(session->socket,
-                                          session->opts.ProxyCommand);
+    } else if (session->opts.ProxyCommand != NULL) {
+        ret = ssh_socket_connect_proxycommand(session->socket,
+                session->opts.ProxyCommand);
 #endif
-  } else {
-    ret=ssh_socket_connect(session->socket,
-                           session->opts.host,
-                           session->opts.port > 0 ? session->opts.port : 22,
-                           session->opts.bindaddr);
-  }
-  if (ret == SSH_ERROR) {
-    return SSH_ERROR;
-  }
+    } else {
+        ret = ssh_socket_connect(session->socket,
+                                 session->opts.host,
+                                 session->opts.port > 0 ? session->opts.port : 22,
+                                 session->opts.bindaddr);
+    }
+    if (ret == SSH_ERROR) {
+        return SSH_ERROR;
+    }

-  set_status(session, 0.2f);
+    set_status(session, 0.2f);
+
+    session->alive = 1;
+    SSH_LOG(SSH_LOG_PROTOCOL,
+            "Socket connecting, now waiting for the callbacks to work");

-  session->alive = 1;
-  SSH_LOG(SSH_LOG_PROTOCOL,"Socket connecting, now waiting for the callbacks to work");
 pending:
-  session->pending_call_state=SSH_PENDING_CALL_CONNECT;
-  if(ssh_is_blocking(session)) {
-      int timeout = (session->opts.timeout * 1000) +
-                    (session->opts.timeout_usec / 1000);
-      if (timeout == 0) {
-          timeout = 10 * 1000;
-      }
-      SSH_LOG(SSH_LOG_PACKET,"Actual timeout : %d", timeout);
-      ret = ssh_handle_packets_termination(session, timeout, ssh_connect_termination, session);
-      if (session->session_state != SSH_SESSION_STATE_ERROR &&
-          (ret == SSH_ERROR || !ssh_connect_termination(session))) {
-          ssh_set_error(session, SSH_FATAL,
-                        "Timeout connecting to %s", session->opts.host);
-          session->session_state = SSH_SESSION_STATE_ERROR;
-      }
-  }
-  else {
-      ret = ssh_handle_packets_termination(session,
-                                           SSH_TIMEOUT_NONBLOCKING,
-                                           ssh_connect_termination,
-                                           session);
-      if (ret == SSH_ERROR) {
-          session->session_state = SSH_SESSION_STATE_ERROR;
-      }
-  }
-  SSH_LOG(SSH_LOG_PACKET,"current state : %d",session->session_state);
-  if(!ssh_is_blocking(session) && !ssh_connect_termination(session)){
-    return SSH_AGAIN;
-  }
+    session->pending_call_state = SSH_PENDING_CALL_CONNECT;
+    if(ssh_is_blocking(session)) {
+        int timeout = (session->opts.timeout * 1000) +
+            (session->opts.timeout_usec / 1000);
+        if (timeout == 0) {
+            timeout = 10 * 1000;
+        }
+        SSH_LOG(SSH_LOG_PACKET, "Actual timeout : %d", timeout);
+        ret = ssh_handle_packets_termination(session, timeout,
+                                             ssh_connect_termination, session);
+        if (session->session_state != SSH_SESSION_STATE_ERROR &&
+            (ret == SSH_ERROR || !ssh_connect_termination(session)))
+        {
+            ssh_set_error(session, SSH_FATAL,
+                          "Timeout connecting to %s", session->opts.host);
+            session->session_state = SSH_SESSION_STATE_ERROR;
+        }
+    } else {
+        ret = ssh_handle_packets_termination(session,
+                                             SSH_TIMEOUT_NONBLOCKING,
+                                             ssh_connect_termination,
+                                             session);
+        if (ret == SSH_ERROR) {
+            session->session_state = SSH_SESSION_STATE_ERROR;
+        }
+    }

-  session->pending_call_state=SSH_PENDING_CALL_NONE;
-  if(session->session_state == SSH_SESSION_STATE_ERROR || session->session_state == SSH_SESSION_STATE_DISCONNECTED)
-  	return SSH_ERROR;
-  return SSH_OK;
+    SSH_LOG(SSH_LOG_PACKET, "current state : %d", session->session_state);
+    if (!ssh_is_blocking(session) && !ssh_connect_termination(session)) {
+        return SSH_AGAIN;
+    }
+
+    session->pending_call_state = SSH_PENDING_CALL_NONE;
+    if (session->session_state == SSH_SESSION_STATE_ERROR ||
+        session->session_state == SSH_SESSION_STATE_DISCONNECTED)
+    {
+        return SSH_ERROR;
+    }
+
+    return SSH_OK;
 }

 /**
@@ -687,6 +721,7 @@ error:
  }
  session->opts.fd = SSH_INVALID_SOCKET;
  session->session_state=SSH_SESSION_STATE_DISCONNECTED;
+  session->pending_call_state = SSH_PENDING_CALL_NONE;

  while ((it=ssh_list_get_iterator(session->channels)) != NULL) {
    ssh_channel_do_free(ssh_iterator_value(ssh_channel,it));
@@ -736,7 +771,7 @@ error:
 }

 const char *ssh_copyright(void) {
-    return SSH_STRINGIFY(LIBSSH_VERSION) " (c) 2003-2018 "
+    return SSH_STRINGIFY(LIBSSH_VERSION) " (c) 2003-2021 "
           "Aris Adamantiadis, Andreas Schneider "
           "and libssh contributors. "
           "Distributed under the LGPL, please refer to COPYING "
--- a/src/config.c
+++ b/src/config.c
@@ -31,7 +31,10 @@
 # include <glob.h>
 #endif
 #include <stdbool.h>
+#include <limits.h>

+#include "libssh/config_parser.h"
+#include "libssh/config.h"
 #include "libssh/priv.h"
 #include "libssh/session.h"
 #include "libssh/misc.h"
@@ -39,45 +42,6 @@

 #define MAX_LINE_SIZE 1024

-enum ssh_config_opcode_e {
-  /* Unknown opcode */
-  SOC_UNKNOWN = -3,
-  /* Known and not applicable to libssh */
-  SOC_NA = -2,
-  /* Known but not supported by current libssh version */
-  SOC_UNSUPPORTED = -1,
-  SOC_HOST,
-  SOC_MATCH,
-  SOC_HOSTNAME,
-  SOC_PORT,
-  SOC_USERNAME,
-  SOC_IDENTITY,
-  SOC_CIPHERS,
-  SOC_MACS,
-  SOC_COMPRESSION,
-  SOC_TIMEOUT,
-  SOC_PROTOCOL,
-  SOC_STRICTHOSTKEYCHECK,
-  SOC_KNOWNHOSTS,
-  SOC_PROXYCOMMAND,
-  SOC_GSSAPISERVERIDENTITY,
-  SOC_GSSAPICLIENTIDENTITY,
-  SOC_GSSAPIDELEGATECREDENTIALS,
-  SOC_INCLUDE,
-  SOC_BINDADDRESS,
-  SOC_GLOBALKNOWNHOSTSFILE,
-  SOC_LOGLEVEL,
-  SOC_HOSTKEYALGORITHMS,
-  SOC_KEXALGORITHMS,
-  SOC_GSSAPIAUTHENTICATION,
-  SOC_KBDINTERACTIVEAUTHENTICATION,
-  SOC_PASSWORDAUTHENTICATION,
-  SOC_PUBKEYAUTHENTICATION,
-  SOC_PUBKEYACCEPTEDTYPES,
-
-  SOC_END /* Keep this one last in the list */
-};
-
 struct ssh_config_keyword_table_s {
  const char *name;
  enum ssh_config_opcode_e opcode;
@@ -144,10 +108,10 @@ static struct ssh_config_keyword_table_s ssh_config_keyword_table[] = {
  { "numberofpasswordprompts", SOC_UNSUPPORTED},
  { "pkcs11provider", SOC_UNSUPPORTED},
  { "preferredauthentications", SOC_UNSUPPORTED},
-  { "proxyjump", SOC_UNSUPPORTED},
+  { "proxyjump", SOC_PROXYJUMP},
  { "proxyusefdpass", SOC_UNSUPPORTED},
  { "pubkeyacceptedtypes", SOC_PUBKEYACCEPTEDTYPES},
-  { "rekeylimit", SOC_UNSUPPORTED},
+  { "rekeylimit", SOC_REKEYLIMIT},
  { "remotecommand", SOC_UNSUPPORTED},
  { "revokedhostkeys", SOC_UNSUPPORTED},
  { "rhostsrsaauthentication", SOC_UNSUPPORTED},
@@ -183,12 +147,14 @@ static struct ssh_config_keyword_table_s ssh_config_keyword_table[] = {
  { "tunnel", SOC_NA},
  { "tunneldevice", SOC_NA},
  { "xauthlocation", SOC_NA},
+  { "pubkeyacceptedkeytypes", SOC_PUBKEYACCEPTEDTYPES},
  { NULL, SOC_UNKNOWN }
 };

 enum ssh_config_match_e {
    MATCH_UNKNOWN = -1,
    MATCH_ALL,
+    MATCH_FINAL,
    MATCH_CANONICAL,
    MATCH_EXEC,
    MATCH_HOST,
@@ -205,6 +171,7 @@ struct ssh_config_match_keyword_table_s {
 static struct ssh_config_match_keyword_table_s ssh_config_match_keyword_table[] = {
    { "all", MATCH_ALL },
    { "canonical", MATCH_CANONICAL },
+    { "final", MATCH_FINAL },
    { "exec", MATCH_EXEC },
    { "host", MATCH_HOST },
    { "originalhost", MATCH_ORIGINALHOST },
@@ -214,7 +181,7 @@ static struct ssh_config_match_keyword_table_s ssh_config_match_keyword_table[]
 };

 static int ssh_config_parse_line(ssh_session session, const char *line,
-    unsigned int count, int *parsing, int seen[]);
+    unsigned int count, int *parsing);

 static enum ssh_config_opcode_e ssh_config_get_opcode(char *keyword) {
  int i;
@@ -228,137 +195,47 @@ static enum ssh_config_opcode_e ssh_config_get_opcode(char *keyword) {
  return SOC_UNKNOWN;
 }

-static char *ssh_config_get_cmd(char **str) {
-  register char *c;
-  char *r;
+static void
+local_parse_file(ssh_session session,
+                 const char *filename,
+                 int *parsing)
+{
+    FILE *f;
+    char line[MAX_LINE_SIZE] = {0};
+    unsigned int count = 0;
+    int rv;

-  /* Ignore leading spaces */
-  for (c = *str; *c; c++) {
-    if (! isblank(*c)) {
-      break;
+    f = fopen(filename, "r");
+    if (f == NULL) {
+        SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load",
+                filename);
+        return;
    }
-  }

-  if (*c == '\"') {
-    for (r = ++c; *c; c++) {
-      if (*c == '\"') {
-        *c = '\0';
-        goto out;
-      }
+    SSH_LOG(SSH_LOG_PACKET, "Reading additional configuration data from %s", filename);
+    while (fgets(line, sizeof(line), f)) {
+        count++;
+        rv = ssh_config_parse_line(session, line, count, parsing);
+        if (rv < 0) {
+            fclose(f);
+            return;
+        }
    }
-  }

-  for (r = c; *c; c++) {
-    if (*c == '\n') {
-      *c = '\0';
-      goto out;
-    }
-  }
-
-out:
-  *str = c + 1;
-
-  return r;
-}
-
-static char *ssh_config_get_token(char **str) {
-  register char *c;
-  char *r;
-
-  c = ssh_config_get_cmd(str);
-
-  for (r = c; *c; c++) {
-    if (isblank(*c) || *c == '=') {
-      *c = '\0';
-      goto out;
-    }
-  }
-
-out:
-  *str = c + 1;
-
-  return r;
-}
-
-static long ssh_config_get_long(char **str, long notfound) {
-  char *p, *endp;
-  long i;
-
-  p = ssh_config_get_token(str);
-  if (p && *p) {
-    i = strtol(p, &endp, 10);
-    if (p == endp) {
-      return notfound;
-    }
-    return i;
-  }
-
-  return notfound;
-}
-
-static const char *ssh_config_get_str_tok(char **str, const char *def) {
-  char *p;
-
-  p = ssh_config_get_token(str);
-  if (p && *p) {
-    return p;
-  }
-
-  return def;
-}
-
-static int ssh_config_get_yesno(char **str, int notfound) {
-  const char *p;
-
-  p = ssh_config_get_str_tok(str, NULL);
-  if (p == NULL) {
-    return notfound;
-  }
-
-  if (strncasecmp(p, "yes", 3) == 0) {
-    return 1;
-  } else if (strncasecmp(p, "no", 2) == 0) {
-    return 0;
-  }
-
-  return notfound;
-}
-
-static void local_parse_file(ssh_session session, const char *filename, int *parsing, int seen[]) {
-  FILE *f;
-  char line[MAX_LINE_SIZE] = {0};
-  unsigned int count = 0;
-
-  if ((f = fopen(filename, "r")) == NULL) {
-    SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load",
-            filename);
+    fclose(f);
    return;
-  }
-
-  SSH_LOG(SSH_LOG_PACKET, "Reading additional configuration data from %s", filename);
-  while (fgets(line, sizeof(line), f)) {
-    count++;
-    if (ssh_config_parse_line(session, line, count, parsing, seen) < 0) {
-       fclose(f);
-       return;
-    }
-  }
-
-  fclose(f);
-  return;
 }

 #if defined(HAVE_GLOB) && defined(HAVE_GLOB_GL_FLAGS_MEMBER)
 static void local_parse_glob(ssh_session session,
                             const char *fileglob,
-                             int *parsing,
-                             int seen[])
+                             int *parsing)
 {
    glob_t globbuf = {
        .gl_flags = 0,
    };
    int rt;
-    u_int i;
+    size_t i;

    rt = glob(fileglob, GLOB_TILDE, NULL, &globbuf);
    if (rt == GLOB_NOMATCH) {
@@ -372,7 +249,7 @@ static void local_parse_glob(ssh_session session,
    }

    for (i = 0; i < globbuf.gl_pathc; i++) {
-        local_parse_file(session, globbuf.gl_pathv[i], parsing, seen);
+        local_parse_file(session, globbuf.gl_pathv[i], parsing);
    }

    globfree(&globbuf);
@@ -397,10 +274,8 @@ static int
 ssh_config_match(char *value, const char *pattern, bool negate)
 {
    int ok, result = 0;
-    char *lowervalue;

-    lowervalue = (value) ? ssh_lowercase(value) : NULL;
-    ok = match_pattern_list(lowervalue, pattern, strlen(pattern), 0);
+    ok = match_pattern_list(value, pattern, strlen(pattern), 0);
    if (ok <= 0 && negate == true) {
        result = 1;
    } else if (ok > 0 && negate == false) {
@@ -409,20 +284,120 @@ ssh_config_match(char *value, const char *pattern, bool negate)
    SSH_LOG(SSH_LOG_TRACE, "%s '%s' against pattern '%s'%s (ok=%d)",
            result == 1 ? "Matched" : "Not matched", value, pattern,
            negate == true ? " (negated)" : "", ok);
-    SAFE_FREE(lowervalue);
    return result;
 }

-static int ssh_config_parse_line(ssh_session session, const char *line,
-    unsigned int count, int *parsing, int seen[]) {
+/* @brief: Parse the ProxyJump configuration line and if parsing,
+ * stores the result in the configuration option
+ */
+static int
+ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+{
+    char *c = NULL, *cp = NULL, *endp = NULL;
+    char *username = NULL;
+    char *hostname = NULL;
+    char *port = NULL;
+    char *next = NULL;
+    int cmp, rv = SSH_ERROR;
+    bool parse_entry = do_parsing;
+
+    /* Special value none disables the proxy */
+    cmp = strcasecmp(s, "none");
+    if (cmp == 0 && do_parsing) {
+        ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, s);
+        return SSH_OK;
+    }
+
+    /* This is comma-separated list of [user@]host[:port] entries */
+    c = strdup(s);
+    if (c == NULL) {
+        ssh_set_error_oom(session);
+        return SSH_ERROR;
+    }
+
+    cp = c;
+    do {
+        endp = strchr(cp, ',');
+        if (endp != NULL) {
+            /* Split out the token */
+            *endp = '\0';
+        }
+        if (parse_entry) {
+            /* We actually care only about the first item */
+            rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
+            /* The rest of the list needs to be passed on */
+            if (endp != NULL) {
+                next = strdup(endp + 1);
+                if (next == NULL) {
+                    ssh_set_error_oom(session);
+                    rv = SSH_ERROR;
+                }
+            }
+        } else {
+            /* The rest is just sanity-checked to avoid failures later */
+            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
+        }
+        if (rv != SSH_OK) {
+            goto out;
+        }
+        parse_entry = 0;
+        if (endp != NULL) {
+            cp = endp + 1;
+        } else {
+            cp = NULL; /* end */
+        }
+    } while (cp != NULL);
+
+    if (hostname != NULL && do_parsing) {
+        char com[512] = {0};
+
+        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W [%%h]:%%p %s",
+                      username ? " -l " : "",
+                      username ? username : "",
+                      port ? " -p " : "",
+                      port ? port : "",
+                      next ? " -J " : "",
+                      next ? next : "",
+                      hostname);
+        if (rv < 0 || rv >= (int)sizeof(com)) {
+            SSH_LOG(SSH_LOG_WARN, "Too long ProxyJump configuration line");
+            rv = SSH_ERROR;
+            goto out;
+        }
+        ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, com);
+    }
+    rv = SSH_OK;
+
+out:
+    SAFE_FREE(username);
+    SAFE_FREE(hostname);
+    SAFE_FREE(port);
+    SAFE_FREE(next);
+    SAFE_FREE(c);
+    return rv;
+}
+
+static int
+ssh_config_parse_line(ssh_session session,
+                      const char *line,
+                      unsigned int count,
+                      int *parsing)
+{
  enum ssh_config_opcode_e opcode;
-  const char *p;
-  char *s, *x;
-  char *keyword;
-  char *lowerhost;
+  const char *p = NULL, *p2 = NULL;
+  char *s = NULL, *x = NULL;
+  char *keyword = NULL;
+  char *lowerhost = NULL;
  size_t len;
-  int i;
+  int i, rv;
+  uint8_t *seen = session->opts.options_seen;
  long l;
+  int64_t ll;
+
+  /* Ignore empty lines */
+  if (line == NULL || *line == '\0') {
+    return 0;
+  }

  x = s = strdup(line);
  if (s == NULL) {
@@ -450,7 +425,9 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
      opcode != SOC_HOST &&
      opcode != SOC_MATCH &&
      opcode != SOC_INCLUDE &&
+      opcode != SOC_IDENTITY &&
      opcode > SOC_UNSUPPORTED) { /* Ignore all unknown types here */
+      /* Skip all the options that were already applied */
      if (seen[opcode] != 0) {
          SAFE_FREE(x);
          return 0;
@@ -464,9 +441,9 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
      p = ssh_config_get_str_tok(&s, NULL);
      if (p && *parsing) {
 #if defined(HAVE_GLOB) && defined(HAVE_GLOB_GL_FLAGS_MEMBER)
-        local_parse_glob(session, p, parsing, seen);
+        local_parse_glob(session, p, parsing);
 #else
-        local_parse_file(session, p, parsing, seen);
+        local_parse_file(session, p, parsing);
 #endif /* HAVE_GLOB */
      }
      break;
@@ -476,10 +453,11 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
        int result = 1;
        size_t args = 0;
        enum ssh_config_match_e opt;
+        char *localuser = NULL;

        *parsing = 0;
        do {
-            p = ssh_config_get_str_tok(&s, NULL);
+            p = p2 = ssh_config_get_str_tok(&s, NULL);
            if (p == NULL || p[0] == '\0') {
                break;
            }
@@ -498,8 +476,10 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
            switch (opt) {
            case MATCH_ALL:
                p = ssh_config_get_str_tok(&s, NULL);
-                if (args == 1 && (p == NULL || p[0] == '\0')) {
-                    /* The first argument and end of line */
+                if (args <= 2 && (p == NULL || p[0] == '\0')) {
+                    /* The first or second, but last argument. The "all" keyword
+                     * can be prefixed with either "final" or "canonical"
+                     * keywords which do not have any effect here. */
                    if (negate == true) {
                        result = 0;
                    }
@@ -507,21 +487,74 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
                }

                ssh_set_error(session, SSH_FATAL,
-                              "line %d: ERROR - Match all can not be combined with "
+                              "line %d: ERROR - Match all cannot be combined with "
                              "other Match attributes", count);
                SAFE_FREE(x);
                return -1;

+            case MATCH_FINAL:
+            case MATCH_CANONICAL:
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Unsupported Match keyword '%s', skipping",
+                        count,
+                        p);
+                /* Not set any result here -- the result is dependent on the
+                 * following matches after this keyword */
+                break;
+
            case MATCH_EXEC:
-            case MATCH_ORIGINALHOST:
+                /* Skip to the end of line as unsupported */
+                p = ssh_config_get_cmd(&s);
+                if (p == NULL || p[0] == '\0') {
+                    SSH_LOG(SSH_LOG_WARN, "line %d: Match keyword "
+                            "'%s' requires argument", count, p2);
+                    SAFE_FREE(x);
+                    return -1;
+                }
+                args++;
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Unsupported Match keyword '%s', ignoring",
+                        count,
+                        p2);
+                result = 0;
+                break;
+
            case MATCH_LOCALUSER:
+                /* Here we match only one argument */
+                p = ssh_config_get_str_tok(&s, NULL);
+                if (p == NULL || p[0] == '\0') {
+                    ssh_set_error(session, SSH_FATAL,
+                                  "line %d: ERROR - Match user keyword "
+                                  "requires argument", count);
+                    SAFE_FREE(x);
+                    return -1;
+                }
+                localuser = ssh_get_local_username();
+                if (localuser == NULL) {
+                    SSH_LOG(SSH_LOG_WARN, "line %d: Can not get local username "
+                            "for conditional matching.", count);
+                    SAFE_FREE(x);
+                    return -1;
+                }
+                result &= ssh_config_match(localuser, p, negate);
+                SAFE_FREE(localuser);
+                args++;
+                break;
+
+            case MATCH_ORIGINALHOST:
                /* Skip one argument */
                p = ssh_config_get_str_tok(&s, NULL);
+                if (p == NULL || p[0] == '\0') {
+                    SSH_LOG(SSH_LOG_WARN, "line %d: Match keyword "
+                            "'%s' requires argument", count, p2);
+                    SAFE_FREE(x);
+                    return -1;
+                }
                args++;
-                FALL_THROUGH;
-            case MATCH_CANONICAL:
-                SSH_LOG(SSH_LOG_WARN, "line: %d: Unsupported Match keyword "
-                        "'%s', Ignoring\n", count, p);
+                SSH_LOG(SSH_LOG_WARN,
+                        "line %d: Unsupported Match keyword '%s', ignoring",
+                        count,
+                        p2);
                result = 0;
                break;

@@ -696,10 +729,25 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
      break;
    case SOC_PROXYCOMMAND:
      p = ssh_config_get_cmd(&s);
-      if (p && *parsing) {
+      /* We share the seen value with the ProxyJump */
+      if (p && *parsing && !seen[SOC_PROXYJUMP]) {
        ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, p);
      }
      break;
+    case SOC_PROXYJUMP:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p == NULL) {
+            SAFE_FREE(x);
+            return -1;
+        }
+        /* We share the seen value with the ProxyCommand */
+        rv = ssh_config_parse_proxy_jump(session, p,
+                                         (*parsing && !seen[SOC_PROXYCOMMAND]));
+        if (rv != SSH_OK) {
+            SAFE_FREE(x);
+            return -1;
+        }
+        break;
    case SOC_GSSAPISERVERIDENTITY:
      p = ssh_config_get_str_tok(&s, NULL);
      if (p && *parsing) {
@@ -773,6 +821,141 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
            ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, p);
        }
        break;
+    case SOC_REKEYLIMIT:
+        /* Parse the data limit */
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p == NULL) {
+            break;
+        } else if (strcmp(p, "default") == 0) {
+            /* Default rekey limits enforced automaticaly */
+            ll = 0;
+        } else {
+            char *endp = NULL;
+            ll = strtoll(p, &endp, 10);
+            if (p == endp || ll < 0) {
+                /* No number or negative */
+                SSH_LOG(SSH_LOG_WARN, "Invalid argument to rekey limit");
+                break;
+            }
+            switch (*endp) {
+            case 'G':
+                if (ll > LLONG_MAX / 1024) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 1024;
+                FALL_THROUGH;
+            case 'M':
+                if (ll > LLONG_MAX / 1024) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 1024;
+                FALL_THROUGH;
+            case 'K':
+                if (ll > LLONG_MAX / 1024) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 1024;
+                endp++;
+                FALL_THROUGH;
+            case '\0':
+                /* just the number */
+                break;
+            default:
+                /* Invalid suffix */
+                ll = -1;
+                break;
+            }
+            if (*endp != ' ' && *endp != '\0') {
+                SSH_LOG(SSH_LOG_WARN,
+                        "Invalid trailing characters after the rekey limit: %s",
+                        endp);
+                break;
+            }
+        }
+        if (ll > -1 && *parsing) {
+            uint64_t v = (uint64_t)ll;
+            ssh_options_set(session, SSH_OPTIONS_REKEY_DATA, &v);
+        }
+        /* Parse the time limit */
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p == NULL) {
+            break;
+        } else if (strcmp(p, "none") == 0) {
+            ll = 0;
+        } else {
+            char *endp = NULL;
+            ll = strtoll(p, &endp, 10);
+            if (p == endp || ll < 0) {
+                /* No number or negative */
+                SSH_LOG(SSH_LOG_WARN, "Invalid argument to rekey limit");
+                break;
+            }
+            switch (*endp) {
+            case 'w':
+            case 'W':
+                if (ll > LLONG_MAX / 7) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 7;
+                FALL_THROUGH;
+            case 'd':
+            case 'D':
+                if (ll > LLONG_MAX / 24) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 24;
+                FALL_THROUGH;
+            case 'h':
+            case 'H':
+                if (ll > LLONG_MAX / 60) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 60;
+                FALL_THROUGH;
+            case 'm':
+            case 'M':
+                if (ll > LLONG_MAX / 60) {
+                    SSH_LOG(SSH_LOG_WARN, "Possible overflow of rekey limit");
+                    ll = -1;
+                    break;
+                }
+                ll = ll * 60;
+                FALL_THROUGH;
+            case 's':
+            case 'S':
+                endp++;
+                FALL_THROUGH;
+            case '\0':
+                /* just the number */
+                break;
+            default:
+                /* Invalid suffix */
+                ll = -1;
+                break;
+            }
+            if (*endp != '\0') {
+                SSH_LOG(SSH_LOG_WARN, "Invalid trailing characters after the"
+                        " rekey limit: %s", endp);
+                break;
+            }
+        }
+        if (ll > -1 && *parsing) {
+            uint32_t v = (uint32_t)ll;
+            ssh_options_set(session, SSH_OPTIONS_REKEY_TIME, &v);
+        }
+        break;
    case SOC_GSSAPIAUTHENTICATION:
    case SOC_KBDINTERACTIVEAUTHENTICATION:
    case SOC_PASSWORDAUTHENTICATION:
@@ -799,7 +982,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
        }
        break;
    case SOC_NA:
-      SSH_LOG(SSH_LOG_INFO, "Unapplicable option: %s, line: %d\n",
+      SSH_LOG(SSH_LOG_INFO, "Unapplicable option: %s, line: %d",
              keyword, count);
      break;
    case SOC_UNSUPPORTED:
@@ -807,7 +990,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
              keyword, count);
      break;
    case SOC_UNKNOWN:
-      SSH_LOG(SSH_LOG_WARN, "Unknown option: %s, line: %d\n",
+      SSH_LOG(SSH_LOG_WARN, "Unknown option: %s, line: %d",
              keyword, count);
      break;
    default:
@@ -822,29 +1005,37 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
  return 0;
 }

-/* ssh_config_parse_file */
-int ssh_config_parse_file(ssh_session session, const char *filename) {
-  char line[MAX_LINE_SIZE] = {0};
-  unsigned int count = 0;
-  FILE *f;
-  int parsing;
-  int seen[SOC_END - SOC_UNSUPPORTED] = {0};
+/* @brief Parse configuration file and set the options to the given session
+ *
+ * @params[in] session   The ssh session
+ * @params[in] filename  The path to the ssh configuration file
+ *
+ * @returns    0 on successful parsing the configuration file, -1 on error
+ */
+int ssh_config_parse_file(ssh_session session, const char *filename)
+{
+    char line[MAX_LINE_SIZE] = {0};
+    unsigned int count = 0;
+    FILE *f;
+    int parsing, rv;

-  if ((f = fopen(filename, "r")) == NULL) {
-    return 0;
-  }
-
-  SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", filename);
-
-  parsing = 1;
-  while (fgets(line, sizeof(line), f)) {
-    count++;
-    if (ssh_config_parse_line(session, line, count, &parsing, seen) < 0) {
-      fclose(f);
-      return -1;
+    f = fopen(filename, "r");
+    if (f == NULL) {
+        return 0;
    }
-  }

-  fclose(f);
-  return 0;
+    SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", filename);
+
+    parsing = 1;
+    while (fgets(line, sizeof(line), f)) {
+        count++;
+        rv = ssh_config_parse_line(session, line, count, &parsing);
+        if (rv < 0) {
+            fclose(f);
+            return -1;
+        }
+    }
+
+    fclose(f);
+    return 0;
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .7.5
 .8.7