Release version: 0.26.0

* Remove unnecessary nested try/finally

* This handles the case of your concern.

An even better solution would be to have SSHClient and Session implement Auto-Closable so then you don't have to worry about doing anything in the finally block!

.travis.yml

@@ -1,13 +1,30 @@
 language: java
-before_cache:
-  - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
-cache:
-  directories:
-  - $HOME/.gradle/caches/
-  - $HOME/.gradle/wrapper/
-sudo: false
 dist: trusty
+sudo: required
+
+services:
+  - docker
+
 jdk:
   - oraclejdk8
   - openjdk8
   - oraclejdk9
+
+before_cache:
+  - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
+  - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
+
+cache:
+  directories:
+  - $HOME/.gradle/caches/
+  - $HOME/.gradle/wrapper/
+
+before_install:
+  - pip install --user codecov
+
+script:
+  - ./gradlew check
+  - ./gradlew integrationTest
+
+after_success:
+- codecov

README.adoc

@@ -1,11 +1,14 @@
 = sshj - SSHv2 library for Java
 Jeroen van Erp
 :sshj_groupid: com.hierynomus
-:sshj_version: 0.23.0
+:sshj_version: 0.26.0
 :source-highlighter: pygments
 
+image:https://api.bintray.com/packages/hierynomus/maven/sshj/images/download.svg[link="https://bintray.com/hierynomus/maven/sshj/_latestVersion"]
 image:https://travis-ci.org/hierynomus/sshj.svg?branch=master[link="https://travis-ci.org/hierynomus/sshj"]
 image:https://api.codacy.com/project/badge/Grade/14a0a316bb9149739b5ea26dbfa8da8a["Codacy code quality", link="https://www.codacy.com/app/jeroen_2/sshj?utm_source=github.com&utm_medium=referral&utm_content=hierynomus/sshj&utm_campaign=Badge_Grade"]
+image:https://codecov.io/gh/hierynomus/sshj/branch/master/graph/badge.svg["codecov", link="https://codecov.io/gh/hierynomus/sshj"]
+image:http://www.javadoc.io/badge/com.hierynomus/sshj.svg?color=blue["JavaDocs", link="http://www.javadoc.io/doc/com.hierynomus/sshj"]
 image:https://maven-badges.herokuapp.com/maven-central/com.hierynomus/sshj/badge.svg["Maven Central",link="https://maven-badges.herokuapp.com/maven-central/com.hierynomus/sshj"]
 image:https://javadoc-emblem.rhcloud.com/doc/com.hierynomus/sshj/badge.svg["Javadoc",link="http://www.javadoc.io/doc/com.hierynomus/sshj"]
 
@@ -78,7 +81,7 @@ signatures::
   `ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`
 
 mac::
-  `hmac-md5`, `hmac-md5-96`, `hmac-sha1`, `hmac-sha1-96`, `hmac-sha2-256`, `hmac-sha2-512`
+  `hmac-md5`, `hmac-md5-96`, `hmac-sha1`, `hmac-sha1-96`, `hmac-sha2-256`, `hmac-sha2-512`, `hmac-ripemd160`
 
 compression::
   `zlib` and `zlib@openssh.com` (delayed zlib)
@@ -104,6 +107,9 @@ Google Group: http://groups.google.com/group/sshj-users
 Fork away!
 
 == Release history
+SSHJ 0.24.0 (2018-??-??)::
+* Added support for hmac-ripemd160
+
 SSHJ 0.23.0 (2017-10-13)::
 * Merged https://github.com/hierynomus/sshj/pulls/372[#372]: Upgrade to 'net.i2p.crypto:eddsa:0.2.0'
 * Fixed https://github.com/hierynomus/sshj/issues/355[#355] and https://github.com/hierynomus/sshj/issues/354[#354]: Correctly decode signature bytes

build.gradle

@@ -1,19 +1,38 @@
 import java.text.SimpleDateFormat
+import com.bmuschko.gradle.docker.tasks.container.*
+import com.bmuschko.gradle.docker.tasks.image.*
 
 plugins {
   id "java"
   id "groovy"
+  id "jacoco"
   id "osgi"
   id "maven-publish"
-  id "org.ajoberstar.release-opinion" version "1.4.2"
+  id 'pl.allegro.tech.build.axion-release' version '1.9.2'
+  id "com.bmuschko.docker-remote-api" version "3.2.1"
   id "com.github.hierynomus.license" version "0.12.1"
   id "com.jfrog.bintray" version "1.7"
-  id 'ru.vyarus.pom' version '1.0.3'
+  id 'ru.vyarus.java-lib' version '1.0.5'
+  // id 'ru.vyarus.pom' version '1.0.3'
   id 'ru.vyarus.github-info' version '1.1.0'
   id 'ru.vyarus.animalsniffer' version '1.4.2'
 }
 
 group = "com.hierynomus"
+
+scmVersion {
+  tag {
+    prefix = 'v'
+    versionSeparator = ''
+  }
+  hooks {
+    pre 'fileUpdate', [file: 'README.adoc', pattern: { v, c -> /:sshj_version: .*/}, replacement: { v, c -> ":sshj_version: $v" }]
+    pre 'commit'
+  }
+}
+
+project.version = scmVersion.version
+
 defaultTasks "build"
 
 repositories {
@@ -28,7 +47,7 @@ targetCompatibility = 1.6
 
 configurations.compile.transitive = false
 
-def bouncycastleVersion = "1.56"
+def bouncycastleVersion = "1.60"
 
 dependencies {
   signature 'org.codehaus.mojo.signature:java16:1.1@signature'
@@ -56,15 +75,7 @@ license {
   mapping {
     java = 'SLASHSTAR_STYLE'
   }
-  excludes(['**/djb/Curve25519.java', '**/sshj/common/Base64.java'])
-}
-
-if (project.file('.git').isDirectory()) {
-  release {
-    grgit = org.ajoberstar.grgit.Grgit.open(project.projectDir)
-  }
-} else {
-  version = "0.0.0-no.git"
+  excludes(['**/djb/Curve25519.java', '**/sshj/common/Base64.java', '**/org/mindrot/jbcrypt/*.java'])
 }
 
 // This disables the pedantic doclint feature of JDK8
@@ -84,7 +95,6 @@ task writeSshjVersionProperties {
 }
 
 jar.dependsOn writeSshjVersionProperties
-
 jar {
   manifest {
     // please see http://bnd.bndtools.org/chapters/390-wrapping.html
@@ -105,14 +115,7 @@ jar {
   }
 }
 
-task javadocJar(type: Jar) {
-  classifier = 'javadoc'
-  from javadoc
-}
-
-task sourcesJar(type: Jar) {
-  classifier = 'sources'
-  from sourceSets.main.allSource
+sourcesJar {
   manifest {
     attributes(
       // Add the needed OSGI attributes
@@ -125,6 +128,27 @@ task sourcesJar(type: Jar) {
   }
 }
 
+configurations {
+  integrationTestCompile.extendsFrom testCompile
+  integrationTestRuntime.extendsFrom testRuntime
+}
+
+sourceSets {
+  integrationTest {
+    groovy {
+      compileClasspath += sourceSets.main.output + sourceSets.test.output
+      runtimeClasspath += sourceSets.main.output + sourceSets.test.output
+      srcDir file('src/itest/groovy')
+    }
+    resources.srcDir file('src/itest/resources')
+  }
+}
+
+task integrationTest(type: Test) {
+  testClassesDirs = sourceSets.integrationTest.output.classesDirs
+  classpath = sourceSets.integrationTest.runtimeClasspath
+}
+
 tasks.withType(Test) {
   testLogging {
     exceptionFormat = 'full'
@@ -191,21 +215,12 @@ pom {
   }
 }
 
-publishing.publications {
-  Sshj(MavenPublication) {
-    from components.java
-    artifact sourcesJar
-    artifact javadocJar
-  }
-}
-
-
 if (project.hasProperty("bintrayUsername") && project.hasProperty("bintrayApiKey")) {
   bintray {
     user = project.property("bintrayUsername")
     key = project.property("bintrayApiKey")
     publish = true
-    publications = ["Sshj"]
+    publications = ["maven"]
     pkg {
       repo = "maven"
       name = project.name
@@ -214,7 +229,7 @@ if (project.hasProperty("bintrayUsername") && project.hasProperty("bintrayApiKey
       labels = ["ssh", "sftp", "secure-shell", "network", "file-transfer"]
       githubRepo = "hierynomus/sshj"
       version {
-        name = project.version.toString()
+        name = "${project.version}"
         vcsTag = "v${project.version}"
         released = new SimpleDateFormat('yyyy-MM-dd\'T\'HH:mm:ss.SSSZZ').format(new Date())
         gpg {
@@ -232,4 +247,43 @@ if (project.hasProperty("bintrayUsername") && project.hasProperty("bintrayApiKey
   }
 }
 
-project.tasks.release.dependsOn([project.tasks.build, project.tasks.bintrayUpload])
+jacocoTestReport {
+    reports {
+        xml.enabled true
+        html.enabled true
+    }
+}
+
+
+task buildItestImage(type: DockerBuildImage) {
+    inputDir = file('src/itest/docker-image')
+    tag = 'sshj/sshd-itest'
+}
+
+task createItestContainer(type: DockerCreateContainer) {
+    dependsOn buildItestImage
+    targetImageId { buildItestImage.getImageId() }
+    portBindings = ['2222:22']
+}
+
+task startItestContainer(type: DockerStartContainer) {
+    dependsOn createItestContainer
+    targetContainerId { createItestContainer.getContainerId() }
+}
+
+task stopItestContainer(type: DockerStopContainer) {
+    targetContainerId { createItestContainer.getContainerId() }
+}
+
+task forkedUploadRelease(type: GradleBuild) {
+  buildFile = project.buildFile
+  tasks = ["bintrayUpload"]
+}
+
+project.tasks.integrationTest.dependsOn(startItestContainer)
+project.tasks.integrationTest.finalizedBy(stopItestContainer)
+
+project.tasks.release.dependsOn([project.tasks.integrationTest, project.tasks.build])
+project.tasks.release.finalizedBy(project.tasks.forkedUploadRelease)
+project.tasks.jacocoTestReport.dependsOn(project.tasks.test)
+project.tasks.check.dependsOn(project.tasks.jacocoTestReport)

examples/pom.xml

@@ -55,7 +55,7 @@
         <dependency>
             <groupId>com.hierynomus</groupId>
             <artifactId>sshj</artifactId>
-            <version>0.19.0</version>
+            <version>0.24.0</version>
         </dependency>
     </dependencies>
 

examples/src/main/java/net/schmizz/sshj/examples/Exec.java

@@ -5,30 +5,36 @@ import net.schmizz.sshj.common.IOUtils;
 import net.schmizz.sshj.connection.channel.direct.Session;
 import net.schmizz.sshj.connection.channel.direct.Session.Command;
 
+import java.io.Console;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 
 /** This examples demonstrates how a remote command can be executed. */
 public class Exec {
+    private static final Console con = System.console();
 
     public static void main(String... args)
             throws IOException {
         final SSHClient ssh = new SSHClient();
         ssh.loadKnownHosts();
-
         ssh.connect("localhost");
+        Session session = null;
         try {
             ssh.authPublickey(System.getProperty("user.name"));
-            final Session session = ssh.startSession();
-            try {
-                final Command cmd = session.exec("ping -c 1 google.com");
-                System.out.println(IOUtils.readFully(cmd.getInputStream()).toString());
-                cmd.join(5, TimeUnit.SECONDS);
-                System.out.println("\n** exit status: " + cmd.getExitStatus());
-            } finally {
-                session.close();
-            }
+            session = ssh.startSession();
+            final Command cmd = session.exec("ping -c 1 google.com");
+            con.writer().print(IOUtils.readFully(cmd.getInputStream()).toString());
+            cmd.join(5, TimeUnit.SECONDS);
+            con.writer().print("\n** exit status: " + cmd.getExitStatus());
         } finally {
+            try {
+                if (session != null) {
+                    session.close();
+                }
+            } catch (IOException e) {
+                // Do Nothing   
+            }
+            
             ssh.disconnect();
         }
     }

gradle/wrapper/gradle-wrapper.properties

@@ -3,4 +3,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.0-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.3-all.zip

src/itest/docker-image/Dockerfile

@@ -0,0 +1,17 @@
+FROM sickp/alpine-sshd:7.5
+
+ADD id_rsa.pub /home/sshj/.ssh/authorized_keys
+
+ADD test-container/ssh_host_ecdsa_key     /etc/ssh/ssh_host_ecdsa_key
+ADD test-container/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
+ADD test-container/sshd_config /etc/ssh/sshd_config
+
+RUN \
+  echo "root:smile" | chpasswd && \
+  adduser -D -s /bin/ash sshj && \
+  passwd -u sshj && \
+  chmod 600 /home/sshj/.ssh/authorized_keys && \
+  chmod 600 /etc/ssh/ssh_host_ecdsa_key && \
+  chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub && \
+  chown -R sshj:sshj /home/sshj
+

src/itest/docker-image/id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoZ9l6Tkm2aL1tSBy2yw4xU5s8BE9MfqS/4J7DzvsYJxF6oQmTIjmStuhH/CT7UjuDtKXdXZUsIhKtafiizxGO8kHSzKDeitpth2RSr8ddMzZKyD6RNs7MfsgjA3UTtrrSrCXEY6O43S2cnuJrWzkPxtwxaQ3zOvDbS2tiulzyq0VzYmuhA/a4CyuQtJBuu+P2oqmu6pU/VB6IzONpvBvYbNPsH1WDmP7zko5wHPihXPCliztspKxS4DRtOZ7BGXyvg44UmIy0Kf4jOkaBV/eCCA4qH7ZHz71/5ceMOpszPcNOEmLGGYhwI+P3OuGMpkrSAv1f8IY6R8spZNncP6UaQ== no-passphrase

src/itest/docker-image/test-container/ssh_host_ecdsa_key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOpOBFjqe0hjK/hs4WZ3dZqnzanq1L3/JbvV1TCkbe4ToAoGCCqGSM49
+AwEHoUQDQgAEVzkrS7Yj0nXML7A3mE08YDthfBR/ZbyYJDIq1vTzcqs6KTaCT529
+swNXWLHO+mbHviZcRiI57ULXHZ1emom/Jw==
+-----END EC PRIVATE KEY-----

src/itest/docker-image/test-container/ssh_host_ecdsa_key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFc5K0u2I9J1zC+wN5hNPGA7YXwUf2W8mCQyKtb083KrOik2gk+dvbMDV1ixzvpmx74mXEYiOe1C1x2dXpqJvyc= root@404b27be2bf4

src/itest/docker-image/test-container/sshd_config

@@ -0,0 +1,132 @@
+#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+
+macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com

src/itest/groovy/com/hierynomus/sshj/IntegrationBaseSpec.groovy

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj
+
+import net.schmizz.sshj.Config
+import net.schmizz.sshj.DefaultConfig
+import net.schmizz.sshj.SSHClient
+import net.schmizz.sshj.transport.verification.PromiscuousVerifier
+import spock.lang.Specification
+
+class IntegrationBaseSpec extends Specification {
+    protected static final int DOCKER_PORT = 2222
+    protected static final String USERNAME = "sshj"
+    protected static final String KEYFILE = "src/test/resources/id_rsa"
+    protected final static String SERVER_IP = System.getProperty("serverIP", "127.0.0.1")
+
+    protected static SSHClient getConnectedClient(Config config) {
+        SSHClient sshClient = new SSHClient(config)
+        sshClient.addHostKeyVerifier(new PromiscuousVerifier())
+        sshClient.connect(SERVER_IP, DOCKER_PORT)
+
+        return sshClient
+    }
+
+    protected static SSHClient getConnectedClient() throws IOException {
+        return getConnectedClient(new DefaultConfig())
+    }
+
+}

src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy

@@ -0,0 +1,71 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj
+
+import net.schmizz.sshj.DefaultConfig
+import net.schmizz.sshj.SSHClient
+import net.schmizz.sshj.transport.TransportException
+import net.schmizz.sshj.userauth.UserAuthException
+
+class IntegrationSpec extends IntegrationBaseSpec {
+
+    def "should accept correct key"() {
+        given:
+        SSHClient sshClient = new SSHClient(new DefaultConfig())
+        sshClient.addHostKeyVerifier("d3:6a:a9:52:05:ab:b5:48:dd:73:60:18:0c:3a:f0:a3") // test-containers/ssh_host_ecdsa_key's fingerprint
+
+        when:
+        sshClient.connect(SERVER_IP, DOCKER_PORT)
+
+        then:
+        sshClient.isConnected()
+    }
+
+    def "should decline wrong key"() throws IOException {
+        given:
+        SSHClient sshClient = new SSHClient(new DefaultConfig())
+        sshClient.addHostKeyVerifier("d4:6a:a9:52:05:ab:b5:48:dd:73:60:18:0c:3a:f0:a3")
+
+        when:
+        sshClient.connect(SERVER_IP, DOCKER_PORT)
+
+        then:
+        thrown(TransportException.class)
+    }
+
+    def "should authenticate"() {
+        given:
+        SSHClient client = getConnectedClient()
+
+        when:
+        client.authPublickey(USERNAME, KEYFILE)
+
+        then:
+        client.isAuthenticated()
+    }
+
+   def "should not authenticate with wrong key"() {
+        given:
+        SSHClient client = getConnectedClient()
+
+        when:
+        client.authPublickey("sshj", "src/test/resources/id_dsa")
+
+        then:
+        thrown(UserAuthException.class)
+        !client.isAuthenticated()
+    }
+}

src/itest/groovy/com/hierynomus/sshj/sftp/FileWriteSpec.groovy

@@ -0,0 +1,68 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.sftp
+
+import com.hierynomus.sshj.IntegrationBaseSpec
+import net.schmizz.sshj.SSHClient
+import net.schmizz.sshj.sftp.OpenMode
+import net.schmizz.sshj.sftp.RemoteFile
+import net.schmizz.sshj.sftp.SFTPClient
+
+import java.nio.charset.StandardCharsets
+
+import static org.codehaus.groovy.runtime.IOGroovyMethods.withCloseable
+
+class FileWriteSpec extends IntegrationBaseSpec {
+
+    def "should append to file (GH issue #390)"() {
+        given:
+        SSHClient client = getConnectedClient()
+        client.authPublickey("sshj", "src/test/resources/id_rsa")
+        SFTPClient sftp = client.newSFTPClient()
+        def file = "/home/sshj/test.txt"
+        def initialText = "This is the initial text.\n".getBytes(StandardCharsets.UTF_16)
+        def appendText = "And here's the appended text.\n".getBytes(StandardCharsets.UTF_16)
+
+        when:
+        withCloseable(sftp.open(file, EnumSet.of(OpenMode.WRITE, OpenMode.CREAT))) { RemoteFile initial ->
+            initial.write(0, initialText, 0, initialText.length)
+        }
+
+        then:
+        withCloseable(sftp.open(file, EnumSet.of(OpenMode.READ))) { RemoteFile read ->
+            def bytes = new byte[initialText.length]
+            read.read(0, bytes, 0, bytes.length)
+            bytes == initialText
+        }
+
+        when:
+        withCloseable(sftp.open(file, EnumSet.of(OpenMode.WRITE, OpenMode.APPEND))) { RemoteFile append ->
+            append.write(0, appendText, 0, appendText.length)
+        }
+
+        then:
+        withCloseable(sftp.open(file, EnumSet.of(OpenMode.READ))) { RemoteFile read ->
+            def bytes = new byte[initialText.length + appendText.length]
+            read.read(0, bytes, 0, bytes.length)
+            Arrays.copyOfRange(bytes, 0, initialText.length) == initialText
+            Arrays.copyOfRange(bytes, initialText.length, initialText.length + appendText.length) == appendText
+        }
+
+        cleanup:
+        sftp.close()
+        client.close()
+    }
+}

src/itest/groovy/com/hierynomus/sshj/transport/mac/MacSpec.groovy

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.transport.mac
+
+import com.hierynomus.sshj.IntegrationBaseSpec
+import net.schmizz.sshj.DefaultConfig
+import net.schmizz.sshj.transport.mac.HMACRIPEMD160
+import net.schmizz.sshj.transport.mac.HMACSHA2256
+import spock.lang.Unroll
+
+class MacSpec extends IntegrationBaseSpec {
+
+    @Unroll
+    def "should correctly connect with #mac MAC"() {
+        given:
+        def cfg = new DefaultConfig()
+        cfg.setMACFactories(macFactory)
+        def client = getConnectedClient(cfg)
+
+        when:
+        client.authPublickey(USERNAME, KEYFILE)
+
+        then:
+        client.authenticated
+
+        where:
+        macFactory << [Macs.HMACRIPEMD160(), Macs.HMACRIPEMD160OpenSsh(), Macs.HMACSHA2256(), Macs.HMACSHA2512()]
+        mac = macFactory.name
+    }
+}

src/main/java/com/hierynomus/sshj/transport/mac/Macs.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.transport.mac;
+
+import net.schmizz.sshj.transport.mac.BaseMAC;
+
+public class Macs {
+    public static Factory HMACMD5() {
+        return new Factory("hmac-md5", "HmacMD5", 16, 16);
+    }
+    public static Factory HMACMD596() {
+        return new Factory("hmac-md5-96", "HmacMD5", 12, 16);
+    }
+    public static Factory HMACRIPEMD160() {
+        return new Factory("hmac-ripemd160", "HMACRIPEMD160", 20, 20);
+    }
+    public static Factory HMACRIPEMD16096() {
+        return new Factory("hmac-ripemd160-96", "HMACRIPEMD160", 12, 20);
+    }
+    public static Factory HMACRIPEMD160OpenSsh() {
+        return new Factory("hmac-ripemd160@openssh.com", "HMACRIPEMD160", 20, 20);
+    }
+    public static Factory HMACSHA1() {
+        return new Factory("hmac-sha1", "HmacSHA1", 20, 20);
+    }
+    public static Factory HMACSHA196() {
+        return new Factory("hmac-sha1-96", "HmacSHA1", 12, 20);
+    }
+    public static Factory HMACSHA2256() {
+        return new Factory("hmac-sha2-256", "HmacSHA256", 32, 32);
+    }
+    public static Factory HMACSHA2512() {
+        return new Factory("hmac-sha2-512", "HmacSHA512", 64, 64);
+    }
+
+    private static class Factory implements net.schmizz.sshj.common.Factory.Named<BaseMAC> {
+
+        private String name;
+        private String algorithm;
+        private int bSize;
+        private int defBSize;
+
+        public Factory(String name, String algorithm, int bSize, int defBSize) {
+            this.name = name;
+            this.algorithm = algorithm;
+            this.bSize = bSize;
+            this.defBSize = defBSize;
+        }
+
+        @Override
+        public String getName() {
+            return name;
+        }
+
+        @Override
+        public BaseMAC create() {
+            return new BaseMAC(algorithm, bSize, defBSize);
+        }
+    }
+}

src/main/java/com/hierynomus/sshj/transport/verification/KnownHostMatchers.java

@@ -135,7 +135,7 @@ public class KnownHostMatchers {
         private final Pattern pattern;
 
         public WildcardHostMatcher(String hostEntry) {
-            this.pattern = Pattern.compile(hostEntry.replace(".", "\\.").replace("*", ".*").replace("?", "."));
+            this.pattern = Pattern.compile("^" + hostEntry.replace("[", "\\[").replace("]", "\\]").replace(".", "\\.").replace("*", ".*").replace("?", ".") + "$");
         }
 
         @Override

src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java

@@ -15,22 +15,29 @@
  */
 package com.hierynomus.sshj.userauth.keyprovider;
 
+import com.hierynomus.sshj.transport.cipher.BlockCiphers;
 import net.i2p.crypto.eddsa.EdDSAPrivateKey;
 import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 import net.schmizz.sshj.common.*;
 import net.schmizz.sshj.common.Buffer.PlainBuffer;
+import net.schmizz.sshj.transport.cipher.Cipher;
 import net.schmizz.sshj.userauth.keyprovider.BaseFileKeyProvider;
 import net.schmizz.sshj.userauth.keyprovider.FileKeyProvider;
 import net.schmizz.sshj.userauth.keyprovider.KeyFormat;
+import org.mindrot.jbcrypt.BCrypt;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.CharBuffer;
+import java.nio.charset.Charset;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.PublicKey;
+import java.util.Arrays;
 
 /**
  * Reads a key file in the new OpenSSH format.
@@ -42,6 +49,7 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
     private static final String END = "-----END ";
     private static final byte[] AUTH_MAGIC = "openssh-key-v1\0".getBytes();
     public static final String OPENSSH_PRIVATE_KEY = "OPENSSH PRIVATE KEY-----";
+    public static final String BCRYPT = "bcrypt";
 
     public static class Factory
             implements net.schmizz.sshj.common.Factory.Named<FileKeyProvider> {
@@ -86,7 +94,7 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
 
         String cipherName = keyBuffer.readString(); // string ciphername
         String kdfName = keyBuffer.readString(); // string kdfname
-        String kdfOptions = keyBuffer.readString(); // string kdfoptions
+        byte[] kdfOptions = keyBuffer.readBytes(); // string kdfoptions
 
         int nrKeys = keyBuffer.readUInt32AsInt(); // int number of keys N; Should be 1
         if (nrKeys != 1) {
@@ -99,10 +107,44 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
             return readUnencrypted(privateKeyBuffer, publicKey);
         } else {
             logger.info("Keypair is encrypted with: " + cipherName + ", " + kdfName + ", " + kdfOptions);
-            throw new IOException("Cannot read encrypted keypair with " + cipherName + " yet.");
+            PlainBuffer decrypted = decryptBuffer(privateKeyBuffer, cipherName, kdfName, kdfOptions);
+            return readUnencrypted(decrypted, publicKey);
+//            throw new IOException("Cannot read encrypted keypair with " + cipherName + " yet.");
         }
     }
 
+    private PlainBuffer decryptBuffer(PlainBuffer privateKeyBuffer, String cipherName, String kdfName, byte[] kdfOptions) throws IOException {
+        Cipher cipher = createCipher(cipherName);
+        initializeCipher(kdfName, kdfOptions, cipher);
+        byte[] array = privateKeyBuffer.array();
+        cipher.update(array, 0, privateKeyBuffer.available());
+        return new PlainBuffer(array);
+    }
+
+    private void initializeCipher(String kdfName, byte[] kdfOptions, Cipher cipher) throws Buffer.BufferException {
+        if (kdfName.equals(BCRYPT)) {
+            PlainBuffer opts = new PlainBuffer(kdfOptions);
+            CharBuffer charBuffer = CharBuffer.wrap(pwdf.reqPassword(null));
+            ByteBuffer byteBuffer = Charset.forName("UTF-8").encode(charBuffer);
+            byte[] passphrase = Arrays.copyOfRange(byteBuffer.array(),
+                    byteBuffer.position(), byteBuffer.limit());
+            byte[] keyiv = new byte[48];
+            new BCrypt().pbkdf(passphrase, opts.readBytes(), opts.readUInt32AsInt(), keyiv);
+            byte[] key = Arrays.copyOfRange(keyiv, 0, 32);
+            byte[] iv = Arrays.copyOfRange(keyiv, 32, 48);
+            cipher.init(Cipher.Mode.Decrypt, key, iv);
+        } else {
+            throw new IllegalStateException("No support for KDF '" + kdfName + "'.");
+        }
+    }
+
+    private Cipher createCipher(String cipherName) {
+        if (cipherName.equals(BlockCiphers.AES256CTR().getName())) {
+            return BlockCiphers.AES256CTR().create();
+        }
+        throw new IllegalStateException("Cipher '" + cipherName + "' not currently implemented for openssh-key-v1 format");
+    }
+
     private PublicKey readPublicKey(final PlainBuffer plainBuffer) throws Buffer.BufferException, GeneralSecurityException {
         return KeyType.fromString(plainBuffer.readString()).readPubKeyFromBuffer(plainBuffer);
     }

src/main/java/net/schmizz/sshj/AndroidConfig.java

@@ -15,12 +15,17 @@
  */
 package net.schmizz.sshj;
 
+import com.hierynomus.sshj.signature.SignatureEdDSA;
+
 import net.schmizz.sshj.common.SecurityUtils;
 import net.schmizz.sshj.signature.SignatureDSA;
 import net.schmizz.sshj.signature.SignatureRSA;
 import net.schmizz.sshj.transport.random.JCERandom;
 import net.schmizz.sshj.transport.random.SingletonRandomFactory;
 
+/**
+ * Registers SpongyCastle as JCE provider.
+ */
 public class AndroidConfig
         extends DefaultConfig {
 
@@ -30,7 +35,9 @@ public class AndroidConfig
 
     // don't add ECDSA
     protected void initSignatureFactories() {
-        setSignatureFactories(new SignatureRSA.Factory(), new SignatureDSA.Factory());
+        setSignatureFactories(new SignatureRSA.Factory(), new SignatureDSA.Factory(),
+                // but add EdDSA
+                new SignatureEdDSA.Factory());
     }
 
     @Override

src/main/java/net/schmizz/sshj/DefaultConfig.java

@@ -92,7 +92,7 @@ public class DefaultConfig
             properties.load(DefaultConfig.class.getClassLoader().getResourceAsStream("sshj.properties"));
             String property = properties.getProperty("sshj.version");
             return "SSHJ_" + property.replace('-', '_'); // '-' is a disallowed character, see RFC-4253#section-4.2
-        } catch (IOException e) {
+        } catch (Exception e) {
             log.error("Could not read the sshj.properties file, returning an 'unknown' version as fallback.");
             return "SSHJ_VERSION_UNKNOWN";
         }

src/main/java/net/schmizz/sshj/common/Buffer.java

@@ -132,8 +132,9 @@ public class Buffer<T extends Buffer<T>> {
 
     protected void ensureAvailable(int a)
             throws BufferException {
-        if (available() < a)
+        if (available() < a) {
             throw new BufferException("Underflow");
+        }
     }
 
     public void ensureCapacity(int capacity) {
@@ -147,7 +148,6 @@ public class Buffer<T extends Buffer<T>> {
 
     /** Compact this {@link SSHPacket} */
     public void compact() {
-        System.err.println("COMPACTING");
         if (available() > 0)
             System.arraycopy(data, rpos, data, 0, wpos - rpos);
         wpos -= rpos;
@@ -246,7 +246,7 @@ public class Buffer<T extends Buffer<T>> {
      * @return this
      */
     public T putBytes(byte[] b, int off, int len) {
-        return putUInt32(len - off).putRawBytes(b, off, len);
+        return putUInt32(len).putRawBytes(b, off, len);
     }
 
     public void readRawBytes(byte[] buf)
@@ -356,8 +356,9 @@ public class Buffer<T extends Buffer<T>> {
     }
 
     public T putUInt64(long uint64) {
-        if (uint64 < 0)
+        if (uint64 < 0) {
             throw new IllegalArgumentException("Invalid value: " + uint64);
+        }
         return putUInt64Unchecked(uint64);
     }
 
@@ -392,8 +393,9 @@ public class Buffer<T extends Buffer<T>> {
     public String readString(Charset cs)
             throws BufferException {
         int len = readUInt32AsInt();
-        if (len < 0 || len > 32768)
+        if (len < 0 || len > 32768) {
             throw new BufferException("Bad item length: " + len);
+        }
         ensureAvailable(len);
         String s = new String(data, rpos, len, cs);
         rpos += len;
@@ -460,10 +462,13 @@ public class Buffer<T extends Buffer<T>> {
 
     public PublicKey readPublicKey()
             throws BufferException {
+        KeyType keyType = KeyType.fromString(readString());
         try {
-            return KeyType.fromString(readString()).readPubKeyFromBuffer(this);
+            return keyType.readPubKeyFromBuffer(this);
         } catch (GeneralSecurityException e) {
             throw new SSHRuntimeException(e);
+        } catch (UnsupportedOperationException uoe) {
+            throw new BufferException("Could not decode keytype " + keyType);
         }
     }
 

src/main/java/net/schmizz/sshj/common/ECDSAVariationsAdapter.java

@@ -18,9 +18,7 @@ package net.schmizz.sshj.common;
 import com.hierynomus.sshj.secg.SecgUtils;
 import org.bouncycastle.asn1.nist.NISTNamedCurves;
 import org.bouncycastle.asn1.x9.X9ECParameters;
-import org.bouncycastle.jce.spec.ECParameterSpec;
-import org.bouncycastle.jce.spec.ECPublicKeySpec;
-import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.jce.spec.ECNamedCurveSpec;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -31,6 +29,8 @@ import java.security.KeyFactory;
 import java.security.PublicKey;
 import java.security.interfaces.ECKey;
 import java.security.interfaces.ECPublicKey;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPublicKeySpec;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
@@ -81,13 +81,14 @@ class ECDSAVariationsAdapter {
             BigInteger bigX = new BigInteger(1, x);
             BigInteger bigY = new BigInteger(1, y);
 
-            X9ECParameters ecParams = NISTNamedCurves.getByName(NIST_CURVES_NAMES.get(variation));
-            ECPoint pPublicPoint = ecParams.getCurve().createPoint(bigX, bigY);
-            ECParameterSpec spec = new ECParameterSpec(ecParams.getCurve(), ecParams.getG(), ecParams.getN());
-            ECPublicKeySpec publicSpec = new ECPublicKeySpec(pPublicPoint, spec);
+            String name = NIST_CURVES_NAMES.get(variation);
+            X9ECParameters ecParams = NISTNamedCurves.getByName(name);
+            ECNamedCurveSpec ecCurveSpec = new ECNamedCurveSpec(name, ecParams.getCurve(), ecParams.getG(), ecParams.getN());
+            ECPoint p = new ECPoint(bigX, bigY);
+            ECPublicKeySpec publicKeySpec = new ECPublicKeySpec(p, ecCurveSpec);
 
             KeyFactory keyFactory = KeyFactory.getInstance("ECDSA");
-            return keyFactory.generatePublic(publicSpec);
+            return keyFactory.generatePublic(publicKeySpec);
         } catch (Exception ex) {
             throw new GeneralSecurityException(ex);
         }

src/main/java/net/schmizz/sshj/common/IOUtils.java

@@ -40,7 +40,7 @@ public class IOUtils {
                 if (c != null)
                     c.close();
             } catch (IOException logged) {
-		loggerFactory.getLogger(IOUtils.class).warn("Error closing {} - {}", c, logged);
+                loggerFactory.getLogger(IOUtils.class).warn("Error closing {} - {}", c, logged);
             }
         }
     }

src/main/java/net/schmizz/sshj/common/SecurityUtils.java

@@ -18,11 +18,21 @@ package net.schmizz.sshj.common;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.Signature;
+
 import javax.crypto.Cipher;
 import javax.crypto.KeyAgreement;
 import javax.crypto.Mac;
 import javax.crypto.NoSuchPaddingException;
-import java.security.*;
 
 import static java.lang.String.format;
 
@@ -37,12 +47,17 @@ public class SecurityUtils {
      */
     public static final String BOUNCY_CASTLE = "BC";
 
+    /**
+     * Identifier for the BouncyCastle JCE provider
+     */
+    public static final String SPONGY_CASTLE = "SC";
+
     /*
     * Security provider identifier. null = default JCE
     */
     private static String securityProvider = null;
 
-    // relate to BC registration
+    // relate to BC registration (or SpongyCastle on Android)
     private static Boolean registerBouncyCastle;
     private static boolean registrationDone;
 
@@ -82,6 +97,8 @@ public class SecurityUtils {
         return false;
     }
 
+
+
     public static synchronized Cipher getCipher(String transformation)
             throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
         register();
@@ -222,11 +239,11 @@ public class SecurityUtils {
      * Attempts registering BouncyCastle as security provider if it has not been previously attempted and returns
      * whether the registration succeeded.
      *
-     * @return whether BC registered
+     * @return whether BC (or SC on Android) registered
      */
     public static synchronized boolean isBouncyCastleRegistered() {
         register();
-        return BOUNCY_CASTLE.equals(securityProvider);
+        return BOUNCY_CASTLE.equals(securityProvider) || SPONGY_CASTLE.equals(securityProvider);
     }
 
     public static synchronized void setRegisterBouncyCastle(boolean registerBouncyCastle) {

src/main/java/net/schmizz/sshj/connection/channel/AbstractChannel.java

@@ -362,10 +362,12 @@ public abstract class AbstractChannel
         } catch (Buffer.BufferException be) {
             throw new ConnectionException(be);
         }
-        if (len < 0 || len > getLocalMaxPacketSize() || len > buf.available())
+        if (len < 0 || len > getLocalMaxPacketSize() || len > buf.available()) {
             throw new ConnectionException(DisconnectReason.PROTOCOL_ERROR, "Bad item length: " + len);
-        if (log.isTraceEnabled())
+        }
+        if (log.isTraceEnabled()) {
             log.trace("IN #{}: {}", id, ByteArrayUtils.printHex(buf.array(), buf.rpos(), len));
+        }
         stream.receive(buf.array(), buf.rpos(), len);
     }
 

src/main/java/net/schmizz/sshj/connection/channel/ChannelInputStream.java

@@ -92,36 +92,43 @@ public final class ChannelInputStream
             throws IOException {
         synchronized (buf) {
             for (; ; ) {
-                if (buf.available() > 0)
+                if (buf.available() > 0) {
                     break;
-                if (eof)
-                    if (error != null)
+                }
+                if (eof) {
+                    if (error != null) {
                         throw error;
-                    else
+                    } else {
                         return -1;
+                    }
+                }
                 try {
                     buf.wait();
                 } catch (InterruptedException e) {
                     throw (IOException) new InterruptedIOException().initCause(e);
                 }
             }
-            if (len > buf.available())
+            if (len > buf.available()) {
                 len = buf.available();
+            }
             buf.readRawBytes(b, off, len);
-            if (buf.rpos() > win.getMaxPacketSize() && buf.available() == 0)
+            if (buf.rpos() > win.getMaxPacketSize() && buf.available() == 0) {
                 buf.clear();
+            }
         }
 
-        if (!chan.getAutoExpand())
+        if (!chan.getAutoExpand()) {
             checkWindow();
+        }
 
         return len;
     }
 
     public void receive(byte[] data, int offset, int len)
             throws ConnectionException, TransportException {
-        if (eof)
+        if (eof) {
             throw new ConnectionException("Getting data on EOF'ed stream");
+        }
         synchronized (buf) {
             buf.putRawBytes(data, offset, len);
             buf.notifyAll();
@@ -132,8 +139,9 @@ public final class ChannelInputStream
         synchronized (win) {
             win.consume(len);
         }
-        if (chan.getAutoExpand())
+        if (chan.getAutoExpand()) {
             checkWindow();
+        }
     }
 
     private void checkWindow()
@@ -143,7 +151,7 @@ public final class ChannelInputStream
             if (adjustment > 0) {
                 log.debug("Sending SSH_MSG_CHANNEL_WINDOW_ADJUST to #{} for {} bytes", chan.getRecipient(), adjustment);
                 trans.write(new SSHPacket(Message.CHANNEL_WINDOW_ADJUST)
-                                    .putUInt32(chan.getRecipient()).putUInt32(adjustment));
+                        .putUInt32(chan.getRecipient()).putUInt32(adjustment));
                 win.expand(adjustment);
             }
         }

src/main/java/net/schmizz/sshj/connection/channel/Window.java

@@ -59,8 +59,9 @@ public abstract class Window {
         synchronized (lock) {
             size -= dec;
             log.debug("Consuming by {} down to {}", dec, size);
-            if (size < 0)
+            if (size < 0) {
                 throw new ConnectionException("Window consumed to below 0");
+            }
         }
     }
 

src/main/java/net/schmizz/sshj/connection/channel/direct/LocalPortForwarder.java

@@ -181,8 +181,8 @@ public class LocalPortForwarder {
     public void close() throws IOException {
         if (!serverSocket.isClosed()) {
             log.info("Closing listener on {}", serverSocket.getLocalSocketAddress());
-            serverSocket.close();
             runningThread.interrupt();
+            serverSocket.close();
         }
     }
 

src/main/java/net/schmizz/sshj/sftp/RemoteFile.java

@@ -82,9 +82,7 @@ public class RemoteFile
             throws IOException {
         return requester.request(newRequest(PacketType.WRITE)
                 .putUInt64(fileOffset)
-                // TODO The SFTP spec claims this field is unneeded...? See #187
-                .putUInt32(len)
-                .putRawBytes(data, off, len)
+                .putString(data, off, len)
         );
     }
 

src/main/java/net/schmizz/sshj/transport/Encoder.java

@@ -62,8 +62,10 @@ final class Encoder
     long encode(SSHPacket buffer) {
         encodeLock.lock();
         try {
-            if (log.isTraceEnabled())
-                log.trace("Encoding packet #{}: {}", seq, buffer.printHex());
+            if (log.isTraceEnabled()) {
+                // Add +1 to seq as we log before actually incrementing the sequence.
+                log.trace("Encoding packet #{}: {}", seq + 1, buffer.printHex());
+            }
 
             if (usingCompression())
                 compress(buffer);

src/main/java/net/schmizz/sshj/transport/KeyExchanger.java

@@ -197,6 +197,12 @@ final class KeyExchanger
             if (hkv.verify(transport.getRemoteHost(), transport.getRemotePort(), key))
                 return;
         }
+        log.error("Disconnecting because none of the configured Host key verifiers ({}) could verify '{}' host key with fingerprint {} for {}:{}",
+                hostVerifiers,
+                KeyType.fromKey(key),
+                SecurityUtils.getFingerprint(key),
+                transport.getRemoteHost(),
+                transport.getRemotePort());
 
         throw new TransportException(DisconnectReason.HOST_KEY_NOT_VERIFIABLE,
                                      "Could not verify `" + KeyType.fromKey(key)

src/main/java/net/schmizz/sshj/transport/Reader.java

@@ -60,10 +60,8 @@ public final class Reader
                 }
             }
         } catch (Exception e) {
-            //noinspection StatementWithEmptyBody
-            if (isInterrupted()) {
-                // We are meant to shut up and draw to a close if interrupted
-            } else {
+            // We are meant to shut up and draw to a close if interrupted
+            if (!isInterrupted()) {
                 trans.die(e);
             }
         }

src/main/java/net/schmizz/sshj/transport/mac/HMACMD5.java

@@ -15,7 +15,12 @@
  */
 package net.schmizz.sshj.transport.mac;
 
-/** HMAC-MD5 <code>MAC</code>. */
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/** HMAC-MD5 <code>MAC</code>.
+ *
+ * @deprecated Use {@link Macs#HMACMD5()}
+ */
 public class HMACMD5
         extends BaseMAC {
 

src/main/java/net/schmizz/sshj/transport/mac/HMACMD596.java

@@ -15,7 +15,12 @@
  */
 package net.schmizz.sshj.transport.mac;
 
-/** HMAC-MD5-96 <code>MAC</code> */
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/** HMAC-MD5-96 <code>MAC</code>
+ *
+ * @deprecated Use {@link Macs#HMACMD596()}
+ */
 public class HMACMD596
         extends BaseMAC {
 

src/main/java/net/schmizz/sshj/transport/mac/HMACRIPEMD160.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.transport.mac;
+
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/**
+ * @deprecated Use {@link Macs#HMACRIPEMD160()}
+ */
+public class HMACRIPEMD160 extends BaseMAC {
+    /** Named factory for the HMAC-RIPEMD160 <code>MAC</code> */
+    public static class Factory
+            implements net.schmizz.sshj.common.Factory.Named<MAC> {
+
+        @Override
+        public MAC create() {
+            return new HMACRIPEMD160();
+        }
+
+        @Override
+        public String getName() {
+            return "hmac-ripemd160";
+        }
+    }
+
+
+    public HMACRIPEMD160() {
+        super("HMACRIPEMD160", 20, 20);
+    }
+}

src/main/java/net/schmizz/sshj/transport/mac/HMACSHA1.java

@@ -15,7 +15,12 @@
  */
 package net.schmizz.sshj.transport.mac;
 
-/** HMAC-SHA1 <code>MAC</code> */
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/** HMAC-SHA1 <code>MAC</code>
+ *
+ * @deprecated Use {@link Macs#HMACSHA1()}
+ */
 public class HMACSHA1
         extends BaseMAC {
 

src/main/java/net/schmizz/sshj/transport/mac/HMACSHA196.java

@@ -15,7 +15,12 @@
  */
 package net.schmizz.sshj.transport.mac;
 
-/** HMAC-SHA1-96 <code>MAC</code> */
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/** HMAC-SHA1-96 <code>MAC</code>
+ *
+ * @deprecated Use {@link Macs#HMACSHA196()}
+ */
 public class HMACSHA196
         extends BaseMAC {
 

src/main/java/net/schmizz/sshj/transport/mac/HMACSHA2256.java

@@ -15,7 +15,12 @@
  */
 package net.schmizz.sshj.transport.mac;
 
-/** HMAC-SHA1 <code>MAC</code> */
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/** HMAC-SHA1 <code>MAC</code>
+ *
+ * @deprecated Use {@link Macs#HMACSHA2256()}
+ */
 public class HMACSHA2256
         extends BaseMAC {
 

src/main/java/net/schmizz/sshj/transport/mac/HMACSHA2512.java

@@ -15,7 +15,12 @@
  */
 package net.schmizz.sshj.transport.mac;
 
-/** HMAC-SHA1 <code>MAC</code> */
+import com.hierynomus.sshj.transport.mac.Macs;
+
+/** HMAC-SHA1 <code>MAC</code>
+ *
+ * @deprecated Use {@link Macs#HMACSHA2512()}
+ */
 public class HMACSHA2512
         extends BaseMAC {
 

src/main/java/net/schmizz/sshj/transport/verification/ConsoleKnownHostsVerifier.java

@@ -41,7 +41,7 @@ public class ConsoleKnownHostsVerifier
     protected boolean hostKeyUnverifiableAction(String hostname, PublicKey key) {
         final KeyType type = KeyType.fromKey(key);
         console.printf("The authenticity of host '%s' can't be established.\n" +
-                               "%s key fingerprint is %s.\n", hostname, type, SecurityUtils.getFingerprint(key));
+                "%s key fingerprint is %s.\n", hostname, type, SecurityUtils.getFingerprint(key));
         String response = console.readLine("Are you sure you want to continue connecting (yes/no)? ");
         while (!(response.equalsIgnoreCase(YES) || response.equalsIgnoreCase(NO))) {
             response = console.readLine("Please explicitly enter yes/no: ");
@@ -60,7 +60,7 @@ public class ConsoleKnownHostsVerifier
     }
 
     @Override
-    protected boolean hostKeyChangedAction(KnownHostEntry entry, String hostname, PublicKey key) {
+    protected boolean hostKeyChangedAction(String hostname, PublicKey key) {
         final KeyType type = KeyType.fromKey(key);
         final String fp = SecurityUtils.getFingerprint(key);
         final String path = getFile().getAbsolutePath();

src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java

@@ -87,14 +87,23 @@ public class OpenSSHKnownHosts
 
         final String adjustedHostname = (port != 22) ? "[" + hostname + "]:" + port : hostname;
 
+        boolean foundApplicableHostEntry = false;
         for (KnownHostEntry e : entries) {
             try {
-                if (e.appliesTo(type, adjustedHostname))
-                    return e.verify(key) || hostKeyChangedAction(e, adjustedHostname, key);
+                if (e.appliesTo(type, adjustedHostname)) {
+                    foundApplicableHostEntry = true;
+                    if (e.verify(key)) {
+                        return true;
+                    }
+                }
             } catch (IOException ioe) {
                 log.error("Error with {}: {}", e, ioe);
                 return false;
             }
+
+        }
+        if (foundApplicableHostEntry) {
+            return hostKeyChangedAction(adjustedHostname, key);
         }
 
         return hostKeyUnverifiableAction(adjustedHostname, key);
@@ -104,7 +113,7 @@ public class OpenSSHKnownHosts
         return false;
     }
 
-    protected boolean hostKeyChangedAction(KnownHostEntry entry, String hostname, PublicKey key) {
+    protected boolean hostKeyChangedAction(String hostname, PublicKey key) {
         log.warn("Host key for `{}` has changed!", hostname);
         return false;
     }
@@ -199,7 +208,7 @@ public class OpenSSHKnownHosts
             }
             if(split.length < 3) {
                 log.error("Error reading entry `{}`", line);
-                return null;
+                return new BadHostEntry(line);
             }
             final String hostnames = split[i++];
             final String sType = split[i++];
@@ -209,7 +218,13 @@ public class OpenSSHKnownHosts
 
             if (type != KeyType.UNKNOWN) {
                 final String sKey = split[i++];
-                key = new Buffer.PlainBuffer(Base64.decode(sKey)).readPublicKey();
+                try {
+                    byte[] keyBytes = Base64.decode(sKey);
+                    key = new Buffer.PlainBuffer(keyBytes).readPublicKey();
+                } catch (IOException ioe) {
+                    log.warn("Error decoding Base64 key bytes", ioe);
+                    return new BadHostEntry(line);
+                }
             } else if (isBits(sType)) {
                 type = KeyType.RSA;
                 // int bits = Integer.valueOf(sType);
@@ -220,11 +235,11 @@ public class OpenSSHKnownHosts
                     key = keyFactory.generatePublic(new RSAPublicKeySpec(n, e));
                 } catch (Exception ex) {
                     log.error("Error reading entry `{}`, could not create key", line, ex);
-                    return null;
+                    return new BadHostEntry(line);
                 }
             } else {
                 log.error("Error reading entry `{}`, could not determine type", line);
-                return null;
+                return new BadHostEntry(line);
             }
 
             return new HostEntry(marker, hostnames, type, key);
@@ -310,7 +325,7 @@ public class OpenSSHKnownHosts
         protected final PublicKey key;
         private final KnownHostMatchers.HostMatcher matcher;
 
-        HostEntry(Marker marker, String hostPart, KeyType type, PublicKey key) throws SSHException {
+        public HostEntry(Marker marker, String hostPart, KeyType type, PublicKey key) throws SSHException {
             this.marker = marker;
             this.hostPart = hostPart;
             this.type = type;
@@ -340,7 +355,7 @@ public class OpenSSHKnownHosts
 
         @Override
         public boolean verify(PublicKey key) throws IOException {
-            return key.equals(this.key) && marker != Marker.REVOKED;
+            return getKeyString(key).equals(getKeyString(this.key)) && marker != Marker.REVOKED;
         }
 
         public String getLine() {
@@ -350,17 +365,55 @@ public class OpenSSHKnownHosts
 
             line.append(getHostPart());
             line.append(" ").append(type.toString());
-            line.append(" ").append(getKeyString());
+            line.append(" ").append(getKeyString(key));
             return line.toString();
         }
 
-        private String getKeyString() {
-            final Buffer.PlainBuffer buf = new Buffer.PlainBuffer().putPublicKey(key);
+        private String getKeyString(PublicKey pk) {
+            final Buffer.PlainBuffer buf = new Buffer.PlainBuffer().putPublicKey(pk);
             return Base64.encodeBytes(buf.array(), buf.rpos(), buf.available());
         }
 
         protected String getHostPart() {
-            return  hostPart;
+            return hostPart;
+        }
+    }
+
+    public static class BadHostEntry implements KnownHostEntry {
+        private String line;
+
+        public BadHostEntry(String line) {
+            this.line = line;
+        }
+
+        @Override
+        public KeyType getType() {
+            return KeyType.UNKNOWN;
+        }
+
+        @Override
+        public String getFingerprint() {
+            return null;
+        }
+
+        @Override
+        public boolean appliesTo(String host) throws IOException {
+            return false;
+        }
+
+        @Override
+        public boolean appliesTo(KeyType type, String host) throws IOException {
+            return false;
+        }
+
+        @Override
+        public boolean verify(PublicKey key) throws IOException {
+            return false;
+        }
+
+        @Override
+        public String getLine() {
+            return line;
         }
     }
 

src/main/java/net/schmizz/sshj/userauth/keyprovider/OpenSSHKeyFile.java

@@ -75,7 +75,12 @@ public class OpenSSHKeyFile
     @Override
     public void init(String privateKey, String publicKey) {
         if (publicKey != null) {
-            initPubKey(new StringReader(publicKey));
+            try {
+                initPubKey(new StringReader(publicKey));
+            } catch (IOException e) {
+                // let super provide both public & private key
+                log.warn("Error reading public key: {}", e.toString());
+            }
         }
         super.init(privateKey, null);
     }
@@ -85,23 +90,18 @@ public class OpenSSHKeyFile
      *
      * @param publicKey Public key accessible through a {@code Reader}
      */
-    private void initPubKey(Reader publicKey) {
+    private void initPubKey(Reader publicKey) throws IOException {
+        final BufferedReader br = new BufferedReader(publicKey);
         try {
-            final BufferedReader br = new BufferedReader(publicKey);
-            try {
-                final String keydata = br.readLine();
-                if (keydata != null) {
-                    String[] parts = keydata.trim().split(" ");
-                    assert parts.length >= 2;
-                    type = KeyType.fromString(parts[0]);
-                    pubKey = new Buffer.PlainBuffer(Base64.decode(parts[1])).readPublicKey();
-                }
-            } finally {
-                br.close();
+            final String keydata = br.readLine();
+            if (keydata != null) {
+                String[] parts = keydata.trim().split(" ");
+                assert parts.length >= 2;
+                type = KeyType.fromString(parts[0]);
+                pubKey = new Buffer.PlainBuffer(Base64.decode(parts[1])).readPublicKey();
             }
-        } catch (IOException e) {
-            // let super provide both public & private key
-            log.warn("Error reading public key: {}", e.toString());
+        } finally {
+            br.close();
         }
     }
 }

src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS8KeyFile.java

@@ -16,6 +16,7 @@
 package net.schmizz.sshj.userauth.keyprovider;
 
 import net.schmizz.sshj.common.IOUtils;
+import net.schmizz.sshj.common.SecurityUtils;
 import net.schmizz.sshj.userauth.password.PasswordUtils;
 import org.bouncycastle.openssl.EncryptionException;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
@@ -62,12 +63,12 @@ public class PKCS8KeyFile extends BaseFileKeyProvider {
                 final Object o = r.readObject();
 
                 final JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter();
-                pemConverter.setProvider("BC");
+                pemConverter.setProvider(SecurityUtils.getSecurityProvider());
 
                 if (o instanceof PEMEncryptedKeyPair) {
                     final PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair) o;
                     JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder();
-                    decryptorBuilder.setProvider("BC");
+                    decryptorBuilder.setProvider(SecurityUtils.getSecurityProvider());
                     try {
                         passphrase = pwdf == null ? null : pwdf.reqPassword(resource);
                         kp = pemConverter.getKeyPair(encryptedKeyPair.decryptKeyPair(decryptorBuilder.build(passphrase)));

src/main/java/net/schmizz/sshj/userauth/password/PrivateKeyFileResource.java

@@ -27,6 +27,6 @@ public class PrivateKeyFileResource
     @Override
     public Reader getReader()
             throws IOException {
-        return new InputStreamReader(new FileInputStream(getDetail()));
+        return new InputStreamReader(new FileInputStream(getDetail()), "UTF-8");
     }
 }

src/main/java/org/mindrot/jbcrypt/BCrypt.java

@@ -0,0 +1,869 @@
+// Copyright (c) 2006 Damien Miller <djm@mindrot.org>
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+package org.mindrot.jbcrypt;
+
+import java.io.UnsupportedEncodingException;
+import java.security.DigestException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+/**
+ * BCrypt implements OpenBSD-style Blowfish password hashing using
+ * the scheme described in "A Future-Adaptable Password Scheme" by
+ * Niels Provos and David Mazieres.
+ * <p>
+ * This password hashing system tries to thwart off-line password
+ * cracking using a computationally-intensive hashing algorithm,
+ * based on Bruce Schneier's Blowfish cipher. The work factor of
+ * the algorithm is parameterised, so it can be increased as
+ * computers get faster.
+ * <p>
+ * Usage is really simple. To hash a password for the first time,
+ * call the hashpw method with a random salt, like this:
+ * <p>
+ * <code>
+ * String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); <br>
+ * </code>
+ * <p>
+ * To check whether a plaintext password matches one that has been
+ * hashed previously, use the checkpw method:
+ * <p>
+ * <code>
+ * if (BCrypt.checkpw(candidate_password, stored_hash))<br>
+ * &nbsp;&nbsp;&nbsp;&nbsp;System.out.println("It matches");<br>
+ * else<br>
+ * &nbsp;&nbsp;&nbsp;&nbsp;System.out.println("It does not match");<br>
+ * </code>
+ * <p>
+ * The gensalt() method takes an optional parameter (log_rounds)
+ * that determines the computational complexity of the hashing:
+ * <p>
+ * <code>
+ * String strong_salt = BCrypt.gensalt(10)<br>
+ * String stronger_salt = BCrypt.gensalt(12)<br>
+ * </code>
+ * <p>
+ * The amount of work increases exponentially (2**log_rounds), so
+ * each increment is twice as much work. The default log_rounds is
+ * 10, and the valid range is 4 to 30.
+ *
+ * @author Damien Miller
+ * @version 0.2
+ */
+public class BCrypt {
+    // BCrypt parameters
+    private static final int GENSALT_DEFAULT_LOG2_ROUNDS = 10;
+    private static final int BCRYPT_SALT_LEN = 16;
+
+    // Blowfish parameters
+    private static final int BLOWFISH_NUM_ROUNDS = 16;
+
+    // Initial contents of key schedule
+    private static final int P_orig[] = {
+            0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
+            0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
+            0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
+            0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
+            0x9216d5d9, 0x8979fb1b
+    };
+    private static final int S_orig[] = {
+            0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
+            0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
+            0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
+            0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
+            0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
+            0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
+            0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
+            0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
+            0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
+            0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
+            0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
+            0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
+            0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
+            0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
+            0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
+            0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
+            0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
+            0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
+            0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
+            0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
+            0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
+            0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
+            0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
+            0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
+            0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
+            0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
+            0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
+            0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
+            0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
+            0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
+            0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
+            0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
+            0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
+            0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
+            0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
+            0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
+            0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
+            0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
+            0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
+            0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
+            0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
+            0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
+            0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
+            0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
+            0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
+            0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
+            0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
+            0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
+            0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
+            0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
+            0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
+            0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
+            0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
+            0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
+            0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
+            0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
+            0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
+            0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
+            0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
+            0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
+            0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
+            0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
+            0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
+            0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a,
+            0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
+            0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
+            0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
+            0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
+            0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
+            0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
+            0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
+            0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
+            0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
+            0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
+            0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
+            0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
+            0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
+            0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
+            0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
+            0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
+            0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
+            0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
+            0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
+            0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
+            0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
+            0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
+            0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
+            0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
+            0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
+            0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
+            0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
+            0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
+            0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
+            0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
+            0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
+            0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
+            0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
+            0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
+            0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
+            0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
+            0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
+            0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
+            0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
+            0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
+            0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
+            0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
+            0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
+            0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
+            0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
+            0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
+            0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
+            0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
+            0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
+            0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
+            0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
+            0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
+            0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
+            0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
+            0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
+            0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
+            0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
+            0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
+            0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
+            0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
+            0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
+            0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
+            0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
+            0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7,
+            0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
+            0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
+            0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
+            0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
+            0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
+            0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
+            0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
+            0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
+            0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
+            0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
+            0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
+            0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
+            0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
+            0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
+            0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
+            0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
+            0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
+            0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
+            0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
+            0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
+            0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
+            0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
+            0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
+            0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
+            0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
+            0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
+            0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
+            0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
+            0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
+            0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
+            0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
+            0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
+            0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
+            0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
+            0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
+            0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
+            0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
+            0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
+            0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
+            0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
+            0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
+            0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
+            0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
+            0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
+            0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
+            0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
+            0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
+            0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
+            0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
+            0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
+            0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
+            0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
+            0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
+            0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
+            0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
+            0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
+            0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
+            0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
+            0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
+            0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
+            0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
+            0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
+            0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
+            0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0,
+            0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
+            0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
+            0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
+            0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
+            0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
+            0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
+            0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
+            0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
+            0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
+            0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
+            0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
+            0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
+            0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
+            0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
+            0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
+            0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
+            0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
+            0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
+            0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
+            0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
+            0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
+            0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
+            0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
+            0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
+            0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
+            0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
+            0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
+            0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
+            0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
+            0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
+            0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
+            0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
+            0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
+            0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
+            0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
+            0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
+            0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
+            0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
+            0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
+            0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
+            0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
+            0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
+            0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
+            0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
+            0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
+            0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
+            0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
+            0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
+            0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
+            0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
+            0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
+            0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
+            0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
+            0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
+            0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
+            0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
+            0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
+            0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
+            0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
+            0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
+            0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
+            0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
+            0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
+            0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
+    };
+
+    // OpenBSD IV: "OxychromaticBlowfishSwatDynamite" in big endian
+    private static final int[] openbsd_iv = new int[] {
+            0x4f787963, 0x68726f6d, 0x61746963, 0x426c6f77,
+            0x66697368, 0x53776174, 0x44796e61, 0x6d697465,
+    };
+
+    // bcrypt IV: "OrpheanBeholderScryDoubt". The C implementation calls
+    // this "ciphertext", but it is really plaintext or an IV. We keep
+    // the name to make code comparison easier.
+    static private final int bf_crypt_ciphertext[] = {
+            0x4f727068, 0x65616e42, 0x65686f6c,
+            0x64657253, 0x63727944, 0x6f756274
+    };
+
+    // Table for Base64 encoding
+    static private final char base64_code[] = {
+            '.', '/', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
+            'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V',
+            'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
+            'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't',
+            'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5',
+            '6', '7', '8', '9'
+    };
+
+    // Table for Base64 decoding
+    static private final byte index_64[] = {
+            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+            -1, -1, -1, -1, -1, -1, 0, 1, 54, 55,
+            56, 57, 58, 59, 60, 61, 62, 63, -1, -1,
+            -1, -1, -1, -1, -1, 2, 3, 4, 5, 6,
+            7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+            17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
+            -1, -1, -1, -1, -1, -1, 28, 29, 30,
+            31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
+            41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
+            51, 52, 53, -1, -1, -1, -1, -1
+    };
+
+    // Expanded Blowfish key
+    private int P[];
+    private int S[];
+
+    /**
+     * Encode a byte array using bcrypt's slightly-modified base64
+     * encoding scheme. Note that this is *not* compatible with
+     * the standard MIME-base64 encoding.
+     *
+     * @param d	the byte array to encode
+     * @param len	the number of bytes to encode
+     * @return	base64-encoded string
+     * @exception IllegalArgumentException if the length is invalid
+     */
+    private static String encode_base64(byte d[], int len)
+            throws IllegalArgumentException {
+        int off = 0;
+        StringBuffer rs = new StringBuffer();
+        int c1, c2;
+
+        if (len <= 0 || len > d.length)
+            throw new IllegalArgumentException ("Invalid len");
+
+        while (off < len) {
+            c1 = d[off++] & 0xff;
+            rs.append(base64_code[(c1 >> 2) & 0x3f]);
+            c1 = (c1 & 0x03) << 4;
+            if (off >= len) {
+                rs.append(base64_code[c1 & 0x3f]);
+                break;
+            }
+            c2 = d[off++] & 0xff;
+            c1 |= (c2 >> 4) & 0x0f;
+            rs.append(base64_code[c1 & 0x3f]);
+            c1 = (c2 & 0x0f) << 2;
+            if (off >= len) {
+                rs.append(base64_code[c1 & 0x3f]);
+                break;
+            }
+            c2 = d[off++] & 0xff;
+            c1 |= (c2 >> 6) & 0x03;
+            rs.append(base64_code[c1 & 0x3f]);
+            rs.append(base64_code[c2 & 0x3f]);
+        }
+        return rs.toString();
+    }
+
+    /**
+     * Look up the 3 bits base64-encoded by the specified character,
+     * range-checking againt conversion table
+     * @param x	the base64-encoded value
+     * @return	the decoded value of x
+     */
+    private static byte char64(char x) {
+        if ((int)x < 0 || (int)x > index_64.length)
+            return -1;
+        return index_64[(int)x];
+    }
+
+    /**
+     * Decode a string encoded using bcrypt's base64 scheme to a
+     * byte array. Note that this is *not* compatible with
+     * the standard MIME-base64 encoding.
+     * @param s	the string to decode
+     * @param maxolen	the maximum number of bytes to decode
+     * @return	an array containing the decoded bytes
+     * @throws IllegalArgumentException if maxolen is invalid
+     */
+    private static byte[] decode_base64(String s, int maxolen)
+            throws IllegalArgumentException {
+        StringBuffer rs = new StringBuffer();
+        int off = 0, slen = s.length(), olen = 0;
+        byte ret[];
+        byte c1, c2, c3, c4, o;
+
+        if (maxolen <= 0)
+            throw new IllegalArgumentException ("Invalid maxolen");
+
+        while (off < slen - 1 && olen < maxolen) {
+            c1 = char64(s.charAt(off++));
+            c2 = char64(s.charAt(off++));
+            if (c1 == -1 || c2 == -1)
+                break;
+            o = (byte)(c1 << 2);
+            o |= (c2 & 0x30) >> 4;
+            rs.append((char)o);
+            if (++olen >= maxolen || off >= slen)
+                break;
+            c3 = char64(s.charAt(off++));
+            if (c3 == -1)
+                break;
+            o = (byte)((c2 & 0x0f) << 4);
+            o |= (c3 & 0x3c) >> 2;
+            rs.append((char)o);
+            if (++olen >= maxolen || off >= slen)
+                break;
+            c4 = char64(s.charAt(off++));
+            o = (byte)((c3 & 0x03) << 6);
+            o |= c4;
+            rs.append((char)o);
+            ++olen;
+        }
+
+        ret = new byte[olen];
+        for (off = 0; off < olen; off++)
+            ret[off] = (byte)rs.charAt(off);
+        return ret;
+    }
+
+    /**
+     * Blowfish encipher a single 64-bit block encoded as
+     * two 32-bit halves
+     * @param lr	an array containing the two 32-bit half blocks
+     * @param off	the position in the array of the blocks
+     */
+    private final void encipher(int lr[], int off) {
+        int i, n, l = lr[off], r = lr[off + 1];
+
+        l ^= P[0];
+        for (i = 0; i <= BLOWFISH_NUM_ROUNDS - 2;) {
+            // Feistel substitution on left word
+            n = S[(l >> 24) & 0xff];
+            n += S[0x100 | ((l >> 16) & 0xff)];
+            n ^= S[0x200 | ((l >> 8) & 0xff)];
+            n += S[0x300 | (l & 0xff)];
+            r ^= n ^ P[++i];
+
+            // Feistel substitution on right word
+            n = S[(r >> 24) & 0xff];
+            n += S[0x100 | ((r >> 16) & 0xff)];
+            n ^= S[0x200 | ((r >> 8) & 0xff)];
+            n += S[0x300 | (r & 0xff)];
+            l ^= n ^ P[++i];
+        }
+        lr[off] = r ^ P[BLOWFISH_NUM_ROUNDS + 1];
+        lr[off + 1] = l;
+    }
+
+    /**
+     * Cycically extract a word of key material
+     * @param data	the string to extract the data from
+     * @param offp	a "pointer" (as a one-entry array) to the
+     * current offset into data
+     * @return	the next word of material from data
+     */
+    private static int streamtoword(byte data[], int offp[]) {
+        int i;
+        int word = 0;
+        int off = offp[0];
+
+        for (i = 0; i < 4; i++) {
+            word = (word << 8) | (data[off] & 0xff);
+            off = (off + 1) % data.length;
+        }
+
+        offp[0] = off;
+        return word;
+    }
+
+    /**
+     * Initialise the Blowfish key schedule
+     */
+    private void init_key() {
+        P = (int[])P_orig.clone();
+        S = (int[])S_orig.clone();
+    }
+
+    /**
+     * Key the Blowfish cipher
+     * @param key	an array containing the key
+     */
+    private void key(byte key[]) {
+        int i;
+        int koffp[] = { 0 };
+        int lr[] = { 0, 0 };
+        int plen = P.length, slen = S.length;
+
+        for (i = 0; i < plen; i++)
+            P[i] = P[i] ^ streamtoword(key, koffp);
+
+        for (i = 0; i < plen; i += 2) {
+            encipher(lr, 0);
+            P[i] = lr[0];
+            P[i + 1] = lr[1];
+        }
+
+        for (i = 0; i < slen; i += 2) {
+            encipher(lr, 0);
+            S[i] = lr[0];
+            S[i + 1] = lr[1];
+        }
+    }
+
+    /**
+     * Perform the "enhanced key schedule" step described by
+     * Provos and Mazieres in "A Future-Adaptable Password Scheme"
+     * http://www.openbsd.org/papers/bcrypt-paper.ps
+     * @param data	salt information
+     * @param key	password information
+     */
+    private void ekskey(byte data[], byte key[]) {
+        int i;
+        int koffp[] = { 0 }, doffp[] = { 0 };
+        int lr[] = { 0, 0 };
+        int plen = P.length, slen = S.length;
+
+        for (i = 0; i < plen; i++)
+            P[i] = P[i] ^ streamtoword(key, koffp);
+
+        for (i = 0; i < plen; i += 2) {
+            lr[0] ^= streamtoword(data, doffp);
+            lr[1] ^= streamtoword(data, doffp);
+            encipher(lr, 0);
+            P[i] = lr[0];
+            P[i + 1] = lr[1];
+        }
+
+        for (i = 0; i < slen; i += 2) {
+            lr[0] ^= streamtoword(data, doffp);
+            lr[1] ^= streamtoword(data, doffp);
+            encipher(lr, 0);
+            S[i] = lr[0];
+            S[i + 1] = lr[1];
+        }
+    }
+
+    /**
+     * Compatibility with new OpenBSD function.
+     */
+    public void hash(byte[] hpass, byte[] hsalt, byte[] output) {
+        init_key();
+        ekskey(hsalt, hpass);
+        for (int i = 0; i < 64; i++) {
+            key(hsalt);
+            key(hpass);
+        }
+
+        int[] buf = new int[openbsd_iv.length];
+        System.arraycopy(openbsd_iv, 0, buf, 0, openbsd_iv.length);
+        for (int i = 0; i < 8; i += 2) {
+            for (int j = 0; j < 64; j++) {
+                encipher(buf, i);
+            }
+        }
+
+        for (int i = 0, j = 0; i < buf.length; i++) {
+            // Output of this is little endian
+            output[j++] = (byte)(buf[i] & 0xff);
+            output[j++] = (byte)((buf[i] >> 8) & 0xff);
+            output[j++] = (byte)((buf[i] >> 16) & 0xff);
+            output[j++] = (byte)((buf[i] >> 24) & 0xff);
+        }
+    }
+
+    /**
+     * Compatibility with new OpenBSD function.
+     */
+    public void pbkdf(byte[] password, byte[] salt, int rounds, byte[] output) {
+        try {
+            MessageDigest sha512 = MessageDigest.getInstance("SHA-512");
+
+            int nblocks = (output.length + 31) / 32;
+            byte[] hpass = sha512.digest(password);
+
+            byte[] hsalt = new byte[64];
+            byte[] block_b = new byte[4];
+            byte[] out = new byte[32];
+            byte[] tmp = new byte[32];
+            for (int block = 1; block <= nblocks; block++) {
+                // Block count is in big endian
+                block_b[0] = (byte) ((block >> 24) & 0xFF);
+                block_b[1] = (byte) ((block >> 16) & 0xFF);
+                block_b[2] = (byte) ((block >> 8) & 0xFF);
+                block_b[3] = (byte) (block & 0xFF);
+
+                sha512.reset();
+                sha512.update(salt);
+                sha512.update(block_b);
+                sha512.digest(hsalt, 0, hsalt.length);
+
+                hash(hpass, hsalt, out);
+                System.arraycopy(out, 0, tmp, 0, out.length);
+
+                for (int round = 1; round < rounds; round++) {
+                    sha512.reset();
+                    sha512.update(tmp);
+                    sha512.digest(hsalt, 0, hsalt.length);
+
+                    hash(hpass, hsalt, tmp);
+
+                    for (int i = 0; i < tmp.length; i++) {
+                        out[i] ^= tmp[i];
+                    }
+                }
+
+                for (int i = 0; i < out.length; i++) {
+                    int idx = i * nblocks + (block - 1);
+                    if (idx < output.length) {
+                        output[idx] = out[i];
+                    }
+                }
+            }
+        } catch (DigestException e) {
+            throw new RuntimeException(e);
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * Perform the central password hashing step in the
+     * bcrypt scheme
+     * @param password	the password to hash
+     * @param salt	the binary salt to hash with the password
+     * @param log_rounds	the binary logarithm of the number
+     * of rounds of hashing to apply
+     * @param cdata         the plaintext to encrypt
+     * @return	an array containing the binary hashed password
+     */
+    public byte[] crypt_raw(byte password[], byte salt[], int log_rounds,
+                            int cdata[]) {
+        int rounds, i, j;
+        int clen = cdata.length;
+        byte ret[];
+
+        if (log_rounds < 4 || log_rounds > 30)
+            throw new IllegalArgumentException ("Bad number of rounds");
+        rounds = 1 << log_rounds;
+        if (salt.length != BCRYPT_SALT_LEN)
+            throw new IllegalArgumentException ("Bad salt length");
+
+        init_key();
+        ekskey(salt, password);
+        for (i = 0; i != rounds; i++) {
+            key(password);
+            key(salt);
+        }
+
+        for (i = 0; i < 64; i++) {
+            for (j = 0; j < (clen >> 1); j++)
+                encipher(cdata, j << 1);
+        }
+
+        ret = new byte[clen * 4];
+        for (i = 0, j = 0; i < clen; i++) {
+            ret[j++] = (byte)((cdata[i] >> 24) & 0xff);
+            ret[j++] = (byte)((cdata[i] >> 16) & 0xff);
+            ret[j++] = (byte)((cdata[i] >> 8) & 0xff);
+            ret[j++] = (byte)(cdata[i] & 0xff);
+        }
+        return ret;
+    }
+
+    /**
+     * Hash a password using the OpenBSD bcrypt scheme
+     * @param password	the password to hash
+     * @param salt	the salt to hash with (perhaps generated
+     * using BCrypt.gensalt)
+     * @return	the hashed password
+     */
+    public static String hashpw(String password, String salt) {
+        BCrypt B;
+        String real_salt;
+        byte passwordb[], saltb[], hashed[];
+        char minor = (char)0;
+        int rounds, off = 0;
+        StringBuffer rs = new StringBuffer();
+
+        if (salt.charAt(0) != '$' || salt.charAt(1) != '2')
+            throw new IllegalArgumentException ("Invalid salt version");
+        if (salt.charAt(2) == '$')
+            off = 3;
+        else {
+            minor = salt.charAt(2);
+            if (minor != 'a' || salt.charAt(3) != '$')
+                throw new IllegalArgumentException ("Invalid salt revision");
+            off = 4;
+        }
+
+        // Extract number of rounds
+        if (salt.charAt(off + 2) > '$')
+            throw new IllegalArgumentException ("Missing salt rounds");
+        rounds = Integer.parseInt(salt.substring(off, off + 2));
+
+        real_salt = salt.substring(off + 3, off + 25);
+        try {
+            passwordb = (password + (minor >= 'a' ? "\000" : "")).getBytes("UTF-8");
+        } catch (UnsupportedEncodingException uee) {
+            throw new AssertionError("UTF-8 is not supported");
+        }
+
+        saltb = decode_base64(real_salt, BCRYPT_SALT_LEN);
+
+        B = new BCrypt();
+        hashed = B.crypt_raw(passwordb, saltb, rounds,
+                (int[])bf_crypt_ciphertext.clone());
+
+        rs.append("$2");
+        if (minor >= 'a')
+            rs.append(minor);
+        rs.append("$");
+        if (rounds < 10)
+            rs.append("0");
+        if (rounds > 30) {
+            throw new IllegalArgumentException(
+                    "rounds exceeds maximum (30)");
+        }
+        rs.append(Integer.toString(rounds));
+        rs.append("$");
+        rs.append(encode_base64(saltb, saltb.length));
+        rs.append(encode_base64(hashed,
+                bf_crypt_ciphertext.length * 4 - 1));
+        return rs.toString();
+    }
+
+    /**
+     * Generate a salt for use with the BCrypt.hashpw() method
+     * @param log_rounds	the log2 of the number of rounds of
+     * hashing to apply - the work factor therefore increases as
+     * 2**log_rounds.
+     * @param random		an instance of SecureRandom to use
+     * @return	an encoded salt value
+     */
+    public static String gensalt(int log_rounds, SecureRandom random) {
+        StringBuffer rs = new StringBuffer();
+        byte rnd[] = new byte[BCRYPT_SALT_LEN];
+
+        random.nextBytes(rnd);
+
+        rs.append("$2a$");
+        if (log_rounds < 10)
+            rs.append("0");
+        if (log_rounds > 30) {
+            throw new IllegalArgumentException(
+                    "log_rounds exceeds maximum (30)");
+        }
+        rs.append(Integer.toString(log_rounds));
+        rs.append("$");
+        rs.append(encode_base64(rnd, rnd.length));
+        return rs.toString();
+    }
+
+    /**
+     * Generate a salt for use with the BCrypt.hashpw() method
+     * @param log_rounds	the log2 of the number of rounds of
+     * hashing to apply - the work factor therefore increases as
+     * 2**log_rounds.
+     * @return	an encoded salt value
+     */
+    public static String gensalt(int log_rounds) {
+        return gensalt(log_rounds, new SecureRandom());
+    }
+
+    /**
+     * Generate a salt for use with the BCrypt.hashpw() method,
+     * selecting a reasonable default for the number of hashing
+     * rounds to apply
+     * @return	an encoded salt value
+     */
+    public static String gensalt() {
+        return gensalt(GENSALT_DEFAULT_LOG2_ROUNDS);
+    }
+
+    /**
+     * Check that a plaintext password matches a previously hashed
+     * one
+     * @param plaintext	the plaintext password to verify
+     * @param hashed	the previously-hashed password
+     * @return	true if the passwords match, false otherwise
+     */
+    public static boolean checkpw(String plaintext, String hashed) {
+        byte hashed_bytes[];
+        byte try_bytes[];
+        try {
+            String try_pw = hashpw(plaintext, hashed);
+            hashed_bytes = hashed.getBytes("UTF-8");
+            try_bytes = try_pw.getBytes("UTF-8");
+        } catch (UnsupportedEncodingException uee) {
+            return false;
+        }
+        if (hashed_bytes.length != try_bytes.length)
+            return false;
+        byte ret = 0;
+        for (int i = 0; i < try_bytes.length; i++)
+            ret |= hashed_bytes[i] ^ try_bytes[i];
+        return ret == 0;
+    }
+}

src/test/groovy/com/hierynomus/sshj/transport/verification/KnownHostMatchersSpec.groovy

@@ -49,6 +49,11 @@ class KnownHostMatchersSpec extends Specification {
         "aaa.b??.com" | "aaa.bccd.com" | false
         "|1|F1E1KeoE/eEWhi10WpGv4OdiO6Y=|3988QV0VE8wmZL7suNrYQLITLCg=" | "192.168.1.61" | true
         "|1|F1E1KeoE/eEWhi10WpGv4OdiO6Y=|3988QV0VE8wmZL7suNrYQLITLCg=" | "192.168.2.61" | false
+        "[aaa.bbb.com]:2222" | "aaa.bbb.com" | false
+        "[aaa.bbb.com]:2222" | "[aaa.bbb.com]:2222" | true
+        "[aaa.?bb.com]:2222" | "[aaa.dbb.com]:2222" | true
+        "[aaa.?xb.com]:2222" | "[aaa.dbb.com]:2222" | false
+        "[*.bbb.com]:2222" | "[aaa.bbb.com]:2222" | true
         yesno = match ? "" : "no"
     }
 }

src/test/groovy/com/hierynomus/sshj/transport/verification/OpenSSHKnownHostsSpec.groovy

@@ -0,0 +1,140 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.transport.verification
+
+import net.schmizz.sshj.common.Base64
+import net.schmizz.sshj.common.Buffer
+import net.schmizz.sshj.transport.verification.OpenSSHKnownHosts
+import net.schmizz.sshj.util.KeyUtil
+import org.junit.Rule
+import org.junit.rules.TemporaryFolder
+import spock.lang.Specification
+import spock.lang.Unroll
+
+import java.security.PublicKey
+
+class OpenSSHKnownHostsSpec extends Specification {
+
+    @Rule
+    public TemporaryFolder temp = new TemporaryFolder();
+
+    def "should parse and verify hashed host entry"() {
+        given:
+        def f = knownHosts("|1|F1E1KeoE/eEWhi10WpGv4OdiO6Y=|3988QV0VE8wmZL7suNrYQLITLCg= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6P9Hlwdahh250jGZYKg2snRq2j2lFJVdKSHyxqbJiVy9VX9gTkN3K2MD48qyrYLYOyGs3vTttyUk+cK++JMzURWsrP4piby7LpeOT+3Iq8CQNj4gXZdcH9w15Vuk2qS11at6IsQPVHpKD9HGg9//EFUccI/4w06k4XXLm/IxOGUwj6I2AeWmEOL3aDi+fe07TTosSdLUD6INtR0cyKsg0zC7Da24ixoShT8Oy3x2MpR7CY3PQ1pUVmvPkr79VeA+4qV9F1JM09WdboAMZgWQZ+XrbtuBlGsyhpUHSCQOya+kOJ+bYryS+U7A+6nmTW3C9FX4FgFqTF89UHOC7V0zZQ==");
+        final PublicKey key = KeyUtil
+                .newRSAPublicKey(
+                "e8ff4797075a861db9d2319960a836b2746ada3da514955d2921f2c6a6c9895cbd557f604e43772b6303e3cab2ad82d83b21acdef4edb72524f9c2bef893335115acacfe2989bcbb2e978e4fedc8abc090363e205d975c1fdc35e55ba4daa4b5d5ab7a22c40f547a4a0fd1c683dfff10551c708ff8c34ea4e175cb9bf2313865308fa23601e5a610e2f76838be7ded3b4d3a2c49d2d40fa20db51d1cc8ab20d330bb0dadb88b1a12853f0ecb7c7632947b098dcf435a54566bcf92befd55e03ee2a57d17524cd3d59d6e800c66059067e5eb6edb81946b3286950748240ec9afa4389f9b62bc92f94ec0fba9e64d6dc2f455f816016a4c5f3d507382ed5d3365",
+                "23");
+
+        when:
+        OpenSSHKnownHosts openSSHKnownHosts = new OpenSSHKnownHosts(f)
+
+        then:
+        openSSHKnownHosts.verify("192.168.1.61", 22, key)
+        !openSSHKnownHosts.verify("192.168.1.2", 22, key)
+    }
+
+    def "should parse and verify v1 host entry"() {
+        given:
+        def f = knownHosts("test.com,1.1.1.1 2048 35 22017496617994656680820635966392838863613340434802393112245951008866692373218840197754553998457793202561151141246686162285550121243768846314646395880632789308110750881198697743542374668273149584280424505890648953477691795864456749782348425425954366277600319096366690719901119774784695056100331902394094537054256611668966698242432417382422091372756244612839068092471592121759862971414741954991375710930168229171638843329213652899594987626853020377726482288618521941129157643483558764875338089684351824791983007780922947554898825663693324944982594850256042689880090306493029526546183035567296830604572253312294059766327")
+        def key = KeyUtil.newRSAPublicKey("ae6983ed63a33afc69fe0b88b4ba14393120a0b66e1460916a8390ff109139cd14f4e1701ab5c5feeb479441fe2091d04c0ba7d3fa1756b80ed103657ab53b5d7daa38af22f59f9cbfc16892d4ef1f8fd3ae49663c295be1f568a160d54328fbc2c0598f48d32296b1b9942336234952c440cda1bfac904e3391db98e52f9b1de229adc18fc34a9a569717aa9a5b1145e73b8a8394354028d02054ca760243fb8fc1575490607dd098e698e02b5d8bdf22d55ec958245222ef4c65b8836b9f13674a2d2895a587bfd4423b4eeb6d3ef98451640e3d63d2fc6a761ffd34446abab028494caf36d67ffd65298d69f19f2d90bae4c207b671db563a08f1bb9bf237",
+                    "23")
+        when:
+        OpenSSHKnownHosts knownHosts = new OpenSSHKnownHosts(f)
+
+        then:
+        knownHosts.verify("test.com", 22, key)
+    }
+
+    def "should check all host entries for key"() {
+        given:
+        def f = knownHosts("""
+host1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCiYp2IDgzDFhl8T4TRLIhEljvEixz1YN0XWh4dYh0REGK9T4QKiyb28EztPMdcOtz1uyX5rUGYXX9hj99S4SiU=
+host1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLTjA7hduYGmvV9smEEsIdGLdghSPD7kL8QarIIOkeXmBh+LTtT/T1K+Ot/rmXCZsP8hoUXxbvN+Tks440Ci0ck=
+""")
+        def pk = new Buffer.PlainBuffer(Base64.decode("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLTjA7hduYGmvV9smEEsIdGLdghSPD7kL8QarIIOkeXmBh+LTtT/T1K+Ot/rmXCZsP8hoUXxbvN+Tks440Ci0ck=")).readPublicKey()
+        when:
+        def knownhosts = new OpenSSHKnownHosts(f)
+
+        then:
+        knownhosts.verify("host1", 22, pk)
+    }
+
+    def "should not fail on bad base64 entry"() {
+        given:
+        def f = knownHosts("""
+host1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTIDgzDFhl8T4TRLIhEljvEixz1YN0XWh4dYh0REGK9T4QKiyb28EztPMdcOtz1uyX5rUGYXX9hj99S4SiU=
+host1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLTjA7hduYGmvV9smEEsIdGLdghSPD7kL8QarIIOkeXmBh+LTtT/T1K+Ot/rmXCZsP8hoUXxbvN+Tks440Ci0ck=
+""")
+        def pk = new Buffer.PlainBuffer(Base64.decode("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLTjA7hduYGmvV9smEEsIdGLdghSPD7kL8QarIIOkeXmBh+LTtT/T1K+Ot/rmXCZsP8hoUXxbvN+Tks440Ci0ck=")).readPublicKey()
+        when:
+        def knownhosts = new OpenSSHKnownHosts(f)
+
+        then:
+        knownhosts.verify("host1", 22, pk)
+    }
+
+    def "should mark bad line and not fail"() {
+        given:
+        def f = knownHosts("M36Lo+Ik5ukNugvvoNFlpnyiHMmtKxt3FpyEfYuryXjNqMNWHn/ARVnpUIl5jRLTB7WBzyLYMG7X5nuoFL9zYqKGtHxChbDunxMVbspw5WXI9VN+qxcLwmITmpEvI9ApyS/Ox2ZyN7zw==\n")
+
+        when:
+        def knownhosts = new OpenSSHKnownHosts(f)
+
+        then:
+        knownhosts.entries().size() == 1
+        knownhosts.entries().get(0) instanceof OpenSSHKnownHosts.BadHostEntry
+    }
+
+    @Unroll
+    def "should add comment for #type line"() {
+        given:
+        def f = knownHosts(s)
+
+        when:
+        def knownHosts = new OpenSSHKnownHosts(f)
+
+        then:
+        knownHosts.entries().size() == 1
+        knownHosts.entries().get(0) instanceof OpenSSHKnownHosts.CommentEntry
+
+        where:
+        type << ["newline", "comment"]
+        s << ["\n", "#comment\n"]
+    }
+
+    @Unroll
+    def "should match any host name from multi-host line"() {
+        given:
+        def f = knownHosts("schmizz.net,69.163.155.180 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6P9Hlwdahh250jGZYKg2snRq2j2lFJVdKSHyxqbJiVy9VX9gTkN3K2MD48qyrYLYOyGs3vTttyUk+cK++JMzURWsrP4piby7LpeOT+3Iq8CQNj4gXZdcH9w15Vuk2qS11at6IsQPVHpKD9HGg9//EFUccI/4w06k4XXLm/IxOGUwj6I2AeWmEOL3aDi+fe07TTosSdLUD6INtR0cyKsg0zC7Da24ixoShT8Oy3x2MpR7CY3PQ1pUVmvPkr79VeA+4qV9F1JM09WdboAMZgWQZ+XrbtuBlGsyhpUHSCQOya+kOJ+bYryS+U7A+6nmTW3C9FX4FgFqTF89UHOC7V0zZQ==")
+        def pk = new Buffer.PlainBuffer(Base64.decode("AAAAB3NzaC1yc2EAAAABIwAAAQEA6P9Hlwdahh250jGZYKg2snRq2j2lFJVdKSHyxqbJiVy9VX9gTkN3K2MD48qyrYLYOyGs3vTttyUk+cK++JMzURWsrP4piby7LpeOT+3Iq8CQNj4gXZdcH9w15Vuk2qS11at6IsQPVHpKD9HGg9//EFUccI/4w06k4XXLm/IxOGUwj6I2AeWmEOL3aDi+fe07TTosSdLUD6INtR0cyKsg0zC7Da24ixoShT8Oy3x2MpR7CY3PQ1pUVmvPkr79VeA+4qV9F1JM09WdboAMZgWQZ+XrbtuBlGsyhpUHSCQOya+kOJ+bYryS+U7A+6nmTW3C9FX4FgFqTF89UHOC7V0zZQ==")).readPublicKey()
+
+        when:
+        def knownHosts = new OpenSSHKnownHosts(f)
+
+        then:
+        knownHosts.verify(h, 22, pk)
+
+        where:
+        h << ["schmizz.net", "69.163.155.180"]
+    }
+
+    def knownHosts(String s) {
+        def f = temp.newFile("known_hosts")
+        f.write(s)
+        return f
+    }
+}

src/test/groovy/net/schmizz/sshj/xfer/FileSystemFileSpec.groovy

@@ -49,6 +49,6 @@ class FileSystemFileSpec extends Specification {
         def child = file.getChild("bar//etc/passwd")
 
         then:
-        child.getFile().getPath() endsWith "foo/bar/etc/passwd"
+        child.getFile().getPath().replace('\\', '/') endsWith "foo/bar/etc/passwd"
     }
 }

src/test/java/com/hierynomus/sshj/IntegrationTest.java

@@ -1,39 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.hierynomus.sshj;
-
-import net.schmizz.sshj.DefaultConfig;
-import net.schmizz.sshj.SSHClient;
-import net.schmizz.sshj.transport.verification.OpenSSHKnownHosts;
-import org.junit.Ignore;
-import org.junit.Test;
-
-import java.io.File;
-import java.io.IOException;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-
-public class IntegrationTest {
-
-    @Test @Ignore // Should only be enabled for testing against VM
-    public void shouldConnect() throws IOException {
-        SSHClient sshClient = new SSHClient(new DefaultConfig());
-        sshClient.addHostKeyVerifier(new OpenSSHKnownHosts(new File("/Users/ajvanerp/.ssh/known_hosts")));
-        sshClient.connect("172.16.37.147");
-        sshClient.authPublickey("jeroen");
-        assertThat("Is connected", sshClient.isAuthenticated());
-    }
-}

src/test/java/com/hierynomus/sshj/sftp/RemoteFileTest.java

@@ -71,9 +71,7 @@ public class RemoteFileTest {
             n += rs.read(test, n, 3072 - n);
         }
 
-        if (test[3072] != 0) {
-            System.err.println("buffer overrun!");
-        }
+        assertThat("buffer overrun", test[3072] == 0);
 
         n += rs.read(test, n, test.length - n); // --> ArrayIndexOutOfBoundsException
 

src/test/java/com/hierynomus/sshj/test/SshFixture.java

@@ -127,7 +127,7 @@ public class SshFixture extends ExternalResource {
             }
         });
         sshServer.setCommandFactory(commandFactory);
-
+        sshServer.setShellFactory(new ProcessShellFactory("ls"));
         return sshServer;
     }
 

src/test/java/com/hierynomus/sshj/transport/DisconnectionTest.java

@@ -16,13 +16,17 @@
 package com.hierynomus.sshj.transport;
 
 import com.hierynomus.sshj.test.SshFixture;
+import net.schmizz.sshj.DefaultConfig;
 import net.schmizz.sshj.SSHClient;
 import net.schmizz.sshj.common.DisconnectReason;
+import net.schmizz.sshj.connection.channel.direct.Session;
 import net.schmizz.sshj.transport.DisconnectListener;
 import net.schmizz.sshj.transport.TransportException;
+import net.schmizz.sshj.transport.verification.PromiscuousVerifier;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.experimental.theories.suppliers.TestedOn;
 
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
@@ -89,4 +93,14 @@ public class DisconnectionTest {
         assertFalse(joinToClientTransport(2));
     }
 
+    @Test
+    public void shouldNotThrowTimeoutOnDisconnect() throws IOException {
+        fixture.getClient().authPassword("u", "u");
+        Session session = fixture.getClient().startSession();
+        session.allocateDefaultPTY();
+        Session.Shell shell = session.startShell();
+
+        session.close();
+        fixture.getClient().disconnect();
+    }
 }

src/test/java/net/schmizz/sshj/LoadsOfConnects.java

@@ -22,6 +22,8 @@ import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 
+import static org.junit.Assert.fail;
+
 public class LoadsOfConnects {
 
     protected final Logger log = LoggerFactory.getLogger(getClass());
@@ -29,15 +31,19 @@ public class LoadsOfConnects {
     private final SshFixture fixture = new SshFixture();
 
     @Test
-    public void loadsOfConnects()
-            throws IOException, InterruptedException {
-        for (int i = 0; i < 1000; i++) {
-            System.out.println("Try " + i);
-            fixture.start();
-            fixture.setupConnectedDefaultClient();
-            fixture.stopClient();
-            fixture.stopServer();
+    public void loadsOfConnects() {
+        try {
+            for (int i = 0; i < 1000; i++) {
+                log.info("Try " + i);
+                fixture.start();
+                fixture.setupConnectedDefaultClient();
+                fixture.stopClient();
+                fixture.stopServer();
+            }
+        } catch (Exception e) {
+            fail(e.getMessage());
         }
+
     }
 
 }

src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java

@@ -188,6 +188,24 @@ public class OpenSSHKeyFileTest {
         assertThat(aPrivate.getAlgorithm(), equalTo("EdDSA"));
     }
 
+    @Test
+    public void shouldLoadProtectedED25519PrivateKey() throws IOException {
+        OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile();
+        keyFile.init(new File("src/test/resources/keytypes/ed25519_protected"), new PasswordFinder() {
+            @Override
+            public char[] reqPassword(Resource<?> resource) {
+                return "sshjtest".toCharArray();
+            }
+
+            @Override
+            public boolean shouldRetry(Resource<?> resource) {
+                return false;
+            }
+        });
+        PrivateKey aPrivate = keyFile.getPrivate();
+        assertThat(aPrivate.getAlgorithm(), equalTo("EdDSA"));
+    }
+
     @Test
     public void shouldSuccessfullyLoadSignedRSAPublicKey() throws IOException {
         FileKeyProvider keyFile = new OpenSSHKeyFile();
@@ -251,10 +269,10 @@ public class OpenSSHKeyFileTest {
     }
 
     @Before
-    public void setup()
-            throws UnsupportedEncodingException, GeneralSecurityException {
-        if (!SecurityUtils.isBouncyCastleRegistered())
+    public void checkBCRegistration() {
+        if (!SecurityUtils.isBouncyCastleRegistered()) {
             throw new AssertionError("bouncy castle needed");
+        }
     }
 
     private String readFile(String pathname)

src/test/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHostsTest.java

@@ -1,88 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package net.schmizz.sshj.transport.verification;
-
-import net.schmizz.sshj.util.KeyUtil;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
-
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.PublicKey;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.junit.Assert.*;
-
-public class OpenSSHKnownHostsTest {
-
-    @Rule
-    public TemporaryFolder temp = new TemporaryFolder();
-
-    public File writeKnownHosts(String line)
-            throws IOException {
-        File known_hosts = temp.newFile("known_hosts");
-        FileWriter fileWriter = new FileWriter(known_hosts);
-        BufferedWriter writer = new BufferedWriter(fileWriter);
-        writer.write(line);
-        writer.write("\r\n");
-        writer.flush();
-        writer.close();
-        return known_hosts;
-    }
-
-    @Test
-    public void shouldAddCommentForEmptyLine()
-            throws IOException {
-        File file = writeKnownHosts("");
-        OpenSSHKnownHosts openSSHKnownHosts = new OpenSSHKnownHosts(file);
-        assertThat(openSSHKnownHosts.entries().size(), equalTo(1));
-        assertThat(openSSHKnownHosts.entries().get(0), instanceOf(OpenSSHKnownHosts.CommentEntry.class));
-    }
-
-    @Test
-    public void shouldAddCommentForCommentLine()
-            throws IOException {
-        File file = writeKnownHosts("# this is a comment");
-        OpenSSHKnownHosts openSSHKnownHosts = new OpenSSHKnownHosts(file);
-        assertThat(openSSHKnownHosts.entries().size(), equalTo(1));
-        assertThat(openSSHKnownHosts.entries().get(0), instanceOf(OpenSSHKnownHosts.CommentEntry.class));
-    }
-
-    @Test
-    public void testSchmizzEntry()
-            throws IOException, GeneralSecurityException {
-        OpenSSHKnownHosts kh = new OpenSSHKnownHosts(new File("src/test/resources/known_hosts"));
-        final PublicKey key = KeyUtil
-                .newRSAPublicKey(
-                        "e8ff4797075a861db9d2319960a836b2746ada3da514955d2921f2c6a6c9895cbd557f604e43772b6303e3cab2ad82d83b21acdef4edb72524f9c2bef893335115acacfe2989bcbb2e978e4fedc8abc090363e205d975c1fdc35e55ba4daa4b5d5ab7a22c40f547a4a0fd1c683dfff10551c708ff8c34ea4e175cb9bf2313865308fa23601e5a610e2f76838be7ded3b4d3a2c49d2d40fa20db51d1cc8ab20d330bb0dadb88b1a12853f0ecb7c7632947b098dcf435a54566bcf92befd55e03ee2a57d17524cd3d59d6e800c66059067e5eb6edb81946b3286950748240ec9afa4389f9b62bc92f94ec0fba9e64d6dc2f455f816016a4c5f3d507382ed5d3365",
-                        "23");
-
-        assertTrue(kh.verify("schmizz.net", 22, key));
-        assertTrue(kh.verify("69.163.155.180", 22, key));
-        assertFalse(kh.verify("69.163.155.18", 22, key));
-    }
-
-    @Test
-    public void testVerifyIndexError() throws Exception {
-        final OpenSSHKnownHosts v = new OpenSSHKnownHosts(new File("src/test/resources/known_hosts.invalid"));
-        assertTrue(v.entries().isEmpty());
-    }
-}

src/test/java/org/mindrot/jbcrypt/TestBCrypt.java

@@ -0,0 +1,294 @@
+// Copyright (c) 2006 Damien Miller <djm@mindrot.org>
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+package org.mindrot.jbcrypt;
+
+import junit.framework.TestCase;
+
+import java.util.Arrays;
+
+/**
+ * JUnit unit tests for BCrypt routines
+ * @author Damien Miller
+ * @version 0.2
+ */
+public class TestBCrypt extends TestCase {
+    String test_vectors[][] = {
+            { "",
+                    "$2a$06$DCq7YPn5Rq63x1Lad4cll.",
+                    "$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s." },
+            { "",
+                    "$2a$08$HqWuK6/Ng6sg9gQzbLrgb.",
+                    "$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye" },
+            { "",
+                    "$2a$10$k1wbIrmNyFAPwPVPSVa/ze",
+                    "$2a$10$k1wbIrmNyFAPwPVPSVa/zecw2BCEnBwVS2GbrmgzxFUOqW9dk4TCW" },
+            { "",
+                    "$2a$12$k42ZFHFWqBp3vWli.nIn8u",
+                    "$2a$12$k42ZFHFWqBp3vWli.nIn8uYyIkbvYRvodzbfbK18SSsY.CsIQPlxO" },
+            { "a",
+                    "$2a$06$m0CrhHm10qJ3lXRY.5zDGO",
+                    "$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe" },
+            { "a",
+                    "$2a$08$cfcvVd2aQ8CMvoMpP2EBfe",
+                    "$2a$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V." },
+            { "a",
+                    "$2a$10$k87L/MF28Q673VKh8/cPi.",
+                    "$2a$10$k87L/MF28Q673VKh8/cPi.SUl7MU/rWuSiIDDFayrKk/1tBsSQu4u" },
+            { "a",
+                    "$2a$12$8NJH3LsPrANStV6XtBakCe",
+                    "$2a$12$8NJH3LsPrANStV6XtBakCez0cKHXVxmvxIlcz785vxAIZrihHZpeS" },
+            { "abc",
+                    "$2a$06$If6bvum7DFjUnE9p2uDeDu",
+                    "$2a$06$If6bvum7DFjUnE9p2uDeDu0YHzrHM6tf.iqN8.yx.jNN1ILEf7h0i" },
+            { "abc",
+                    "$2a$08$Ro0CUfOqk6cXEKf3dyaM7O",
+                    "$2a$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm" },
+            { "abc",
+                    "$2a$10$WvvTPHKwdBJ3uk0Z37EMR.",
+                    "$2a$10$WvvTPHKwdBJ3uk0Z37EMR.hLA2W6N9AEBhEgrAOljy2Ae5MtaSIUi" },
+            { "abc",
+                    "$2a$12$EXRkfkdmXn2gzds2SSitu.",
+                    "$2a$12$EXRkfkdmXn2gzds2SSitu.MW9.gAVqa9eLS1//RYtYCmB1eLHg.9q" },
+            { "abcdefghijklmnopqrstuvwxyz",
+                    "$2a$06$.rCVZVOThsIa97pEDOxvGu",
+                    "$2a$06$.rCVZVOThsIa97pEDOxvGuRRgzG64bvtJ0938xuqzv18d3ZpQhstC" },
+            { "abcdefghijklmnopqrstuvwxyz",
+                    "$2a$08$aTsUwsyowQuzRrDqFflhge",
+                    "$2a$08$aTsUwsyowQuzRrDqFflhgekJ8d9/7Z3GV3UcgvzQW3J5zMyrTvlz." },
+            { "abcdefghijklmnopqrstuvwxyz",
+                    "$2a$10$fVH8e28OQRj9tqiDXs1e1u",
+                    "$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq" },
+            { "abcdefghijklmnopqrstuvwxyz",
+                    "$2a$12$D4G5f18o7aMMfwasBL7Gpu",
+                    "$2a$12$D4G5f18o7aMMfwasBL7GpuQWuP3pkrZrOAnqP.bmezbMng.QwJ/pG" },
+            { "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+                    "$2a$06$fPIsBO8qRqkjj273rfaOI.",
+                    "$2a$06$fPIsBO8qRqkjj273rfaOI.HtSV9jLDpTbZn782DC6/t7qT67P6FfO" },
+            { "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+                    "$2a$08$Eq2r4G/76Wv39MzSX262hu",
+                    "$2a$08$Eq2r4G/76Wv39MzSX262huzPz612MZiYHVUJe/OcOql2jo4.9UxTW" },
+            { "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+                    "$2a$10$LgfYWkbzEvQ4JakH7rOvHe",
+                    "$2a$10$LgfYWkbzEvQ4JakH7rOvHe0y8pHKF9OaFgwUZ2q7W2FFZmZzJYlfS" },
+            { "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+                    "$2a$12$WApznUOJfkEGSmYRfnkrPO",
+                    "$2a$12$WApznUOJfkEGSmYRfnkrPOr466oFDCaj4b6HY3EXGvfxm43seyhgC" },
+    };
+
+    /**
+     * Entry point for unit tests
+     * @param args unused
+     */
+    public static void main(String[] args) {
+        junit.textui.TestRunner.run(TestBCrypt.class);
+    }
+
+    /**
+     * Test method for 'BCrypt.hashpw(String, String)'
+     */
+    public void testHashpw() {
+        System.out.print("BCrypt.hashpw(): ");
+        for (int i = 0; i < test_vectors.length; i++) {
+            String plain = test_vectors[i][0];
+            String salt = test_vectors[i][1];
+            String expected = test_vectors[i][2];
+            String hashed = BCrypt.hashpw(plain, salt);
+            assertEquals(hashed, expected);
+            System.out.print(".");
+        }
+        System.out.println("");
+    }
+
+    /**
+     * Test method for 'BCrypt.gensalt(int)'
+     */
+    public void testGensaltInt() {
+        System.out.print("BCrypt.gensalt(log_rounds):");
+        for (int i = 4; i <= 12; i++) {
+            System.out.print(" " + Integer.toString(i) + ":");
+            for (int j = 0; j < test_vectors.length; j += 4) {
+                String plain = test_vectors[j][0];
+                String salt = BCrypt.gensalt(i);
+                String hashed1 = BCrypt.hashpw(plain, salt);
+                String hashed2 = BCrypt.hashpw(plain, hashed1);
+                assertEquals(hashed1, hashed2);
+                System.out.print(".");
+            }
+        }
+        System.out.println("");
+    }
+
+    /**
+     * Test method for 'BCrypt.gensalt()'
+     */
+    public void testGensalt() {
+        System.out.print("BCrypt.gensalt(): ");
+        for (int i = 0; i < test_vectors.length; i += 4) {
+            String plain = test_vectors[i][0];
+            String salt = BCrypt.gensalt();
+            String hashed1 = BCrypt.hashpw(plain, salt);
+            String hashed2 = BCrypt.hashpw(plain, hashed1);
+            assertEquals(hashed1, hashed2);
+            System.out.print(".");
+        }
+        System.out.println("");
+    }
+
+    /**
+     * Test method for 'BCrypt.checkpw(String, String)'
+     * expecting success
+     */
+    public void testCheckpw_success() {
+        System.out.print("BCrypt.checkpw w/ good passwords: ");
+        for (int i = 0; i < test_vectors.length; i++) {
+            String plain = test_vectors[i][0];
+            String expected = test_vectors[i][2];
+            assertTrue(BCrypt.checkpw(plain, expected));
+            System.out.print(".");
+        }
+        System.out.println("");
+    }
+
+    /**
+     * Test method for 'BCrypt.checkpw(String, String)'
+     * expecting failure
+     */
+    public void testCheckpw_failure() {
+        System.out.print("BCrypt.checkpw w/ bad passwords: ");
+        for (int i = 0; i < test_vectors.length; i++) {
+            int broken_index = (i + 4) % test_vectors.length;
+            String plain = test_vectors[i][0];
+            String expected = test_vectors[broken_index][2];
+            assertFalse(BCrypt.checkpw(plain, expected));
+            System.out.print(".");
+        }
+        System.out.println("");
+    }
+
+    /**
+     * Test for correct hashing of non-US-ASCII passwords
+     */
+    public void testInternationalChars() {
+        System.out.print("BCrypt.hashpw w/ international chars: ");
+        String pw1 = "\u2605\u2605\u2605\u2605\u2605\u2605\u2605\u2605";
+        String pw2 = "????????";
+
+        String h1 = BCrypt.hashpw(pw1, BCrypt.gensalt());
+        assertFalse(BCrypt.checkpw(pw2, h1));
+        System.out.print(".");
+
+        String h2 = BCrypt.hashpw(pw2, BCrypt.gensalt());
+        assertFalse(BCrypt.checkpw(pw1, h2));
+        System.out.print(".");
+        System.out.println("");
+    }
+
+    private static class BCryptHashTV {
+        private final byte[] pass;
+        private final byte[] salt;
+        private final byte[] out;
+
+        public BCryptHashTV(byte[] pass, byte[] salt, byte[] out) {
+            this.pass = pass;
+            this.salt = salt;
+            this.out = out;
+        }
+    }
+
+    BCryptHashTV[] bcrypt_hash_test_vectors = new BCryptHashTV[]{
+            new BCryptHashTV(
+                    new byte[]{
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                    },
+                    new byte[]{
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                    },
+                    new byte[]{
+                            (byte) 0x46, (byte) 0x02, (byte) 0x86, (byte) 0xe9, (byte) 0x72, (byte) 0xfa, (byte) 0x83, (byte) 0x3f, (byte) 0x8b, (byte) 0x12, (byte) 0x83, (byte) 0xad, (byte) 0x8f, (byte) 0xa9, (byte) 0x19, (byte) 0xfa,
+                            (byte) 0x29, (byte) 0xbd, (byte) 0xe2, (byte) 0x0e, (byte) 0x23, (byte) 0x32, (byte) 0x9e, (byte) 0x77, (byte) 0x4d, (byte) 0x84, (byte) 0x22, (byte) 0xba, (byte) 0xc0, (byte) 0xa7, (byte) 0x92, (byte) 0x6c,
+                    }),
+            new BCryptHashTV(
+                    new byte[] {
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+                            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+                            0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+                            0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, },
+                    new byte[] {
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+                            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+                            0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+                            0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, },
+                    new byte[] {
+                            (byte) 0xc6, (byte) 0xa9, (byte) 0x5f, (byte) 0xe6, (byte) 0x41, (byte) 0x31, (byte) 0x15, (byte) 0xfb, (byte) 0x57, (byte) 0xe9, (byte) 0x9f, (byte) 0x75, (byte) 0x74, (byte) 0x98, (byte) 0xe8, (byte) 0x5d,
+                            (byte) 0xa3, (byte) 0xc6, (byte) 0xe1, (byte) 0xdf, (byte) 0x0c, (byte) 0x3c, (byte) 0x93, (byte) 0xaa, (byte) 0x97, (byte) 0x5c, (byte) 0x54, (byte) 0x8a, (byte) 0x34, (byte) 0x43, (byte) 0x26, (byte) 0xf8,
+                    }),
+    };
+
+    public void testBCryptHashTestVectors() throws Exception {
+        System.out.print("BCrypt.hash w/ known vectors: ");
+        for (BCryptHashTV tv : bcrypt_hash_test_vectors) {
+            byte[] output = new byte[tv.out.length];
+            new BCrypt().hash(tv.pass, tv.salt, output);
+            assertEquals(Arrays.toString(tv.out), Arrays.toString(output));
+            System.out.print(".");
+        }
+        System.out.println("");
+    }
+
+    private static class BCryptPbkdfTV {
+        private final byte[] pass;
+        private final byte[] salt;
+        private final int rounds;
+        private final byte[] out;
+
+        public BCryptPbkdfTV(byte[] pass, byte[] salt, int rounds, byte[] out) {
+            this.pass = pass;
+            this.salt = salt;
+            this.rounds = rounds;
+            this.out = out;
+        }
+    }
+
+    BCryptPbkdfTV[] bcrypt_pbkdf_test_vectors = new BCryptPbkdfTV[]{
+            new BCryptPbkdfTV("password".getBytes(), "salt".getBytes(), 4, new byte[]{
+                    (byte) 0x5b, (byte) 0xbf, (byte) 0x0c, (byte) 0xc2, (byte) 0x93, (byte) 0x58, (byte) 0x7f, (byte) 0x1c, (byte) 0x36, (byte) 0x35, (byte) 0x55, (byte) 0x5c, (byte) 0x27, (byte) 0x79, (byte) 0x65, (byte) 0x98,
+                    (byte) 0xd4, (byte) 0x7e, (byte) 0x57, (byte) 0x90, (byte) 0x71, (byte) 0xbf, (byte) 0x42, (byte) 0x7e, (byte) 0x9d, (byte) 0x8f, (byte) 0xbe, (byte) 0x84, (byte) 0x2a, (byte) 0xba, (byte) 0x34, (byte) 0xd9,
+            }),
+            new BCryptPbkdfTV("password".getBytes(), "salt".getBytes(), 8, new byte[]{
+                    (byte) 0xe1, (byte) 0x36, (byte) 0x7e, (byte) 0xc5, (byte) 0x15, (byte) 0x1a, (byte) 0x33, (byte) 0xfa, (byte) 0xac, (byte) 0x4c, (byte) 0xc1, (byte) 0xc1, (byte) 0x44, (byte) 0xcd, (byte) 0x23, (byte) 0xfa,
+                    (byte) 0x15, (byte) 0xd5, (byte) 0x54, (byte) 0x84, (byte) 0x93, (byte) 0xec, (byte) 0xc9, (byte) 0x9b, (byte) 0x9b, (byte) 0x5d, (byte) 0x9c, (byte) 0x0d, (byte) 0x3b, (byte) 0x27, (byte) 0xbe, (byte) 0xc7,
+                    (byte) 0x62, (byte) 0x27, (byte) 0xea, (byte) 0x66, (byte) 0x08, (byte) 0x8b, (byte) 0x84, (byte) 0x9b, (byte) 0x20, (byte) 0xab, (byte) 0x7a, (byte) 0xa4, (byte) 0x78, (byte) 0x01, (byte) 0x02, (byte) 0x46,
+                    (byte) 0xe7, (byte) 0x4b, (byte) 0xba, (byte) 0x51, (byte) 0x72, (byte) 0x3f, (byte) 0xef, (byte) 0xa9, (byte) 0xf9, (byte) 0x47, (byte) 0x4d, (byte) 0x65, (byte) 0x08, (byte) 0x84, (byte) 0x5e, (byte) 0x8d}),
+            new BCryptPbkdfTV("password".getBytes(), "salt".getBytes(), 42, new byte[]{
+                    (byte) 0x83, (byte) 0x3c, (byte) 0xf0, (byte) 0xdc, (byte) 0xf5, (byte) 0x6d, (byte) 0xb6, (byte) 0x56, (byte) 0x08, (byte) 0xe8, (byte) 0xf0, (byte) 0xdc, (byte) 0x0c, (byte) 0xe8, (byte) 0x82, (byte) 0xbd}),
+    };
+
+    public void testBCryptPbkdfTestVectors() throws Exception {
+        System.out.print("BCrypt.pbkdf w/ known vectors: ");
+        for (BCryptPbkdfTV tv : bcrypt_pbkdf_test_vectors) {
+            byte[] output = new byte[tv.out.length];
+            new BCrypt().pbkdf(tv.pass, tv.salt, tv.rounds, output);
+            assertEquals(Arrays.toString(tv.out), Arrays.toString(output));
+            System.out.print(".");
+        }
+        System.out.println("");
+    }
+}

src/test/resources/keytypes/ed25519_protected

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABB/aWL0WG
+iYPOTxGlFwvaCNAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIOaWrwt3drIOjeBq
+2LSHRavxAT7ja2f+5soOUJl/zKSIAAAAsKplAiFbOhzcOJYFYBYm8sqYbvhPF8jKdQFkbo
+LAOeq+vQ0YBV9XUWQQM2tmL+RPjykPJZ2thcHLpVp3PfUEgo4bImCt939b3Ji3cEwD3QuK
+MIhjhx1KvSJNF/uhjwPJnttwHG+ld8F5Gv7LpTOUmOzXKGLIgYRuwonhs5ezdNv5ERs+Cq
+M9p/SW5ehL5KPJhGa5a+ZQXRojwEH7J4Q5xztH1gviTdIEpFWWQBH8rX6y
+-----END OPENSSH PRIVATE KEY-----

src/test/resources/keytypes/ed25519_protected.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaWrwt3drIOjeBq2LSHRavxAT7ja2f+5soOUJl/zKSI ajvanerp@Heimdall.xebialabs.com

src/test/resources/known_hosts

@@ -1,4 +0,0 @@
-schmizz.net,69.163.155.180 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6P9Hlwdahh250jGZYKg2snRq2j2lFJVdKSHyxqbJiVy9VX9gTkN3K2MD48qyrYLYOyGs3vTttyUk+cK++JMzURWsrP4piby7LpeOT+3Iq8CQNj4gXZdcH9w15Vuk2qS11at6IsQPVHpKD9HGg9//EFUccI/4w06k4XXLm/IxOGUwj6I2AeWmEOL3aDi+fe07TTosSdLUD6INtR0cyKsg0zC7Da24ixoShT8Oy3x2MpR7CY3PQ1pUVmvPkr79VeA+4qV9F1JM09WdboAMZgWQZ+XrbtuBlGsyhpUHSCQOya+kOJ+bYryS+U7A+6nmTW3C9FX4FgFqTF89UHOC7V0zZQ==
-# Above we have a plain line, Below we have a hashed line, Last is a v1 line, This is a garbage line.
-|1|dy7xSefq6NmJms6AzANG3w45W28=|SSCTlHs4pZbc2uaRoPvjyEAHE1g= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu64GJcCkdtckPGt8uKTyhG1ShT1Np1kh10eE49imQ4Nh9Y/IrSPzDtYUAazQ88ABc2NffuOKkdn2qtUwZ1ulfcdNfN3oTim3BiVHqa041pKG0L+onQe8Bo+CaG5KBLy/C24eNGM9EcfQvDQOnq1eD3lnR/l8fFckldzjfxZgar0yT9Bb3pwp50oN+1wSEINJEHOgMIW8kZBQmyNr/B+b7yX+Y1s1vuYIP/i4WimCVmkdi9G87Ga8w7GxKalRD2QOG6Xms2YWRQDN6M/MOn4tda3EKolbWkctEWcQf/PcVJffTH4Wv5f0RjVyrQv4ha4FZcNAv6RkRd9WkiCsiTKioQ==
-test.com,1.1.1.1 2048 35 22017496617994656680820635966392838863613340434802393112245951008866692373218840197754553998457793202561151141246686162285550121243768846314646395880632789308110750881198697743542374668273149584280424505890648953477691795864456749782348425425954366277600319096366690719901119774784695056100331902394094537054256611668966698242432417382422091372756244612839068092471592121759862971414741954991375710930168229171638843329213652899594987626853020377726482288618521941129157643483558764875338089684351824791983007780922947554898825663693324944982594850256042689880090306493029526546183035567296830604572253312294059766327

src/test/resources/known_hosts.invalid

@@ -1 +0,0 @@
-M36Lo+Ik5ukNugvvoNFlpnyiHMmtKxt3FpyEfYuryXjNqMNWHn/ARVnpUIl5jRLTB7WBzyLYMG7X5nuoFL9zYqKGtHxChbDunxMVbspw5WXI9VN+qxcLwmITmpEvI9ApyS/Ox2ZyN7zw==