GUACAMOLE-1714: Merge update guacenc for const parameters/values introduced in FFmpeg 5.0.

GUACAMOLE-377: Merge correction ensuring users receive a proper frame boundary when joining.
GUACAMOLE-377: Send a sync instruction to users when synchronizing surfaces.
2023-02-02 20:36:32 -05:00 · 2023-01-24 14:25:09 -08:00 · 2023-01-23 20:55:01 +00:00 · 2023-01-10 21:54:05 -08:00 · 2023-01-10 17:16:43 -08:00 · 2023-01-10 17:08:15 -08:00
491 changed files with 42059 additions and 14922 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,3 +1,5 @@
+# Docker build spec
+Dockerfile

 # Git repository metadata
 .git
@ -54,5 +56,5 @@ tests/test_*
 !tests/test_*.[ch]

 # Generated docs
-doc/doxygen-output
+doc/*/doxygen-output

--- a/.gitignore
+++ b/.gitignore
@ -10,6 +10,10 @@
 *.gcov
 *.gcno

+# Test suite output
+*.log
+*.trs
+
 # Backup files
 *~

@ -23,32 +27,24 @@
 .deps/
 .dirstamp
 .libs/
+Doxyfile
 Makefile
 Makefile.in
 aclocal.m4
 autom4te.cache/
+build-aux/
+libtool
 m4/*
 !README
-compile
-config.guess
 config.h
 config.h.in
 config.log
 config.status
-config.sub
 configure
-depcomp
-install-sh
-libtool
-ltmain.sh
-missing
 stamp-h1
-test-driver
-
-# Test binaries
-tests/test_*
-!tests/test_*.[ch]

 # Generated docs
-doc/doxygen-output
+doc/*/doxygen-output

+# IDE metadata
+nbproject/
--- a/14
+++ b/14
@ -1,14 +0,0 @@
-Michael Jumper <mike.jumper@guac-dev.org>
-James Muehlner <james.muehlner@guac-dev.org>
-Matt Hortman <matt@FlintRiverSystems.com>
-Jocelyn Delalande <j.delalande@ulteo.com>
-David Lechevalier <david@ulteo.com>
-Alexandre Devely <alex@koumoula.com>
-Laurent Meunier <laurent@deltalima.net>
-Saul Gio Perez <gio.perez@sv.cmu.edu>
-Tom Sealy <tom.sealy@yahoo.com>
-Felipe Weckx <felipe@weckx.net>
-Ruggero Vecchio <ruggero.vecchio@datev.it>
-Denis Bernacci <dbernaci@hotmail.com>
-Frode Langelo <frode@skytap.com>
-Daryl Borth <dborth@gmail.com>
--- a/8
+++ b/8
@ -24,10 +24,10 @@ the review process.

    The Guacamole source is maintained in git repositories hosted on GitHub:

-        https://github.com/apache/incubator-guacamole-client
-        https://github.com/apache/incubator-guacamole-manual
-        https://github.com/apache/incubator-guacamole-server
-        https://github.com/apache/incubator-guacamole-website
+        https://github.com/apache/guacamole-client
+        https://github.com/apache/guacamole-manual
+        https://github.com/apache/guacamole-server
+        https://github.com/apache/guacamole-website

    To make your changes, fork the applicable repositories and make commits
    to a topic branch in your fork. Commits should be made in logical units
--- a/18
+++ b/18
@ -1,18 +0,0 @@
-2013-08-26 Michael Jumper <mike.jumper@guac-dev.org>
-
-	* Experimental sound support for VNC (ticket #369)
-	* Improved handling of frame flush (ticket #380)
-	* SSL transport for guacd (ticket #371)
-	* Fix segfault in RDP disconnect (ticket #385)
-	* Add security options to RDP (ticket #190)
-
-2013-07-02 Michael Jumper <mike.jumper@guac-dev.org>
-
-	* Optional threadsafety in guac_socket
-	* Printing support in for RDP (ticket #110)
-	* Fix ENABLE_OGG bug (ticket #355)
-
-2013-06-06 Michael Jumper <mike.jumper@guac-dev.org>
-
-	* Created new repository layout
-
--- a/7
+++ b/7
@ -1,7 +0,0 @@
-Apache Guacamole is an effort undergoing incubation at The Apache Software
-Foundation (ASF). Incubation is required of all newly accepted projects until a
-further review indicates that the infrastructure, communications, and decision
-making process have stabilized in a manner consistent with other successful ASF
-projects. While incubation status is not necessarily a reflection of the
-completeness or stability of the code, it does indicate that the project has
-yet to be fully endorsed by the ASF.
--- a/222
+++ b/222
@ -21,69 +21,181 @@
 # Dockerfile for guacamole-server
 #

-# Start from CentOS base image
-FROM centos:centos7
-MAINTAINER Michael Jumper <mike.jumper@guac-dev.org>
+# The Alpine Linux image that should be used as the basis for the guacd image
+ARG ALPINE_BASE_IMAGE=latest
+FROM alpine:${ALPINE_BASE_IMAGE} AS builder

-# Environment variables
-ENV \
-    BUILD_DIR=/tmp/guacd-docker-BUILD \
-    LC_ALL=en_US.UTF-8                \
-    RUNTIME_DEPENDENCIES="            \
-        cairo                         \
-        dejavu-sans-mono-fonts        \
-        freerdp                       \
-        freerdp-plugins               \
-        ghostscript                   \
-        libjpeg-turbo                 \
-        libssh2                       \
-        liberation-mono-fonts         \
-        libtelnet                     \
-        libvorbis                     \
-        libvncserver                  \
-        libwebp                       \
-        pango                         \
-        pulseaudio-libs               \
-        terminus-fonts                \
-        uuid"                         \
-    BUILD_DEPENDENCIES="              \
+# Install build dependencies
+RUN apk add --no-cache                \
        autoconf                      \
        automake                      \
-        cairo-devel                   \
-        freerdp-devel                 \
-        gcc                           \
-        libjpeg-turbo-devel           \
-        libssh2-devel                 \
+        build-base                    \
+        cairo-dev                     \
+        cmake                         \
+        git                           \
+        grep                          \
+        libjpeg-turbo-dev             \
+        libpng-dev                    \
        libtool                       \
-        libtelnet-devel               \
-        libvorbis-devel               \
-        libvncserver-devel            \
-        libwebp-devel                 \
+        libwebp-dev                   \
        make                          \
-        pango-devel                   \
-        pulseaudio-libs-devel         \
-        uuid-devel"
-
-# Bring environment up-to-date and install guacamole-server dependencies
-RUN yum -y update                        && \
-    yum -y install epel-release          && \
-    yum -y install $RUNTIME_DEPENDENCIES && \
-    yum clean all
-
-# Add configuration scripts
-COPY src/guacd-docker/bin /opt/guacd/bin/
+        openssl-dev                   \
+        pango-dev                     \
+        pulseaudio-dev                \
+        util-linux-dev

 # Copy source to container for sake of build
-COPY . "$BUILD_DIR"
+ARG BUILD_DIR=/tmp/guacamole-server
+COPY . ${BUILD_DIR}

-# Build guacamole-server from local source
-RUN yum -y install $BUILD_DEPENDENCIES         && \
-    /opt/guacd/bin/build-guacd.sh "$BUILD_DIR" && \
-    rm -Rf "$BUILD_DIR"                        && \
-    yum -y autoremove $BUILD_DEPENDENCIES      && \
-    yum clean all
+#
+# Base directory for installed build artifacts.
+#
+# NOTE: Due to limitations of the Docker image build process, this value is
+# duplicated in an ARG in the second stage of the build.
+#
+ARG PREFIX_DIR=/opt/guacamole
+
+#
+# Automatically select the latest versions of each core protocol support
+# library (these can be overridden at build time if a specific version is
+# needed)
+#
+ARG WITH_FREERDP='2(\.\d+)+'
+ARG WITH_LIBSSH2='libssh2-\d+(\.\d+)+'
+ARG WITH_LIBTELNET='\d+(\.\d+)+'
+ARG WITH_LIBVNCCLIENT='LibVNCServer-\d+(\.\d+)+'
+ARG WITH_LIBWEBSOCKETS='v\d+(\.\d+)+'
+
+#
+# Default build options for each core protocol support library, as well as
+# guacamole-server itself (these can be overridden at build time if different
+# options are needed)
+#
+
+ARG FREERDP_OPTS="\
+    -DBUILTIN_CHANNELS=OFF \
+    -DCHANNEL_URBDRC=OFF \
+    -DWITH_ALSA=OFF \
+    -DWITH_CAIRO=ON \
+    -DWITH_CHANNELS=ON \
+    -DWITH_CLIENT=ON \
+    -DWITH_CUPS=OFF \
+    -DWITH_DIRECTFB=OFF \
+    -DWITH_FFMPEG=OFF \
+    -DWITH_GSM=OFF \
+    -DWITH_GSSAPI=OFF \
+    -DWITH_IPP=OFF \
+    -DWITH_JPEG=ON \
+    -DWITH_LIBSYSTEMD=OFF \
+    -DWITH_MANPAGES=OFF \
+    -DWITH_OPENH264=OFF \
+    -DWITH_OPENSSL=ON \
+    -DWITH_OSS=OFF \
+    -DWITH_PCSC=OFF \
+    -DWITH_PULSE=OFF \
+    -DWITH_SERVER=OFF \
+    -DWITH_SERVER_INTERFACE=OFF \
+    -DWITH_SHADOW_MAC=OFF \
+    -DWITH_SHADOW_X11=OFF \
+    -DWITH_SSE2=ON \
+    -DWITH_WAYLAND=OFF \
+    -DWITH_X11=OFF \
+    -DWITH_X264=OFF \
+    -DWITH_XCURSOR=ON \
+    -DWITH_XEXT=ON \
+    -DWITH_XI=OFF \
+    -DWITH_XINERAMA=OFF \
+    -DWITH_XKBFILE=ON \
+    -DWITH_XRENDER=OFF \
+    -DWITH_XTEST=OFF \
+    -DWITH_XV=OFF \
+    -DWITH_ZLIB=ON"
+
+ARG GUACAMOLE_SERVER_OPTS="\
+    --disable-guaclog"
+
+ARG LIBSSH2_OPTS="\
+    -DBUILD_EXAMPLES=OFF \
+    -DBUILD_SHARED_LIBS=ON"
+
+ARG LIBTELNET_OPTS="\
+    --disable-static \
+    --disable-util"
+
+ARG LIBVNCCLIENT_OPTS=""
+
+ARG LIBWEBSOCKETS_OPTS="\
+    -DDISABLE_WERROR=ON \
+    -DLWS_WITHOUT_SERVER=ON \
+    -DLWS_WITHOUT_TESTAPPS=ON \
+    -DLWS_WITHOUT_TEST_CLIENT=ON \
+    -DLWS_WITHOUT_TEST_PING=ON \
+    -DLWS_WITHOUT_TEST_SERVER=ON \
+    -DLWS_WITHOUT_TEST_SERVER_EXTPOLL=ON \
+    -DLWS_WITH_STATIC=OFF"
+
+# Build guacamole-server and its core protocol library dependencies
+RUN ${BUILD_DIR}/src/guacd-docker/bin/build-all.sh
+
+# Record the packages of all runtime library dependencies
+RUN ${BUILD_DIR}/src/guacd-docker/bin/list-dependencies.sh \
+        ${PREFIX_DIR}/sbin/guacd               \
+        ${PREFIX_DIR}/lib/libguac-client-*.so  \
+        ${PREFIX_DIR}/lib/freerdp2/*guac*.so   \
+        > ${PREFIX_DIR}/DEPENDENCIES
+
+# Use same Alpine version as the base for the runtime image
+FROM alpine:${ALPINE_BASE_IMAGE}
+
+#
+# Base directory for installed build artifacts. See also the
+# CMD directive at the end of this build stage.
+#
+# NOTE: Due to limitations of the Docker image build process, this value is
+# duplicated in an ARG in the first stage of the build.
+#
+ARG PREFIX_DIR=/opt/guacamole
+
+# Runtime environment
+ENV LC_ALL=C.UTF-8
+ENV LD_LIBRARY_PATH=${PREFIX_DIR}/lib
+ENV GUACD_LOG_LEVEL=info
+
+# Copy build artifacts into this stage
+COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
+
+# Bring runtime environment up to date and install runtime dependencies
+RUN apk add --no-cache                \
+        ca-certificates               \
+        ghostscript                   \
+        netcat-openbsd                \
+        shadow                        \
+        terminus-font                 \
+        ttf-dejavu                    \
+        ttf-liberation                \
+        util-linux-login && \
+    xargs apk add --no-cache < ${PREFIX_DIR}/DEPENDENCIES
+
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Create a new user guacd
+ARG UID=1000
+ARG GID=1000
+RUN groupadd --gid $GID guacd
+RUN useradd --system --create-home --shell /sbin/nologin --uid $UID --gid $GID guacd
+
+# Run with user guacd
+USER guacd
+
+# Expose the default listener port
+EXPOSE 4822

 # Start guacd, listening on port 0.0.0.0:4822
-EXPOSE 4822
-CMD [ "/usr/local/sbin/guacd", "-b", "0.0.0.0", "-f" ]
+#
+# Note the path here MUST correspond to the value specified in the 
+# PREFIX_DIR build argument.
+#
+CMD /opt/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f

--- a/Makefile.am
+++ b/Makefile.am
@ -16,27 +16,34 @@
 # specific language governing permissions and limitations
 # under the License.
 #
+# NOTE: Parts of this file (Makefile.am) are automatically transcluded verbatim
+# into Makefile.in. Though the build system (GNU Autotools) automatically adds
+# its own license boilerplate to the generated Makefile.in, that boilerplate
+# does not apply to the transcluded portions of Makefile.am which are licensed
+# to you by the ASF under the Apache License, Version 2.0, as described above.
+#

 ACLOCAL_AMFLAGS = -I m4

 # Subprojects
-DIST_SUBDIRS =           \
-    src/libguac          \
-    src/common           \
-    src/common-ssh       \
-    src/terminal         \
-    src/guacd            \
-    src/guacenc          \
-    src/protocols/rdp    \
-    src/protocols/ssh    \
-    src/protocols/telnet \
-    src/protocols/vnc    \
-    tests
+DIST_SUBDIRS =               \
+    src/libguac              \
+    src/common               \
+    src/common-ssh           \
+    src/terminal             \
+    src/guacd                \
+    src/guacenc              \
+    src/guaclog              \
+    src/pulse                \
+    src/protocols/kubernetes \
+    src/protocols/rdp        \
+    src/protocols/ssh        \
+    src/protocols/telnet     \
+    src/protocols/vnc

-SUBDIRS =       \
-    src/libguac \
-    src/common  \
-    tests
+SUBDIRS =        \
+    src/libguac  \
+    src/common

 if ENABLE_COMMON_SSH
 SUBDIRS += src/common-ssh
@ -46,6 +53,14 @@ if ENABLE_TERMINAL
 SUBDIRS += src/terminal
 endif

+if ENABLE_PULSE
+SUBDIRS += src/pulse
+endif
+
+if ENABLE_KUBERNETES
+SUBDIRS += src/protocols/kubernetes
+endif
+
 if ENABLE_RDP
 SUBDIRS += src/protocols/rdp
 endif
@ -70,14 +85,19 @@ if ENABLE_GUACENC
 SUBDIRS += src/guacenc
 endif

-EXTRA_DIST =      \
-    .dockerignore \
-    CONTRIBUTING  \
-    DISCLAIMER    \
-    Dockerfile    \
-    LICENSE       \
-    NOTICE        \
-    bin/guacctl   \
-    doc/Doxyfile  \
-    src/guacd-docker
+if ENABLE_GUACLOG
+SUBDIRS += src/guaclog
+endif
+
+EXTRA_DIST =                         \
+    .dockerignore                    \
+    CONTRIBUTING                     \
+    Dockerfile                       \
+    LICENSE                          \
+    NOTICE                           \
+    bin/guacctl                      \
+    doc/libguac/Doxyfile.in          \
+    doc/libguac-terminal/Doxyfile.in \
+    src/guacd-docker                 \
+    util/generate-test-runner.pl

--- a/2
+++ b/2
@ -1,5 +1,5 @@
 Apache Guacamole
-Copyright 2016 The Apache Software Foundation
+Copyright 2020 The Apache Software Foundation

 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
--- a/6
+++ b/6
@ -8,11 +8,11 @@ technical users intending to compile parts of Apache Guacamole themselves.

 Source archives are available from the downloads section of the project website:
 
-    http://guacamole.incubator.apache.org/
+    http://guacamole.apache.org/

 A full manual is available as well:

-    http://guacamole.incubator.apache.org/doc/gug/
+    http://guacamole.apache.org/doc/gug/


 ------------------------------------------------------------
@ -25,7 +25,7 @@ libraries.

 guacd is the Guacamole proxy daemon used by the Guacamole web application and
 framework. As JavaScript cannot handle binary protocols (like VNC and remote
-desktop) efficiently, a new test-based protocol was developed which would
+desktop) efficiently, a new text-based protocol was developed which would
 contain a common superset of the operations needed for efficient remote desktop
 access, but would be easy for JavaScript programs to process. guacd is the
 proxy which translates between arbitrary protocols and the Guacamole protocol.
--- a/README-unit-testing.md
+++ b/README-unit-testing.md
@ -0,0 +1,89 @@
+
+Unit testing and guacamole-server
+=================================
+
+Unit tests within guacamole-server are implemented using the following:
+
+* automake, which allows arbitrary tests to be declared within `Makefile.am`
+  and uses `make check` to run those tests.
+* CUnit (libcunit), a unit testing framework.
+* `util/generate-test-runner.pl`, a Perl script which generates a test runner
+  written in C which leverages CUnit, running the unit tests declared in each
+  of the given `.c` files. The generated test runner produces output in [TAP
+  format](https://testanything.org/) which is consumed by the TAP test driver
+  provided by automake.
+
+Writing unit tests
+------------------
+
+All unit tests should be within reasonably-isolated C source files, with each
+logical test having its own function of the form:
+
+    void test_SUITENAME__TESTNAME() {
+        ...
+    }
+
+where `TESTNAME` is the arbitrary name of the test and `SUITENAME` is the
+arbitrary name of the test suite that this test belongs to.
+
+**This naming convention is required by `generate-test-runner.pl`.** Absolutely
+all tests MUST follow the above convention if they are to be picked up and
+organized by the test runner generation script. Functions which are not tests
+MUST NOT follow the above convention so that they are _not_ picked up mistakenly
+by the test runner generator as if they were tests.
+
+The `Makefile.am` for a subproject which contains such tests is typically
+modified to contain a sections like the following:
+
+    #
+    # Unit tests for myproj
+    #
+
+    check_PROGRAMS = test_myproj
+    TESTS = $(check_PROGRAMS)
+
+    test_myproj_SOURCES =      \
+        ...all source files...
+
+    test_myproj_CFLAGS =        \
+        -Werror -Wall -pedantic \
+        ...other flags...
+
+    test_myproj_LDADD = \
+        ...libraries...
+
+    #
+    # Autogenerate test runner
+    #
+
+    GEN_RUNNER = $(top_srcdir)/util/generate-test-runner.pl
+    CLEANFILES = _generated_runner.c
+
+    _generated_runner.c: $(test_myproj_SOURCES)
+    	$(AM_V_GEN) $(GEN_RUNNER) $(test_myproj_SOURCES) > $@
+
+    nodist_test_libguac_SOURCES = \
+        _generated_runner.c
+
+    # Use automake's TAP test driver for running any tests
+    LOG_DRIVER =                \
+        env AM_TAP_AWK='$(AWK)' \
+        $(SHELL) $(top_srcdir)/build-aux/tap-driver.sh
+
+The above declares ...
+
+* ... that a binary, `test_myproj` should be built from the given sources.
+  Note that `test_myproj_SOURCES` contains only the source which was actually
+  written by hand while `nodist_test_myproj_SOURCES` contains only the source
+  which was generated by `generate-test-runner.pl`.
+* ... that this `test_myproj` binary should be run to test this project when
+  `make check` is run, and that automake's TAP driver should be used to
+  consume its output.
+* ... that the `_generated_runner.c` source file is generated dynamically
+  (through running `generate-test-runner.pl` on all non-generated test source)
+  and should not be distributed as part of the source archive.
+
+With tests following the above naming convention in place, and with the
+necessary changes made to the applicable `Makefile.am`, all tests will be
+run automatically when `make check` is run.
+
--- a/bin/guacctl
+++ b/bin/guacctl
@ -90,6 +90,18 @@ send_close_pipe_stream() {
    printf "\033]482203;\007"
 }

+##
+## Sends the Guacamole-specific console code for resizing the scrollback
+## buffer.
+##
+## @param ROWS
+##     The number of rows that the scrollback buffer should contain.
+##
+send_resize_scrollback() {
+    ROWS="$1"
+    printf "\033]482204;%s\007" "$ROWS"
+}
+
 ##
 ## Prints the given error text to STDERR.
 ##
@ -105,7 +117,7 @@ error() {
 ##
 usage() {
    cat >&2 <<END
-guacctl 0.9.11-incubating, Guacamole terminal session control utility.
+guacctl 1.5.0, Apache Guacamole terminal session control utility.
 Usage: guacctl [OPTION] [FILE or NAME]...

    -d, --download         download each of the files listed.
@ -115,6 +127,8 @@ Usage: guacctl [OPTION] [FILE or NAME]...
                           name.
    -c, --close-pipe       close any existing pipe stream and redirect output
                           back to the terminal emulator.
+    -S, --scrollback       request that the scrollback buffer be limited to the
+                           given number of rows.
 END
 }

@ -243,6 +257,39 @@ close_pipe_stream() {

 }

+##
+## Resizes the scrollback buffer to the given number of rows.
+##
+## @param ...
+##     The number of rows that should be contained within the scrollback
+##     buffer, as provided to guacctl.
+##
+resize_scrollback() {
+
+    #
+    # Validate arguments
+    #
+
+    if [ $# -lt 1 ]; then
+        error "No row count specified."
+        return;
+    fi
+
+    if [ $# -gt 1 ]; then
+        error "Only one row count may be given."
+        return;
+    fi
+
+    #
+    # Send code for resizing scrollback
+    #
+
+    ROWS="$1"
+    send_resize_scrollback "$ROWS"
+
+}
+
+
 #
 # Get script name
 #
@ -300,6 +347,15 @@ case "$1" in
        close_pipe_stream "$@"
        ;;

+    #
+    # Resize scrollback
+    #
+
+    "--scrollback"|"-S")
+        shift
+        resize_scrollback "$@"
+        ;;
+
    #
    # Show usage info if options are invalid
    #
--- a/configure.ac
+++ b/configure.ac
--- a/doc/libguac-terminal/Doxyfile.in
+++ b/doc/libguac-terminal/Doxyfile.in
@ -0,0 +1,58 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# Project name / version
+#
+
+PROJECT_NAME   = libguac-terminal
+PROJECT_NUMBER = @PACKAGE_VERSION@
+
+#
+# Warn about undocumented parameters and return values, but do not fill output
+# with verbose progress info.
+#
+
+QUIET            = YES
+WARN_NO_PARAMDOC = YES
+
+#
+# Output format
+#
+
+ALPHABETICAL_INDEX    = YES
+GENERATE_HTML         = YES
+GENERATE_LATEX        = NO
+OPTIMIZE_OUTPUT_FOR_C = YES
+OUTPUT_DIRECTORY      = doxygen-output
+RECURSIVE             = YES
+SHOW_INCLUDE_FILES    = NO
+
+#
+# Input format
+#
+
+CASE_SENSE_NAMES     = YES
+FILE_PATTERNS        = *.h
+STRIP_FROM_PATH      = ../../src/terminal
+INPUT                = ../../src/terminal/terminal/terminal.h
+JAVADOC_AUTOBRIEF    = YES
+TAB_SIZE             = 4
+TYPEDEF_HIDES_STRUCT = YES
+
--- a/doc/libguac/Doxyfile.in
+++ b/doc/libguac/Doxyfile.in
@ -22,7 +22,7 @@
 #

 PROJECT_NAME   = libguac
-PROJECT_NUMBER = 0.9.11-incubating
+PROJECT_NUMBER = @PACKAGE_VERSION@

 #
 # Warn about undocumented parameters and return values, but do not fill output
@ -52,9 +52,9 @@ SHOW_INCLUDE_FILES    = NO
 CASE_SENSE_NAMES     = YES
 EXCLUDE_SYMBOLS      = __* guac_palette*
 FILE_PATTERNS        = *.h
-INPUT                = ../src/libguac/guacamole
+INPUT                = ../../src/libguac/guacamole
 JAVADOC_AUTOBRIEF    = YES
-STRIP_FROM_PATH      = ../src/libguac
+STRIP_FROM_PATH      = ../../src/libguac
 TAB_SIZE             = 4
 TYPEDEF_HIDES_STRUCT = YES

--- a/src/common-ssh/.gitignore
+++ b/src/common-ssh/.gitignore
@ -0,0 +1,5 @@
+
+# Auto-generated test runner and binary
+_generated_runner.c
+test_common_ssh
+
--- a/src/common-ssh/Makefile.am
+++ b/src/common-ssh/Makefile.am
@ -16,25 +16,32 @@
 # specific language governing permissions and limitations
 # under the License.
 #
+# NOTE: Parts of this file (Makefile.am) are automatically transcluded verbatim
+# into Makefile.in. Though the build system (GNU Autotools) automatically adds
+# its own license boilerplate to the generated Makefile.in, that boilerplate
+# does not apply to the transcluded portions of Makefile.am which are licensed
+# to you by the ASF under the Apache License, Version 2.0, as described above.
+#

 AUTOMAKE_OPTIONS = foreign
 ACLOCAL_AMFLAGS = -I m4

 noinst_LTLIBRARIES = libguac_common_ssh.la
+SUBDIRS = . tests

 libguac_common_ssh_la_SOURCES = \
-    guac_sftp.c                 \
-    guac_ssh.c                  \
-    guac_ssh_buffer.c           \
-    guac_ssh_key.c              \
-    guac_ssh_user.c
+    buffer.c                    \
+    sftp.c                      \
+    ssh.c                       \
+    key.c                       \
+    user.c

-noinst_HEADERS =      \
-    guac_sftp.h       \
-    guac_ssh.h        \
-    guac_ssh_buffer.h \
-    guac_ssh_key.h    \
-    guac_ssh_user.h
+noinst_HEADERS =            \
+    common-ssh/buffer.h     \
+    common-ssh/key.h        \
+    common-ssh/sftp.h       \
+    common-ssh/ssh.h        \
+    common-ssh/user.h

 libguac_common_ssh_la_CFLAGS = \
    -Werror -Wall -pedantic    \
--- a/src/common-ssh/guac_ssh_buffer.c
+++ b/src/common-ssh/guac_ssh_buffer.c
@ -54,7 +54,7 @@ void guac_common_ssh_buffer_write_data(char** buffer, const char* data,
    *buffer += length;
 }

-void guac_common_ssh_buffer_write_bignum(char** buffer, BIGNUM* value) {
+void guac_common_ssh_buffer_write_bignum(char** buffer, const BIGNUM* value) {

    unsigned char* bn_buffer;
    int length;
--- a/src/common-ssh/common-ssh/buffer.h
+++ b/src/common-ssh/common-ssh/buffer.h
@ -76,7 +76,7 @@ void guac_common_ssh_buffer_write_string(char** buffer, const char* string,
 * @param value
 *     The value to write.
 */
-void guac_common_ssh_buffer_write_bignum(char** buffer, BIGNUM* value);
+void guac_common_ssh_buffer_write_bignum(char** buffer, const BIGNUM* value);

 /**
 * Writes the given data the given buffer, advancing the buffer pointer by the
--- a/src/common-ssh/common-ssh/key.h
+++ b/src/common-ssh/common-ssh/key.h
@ -0,0 +1,152 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#ifndef GUAC_COMMON_SSH_KEY_H
+#define GUAC_COMMON_SSH_KEY_H
+
+#include "config.h"
+
+#include <guacamole/client.h>
+#include <libssh2.h>
+
+/**
+ * OpenSSH v1 private keys are PEM-wrapped base64-encoded blobs. The encoded data begins with:
+ *   "openssh-key-v1\0"
+ */
+#define OPENSSH_V1_KEY_HEADER "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA"
+
+/**
+ * The base64-encoded prefix indicating an OpenSSH v1 private key is NOT protected by a
+ * passphrase. Specifically, it is the following data fields and values:
+ *   pascal string: cipher name ("none")
+ *   pascal string: kdf name ("none")
+ *   pascal string: kdf params (NULL)
+ *   32-bit int: number of keys (1)
+ */
+#define OPENSSH_V1_UNENCRYPTED_KEY "AAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB"
+
+/**
+ * Abstraction of a key used for SSH authentication.
+ */
+typedef struct guac_common_ssh_key {
+
+    /**
+     * The private key, encoded as necessary for SSH.
+     */
+    char* private_key;
+
+    /**
+     * The length of the private key, in bytes.
+     */
+    int private_key_length;
+
+    /**
+     * The private key's passphrase, if any.
+     */
+    char *passphrase;
+
+} guac_common_ssh_key;
+
+/**
+ * Allocates a new key containing the given private key data and specified
+ * passphrase. If unable to read the key, NULL is returned.
+ *
+ * @param data
+ *     The base64-encoded data to decode when reading the key.
+ *
+ * @param length
+ *     The length of the provided data, in bytes.
+ *
+ * @param passphrase
+ *     The passphrase to use when decrypting the key, if any, or an empty
+ *     string or NULL if no passphrase is needed.
+ *
+ * @return
+ *     The decoded, decrypted private key, or NULL if the key could not be
+ *     decoded.
+ */
+guac_common_ssh_key* guac_common_ssh_key_alloc(char* data, int length,
+        char* passphrase);
+
+/**
+ * Returns a statically-allocated string describing the most recent SSH key
+ * error.
+ *
+ * @return
+ *     A statically-allocated string describing the most recent SSH key error.
+ */
+const char* guac_common_ssh_key_error();
+
+/**
+ * Frees all memory associated with the given key.
+ *
+ * @param key
+ *     The key to free.
+ */
+void guac_common_ssh_key_free(guac_common_ssh_key* key);
+
+/**
+ * Verifies the host key for the given hostname/port combination against
+ * one or more known_hosts entries.  The known_host entries can either be a
+ * single host_key, provided by the client, or a set of known_hosts entries
+ * provided in the /etc/guacamole/ssh_known_hosts file.  Failure to correctly
+ * load the known_hosts entries will result in a connection abort and a returned
+ * error code.  A return code of zero indiciates that either no known_hosts entries
+ * were provided, or that the verification succeeded (match).  Negative values
+ * indicate internal libssh2 error codes; positive values indicate a failure
+ * during verification of the host key against the known hosts.
+ *
+ * @param session
+ *     A pointer to the LIBSSH2_SESSION structure of the SSH connection already
+ *     in progress.
+ *
+ * @param client
+ *     The current guac_client instance for which the known_hosts checking is
+ *     being performed.
+ *
+ * @param host_key
+ *     The known host entry provided by the client.  If this is non-null and not
+ *     empty, it will be the only host key loaded and used for verification.  If
+ *     this is null or empty an attempt will be made to read the
+ *     /etc/guacamole/ssh_known_hosts file and load entries from it.
+ *
+ * @param hostname
+ *     The hostname or IP of the server that is being verified.
+ *
+ * @param port
+ *     The port number of the server being verified.
+ *
+ * @param remote_hostkey
+ *     The host key of the remote system being verified.
+ *
+ * @param remote_hostkey_len
+ *     The length of the remote host key being verified
+ *
+ * @return
+ *     The status of the known_hosts check.  This will be zero if no entries
+ *     are provided or if the match succeeds, negative to indicate internal
+ *     libssh2 errors, or positive to indicate failures during host key
+ *     checking.
+ */
+int guac_common_ssh_verify_host_key(LIBSSH2_SESSION* session, guac_client* client,
+        const char* host_key, const char* hostname, int port, const char* remote_hostkey,
+        const size_t remote_hostkey_len);
+
+#endif
+
--- a/src/common-ssh/common-ssh/sftp.h
+++ b/src/common-ssh/common-ssh/sftp.h
@ -20,8 +20,8 @@
 #ifndef GUAC_COMMON_SSH_SFTP_H
 #define GUAC_COMMON_SSH_SFTP_H

-#include "guac_json.h"
-#include "guac_ssh.h"
+#include "common/json.h"
+#include "ssh.h"

 #include <guacamole/object.h>
 #include <guacamole/user.h>
@ -33,6 +33,11 @@
 */
 #define GUAC_COMMON_SSH_SFTP_MAX_PATH 2048

+/**
+ * Maximum number of path components per path.
+ */
+#define GUAC_COMMON_SSH_SFTP_MAX_DEPTH 1024
+
 /**
 * Representation of an SFTP-driven filesystem object. Unlike guac_object, this
 * structure is not tied to any particular user.
@ -54,11 +59,26 @@ typedef struct guac_common_ssh_sftp_filesystem {
     */
    LIBSSH2_SFTP* sftp_session;

+    /**
+     * The path to the directory to expose to the user as a filesystem object.
+     */
+    char root_path[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
    /**
     * The path files will be sent to, if uploaded directly via a "file"
     * instruction.
     */
    char upload_path[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+    
+    /**
+     * If downloads from SFTP to the local browser should be disabled.
+     */
+    int disable_download;
+    
+    /**
+     * If uploads from the local browser to SFTP should be disabled.
+     */
+    int disable_upload;

 } guac_common_ssh_sftp_filesystem;

@ -103,15 +123,29 @@ typedef struct guac_common_ssh_sftp_ls_state {
 *     The session to use to provide SFTP. This session will automatically be
 *     destroyed when this filesystem is destroyed.
 *
+ * @param root_path
+ *     The path accessible via SFTP to consider the root path of the filesystem
+ *     exposed to the user. Only the contents of this path will be available
+ *     via the filesystem object.
+ *
 * @param name
 *     The name to send as the name of the filesystem whenever it is exposed
- *     to a user.
+ *     to a user, or NULL to automatically generate a name from the provided
+ *     root_path.
+ * 
+ * @param disable_download
+ *     Whether downloads from the SFTP share to the local browser should be
+ *     disabled.
+ * 
+ * @param disable_upload
+ *     Whether uploads from the local browser to SFTP should be disabled.
 *
 * @return
 *     A new SFTP filesystem object, not yet exposed to users.
 */
 guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem(
-        guac_common_ssh_session* session, const char* name);
+        guac_common_ssh_session* session, const char* root_path,
+        const char* name, int disable_download, int disable_upload);

 /**
 * Destroys the given filesystem object, disconnecting from SFTP and freeing
@ -238,5 +272,30 @@ int guac_common_ssh_sftp_handle_file_stream(
 void guac_common_ssh_sftp_set_upload_path(
        guac_common_ssh_sftp_filesystem* filesystem, const char* path);

+/**
+ * Given an arbitrary absolute path, which may contain "..", ".", and
+ * backslashes, creates an equivalent absolute path which does NOT contain
+ * relative path components (".." or "."), backslashes, or empty path
+ * components. With the exception of paths referring to the root directory, the
+ * resulting path is guaranteed to not contain trailing slashes.
+ *
+ * Normalization will fail if the given path is not absolute, is too long, or
+ * contains more than GUAC_COMMON_SSH_SFTP_MAX_DEPTH path components.
+ *
+ * @param fullpath
+ *     The buffer to populate with the normalized path. The normalized path
+ *     will not contain relative path components like ".." or ".", nor will it
+ *     contain backslashes. This buffer MUST be at least
+ *     GUAC_COMMON_SSH_SFTP_MAX_PATH bytes in size.
+ *
+ * @param path
+ *     The absolute path to normalize.
+ *
+ * @return
+ *     Non-zero if normalization succeeded, zero otherwise.
+ */
+int guac_common_ssh_sftp_normalize_path(char* fullpath,
+        const char* path);
+
 #endif

--- a/src/common-ssh/common-ssh/ssh.h
+++ b/src/common-ssh/common-ssh/ssh.h
@ -20,11 +20,28 @@
 #ifndef GUAC_COMMON_SSH_H
 #define GUAC_COMMON_SSH_H

-#include "guac_ssh_user.h"
+#include "user.h"

 #include <guacamole/client.h>
 #include <libssh2.h>

+/**
+ * Handler for retrieving additional credentials.
+ * 
+ * @param client
+ *     The Guacamole Client associated with this need for additional
+ *     credentials.
+ * 
+ * @param cred_name
+ *     The name of the credential being requested, which will be shared
+ *     with the client in order to generate a meaningful prompt.
+ * 
+ * @return
+ *     A newly-allocated string containing the credentials provided by
+ *     the user, which must be freed by a call to free().
+ */
+typedef char* guac_ssh_credential_handler(guac_client* client, char* cred_name);
+
 /**
 * An SSH session, backed by libssh2 and associated with a particular
 * Guacamole client.
@ -50,6 +67,11 @@ typedef struct guac_common_ssh_session {
     * The file descriptor of the socket being used for the SSH connection.
     */
    int fd;
+    
+    /**
+     * Callback function to retrieve credentials.
+     */
+    guac_ssh_credential_handler* credential_handler;

 } guac_common_ssh_session;

@ -92,13 +114,32 @@ void guac_common_ssh_uninit();
 *
 * @param user
 *     The user to authenticate as, once connected.
+ * 
+ * @param keepalive
+ *     How frequently the connection should send keepalive packets, in
+ *     seconds.  Zero disables keepalive packets, and 2 is the minimum
+ *     configurable value.
+ * 
+ * @param host_key
+ *     The known public host key of the server, as provided by the client.  If
+ *     provided the identity of the server will be checked against this key,
+ *     and a mis-match between this and the server identity will cause the
+ *     connection to fail.  If not provided, no checks will be done and the
+ *     connection will proceed.
+ * 
+ * @param credential_handler
+ *     The handler function for retrieving additional credentials from the user
+ *     as required by the SSH server, or NULL if the user will not be asked
+ *     for additional credentials.
 *
 * @return
 *     A new SSH session if the connection and authentication succeed, or NULL
 *     if the connection or authentication were not successful.
 */
 guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
-        const char* hostname, const char* port, guac_common_ssh_user* user);
+        const char* hostname, const char* port, guac_common_ssh_user* user,
+        int keepalive, const char* host_key,
+        guac_ssh_credential_handler* credential_handler);

 /**
 * Disconnects and destroys the given SSH session, freeing all associated
--- a/src/common-ssh/common-ssh/user.h
+++ b/src/common-ssh/common-ssh/user.h
@ -20,7 +20,7 @@
 #ifndef GUAC_COMMON_SSH_USER_H
 #define GUAC_COMMON_SSH_USER_H

-#include "guac_ssh_key.h"
+#include "key.h"

 /**
 * Data describing an SSH user, including their credentials.
--- a/src/common-ssh/guac_ssh_key.c
+++ b/src/common-ssh/guac_ssh_key.c
@ -1,217 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#include "config.h"
-
-#include "guac_ssh_buffer.h"
-#include "guac_ssh_key.h"
-
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/obj_mac.h>
-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-guac_common_ssh_key* guac_common_ssh_key_alloc(char* data, int length,
-        char* passphrase) {
-
-    guac_common_ssh_key* key;
-    BIO* key_bio;
-
-    char* public_key;
-    char* pos;
-
-    /* Create BIO for reading key from memory */
-    key_bio = BIO_new_mem_buf(data, length);
-
-    /* If RSA key, load RSA */
-    if (length > sizeof(SSH_RSA_KEY_HEADER)-1
-            && memcmp(SSH_RSA_KEY_HEADER, data,
-                      sizeof(SSH_RSA_KEY_HEADER)-1) == 0) {
-
-        RSA* rsa_key;
-
-        /* Read key */
-        rsa_key = PEM_read_bio_RSAPrivateKey(key_bio, NULL, NULL, passphrase);
-        if (rsa_key == NULL)
-            return NULL;
-
-        /* Allocate key */
-        key = malloc(sizeof(guac_common_ssh_key));
-        key->rsa = rsa_key;
-
-        /* Set type */
-        key->type = SSH_KEY_RSA;
-
-        /* Allocate space for public key */
-        public_key = malloc(4096);
-        pos = public_key;
-
-        /* Derive public key */
-        guac_common_ssh_buffer_write_string(&pos, "ssh-rsa", sizeof("ssh-rsa")-1);
-        guac_common_ssh_buffer_write_bignum(&pos, rsa_key->e);
-        guac_common_ssh_buffer_write_bignum(&pos, rsa_key->n);
-
-        /* Save public key to structure */
-        key->public_key = public_key;
-        key->public_key_length = pos - public_key;
-
-    }
-
-    /* If DSA key, load DSA */
-    else if (length > sizeof(SSH_DSA_KEY_HEADER)-1
-            && memcmp(SSH_DSA_KEY_HEADER, data,
-                      sizeof(SSH_DSA_KEY_HEADER)-1) == 0) {
-
-        DSA* dsa_key;
-
-        /* Read key */
-        dsa_key = PEM_read_bio_DSAPrivateKey(key_bio, NULL, NULL, passphrase);
-        if (dsa_key == NULL)
-            return NULL;
-
-        /* Allocate key */
-        key = malloc(sizeof(guac_common_ssh_key));
-        key->dsa = dsa_key;
-
-        /* Set type */
-        key->type = SSH_KEY_DSA;
-
-        /* Allocate space for public key */
-        public_key = malloc(4096);
-        pos = public_key;
-
-        /* Derive public key */
-        guac_common_ssh_buffer_write_string(&pos, "ssh-dss", sizeof("ssh-dss")-1);
-        guac_common_ssh_buffer_write_bignum(&pos, dsa_key->p);
-        guac_common_ssh_buffer_write_bignum(&pos, dsa_key->q);
-        guac_common_ssh_buffer_write_bignum(&pos, dsa_key->g);
-        guac_common_ssh_buffer_write_bignum(&pos, dsa_key->pub_key);
-
-        /* Save public key to structure */
-        key->public_key = public_key;
-        key->public_key_length = pos - public_key;
-
-    }
-
-    /* Otherwise, unsupported type */
-    else {
-        BIO_free(key_bio);
-        return NULL;
-    }
-
-    /* Copy private key to structure */
-    key->private_key_length = length;
-    key->private_key = malloc(length);
-    memcpy(key->private_key, data, length);
-
-    BIO_free(key_bio);
-    return key;
-
-}
-
-const char* guac_common_ssh_key_error() {
-
-    /* Return static error string */
-    return ERR_reason_error_string(ERR_get_error());
-
-}
-
-void guac_common_ssh_key_free(guac_common_ssh_key* key) {
-
-    /* Free key-specific data */
-    if (key->type == SSH_KEY_RSA)
-        RSA_free(key->rsa);
-    else if (key->type == SSH_KEY_DSA)
-        DSA_free(key->dsa);
-
-    free(key->private_key);
-    free(key->public_key);
-    free(key);
-}
-
-int guac_common_ssh_key_sign(guac_common_ssh_key* key, const char* data,
-        int length, unsigned char* sig) {
-
-    const EVP_MD* md;
-    EVP_MD_CTX md_ctx;
-
-    unsigned char digest[EVP_MAX_MD_SIZE];
-    unsigned int dlen, len;
-
-    /* Get SHA1 digest */
-    if ((md = EVP_get_digestbynid(NID_sha1)) == NULL)
-        return -1;
-
-    /* Digest data */
-    EVP_DigestInit(&md_ctx, md);
-    EVP_DigestUpdate(&md_ctx, data, length);
-    EVP_DigestFinal(&md_ctx, digest, &dlen);
-
-    /* Sign with key */
-    switch (key->type) {
-
-        case SSH_KEY_RSA:
-            if (RSA_sign(NID_sha1, digest, dlen, sig, &len, key->rsa) == 1)
-                return len;
-            break;
-
-        case SSH_KEY_DSA: {
-
-            DSA_SIG* dsa_sig = DSA_do_sign(digest, dlen, key->dsa);
-            if (dsa_sig != NULL) {
-
-                /* Compute size of each half of signature */
-                int rlen = BN_num_bytes(dsa_sig->r);
-                int slen = BN_num_bytes(dsa_sig->s);
-
-                /* Ensure each number is within the required size */
-                if (rlen > DSA_SIG_NUMBER_SIZE || slen > DSA_SIG_NUMBER_SIZE)
-                    return -1;
-
-                /* Init to all zeroes */
-                memset(sig, 0, DSA_SIG_SIZE);
-
-                /* Add R at the end of the first block of the signature */
-                BN_bn2bin(dsa_sig->r, sig + DSA_SIG_SIZE
-                                          - DSA_SIG_NUMBER_SIZE - rlen);
-
-                /* Add S at the end of the second block of the signature */
-                BN_bn2bin(dsa_sig->s, sig + DSA_SIG_SIZE - slen);
-
-                /* Done */
-                DSA_SIG_free(dsa_sig);
-                return DSA_SIG_SIZE;
-
-            }
-
-        }
-
-    }
-
-    return -1;
-
-}
-
--- a/src/common-ssh/guac_ssh_key.h
+++ b/src/common-ssh/guac_ssh_key.h
@ -1,170 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#ifndef GUAC_COMMON_SSH_KEY_H
-#define GUAC_COMMON_SSH_KEY_H
-
-#include "config.h"
-
-#include <openssl/ossl_typ.h>
-
-/**
- * The expected header of RSA private keys.
- */
-#define SSH_RSA_KEY_HEADER "-----BEGIN RSA PRIVATE KEY-----"
-
-/**
- * The expected header of DSA private keys.
- */
-#define SSH_DSA_KEY_HEADER "-----BEGIN DSA PRIVATE KEY-----"
-
-/**
- * The size of single number within a DSA signature, in bytes.
- */
-#define DSA_SIG_NUMBER_SIZE 20
-
-/**
- * The size of a DSA signature, in bytes.
- */
-#define DSA_SIG_SIZE DSA_SIG_NUMBER_SIZE*2 
-
-/**
- * The type of an SSH key.
- */
-typedef enum guac_common_ssh_key_type {
-
-    /**
-     * RSA key.
-     */
-    SSH_KEY_RSA,
-
-    /**
-     * DSA key.
-     */
-    SSH_KEY_DSA
-
-} guac_common_ssh_key_type;
-
-/**
- * Abstraction of a key used for SSH authentication.
- */
-typedef struct guac_common_ssh_key {
-
-    /**
-     * The type of this key.
-     */
-    guac_common_ssh_key_type type;
-
-    /**
-     * Underlying RSA private key, if any.
-     */
-    RSA* rsa;
-
-    /**
-     * Underlying DSA private key, if any.
-     */
-    DSA* dsa;
-
-    /**
-     * The associated public key, encoded as necessary for SSH.
-     */
-    char* public_key;
-
-    /**
-     * The length of the public key, in bytes.
-     */
-    int public_key_length;
-
-    /**
-     * The private key, encoded as necessary for SSH.
-     */
-    char* private_key;
-
-    /**
-     * The length of the private key, in bytes.
-     */
-    int private_key_length;
-
-} guac_common_ssh_key;
-
-/**
- * Allocates a new key containing the given private key data and specified
- * passphrase. If unable to read the key, NULL is returned.
- *
- * @param data
- *     The base64-encoded data to decode when reading the key.
- *
- * @param length
- *     The length of the provided data, in bytes.
- *
- * @param passphrase
- *     The passphrase to use when decrypting the key, if any, or an empty
- *     string or NULL if no passphrase is needed.
- *
- * @return
- *     The decoded, decrypted private key, or NULL if the key could not be
- *     decoded.
- */
-guac_common_ssh_key* guac_common_ssh_key_alloc(char* data, int length,
-        char* passphrase);
-
-/**
- * Returns a statically-allocated string describing the most recent SSH key
- * error.
- *
- * @return
- *     A statically-allocated string describing the most recent SSH key error.
- */
-const char* guac_common_ssh_key_error();
-
-/**
- * Frees all memory associated with the given key.
- *
- * @param key
- *     The key to free.
- */
-void guac_common_ssh_key_free(guac_common_ssh_key* key);
-
-/**
- * Signs the given data using the given key, returning the length of the
- * signature in bytes, or a value less than zero on error.
- *
- * @param key
- *     The key to use when signing the given data.
- *
- * @param data
- *     The arbitrary data to sign.
- *
- * @param length
- *     The length of the arbitrary data being signed, in bytes.
- *
- * @param sig
- *     The buffer into which the signature should be written. The buffer must
- *     be at least DSA_SIG_SIZE for DSA keys. For RSA keys, the signature size
- *     is dependent only on key size, and is equal to the length of the
- *     modulus, in bytes.
- *
- * @return
- *     The number of bytes in the resulting signature.
- */
-int guac_common_ssh_key_sign(guac_common_ssh_key* key, const char* data,
-        int length, unsigned char* sig);
-
-#endif
-
--- a/src/common-ssh/key.c
+++ b/src/common-ssh/key.c
@ -0,0 +1,248 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "config.h"
+
+#include "common-ssh/buffer.h"
+#include "common-ssh/key.h"
+
+#include <guacamole/string.h>
+
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/obj_mac.h>
+#include <openssl/pem.h>
+#include <openssl/rsa.h>
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+/**
+ * Check for a PKCS#1/PKCS#8 ENCRYPTED marker.
+ *
+ * @param data
+ *     The buffer to scan.
+ * @param length
+ *     The length of the buffer.
+ *
+ * @return
+ *     True if the buffer contains the marker, false otherwise.
+ */
+static bool is_pkcs_encrypted_key(char* data, int length) {
+    return guac_strnstr(data, "ENCRYPTED", length) != NULL;
+}
+
+/**
+ * Check for a PEM header & initial base64-encoded data indicating this is an
+ * OpenSSH v1 key.
+ *
+ * @param data
+ *     The buffer to scan.
+ * @param length
+ *     The length of the buffer.
+ *
+ * @return
+ *     True if the buffer contains a private key, false otherwise.
+ */
+static bool is_ssh_private_key(char* data, int length) {
+    if (length < sizeof(OPENSSH_V1_KEY_HEADER) - 1) {
+        return false;
+    }
+    return !strncmp(data, OPENSSH_V1_KEY_HEADER, sizeof(OPENSSH_V1_KEY_HEADER) - 1);
+}
+
+/**
+ * Assuming an offset into a key past the header, check for the base64-encoded
+ * data indicating this key is not protected by a passphrase.
+ *
+ * @param data
+ *     The buffer to scan.
+ * @param length
+ *     The length of the buffer.
+ *
+ * @return
+ *     True if the buffer contains an unencrypted key, false otherwise.
+ */
+static bool is_ssh_key_unencrypted(char* data, int length) {
+    if (length < sizeof(OPENSSH_V1_UNENCRYPTED_KEY) - 1) {
+        return false;
+    }
+    return !strncmp(data, OPENSSH_V1_UNENCRYPTED_KEY, sizeof(OPENSSH_V1_UNENCRYPTED_KEY) - 1);
+}
+
+/**
+ * A passphrase is needed if the key is an encrypted PKCS#1/PKCS#8 key OR if
+ * the key is both an OpenSSH v1 key AND there isn't a marker indicating the
+ * key is unprotected.
+ *
+ * @param data
+ *     The buffer to scan.
+ * @param length
+ *     The length of the buffer.
+ *
+ * @return
+ *     True if the buffer contains a key needing a passphrase, false otherwise.
+ */
+static bool is_passphrase_needed(char* data, int length) {
+    /* Is this an encrypted PKCS#1/PKCS#8 key? */
+    if (is_pkcs_encrypted_key(data, length)) {
+        return true;
+    }
+
+    /* Is this an OpenSSH v1 key? */
+    if (is_ssh_private_key(data, length)) {
+        /* This is safe due to the check in is_ssh_private_key. */
+        data += sizeof(OPENSSH_V1_KEY_HEADER) - 1;
+        length -= sizeof(OPENSSH_V1_KEY_HEADER) - 1;
+        /* If this is NOT unprotected, we need a passphrase. */
+        if (!is_ssh_key_unencrypted(data, length)) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+guac_common_ssh_key* guac_common_ssh_key_alloc(char* data, int length,
+        char* passphrase) {
+
+    /* Because libssh2 will do the actual key parsing (to let it deal with
+     * different key algorithms) we need to perform a heuristic here to check
+     * if a passphrase is needed. This could allow junk keys through that
+     * would never be able to auth. libssh2 should display errors to help
+     * admins track down malformed keys and delete or replace them.
+     */
+
+    if (is_passphrase_needed(data, length) && (passphrase == NULL || *passphrase == '\0'))
+        return NULL;
+
+    guac_common_ssh_key* key = malloc(sizeof(guac_common_ssh_key));
+
+    /* Copy private key to structure */
+    key->private_key_length = length;
+    key->private_key = malloc(length);
+    memcpy(key->private_key, data, length);
+    key->passphrase = strdup(passphrase);
+
+    return key;
+
+}
+
+const char* guac_common_ssh_key_error() {
+
+    /* Return static error string */
+    return ERR_reason_error_string(ERR_get_error());
+
+}
+
+void guac_common_ssh_key_free(guac_common_ssh_key* key) {
+
+    free(key->private_key);
+    free(key->passphrase);
+    free(key);
+}
+
+int guac_common_ssh_verify_host_key(LIBSSH2_SESSION* session, guac_client* client,
+        const char* host_key, const char* hostname, int port, const char* remote_hostkey,
+        const size_t remote_hostkey_len) {
+
+    LIBSSH2_KNOWNHOSTS* ssh_known_hosts = libssh2_knownhost_init(session);
+    int known_hosts = 0;
+
+    /* Add host key provided from settings */
+    if (host_key && strcmp(host_key, "") != 0) {
+
+        known_hosts = libssh2_knownhost_readline(ssh_known_hosts, host_key, strlen(host_key),
+                LIBSSH2_KNOWNHOST_FILE_OPENSSH);
+
+        /* readline function returns 0 on success, so we increment to indicate a valid entry */
+        if (known_hosts == 0)
+            known_hosts++;
+
+    }
+
+    /* Otherwise, we look for a ssh_known_hosts file within GUACAMOLE_HOME and read that in. */
+    else {
+
+        const char *guac_known_hosts = "/etc/guacamole/ssh_known_hosts";
+        if (access(guac_known_hosts, F_OK) != -1)
+            known_hosts = libssh2_knownhost_readfile(ssh_known_hosts, guac_known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
+
+    }
+
+    /* If there's an error provided, abort connection and return that. */
+    if (known_hosts < 0) {
+
+        char* errmsg;
+        int errval = libssh2_session_last_error(session, &errmsg, NULL, 0);
+        guac_client_log(client, GUAC_LOG_ERROR,
+            "Error %d trying to load SSH host keys: %s", errval, errmsg);
+
+        libssh2_knownhost_free(ssh_known_hosts);
+        return known_hosts;
+
+    }
+
+    /* No host keys were loaded, so we bail out checking and continue the connection. */
+    else if (known_hosts == 0) {
+        guac_client_log(client, GUAC_LOG_WARNING,
+            "No known host keys provided, host identity will not be verified.");
+        libssh2_knownhost_free(ssh_known_hosts);
+        return known_hosts;
+    }
+
+
+    /* Check remote host key against known hosts */
+    int kh_check = libssh2_knownhost_checkp(ssh_known_hosts, hostname, port,
+                                            remote_hostkey, remote_hostkey_len,
+                                            LIBSSH2_KNOWNHOST_TYPE_PLAIN|
+                                            LIBSSH2_KNOWNHOST_KEYENC_RAW,
+                                            NULL);
+
+    /* Deal with the return of the host key check */
+    switch (kh_check) {
+        case LIBSSH2_KNOWNHOST_CHECK_MATCH:
+            guac_client_log(client, GUAC_LOG_DEBUG,
+                "Host key match found for %s", hostname);
+            break;
+        case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND:
+            guac_client_log(client, GUAC_LOG_ERROR,
+                "Host key not found for %s.", hostname);
+            break;
+        case LIBSSH2_KNOWNHOST_CHECK_MISMATCH:
+            guac_client_log(client, GUAC_LOG_ERROR,
+                "Host key does not match known hosts entry for %s", hostname);
+            break;
+        case LIBSSH2_KNOWNHOST_CHECK_FAILURE:
+        default:
+            guac_client_log(client, GUAC_LOG_ERROR,
+                "Host %s could not be checked against known hosts.",
+                hostname);
+    }
+
+    /* Return the check value */
+    libssh2_knownhost_free(ssh_known_hosts);
+    return kh_check;
+
+}
--- a/src/common-ssh/guac_sftp.c
+++ b/src/common-ssh/guac_sftp.c
@ -17,13 +17,14 @@
 * under the License.
 */

-#include "guac_sftp.h"
-#include "guac_ssh.h"
+#include "common-ssh/sftp.h"
+#include "common-ssh/ssh.h"

 #include <guacamole/client.h>
 #include <guacamole/object.h>
 #include <guacamole/protocol.h>
 #include <guacamole/socket.h>
+#include <guacamole/string.h>
 #include <guacamole/user.h>
 #include <libssh2.h>

@ -32,6 +33,74 @@
 #include <stdlib.h>
 #include <string.h>

+int guac_common_ssh_sftp_normalize_path(char* fullpath,
+        const char* path) {
+
+    int path_depth = 0;
+    const char* path_components[GUAC_COMMON_SSH_SFTP_MAX_DEPTH];
+
+    /* If original path is not absolute, normalization fails */
+    if (path[0] != '\\' && path[0] != '/')
+        return 0;
+
+    /* Create scratch copy of path excluding leading slash (we will be
+     * replacing path separators with null terminators and referencing those
+     * substrings directly as path components) */
+    char path_scratch[GUAC_COMMON_SSH_SFTP_MAX_PATH - 1];
+    int length = guac_strlcpy(path_scratch, path + 1,
+            sizeof(path_scratch));
+
+    /* Fail if provided path is too long */
+    if (length >= sizeof(path_scratch))
+        return 0;
+
+    /* Locate all path components within path */
+    const char* current_path_component = &(path_scratch[0]);
+    for (int i = 0; i <= length; i++) {
+
+        /* If current character is a path separator, parse as component */
+        char c = path_scratch[i];
+        if (c == '/' || c == '\\' || c == '\0') {
+
+            /* Terminate current component */
+            path_scratch[i] = '\0';
+
+            /* If component refers to parent, just move up in depth */
+            if (strcmp(current_path_component, "..") == 0) {
+                if (path_depth > 0)
+                    path_depth--;
+            }
+
+            /* Otherwise, if component not current directory, add to list */
+            else if (strcmp(current_path_component, ".") != 0
+                    && strcmp(current_path_component, "") != 0) {
+
+                /* Fail normalization if path is too deep */
+                if (path_depth >= GUAC_COMMON_SSH_SFTP_MAX_DEPTH)
+                    return 0;
+
+                path_components[path_depth++] = current_path_component;
+
+            }
+
+            /* Update start of next component */
+            current_path_component = &(path_scratch[i+1]);
+
+        } /* end if separator */
+
+    } /* end for each character */
+
+    /* Add leading slash for resulting absolute path */
+    fullpath[0] = '/';
+
+    /* Append normalized components to path, separated by slashes */
+    guac_strljoin(fullpath + 1, path_components, path_depth,
+            "/", GUAC_COMMON_SSH_SFTP_MAX_PATH - 1);
+
+    return 1;
+
+}
+
 /**
 * Translates the last error message received by the SFTP layer of an SSH
 * session into a Guacamole protocol status code.
@ -124,7 +193,7 @@ static guac_protocol_status guac_sftp_get_status(
 static int guac_ssh_append_filename(char* fullpath, const char* path,
        const char* filename) {

-    int i;
+    int length;

    /* Disallow "." as a filename */
    if (strcmp(filename, ".") == 0)
@ -134,49 +203,80 @@ static int guac_ssh_append_filename(char* fullpath, const char* path,
    if (strcmp(filename, "..") == 0)
        return 0;

-    /* Copy path, append trailing slash */
-    for (i=0; i<GUAC_COMMON_SSH_SFTP_MAX_PATH; i++) {
-
-        /*
-         * Append trailing slash only if:
-         *  1) Trailing slash is not already present
-         *  2) Path is non-empty
-         */
-
-        char c = path[i];
-        if (c == '\0') {
-            if (i > 0 && path[i-1] != '/')
-                fullpath[i++] = '/';
-            break;
-        }
-
-        /* Copy character if not end of string */
-        fullpath[i] = c;
-
-    }
-
-    /* Append filename */
-    for (; i<GUAC_COMMON_SSH_SFTP_MAX_PATH; i++) {
-
-        char c = *(filename++);
-        if (c == '\0')
-            break;
-
-        /* Filenames may not contain slashes */
-        if (c == '\\' || c == '/')
-            return 0;
-
-        /* Append each character within filename */
-        fullpath[i] = c;
-
-    }
-
-    /* Verify path length is within maximum */
-    if (i == GUAC_COMMON_SSH_SFTP_MAX_PATH)
+    /* Filenames may not contain slashes */
+    if (strchr(filename, '/') != NULL)
        return 0;

-    /* Terminate path string */
-    fullpath[i] = '\0';
+    /* Copy base path */
+    length = guac_strlcpy(fullpath, path, GUAC_COMMON_SSH_SFTP_MAX_PATH);
+
+    /*
+     * Append trailing slash only if:
+     *  1) Trailing slash is not already present
+     *  2) Path is non-empty
+     */
+    if (length > 0 && fullpath[length - 1] != '/')
+        length += guac_strlcpy(fullpath + length, "/",
+                GUAC_COMMON_SSH_SFTP_MAX_PATH - length);
+
+    /* Append filename */
+    length += guac_strlcpy(fullpath + length, filename,
+            GUAC_COMMON_SSH_SFTP_MAX_PATH - length);
+
+    /* Verify path length is within maximum */
+    if (length >= GUAC_COMMON_SSH_SFTP_MAX_PATH)
+        return 0;
+
+    /* Append was successful */
+    return 1;
+
+}
+
+/**
+ * Concatenates the given paths, separating the two with a single forward
+ * slash. The full result must be no more than GUAC_COMMON_SSH_SFTP_MAX_PATH
+ * bytes long, counting null terminator.
+ *
+ * @param fullpath
+ *     The buffer to store the result within. This buffer must be at least
+ *     GUAC_COMMON_SSH_SFTP_MAX_PATH bytes long.
+ *
+ * @param path_a
+ *     The path to place at the beginning of the resulting path.
+ *
+ * @param path_b
+ *     The path to append after path_a within the resulting path.
+ *
+ * @return
+ *     Non-zero if the paths were successfully concatenated together, zero
+ *     otherwise.
+ */
+static int guac_ssh_append_path(char* fullpath, const char* path_a,
+        const char* path_b) {
+
+    int length;
+
+    /* Copy first half of path */
+    length = guac_strlcpy(fullpath, path_a, GUAC_COMMON_SSH_SFTP_MAX_PATH);
+    if (length >= GUAC_COMMON_SSH_SFTP_MAX_PATH)
+        return 0;
+
+    /* Ensure path ends with trailing slash */
+    if (length == 0 || fullpath[length - 1] != '/')
+        length += guac_strlcpy(fullpath + length, "/",
+                GUAC_COMMON_SSH_SFTP_MAX_PATH - length);
+
+    /* Skip past leading slashes in second path */
+    while (*path_b == '/')
+       path_b++;
+
+    /* Append final half of path */
+    length += guac_strlcpy(fullpath + length, path_b,
+            GUAC_COMMON_SSH_SFTP_MAX_PATH - length);
+
+    /* Verify path length is within maximum */
+    if (length >= GUAC_COMMON_SSH_SFTP_MAX_PATH)
+        return 0;

    /* Append was successful */
    return 1;
@ -276,6 +376,18 @@ int guac_common_ssh_sftp_handle_file_stream(
    char fullpath[GUAC_COMMON_SSH_SFTP_MAX_PATH];
    LIBSSH2_SFTP_HANDLE* file;

+    /* Ignore upload if uploads have been disabled */
+    if (filesystem->disable_upload) {
+        guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "
+                "been blocked due to uploads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        guac_protocol_send_ack(user->socket, stream, "SFTP: Upload disabled",
+                GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+        guac_socket_flush(user->socket);
+        return 0;
+    }
+
    /* Concatenate filename with path */
    if (!guac_ssh_append_filename(fullpath, filesystem->upload_path,
                filename)) {
@ -329,7 +441,7 @@ int guac_common_ssh_sftp_handle_file_stream(

 /**
 * Handler for ack messages which continue an outbound SFTP data transfer
- * (download), signalling the current status and requesting additional data.
+ * (download), signaling the current status and requesting additional data.
 * The data associated with the given stream is expected to be a pointer to an
 * open LIBSSH2_SFTP_HANDLE for the file from which the data is to be read.
 *
@ -373,18 +485,29 @@ static int guac_common_ssh_sftp_ack_handler(guac_user* user,

        }

-        /* If EOF, send end */
-        else if (bytes_read == 0) {
-            guac_user_log(user, GUAC_LOG_DEBUG, "File sent");
-            guac_protocol_send_end(user->socket, stream);
-            guac_user_free_stream(user, stream);
-        }
-
-        /* Otherwise, fail stream */
+        /* If bytes could not be read, handle EOF or error condition */
        else {
-            guac_user_log(user, GUAC_LOG_INFO, "Error reading file");
-            guac_protocol_send_end(user->socket, stream);
-            guac_user_free_stream(user, stream);
+
+            /* If EOF, send end */
+            if (bytes_read == 0) {
+                guac_user_log(user, GUAC_LOG_DEBUG, "File sent");
+                guac_protocol_send_end(user->socket, stream);
+                guac_user_free_stream(user, stream);
+            }
+
+            /* Otherwise, fail stream */
+            else {
+                guac_user_log(user, GUAC_LOG_INFO, "Error reading file");
+                guac_protocol_send_end(user->socket, stream);
+                guac_user_free_stream(user, stream);
+            }
+
+            /* Close file */
+            if (libssh2_sftp_close(file) == 0)
+                guac_user_log(user, GUAC_LOG_DEBUG, "File closed");
+            else
+                guac_user_log(user, GUAC_LOG_INFO, "Unable to close file");
+
        }

        guac_socket_flush(user->socket);
@ -405,6 +528,15 @@ guac_stream* guac_common_ssh_sftp_download_file(
    guac_stream* stream;
    LIBSSH2_SFTP_HANDLE* file;

+    /* Ignore download if downloads have been disabled */
+    if (filesystem->disable_download) {
+        guac_user_log(user, GUAC_LOG_WARNING, "A download attempt has "
+                "been blocked due to downloads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        return NULL;
+    }
+
    /* Attempt to open file for reading */
    file = libssh2_sftp_open(filesystem->sftp_session, filename,
            LIBSSH2_FXF_READ, 0);
@ -475,7 +607,6 @@ static int guac_common_ssh_sftp_ls_ack_handler(guac_user* user,
        guac_stream* stream, char* message, guac_protocol_status status) {

    int bytes_read;
-    int blob_written = 0;

    char filename[GUAC_COMMON_SSH_SFTP_MAX_PATH];
    LIBSSH2_SFTP_ATTRIBUTES attributes;
@ -497,8 +628,7 @@ static int guac_common_ssh_sftp_ls_ack_handler(guac_user* user,

    /* While directory entries remain */
    while ((bytes_read = libssh2_sftp_readdir(list_state->directory,
-                filename, sizeof(filename), &attributes)) > 0
-            && !blob_written) {
+                filename, sizeof(filename), &attributes)) > 0) {

        char absolute_path[GUAC_COMMON_SSH_SFTP_MAX_PATH];

@ -528,9 +658,10 @@ static int guac_common_ssh_sftp_ls_ack_handler(guac_user* user,
        else
            mimetype = "application/octet-stream";

-        /* Write entry */
-        blob_written |= guac_common_json_write_property(user, stream,
-                &list_state->json_state, absolute_path, mimetype);
+        /* Write entry, waiting for next ack if a blob is written */
+        if (guac_common_json_write_property(user, stream,
+                    &list_state->json_state, absolute_path, mimetype))
+            break;

    }

@ -556,6 +687,38 @@ static int guac_common_ssh_sftp_ls_ack_handler(guac_user* user,

 }

+/**
+ * Translates a stream name for the given SFTP filesystem object into the
+ * absolute path corresponding to the actual file it represents.
+ *
+ * @param fullpath
+ *     The buffer to populate with the translated path. This buffer MUST be at
+ *     least GUAC_COMMON_SSH_SFTP_MAX_PATH bytes in size.
+ *
+ * @param object
+ *     The Guacamole protocol object associated with the SFTP filesystem.
+ *
+ * @param name
+ *     The name of the stream (file) to translate into an absolute path.
+ *
+ * @return
+ *     Non-zero if translation succeeded, zero otherwise.
+ */
+static int guac_common_ssh_sftp_translate_name(char* fullpath,
+        guac_object* object, char* name) {
+
+    char normalized_name[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    guac_common_ssh_sftp_filesystem* filesystem =
+        (guac_common_ssh_sftp_filesystem*) object->data;
+
+    /* Normalize stream name into a path, and append to the root path */
+    return guac_common_ssh_sftp_normalize_path(normalized_name, name)
+        && guac_ssh_append_path(fullpath, filesystem->root_path,
+                normalized_name);
+
+}
+
 /**
 * Handler for get messages. In context of SFTP and the filesystem exposed via
 * the Guacamole protocol, get messages request the body of a file within the
@ -576,16 +739,25 @@ static int guac_common_ssh_sftp_ls_ack_handler(guac_user* user,
 static int guac_common_ssh_sftp_get_handler(guac_user* user,
        guac_object* object, char* name) {

+    char fullpath[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
    guac_common_ssh_sftp_filesystem* filesystem =
        (guac_common_ssh_sftp_filesystem*) object->data;

    LIBSSH2_SFTP* sftp = filesystem->sftp_session;
    LIBSSH2_SFTP_ATTRIBUTES attributes;

+    /* Translate stream name into filesystem path */
+    if (!guac_common_ssh_sftp_translate_name(fullpath, object, name)) {
+        guac_user_log(user, GUAC_LOG_INFO, "Unable to generate real path "
+                "for stream \"%s\"", name);
+        return 0;
+    }
+
    /* Attempt to read file information */
-    if (libssh2_sftp_stat(sftp, name, &attributes)) {
+    if (libssh2_sftp_stat(sftp, fullpath, &attributes)) {
        guac_user_log(user, GUAC_LOG_INFO, "Unable to read file \"%s\"",
-                name);
+                fullpath);
        return 0;
    }

@ -593,10 +765,10 @@ static int guac_common_ssh_sftp_get_handler(guac_user* user,
    if (LIBSSH2_SFTP_S_ISDIR(attributes.permissions)) {

        /* Open as directory */
-        LIBSSH2_SFTP_HANDLE* dir = libssh2_sftp_opendir(sftp, name);
+        LIBSSH2_SFTP_HANDLE* dir = libssh2_sftp_opendir(sftp, fullpath);
        if (dir == NULL) {
            guac_user_log(user, GUAC_LOG_INFO,
-                    "Unable to read directory \"%s\"", name);
+                    "Unable to read directory \"%s\"", fullpath);
            return 0;
        }

@ -606,8 +778,17 @@ static int guac_common_ssh_sftp_get_handler(guac_user* user,

        list_state->directory = dir;
        list_state->filesystem = filesystem;
-        strncpy(list_state->directory_name, name,
-                sizeof(list_state->directory_name) - 1);
+
+        int length = guac_strlcpy(list_state->directory_name, name,
+                sizeof(list_state->directory_name));
+
+        /* Bail out if directory name is too long to store */
+        if (length >= sizeof(list_state->directory_name)) {
+            guac_user_log(user, GUAC_LOG_INFO, "Unable to read directory "
+                    "\"%s\": Path too long", fullpath);
+            free(list_state);
+            return 0;
+        }

        /* Allocate stream for body */
        guac_stream* stream = guac_user_alloc_stream(user);
@ -626,12 +807,20 @@ static int guac_common_ssh_sftp_get_handler(guac_user* user,
    /* Otherwise, send file contents */
    else {

+        /* If downloads are disabled, log and return. */
+        if (filesystem->disable_download) {
+            guac_user_log(user, GUAC_LOG_INFO,
+                    "Unable to download file \"%s\", "
+                    "file downloads have been disabled.", fullpath);
+            return 0;
+        }
+        
        /* Open as normal file */
-        LIBSSH2_SFTP_HANDLE* file = libssh2_sftp_open(sftp, name,
+        LIBSSH2_SFTP_HANDLE* file = libssh2_sftp_open(sftp, fullpath,
            LIBSSH2_FXF_READ, 0);
        if (file == NULL) {
            guac_user_log(user, GUAC_LOG_INFO,
-                    "Unable to read file \"%s\"", name);
+                    "Unable to read file \"%s\"", fullpath);
            return 0;
        }

@ -677,19 +866,40 @@ static int guac_common_ssh_sftp_get_handler(guac_user* user,
 static int guac_common_ssh_sftp_put_handler(guac_user* user,
        guac_object* object, guac_stream* stream, char* mimetype, char* name) {

+    char fullpath[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
    guac_common_ssh_sftp_filesystem* filesystem =
        (guac_common_ssh_sftp_filesystem*) object->data;

+    /* Ignore upload if uploads have been disabled */
+    if (filesystem->disable_upload) {
+        guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "
+                "been blocked due to uploads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        guac_protocol_send_ack(user->socket, stream, "SFTP: Upload disabled",
+                GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+        guac_socket_flush(user->socket);
+        return 0;
+    }
+
    LIBSSH2_SFTP* sftp = filesystem->sftp_session;

+    /* Translate stream name into filesystem path */
+    if (!guac_common_ssh_sftp_translate_name(fullpath, object, name)) {
+        guac_user_log(user, GUAC_LOG_INFO, "Unable to generate real path "
+                "for stream \"%s\"", name);
+        return 0;
+    }
+
    /* Open file via SFTP */
-    LIBSSH2_SFTP_HANDLE* file = libssh2_sftp_open(sftp, name,
+    LIBSSH2_SFTP_HANDLE* file = libssh2_sftp_open(sftp, fullpath,
            LIBSSH2_FXF_WRITE | LIBSSH2_FXF_CREAT | LIBSSH2_FXF_TRUNC,
            S_IRUSR | S_IWUSR);

    /* Acknowledge stream if successful */
    if (file != NULL) {
-        guac_user_log(user, GUAC_LOG_DEBUG, "File \"%s\" opened", name);
+        guac_user_log(user, GUAC_LOG_DEBUG, "File \"%s\" opened", fullpath);
        guac_protocol_send_ack(user->socket, stream, "SFTP: File opened",
                GUAC_PROTOCOL_STATUS_SUCCESS);
    }
@ -697,7 +907,7 @@ static int guac_common_ssh_sftp_put_handler(guac_user* user,
    /* Abort on failure */
    else {
        guac_user_log(user, GUAC_LOG_INFO,
-                "Unable to open file \"%s\"", name);
+                "Unable to open file \"%s\"", fullpath);
        guac_protocol_send_ack(user->socket, stream, "SFTP: Open failed",
                guac_sftp_get_status(filesystem));
    }
@ -733,7 +943,11 @@ guac_object* guac_common_ssh_alloc_sftp_filesystem_object(
    /* Init filesystem */
    guac_object* fs_object = guac_user_alloc_object(user);
    fs_object->get_handler = guac_common_ssh_sftp_get_handler;
-    fs_object->put_handler = guac_common_ssh_sftp_put_handler;
+    
+    /* Only handle uploads if not disabled. */
+    if (!filesystem->disable_upload)
+        fs_object->put_handler = guac_common_ssh_sftp_put_handler;
+    
    fs_object->data = filesystem;

    /* Send filesystem to user */
@ -745,7 +959,8 @@ guac_object* guac_common_ssh_alloc_sftp_filesystem_object(
 }

 guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem(
-        guac_common_ssh_session* session, const char* name) {
+        guac_common_ssh_session* session, const char* root_path,
+        const char* name, int disable_download, int disable_upload) {

    /* Request SFTP */
    LIBSSH2_SFTP* sftp_session = libssh2_sftp_init(session->session);
@ -757,9 +972,27 @@ guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem(
        malloc(sizeof(guac_common_ssh_sftp_filesystem));

    /* Associate SSH session with SFTP data and user */
-    filesystem->name = strdup(name);
    filesystem->ssh_session = session;
    filesystem->sftp_session = sftp_session;
+    
+    /* Copy over disable flags */
+    filesystem->disable_download = disable_download;
+    filesystem->disable_upload = disable_upload;
+
+    /* Normalize and store the provided root path */
+    if (!guac_common_ssh_sftp_normalize_path(filesystem->root_path,
+                root_path)) {
+        guac_client_log(session->client, GUAC_LOG_WARNING, "Cannot create "
+                "SFTP filesystem - \"%s\" is not a valid path.", root_path);
+        free(filesystem);
+        return NULL;
+    }
+
+    /* Generate filesystem name from root path if no name is provided */
+    if (name != NULL)
+        filesystem->name = strdup(name);
+    else
+        filesystem->name = strdup(filesystem->root_path);

    /* Initially upload files to current directory */
    strcpy(filesystem->upload_path, ".");
--- a/src/common-ssh/guac_ssh.c
+++ b/src/common-ssh/guac_ssh.c
@ -17,11 +17,12 @@
 * under the License.
 */

-#include "guac_ssh.h"
-#include "guac_ssh_key.h"
-#include "guac_ssh_user.h"
+#include "common-ssh/key.h"
+#include "common-ssh/ssh.h"
+#include "common-ssh/user.h"

 #include <guacamole/client.h>
+#include <guacamole/fips.h>
 #include <libssh2.h>

 #ifdef LIBSSH2_USES_GCRYPT
@ -35,6 +36,7 @@
 #include <netdb.h>
 #include <netinet/in.h>
 #include <pthread.h>
+#include <pwd.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <string.h>
@ -45,6 +47,21 @@
 GCRY_THREAD_OPTION_PTHREAD_IMPL;
 #endif

+/**
+ * A list of all key exchange algorithms that are both FIPS-compliant, and
+ * OpenSSL-supported. Note that "ext-info-c" is also included. While not a key
+ * exchange algorithm per se, it must be in the list to ensure that the server
+ * will send a SSH_MSG_EXT_INFO response, which is required to perform RSA key
+ * upgrades.
+ */
+#define FIPS_COMPLIANT_KEX_ALGORITHMS "diffie-hellman-group-exchange-sha256,ext-info-c"
+
+/**
+ * A list of ciphers that are both FIPS-compliant, and OpenSSL-supported.
+ */
+#define FIPS_COMPLIANT_CIPHERS "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc"
+
+#ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS
 /**
 * Array of mutexes, used by OpenSSL.
 */
@ -133,26 +150,41 @@ static void guac_common_ssh_openssl_free_locks(int count) {
    free(guac_common_ssh_openssl_locks);

 }
+#endif

 int guac_common_ssh_init(guac_client* client) {

 #ifdef LIBSSH2_USES_GCRYPT
-    /* Init threadsafety in libgcrypt */
-    gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-    if (!gcry_check_version(GCRYPT_VERSION)) {
-        guac_client_log(client, GUAC_LOG_ERROR, "libgcrypt version mismatch.");
-        return 1;
+    
+    if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) {
+    
+        /* Init threadsafety in libgcrypt */
+        gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+        
+        /* Initialize GCrypt */
+        if (!gcry_check_version(GCRYPT_VERSION)) {
+            guac_client_log(client, GUAC_LOG_ERROR, "libgcrypt version mismatch.");
+            return 1;
+        }
+
+        /* Mark initialization as completed. */
+        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+    
    }
 #endif

+#ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS
    /* Init threadsafety in OpenSSL */
    guac_common_ssh_openssl_init_locks(CRYPTO_num_locks());
    CRYPTO_set_id_callback(guac_common_ssh_openssl_id_callback);
    CRYPTO_set_locking_callback(guac_common_ssh_openssl_locking_callback);
+#endif

-    /* Init OpenSSL */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    /* Init OpenSSL - only required for OpenSSL Versions < 1.1.0 */
    SSL_library_init();
    ERR_load_crypto_strings();
+#endif

    /* Init libssh2 */
    libssh2_init(0);
@ -163,56 +195,9 @@ int guac_common_ssh_init(guac_client* client) {
 }

 void guac_common_ssh_uninit() {
+#ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS
    guac_common_ssh_openssl_free_locks(CRYPTO_num_locks());
-}
-
-/**
- * Callback invoked by libssh2 when libssh2_userauth_publickkey() is invoked.
- * This callback must sign the given data, returning the signature as newly-
- * allocated buffer space.
- *
- * @param session
- *     The SSH session for which the signature is being generated.
- *
- * @param sig
- *     A pointer to the buffer space containing the signature. This callback
- *     MUST allocate and assign this space.
- *
- * @param sig_len
- *     The length of the signature within the allocated buffer space, in bytes.
- *     This value must be set to the size of the signature after the signing
- *     operation completes.
- *
- * @param data
- *     The arbitrary data that must be signed.
- *
- * @param data_len
- *     The length of the arbitrary data to be signed, in bytes.
- *
- * @param abstract
- *     The value of the abstract parameter provided with the corresponding call
- *     to libssh2_userauth_publickey().
- *
- * @return
- *     Zero on success, non-zero if the signing operation failed.
- */
-static int guac_common_ssh_sign_callback(LIBSSH2_SESSION* session,
-        unsigned char** sig, size_t* sig_len,
-        const unsigned char* data, size_t data_len, void **abstract) {
-
-    guac_common_ssh_key* key = (guac_common_ssh_key*) abstract;
-    int length;
-
-    /* Allocate space for signature */
-    *sig = malloc(4096);
-
-    /* Sign with key */
-    length = guac_common_ssh_key_sign(key, (const char*) data, data_len, *sig);
-    if (length < 0)
-        return 1;
-
-    *sig_len = length;
-    return 0;
+#endif
 }

 /**
@ -297,20 +282,27 @@ static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session)
    LIBSSH2_SESSION* session = common_session->session;

    /* Get user credentials */
-    char* username = user->username;
-    char* password = user->password;
    guac_common_ssh_key* key = user->private_key;

    /* Validate username provided */
-    if (username == NULL) {
+    if (user->username == NULL) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
                "SSH authentication requires a username.");
        return 1;
    }

    /* Get list of supported authentication methods */
-    char* user_authlist = libssh2_userauth_list(session, username,
-            strlen(username));
+    size_t username_len = strlen(user->username);
+    char* user_authlist = libssh2_userauth_list(session, user->username,
+            username_len);
+
+    /* If auth list is NULL, then authentication has succeeded with NONE */
+    if (user_authlist == NULL) {
+        guac_client_log(client, GUAC_LOG_DEBUG,
+            "SSH NONE authentication succeeded.");
+        return 0;
+    }
+
    guac_client_log(client, GUAC_LOG_DEBUG,
            "Supported authentication methods: %s", user_authlist);

@ -326,9 +318,9 @@ static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session)
        }

        /* Attempt public key auth */
-        if (libssh2_userauth_publickey(session, username,
-                    (unsigned char*) key->public_key, key->public_key_length,
-                    guac_common_ssh_sign_callback, (void**) key)) {
+        if (libssh2_userauth_publickey_frommemory(session, user->username,
+                    username_len, NULL, 0, key->private_key,
+                    key->private_key_length, key->passphrase)) {

            /* Abort on failure */
            char* error_message;
@ -345,14 +337,18 @@ static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session)

    }

+    /* Attempt authentication with username + password. */
+    if (user->password == NULL && common_session->credential_handler)
+            user->password = common_session->credential_handler(client, "Password: ");
+    
    /* Authenticate with password, if provided */
-    else if (password != NULL) {
+    if (user->password != NULL) {

        /* Check if password auth is supported on the server */
        if (strstr(user_authlist, "password") != NULL) {

            /* Attempt password authentication */
-            if (libssh2_userauth_password(session, username, password)) {
+            if (libssh2_userauth_password(session, user->username, user->password)) {

                /* Abort on failure */
                char* error_message;
@ -373,7 +369,7 @@ static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session)
        if (strstr(user_authlist, "keyboard-interactive") != NULL) {

            /* Attempt keyboard-interactive auth using provided password */
-            if (libssh2_userauth_keyboard_interactive(session, username,
+            if (libssh2_userauth_keyboard_interactive(session, user->username,
                        &guac_common_ssh_kbd_callback)) {

                /* Abort on failure */
@ -408,7 +404,9 @@ static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session)
 }

 guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
-        const char* hostname, const char* port, guac_common_ssh_user* user) {
+        const char* hostname, const char* port, guac_common_ssh_user* user,
+        int keepalive, const char* host_key,
+        guac_ssh_credential_handler* credential_handler) {

    int retval;

@ -425,20 +423,11 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
        .ai_protocol = IPPROTO_TCP
    };

-    /* Get socket */
-    fd = socket(AF_INET, SOCK_STREAM, 0);
-    if (fd < 0) {
-        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
-                "Unable to create socket: %s", strerror(errno));
-        return NULL;
-    }
-
    /* Get addresses connection */
    if ((retval = getaddrinfo(hostname, port, &hints, &addresses))) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Error parsing given address or port: %s",
                gai_strerror(retval));
-        close(fd);
        return NULL;
    }

@ -455,6 +444,15 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
            guac_client_log(client, GUAC_LOG_DEBUG,
                    "Unable to resolve host: %s", gai_strerror(retval));

+        /* Get socket */
+        fd = socket(current_address->ai_family, SOCK_STREAM, 0);
+        if (fd < 0) {
+            guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
+                    "Unable to create socket: %s", strerror(errno));
+            freeaddrinfo(addresses);
+            return NULL;
+        }
+
        /* Connect */
        if (connect(fd, current_address->ai_addr,
                        current_address->ai_addrlen) == 0) {
@ -469,11 +467,11 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
        }

        /* Otherwise log information regarding bind failure */
-        else
-            guac_client_log(client, GUAC_LOG_DEBUG, "Unable to connect to "
-                    "host %s, port %s: %s",
-                    connected_address, connected_port, strerror(errno));
+        guac_client_log(client, GUAC_LOG_DEBUG, "Unable to connect to "
+                "host %s, port %s: %s",
+                connected_address, connected_port, strerror(errno));

+        close(fd);
        current_address = current_address->ai_next;

    }
@ -483,9 +481,8 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,

    /* If unable to connect to anything, fail */
    if (current_address == NULL) {
-        guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR,
+        guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_NOT_FOUND,
                "Unable to connect to any addresses.");
-        close(fd);
        return NULL;
    }

@ -504,6 +501,17 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
        return NULL;
    }

+    /*
+     * If FIPS mode is enabled, prefer only FIPS-compatible algorithms and
+     * ciphers that are also supported by libssh2. For more info, see:
+     * https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2906.pdf
+     */
+    if (guac_fips_enabled()) {
+        libssh2_session_method_pref(session, LIBSSH2_METHOD_KEX, FIPS_COMPLIANT_KEX_ALGORITHMS);
+        libssh2_session_method_pref(session, LIBSSH2_METHOD_CRYPT_CS, FIPS_COMPLIANT_CIPHERS);
+        libssh2_session_method_pref(session, LIBSSH2_METHOD_CRYPT_SC, FIPS_COMPLIANT_CIPHERS);
+    }
+
    /* Perform handshake */
    if (libssh2_session_handshake(session, fd)) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR,
@ -513,11 +521,48 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
        return NULL;
    }

+    /* Get host key of remote system we're connecting to */
+    size_t remote_hostkey_len;
+    const char *remote_hostkey = libssh2_session_hostkey(session, &remote_hostkey_len, NULL);
+
+    /* Failure to retrieve a host key means we should abort */
+    if (!remote_hostkey) {
+        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
+            "Failed to get host key for %s", hostname);
+        free(common_session);
+        close(fd);
+        return NULL;
+    }
+
+    /* SSH known host key checking. */
+    int known_host_check = guac_common_ssh_verify_host_key(session, client, host_key,
+                                                           hostname, atoi(port), remote_hostkey,
+                                                           remote_hostkey_len);
+
+    /* Abort on any error codes */
+    if (known_host_check != 0) {
+        char* err_msg;
+        libssh2_session_last_error(session, &err_msg, NULL, 0);
+
+        if (known_host_check < 0)
+            guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
+                "Error occurred attempting to check host key: %s", err_msg);
+
+        if (known_host_check > 0)
+            guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
+                "Host key did not match any provided known host keys. %s", err_msg);
+
+        free(common_session);
+        close(fd);
+        return NULL;
+    }
+
    /* Store basic session data */
    common_session->client = client;
    common_session->user = user;
    common_session->session = session;
    common_session->fd = fd;
+    common_session->credential_handler = credential_handler;

    /* Attempt authentication */
    if (guac_common_ssh_authenticate(common_session)) {
@ -526,6 +571,20 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
        return NULL;
    }

+    /* Warn if keepalive below minimum value */
+    if (keepalive < 0) {
+        keepalive = 0;
+        guac_client_log(client, GUAC_LOG_WARNING, "negative keepalive intervals "
+            "are converted to 0, disabling keepalive.");
+    }
+    else if (keepalive == 1) {
+        guac_client_log(client, GUAC_LOG_WARNING, "keepalive interval will "
+            "be rounded up to minimum value of 2.");
+    }
+
+    /* Configure session keepalive */
+    libssh2_keepalive_config(common_session->session, 1, keepalive);
+
    /* Return created session */
    return common_session;

@ -541,4 +600,3 @@ void guac_common_ssh_destroy_session(guac_common_ssh_session* session) {
    free(session);

 }
-
--- a/src/common-ssh/tests/Makefile.am
+++ b/src/common-ssh/tests/Makefile.am
@ -0,0 +1,67 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# NOTE: Parts of this file (Makefile.am) are automatically transcluded verbatim
+# into Makefile.in. Though the build system (GNU Autotools) automatically adds
+# its own license boilerplate to the generated Makefile.in, that boilerplate
+# does not apply to the transcluded portions of Makefile.am which are licensed
+# to you by the ASF under the Apache License, Version 2.0, as described above.
+#
+
+AUTOMAKE_OPTIONS = foreign 
+ACLOCAL_AMFLAGS = -I m4
+
+#
+# Unit tests for common SSH support
+#
+
+check_PROGRAMS = test_common_ssh
+TESTS = $(check_PROGRAMS)
+
+test_common_ssh_SOURCES = \
+    sftp/normalize_path.c
+
+test_common_ssh_CFLAGS =    \
+    -Werror -Wall -pedantic \
+    @COMMON_INCLUDE@        \
+    @COMMON_SSH_INCLUDE@    \
+    @LIBGUAC_INCLUDE@
+
+test_common_ssh_LDADD = \
+    @CUNIT_LIBS@        \
+    @COMMON_SSH_LTLIB@  \
+    @COMMON_LTLIB@
+
+#
+# Autogenerate test runner
+#
+
+GEN_RUNNER = $(top_srcdir)/util/generate-test-runner.pl
+CLEANFILES = _generated_runner.c
+
+_generated_runner.c: $(test_common_ssh_SOURCES)
+	$(AM_V_GEN) $(GEN_RUNNER) $(test_common_ssh_SOURCES) > $@
+
+nodist_test_common_ssh_SOURCES = \
+    _generated_runner.c
+
+# Use automake's TAP test driver for running any tests
+LOG_DRIVER =                \
+    env AM_TAP_AWK='$(AWK)' \
+    $(SHELL) $(top_srcdir)/build-aux/tap-driver.sh
+
--- a/src/common-ssh/tests/sftp/normalize_path.c
+++ b/src/common-ssh/tests/sftp/normalize_path.c
@ -0,0 +1,263 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common-ssh/sftp.h"
+
+#include <CUnit/CUnit.h>
+#include <stdlib.h>
+
+/**
+ * Test which verifies absolute Windows-style paths are correctly normalized to
+ * absolute paths with UNIX separators and no relative components.
+ */
+void test_sftp__normalize_absolute_windows() {
+
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo\\bar\\baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/bar/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo\\bar\\..\\baz\\"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo\\bar\\..\\..\\baz\\a\\..\\b"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/baz/b", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo\\.\\bar\\baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/bar/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo\\bar\\..\\..\\..\\..\\..\\..\\baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/baz", sizeof(normalized));
+
+}
+
+/**
+ * Test which verifies absolute UNIX-style paths are correctly normalized to
+ * absolute paths with UNIX separators and no relative components.
+ */
+void test_sftp__normalize_absolute_unix() {
+
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/foo/bar/baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/bar/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/foo/bar/../baz/"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/foo/bar/../../baz/a/../b"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/baz/b", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/foo/./bar/baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/bar/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/foo/bar/../../../../../../baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/baz", sizeof(normalized));
+
+}
+
+/**
+ * Test which verifies absolute paths consisting of mixed Windows and UNIX path
+ * separators are correctly normalized to absolute paths with UNIX separators
+ * and no relative components.
+ */
+void test_sftp__normalize_absolute_mixed() {
+
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo/bar\\baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/bar/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "/foo\\bar/..\\baz/"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo/bar\\../../baz\\a\\..\\b"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/baz/b", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo\\.\\bar/baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/foo/bar/baz", sizeof(normalized));
+
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "\\foo/bar\\../..\\..\\..\\../..\\baz"), 0);
+    CU_ASSERT_NSTRING_EQUAL(normalized, "/baz", sizeof(normalized));
+
+}
+
+/**
+ * Test which verifies relative Windows-style paths are always rejected.
+ */
+void test_sftp__normalize_relative_windows() {
+
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ""), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "."), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ".."), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "foo"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ".\\foo"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "..\\foo"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "foo\\bar\\baz"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ".\\foo\\bar\\baz"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "..\\foo\\bar\\baz"), 0);
+
+}
+
+/**
+ * Test which verifies relative UNIX-style paths are always rejected.
+ */
+void test_sftp__normalize_relative_unix() {
+
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ""), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "."), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ".."), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "foo"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "./foo"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "../foo"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "foo/bar/baz"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "./foo/bar/baz"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "../foo/bar/baz"), 0);
+
+}
+
+/**
+ * Test which verifies relative paths consisting of mixed Windows and UNIX path
+ * separators are always rejected.
+ */
+void test_sftp__normalize_relative_mixed() {
+
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "foo\\bar/baz"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, ".\\foo/bar/baz"), 0);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, "../foo\\bar\\baz"), 0);
+
+}
+
+/**
+ * Generates a dynamically-allocated path having the given number of bytes, not
+ * counting the null-terminator. The path will contain only UNIX-style path
+ * separators. The returned path must eventually be freed with a call to
+ * free().
+ *
+ * @param length
+ *     The number of bytes to include in the generated path, not counting the
+ *     null-terminator. If -1, the length of the path will be automatically
+ *     determined from the provided max_depth.
+ *
+ * @param max_depth
+ *     The maximum number of path components to include within the generated
+ *     path.
+ *
+ * @return
+ *     A dynamically-allocated path containing the given number of bytes, not
+ *     counting the null-terminator. This path must eventually be freed with a
+ *     call to free().
+ */
+static char* generate_path(int length, int max_depth) {
+
+    /* If no length given, calculate space required from max_depth */
+    if (length == -1)
+        length = max_depth * 2;
+
+    int i;
+    char* input = malloc(length + 1);
+
+    /* Fill path with /x/x/x/x/x/x/x/x/x/x/.../xxxxxxxxx... */
+    for (i = 0; i < length; i++) {
+        if (max_depth > 0 && i % 2 == 0) {
+            input[i] = '/';
+            max_depth--;
+        }
+        else
+            input[i] = 'x';
+    }
+
+    /* Add null terminator */
+    input[length] = '\0';
+
+    return input;
+
+}
+
+/**
+ * Test which verifies that paths exceeding the maximum path length are
+ * rejected.
+ */
+void test_sftp__normalize_long() {
+
+    char* input;
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    /* Exceeds maximum length by a factor of 2 */
+    input = generate_path(GUAC_COMMON_SSH_SFTP_MAX_PATH * 2, GUAC_COMMON_SSH_SFTP_MAX_DEPTH);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+    /* Exceeds maximum length by one byte */
+    input = generate_path(GUAC_COMMON_SSH_SFTP_MAX_PATH, GUAC_COMMON_SSH_SFTP_MAX_DEPTH);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+    /* Exactly maximum length */
+    input = generate_path(GUAC_COMMON_SSH_SFTP_MAX_PATH - 1, GUAC_COMMON_SSH_SFTP_MAX_DEPTH);
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+}
+
+/**
+ * Test which verifies that paths exceeding the maximum path depth are
+ * rejected.
+ */
+void test_sftp__normalize_deep() {
+
+    char* input;
+    char normalized[GUAC_COMMON_SSH_SFTP_MAX_PATH];
+
+    /* Exceeds maximum depth by a factor of 2 */
+    input = generate_path(-1, GUAC_COMMON_SSH_SFTP_MAX_DEPTH * 2);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+    /* Exceeds maximum depth by one component */
+    input = generate_path(-1, GUAC_COMMON_SSH_SFTP_MAX_DEPTH + 1);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+    /* Exactly maximum depth (should still be rejected as SFTP depth limits are
+     * set such that a path with the maximum depth will exceed the maximum
+     * length) */
+    input = generate_path(-1, GUAC_COMMON_SSH_SFTP_MAX_DEPTH);
+    CU_ASSERT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+    /* Less than maximum depth */
+    input = generate_path(-1, GUAC_COMMON_SSH_SFTP_MAX_DEPTH - 1);
+    CU_ASSERT_NOT_EQUAL(guac_common_ssh_sftp_normalize_path(normalized, input), 0);
+    free(input);
+
+}
+
--- a/src/common-ssh/guac_ssh_user.c
+++ b/src/common-ssh/guac_ssh_user.c
@ -17,8 +17,8 @@
 * under the License.
 */

-#include "guac_ssh_key.h"
-#include "guac_ssh_user.h"
+#include "common-ssh/key.h"
+#include "common-ssh/user.h"

 #include <stdlib.h>
 #include <string.h>
--- a/src/common/.gitignore
+++ b/src/common/.gitignore
@ -0,0 +1,5 @@
+
+# Auto-generated test runner and binary
+_generated_runner.c
+test_common
+
--- a/src/common/Makefile.am
+++ b/src/common/Makefile.am
@ -16,45 +16,51 @@
 # specific language governing permissions and limitations
 # under the License.
 #
+# NOTE: Parts of this file (Makefile.am) are automatically transcluded verbatim
+# into Makefile.in. Though the build system (GNU Autotools) automatically adds
+# its own license boilerplate to the generated Makefile.in, that boilerplate
+# does not apply to the transcluded portions of Makefile.am which are licensed
+# to you by the ASF under the Apache License, Version 2.0, as described above.
+#

 AUTOMAKE_OPTIONS = foreign 
 ACLOCAL_AMFLAGS = -I m4

 noinst_LTLIBRARIES = libguac_common.la
+SUBDIRS = . tests

-noinst_HEADERS =          \
-    guac_io.h             \
-    guac_blank_cursor.h   \
-    guac_clipboard.h      \
-    guac_cursor.h         \
-    guac_display.h        \
-    guac_dot_cursor.h     \
-    guac_ibar_cursor.h    \
-    guac_iconv.h          \
-    guac_json.h           \
-    guac_list.h           \
-    guac_pointer_cursor.h \
-    guac_recording.h      \
-    guac_rect.h           \
-    guac_string.h         \
-    guac_surface.h
+noinst_HEADERS =            \
+    common/io.h             \
+    common/blank_cursor.h   \
+    common/clipboard.h      \
+    common/cursor.h         \
+    common/defaults.h       \
+    common/display.h        \
+    common/dot_cursor.h     \
+    common/ibar_cursor.h    \
+    common/iconv.h          \
+    common/json.h           \
+    common/list.h           \
+    common/pointer_cursor.h \
+    common/rect.h           \
+    common/string.h         \
+    common/surface.h

 libguac_common_la_SOURCES = \
-    guac_io.c               \
-    guac_blank_cursor.c     \
-    guac_clipboard.c        \
-    guac_cursor.c           \
-    guac_display.c          \
-    guac_dot_cursor.c       \
-    guac_ibar_cursor.c      \
-    guac_iconv.c            \
-    guac_json.c             \
-    guac_list.c             \
-    guac_pointer_cursor.c   \
-    guac_recording.c        \
-    guac_rect.c             \
-    guac_string.c           \
-    guac_surface.c
+    io.c                    \
+    blank_cursor.c          \
+    clipboard.c             \
+    cursor.c                \
+    display.c               \
+    dot_cursor.c            \
+    ibar_cursor.c           \
+    iconv.c                 \
+    json.c                  \
+    list.c                  \
+    pointer_cursor.c        \
+    rect.c                  \
+    string.c                \
+    surface.c

 libguac_common_la_CFLAGS =  \
    -Werror -Wall -pedantic \
--- a/src/common/guac_blank_cursor.c
+++ b/src/common/guac_blank_cursor.c
--- a/src/common/guac_clipboard.c
+++ b/src/common/guac_clipboard.c
@ -18,31 +18,42 @@
 */

 #include "config.h"
-#include "guac_clipboard.h"
+#include "common/clipboard.h"

 #include <guacamole/client.h>
 #include <guacamole/protocol.h>
 #include <guacamole/stream.h>
+#include <guacamole/string.h>
 #include <guacamole/user.h>
+#include <pthread.h>
 #include <string.h>
 #include <stdlib.h>

-guac_common_clipboard* guac_common_clipboard_alloc(int size) {
+guac_common_clipboard* guac_common_clipboard_alloc() {

    guac_common_clipboard* clipboard = malloc(sizeof(guac_common_clipboard));

    /* Init clipboard */
    clipboard->mimetype[0] = '\0';
-    clipboard->buffer = malloc(size);
+    clipboard->buffer = malloc(GUAC_COMMON_CLIPBOARD_MAX_LENGTH);
+    clipboard->available = GUAC_COMMON_CLIPBOARD_MAX_LENGTH;
    clipboard->length = 0;
-    clipboard->available = size;
+
+    pthread_mutex_init(&(clipboard->lock), NULL);

    return clipboard;

 }

 void guac_common_clipboard_free(guac_common_clipboard* clipboard) {
+
+    /* Destroy lock */
+    pthread_mutex_destroy(&(clipboard->lock));
+
+    /* Free buffer */
    free(clipboard->buffer);
+
+    /* Free base structure */
    free(clipboard);
 }

@ -108,18 +119,36 @@ static void* __send_user_clipboard(guac_user* user, void* data) {
 }

 void guac_common_clipboard_send(guac_common_clipboard* clipboard, guac_client* client) {
+
+    pthread_mutex_lock(&(clipboard->lock));
+
    guac_client_log(client, GUAC_LOG_DEBUG, "Broadcasting clipboard to all connected users.");
    guac_client_foreach_user(client, __send_user_clipboard, clipboard);
    guac_client_log(client, GUAC_LOG_DEBUG, "Broadcast of clipboard complete.");
+
+    pthread_mutex_unlock(&(clipboard->lock));
+
 }

-void guac_common_clipboard_reset(guac_common_clipboard* clipboard, const char* mimetype) {
+void guac_common_clipboard_reset(guac_common_clipboard* clipboard,
+        const char* mimetype) {
+
+    pthread_mutex_lock(&(clipboard->lock));
+
+    /* Clear clipboard contents */
    clipboard->length = 0;
-    strncpy(clipboard->mimetype, mimetype, sizeof(clipboard->mimetype)-1);
+
+    /* Assign given mimetype */
+    guac_strlcpy(clipboard->mimetype, mimetype, sizeof(clipboard->mimetype));
+
+    pthread_mutex_unlock(&(clipboard->lock));
+
 }

 void guac_common_clipboard_append(guac_common_clipboard* clipboard, const char* data, int length) {

+    pthread_mutex_lock(&(clipboard->lock));
+
    /* Truncate data to available length */
    int remaining = clipboard->available - clipboard->length;
    if (remaining < length)
@ -131,5 +160,7 @@ void guac_common_clipboard_append(guac_common_clipboard* clipboard, const char*
    /* Update length */
    clipboard->length += length;

+    pthread_mutex_unlock(&(clipboard->lock));
+
 }

--- a/src/common/common/blank_cursor.h
+++ b/src/common/common/blank_cursor.h
--- a/src/common/common/clipboard.h
+++ b/src/common/common/clipboard.h
@ -23,6 +23,7 @@
 #include "config.h"

 #include <guacamole/client.h>
+#include <pthread.h>

 /**
 * The maximum number of bytes to send in an individual blob when
@ -30,11 +31,23 @@
 */
 #define GUAC_COMMON_CLIPBOARD_BLOCK_SIZE 4096

+/**
+ * The maximum number of bytes to allow within the clipboard.
+ */
+#define GUAC_COMMON_CLIPBOARD_MAX_LENGTH 262144
+
 /**
 * Generic clipboard structure.
 */
 typedef struct guac_common_clipboard {

+    /**
+     * Lock which restricts simultaneous access to the clipboard, guaranteeing
+     * ordered modifications to the clipboard and that changes to the clipboard
+     * are not allowed while the clipboard is being broadcast to all users.
+     */
+    pthread_mutex_t lock;
+
    /**
     * The mimetype of the contained clipboard data.
     */
@ -58,12 +71,9 @@ typedef struct guac_common_clipboard {
 } guac_common_clipboard;

 /**
- * Creates a new clipboard having the given initial size.
- *
- * @param size The maximum number of bytes to allow within the clipboard.
- * @return A newly-allocated clipboard.
+ * Creates a new clipboard.
 */
-guac_common_clipboard* guac_common_clipboard_alloc(int size);
+guac_common_clipboard* guac_common_clipboard_alloc();

 /**
 * Frees the given clipboard.
--- a/src/common/common/cursor.h
+++ b/src/common/common/cursor.h
@ -21,7 +21,7 @@
 #ifndef GUAC_COMMON_CURSOR_H
 #define GUAC_COMMON_CURSOR_H

-#include "guac_surface.h"
+#include "surface.h"

 #include <cairo/cairo.h>
 #include <guacamole/client.h>
@ -45,10 +45,9 @@ typedef struct guac_common_cursor {
    guac_client* client;

    /**
-     * The cursor layer. This layer will be available to all connected users,
-     * but will be visible only to those users who are not moving the mouse.
+     * The buffer containing the current cursor image.
     */
-    guac_layer* layer;
+    guac_layer* buffer;

    /**
     * The width of the cursor image, in pixels.
@ -103,6 +102,27 @@ typedef struct guac_common_cursor {
     */
    int y;

+    /**
+     * An integer value representing the current state of each button, where
+     * the Nth bit within the integer is set to 1 if and only if the Nth mouse
+     * button is currently pressed. The lowest-order bit is the left mouse
+     * button, followed by the middle button, right button, and finally the up
+     * and down buttons of the scroll wheel.
+     *
+     * @see GUAC_CLIENT_MOUSE_LEFT
+     * @see GUAC_CLIENT_MOUSE_MIDDLE
+     * @see GUAC_CLIENT_MOUSE_RIGHT
+     * @see GUAC_CLIENT_MOUSE_SCROLL_UP
+     * @see GUAC_CLIENT_MOUSE_SCROLL_DOWN
+     */
+    int button_mask;
+
+    /**
+     * The server timestamp representing the point in time when the mousr
+     * location was last updated.
+     */
+    guac_timestamp timestamp;
+
 } guac_common_cursor;

 /**
@ -143,12 +163,12 @@ void guac_common_cursor_dup(guac_common_cursor* cursor, guac_user* user,
        guac_socket* socket);

 /**
- * Moves the mouse cursor, marking the given user as the most recent user of
- * the mouse. The remote mouse cursor will be hidden for this user and shown
- * for all others.
+ * Updates the current position and button state of the mouse cursor, marking
+ * the given user as the most recent user of the mouse. The remote mouse cursor
+ * will be hidden for this user and shown for all others.
 *
 * @param cursor
- *     The cursor being moved.
+ *     The cursor being updated.
 *
 * @param user
 *     The user that moved the cursor.
@ -158,9 +178,22 @@ void guac_common_cursor_dup(guac_common_cursor* cursor, guac_user* user,
 *
 * @param y
 *     The new Y coordinate of the cursor.
+ *
+ * @param button_mask
+ *     An integer value representing the current state of each button, where
+ *     the Nth bit within the integer is set to 1 if and only if the Nth mouse
+ *     button is currently pressed. The lowest-order bit is the left mouse
+ *     button, followed by the middle button, right button, and finally the up
+ *     and down buttons of the scroll wheel.
+ *
+ *     @see GUAC_CLIENT_MOUSE_LEFT
+ *     @see GUAC_CLIENT_MOUSE_MIDDLE
+ *     @see GUAC_CLIENT_MOUSE_RIGHT
+ *     @see GUAC_CLIENT_MOUSE_SCROLL_UP
+ *     @see GUAC_CLIENT_MOUSE_SCROLL_DOWN
 */
-void guac_common_cursor_move(guac_common_cursor* cursor, guac_user* user,
-        int x, int y);
+void guac_common_cursor_update(guac_common_cursor* cursor, guac_user* user,
+        int x, int y, int button_mask);

 /**
 * Sets the cursor image to the given raw image data. This raw image data must
--- a/src/common/common/defaults.h
+++ b/src/common/common/defaults.h
@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#ifndef GUAC_COMMON_DEFAULTS_H
+#define GUAC_COMMON_DEFAULTS_H
+
+/**
+ * The default number of seconds to wait after sending the Wake-on-LAN packet
+ * for the destination host to start responding.
+ */
+#define GUAC_WOL_DEFAULT_BOOT_WAIT_TIME 0
+
+
+#endif /* GUAC_COMMON_DEFAULTS_H */
+
--- a/src/common/common/display.h
+++ b/src/common/common/display.h
@ -20,12 +20,14 @@
 #ifndef GUAC_COMMON_DISPLAY_H
 #define GUAC_COMMON_DISPLAY_H

-#include "guac_cursor.h"
-#include "guac_surface.h"
+#include "cursor.h"
+#include "surface.h"

 #include <guacamole/client.h>
 #include <guacamole/socket.h>

+#include <pthread.h>
+
 /**
 * A list element representing a pairing of a Guacamole layer with a
 * corresponding guac_common_surface which wraps that layer. Adjacent layers
@ -97,6 +99,20 @@ typedef struct guac_common_display {
     */
    guac_common_display_layer* buffers;

+    /**
+     * Non-zero if all graphical updates for this display should use lossless
+     * compression, 0 otherwise. By default, newly-created displays will use
+     * lossy compression when heuristics determine it is appropriate.
+     */
+    int lossless;
+
+    /**
+     * Mutex which is locked internally when access to the display must be
+     * synchronized. All public functions of guac_common_display should be
+     * considered threadsafe.
+     */
+    pthread_mutex_t _lock;
+
 } guac_common_display;

 /**
@ -219,5 +235,27 @@ void guac_common_display_free_layer(guac_common_display* display,
 void guac_common_display_free_buffer(guac_common_display* display,
        guac_common_display_layer* display_buffer);

+/**
+ * Sets the overall lossless compression policy of the given display to the
+ * given value, affecting all current and future layers/buffers maintained by
+ * the display. By default, newly-created displays will use lossy compression
+ * for graphical updates when heuristics determine that doing so is
+ * appropriate. Specifying a non-zero value here will force all graphical
+ * updates to always use lossless compression, whereas specifying zero will
+ * restore the default policy.
+ *
+ * Note that this can also be adjusted on a per-layer / per-buffer basis with
+ * guac_common_surface_set_lossless().
+ *
+ * @param display
+ *     The display to modify.
+ *
+ * @param lossless
+ *     Non-zero if all graphical updates for this display should use lossless
+ *     compression, 0 otherwise.
+ */
+void guac_common_display_set_lossless(guac_common_display* display,
+        int lossless);
+
 #endif

--- a/src/common/common/dot_cursor.h
+++ b/src/common/common/dot_cursor.h
--- a/src/common/common/ibar_cursor.h
+++ b/src/common/common/ibar_cursor.h
--- a/src/common/common/iconv.h
+++ b/src/common/common/iconv.h
@ -76,6 +76,30 @@ guac_iconv_read GUAC_READ_CP1252;
 */
 guac_iconv_read GUAC_READ_ISO8859_1;

+/**
+ * Read function for UTF-8 which normalizes newline character sequences like
+ * "\r\n" to Unix-style newlines ('\n').
+ */
+guac_iconv_read GUAC_READ_UTF8_NORMALIZED;
+
+/**
+ * Read function for UTF-16 which normalizes newline character sequences like
+ * "\r\n" to Unix-style newlines ('\n').
+ */
+guac_iconv_read GUAC_READ_UTF16_NORMALIZED;
+
+/**
+ * Read function for CP-1252 which normalizes newline character sequences like
+ * "\r\n" to Unix-style newlines ('\n').
+ */
+guac_iconv_read GUAC_READ_CP1252_NORMALIZED;
+
+/**
+ * Read function for ISO 8859-1 which normalizes newline character sequences
+ * like "\r\n" to Unix-style newlines ('\n').
+ */
+guac_iconv_read GUAC_READ_ISO8859_1_NORMALIZED;
+
 /**
 * Write function for UTF8.
 */
@ -96,5 +120,29 @@ guac_iconv_write GUAC_WRITE_CP1252;
 */
 guac_iconv_write GUAC_WRITE_ISO8859_1;

+/**
+ * Write function for UTF-8 which writes newline characters ('\n') as
+ * Windows-style newlines ("\r\n").
+ */
+guac_iconv_write GUAC_WRITE_UTF8_CRLF;
+
+/**
+ * Write function for UTF-16 which writes newline characters ('\n') as
+ * Windows-style newlines ("\r\n").
+ */
+guac_iconv_write GUAC_WRITE_UTF16_CRLF;
+
+/**
+ * Write function for CP-1252 which writes newline characters ('\n') as
+ * Windows-style newlines ("\r\n").
+ */
+guac_iconv_write GUAC_WRITE_CP1252_CRLF;
+
+/**
+ * Write function for ISO 8859-1 which writes newline characters ('\n') as
+ * Windows-style newlines ("\r\n").
+ */
+guac_iconv_write GUAC_WRITE_ISO8859_1_CRLF;
+
 #endif

--- a/src/common/common/io.h
+++ b/src/common/common/io.h
--- a/src/common/common/json.h
+++ b/src/common/common/json.h
--- a/src/common/common/list.h
+++ b/src/common/common/list.h
--- a/src/common/common/pointer_cursor.h
+++ b/src/common/common/pointer_cursor.h
--- a/src/common/common/rect.h
+++ b/src/common/common/rect.h
--- a/src/common/common/string.h
+++ b/src/common/common/string.h
--- a/src/common/common/surface.h
+++ b/src/common/common/surface.h
@ -21,7 +21,7 @@
 #define __GUAC_COMMON_SURFACE_H

 #include "config.h"
-#include "guac_rect.h"
+#include "rect.h"

 #include <cairo/cairo.h>
 #include <guacamole/client.h>
@ -29,6 +29,8 @@
 #include <guacamole/protocol.h>
 #include <guacamole/socket.h>

+#include <pthread.h>
+
 /**
 * The maximum number of updates to allow within the bitmap queue.
 */
@ -118,6 +120,53 @@ typedef struct guac_common_surface {
     */
    guac_socket* socket;

+    /**
+     * The number of simultaneous touches that this surface can accept, where 0
+     * indicates that the surface does not support touch events at all.
+     */
+    int touches;
+
+    /**
+     * Non-zero if all graphical updates for this surface should use lossless
+     * compression, 0 otherwise. By default, newly-created surfaces will use
+     * lossy compression when heuristics determine it is appropriate.
+     */
+    int lossless;
+
+    /**
+     * The X coordinate of the upper-left corner of this layer, in pixels,
+     * relative to its parent layer. This is only applicable to visible
+     * (non-buffer) layers which are not the default layer.
+     */
+    int x;
+
+    /**
+     * The Y coordinate of the upper-left corner of this layer, in pixels,
+     * relative to its parent layer. This is only applicable to visible
+     * (non-buffer) layers which are not the default layer.
+     */
+    int y;
+
+    /**
+     * The Z-order of this layer, relative to sibling layers. This is only
+     * applicable to visible (non-buffer) layers which are not the default
+     * layer.
+     */
+    int z;
+
+    /**
+     * The level of opacity applied to this layer. Fully opaque is 255, while
+     * fully transparent is 0. This is only applicable to visible (non-buffer)
+     * layers which are not the default layer.
+     */
+    int opacity;
+
+    /**
+     * The layer which contains this layer. This is only applicable to visible
+     * (non-buffer) layers which are not the default layer.
+     */
+    const guac_layer* parent;
+
    /**
     * The width of this layer, in pixels.
     */
@ -138,6 +187,18 @@ typedef struct guac_common_surface {
     */
    unsigned char* buffer;

+    /**
+     * Non-zero if the location or parent layer of this surface has been
+     * changed and needs to be flushed, 0 otherwise.
+     */
+    int location_dirty;
+
+    /**
+     * Non-zero if the opacity of this surface has been changed and needs to be
+     * flushed, 0 otherwise.
+     */
+    int opacity_dirty;
+
    /**
     * Non-zero if this surface is dirty and needs to be flushed, 0 otherwise.
     */
@ -180,6 +241,13 @@ typedef struct guac_common_surface {
     */
    guac_common_surface_heat_cell* heat_map;

+    /**
+     * Mutex which is locked internally when access to the surface must be
+     * synchronized. All public functions of guac_common_surface should be
+     * considered threadsafe.
+     */
+    pthread_mutex_t _lock;
+
 } guac_common_surface;

 /**
@ -224,14 +292,25 @@ void guac_common_surface_free(guac_common_surface* surface);
 void guac_common_surface_resize(guac_common_surface* surface, int w, int h);

 /**
- * Draws the given data to the given guac_common_surface.
+ * Draws the given data to the given guac_common_surface. If the source surface
+ * is ARGB, the draw operation will be performed using the Porter-Duff "over"
+ * composite operator. If the source surface is RGB (no alpha channel), no
+ * compositing is performed and destination pixels are ignored.
 *
- * @param surface The surface to draw to.
- * @param x The X coordinate of the draw location.
- * @param y The Y coordinate of the draw location.
- * @param src The Cairo surface to retrieve data from.
+ * @param surface
+ *     The surface to draw to.
+ *
+ * @param x
+ *     The X coordinate of the draw location.
+ *
+ * @param y
+ *     The Y coordinate of the draw location.
+ *
+ * @param src
+ *     The Cairo surface to retrieve data from.
 */
-void guac_common_surface_draw(guac_common_surface* surface, int x, int y, cairo_surface_t* src);
+void guac_common_surface_draw(guac_common_surface* surface, int x, int y,
+        cairo_surface_t* src);

 /**
 * Paints to the given guac_common_surface using the given data as a stencil,
@ -281,20 +360,43 @@ void guac_common_surface_transfer(guac_common_surface* src, int sx, int sy, int
                                  guac_transfer_function op, guac_common_surface* dst, int dx, int dy);

 /**
- * Draws a solid color rectangle at the given coordinates on the given surface.
+ * Assigns the given value to all pixels within a rectangle of the given
+ * surface. The color of all pixels within the rectangle, including the alpha
+ * component, is entirely replaced.
 *
- * @param surface The surface to draw upon.
- * @param x The X coordinate of the upper-left corner of the rectangle.
- * @param y The Y coordinate of the upper-left corner of the rectangle.
- * @param w The width of the rectangle.
- * @param h The height of the rectangle.
- * @param red The red component of the color of the rectangle.
- * @param green The green component of the color of the rectangle.
- * @param blue The blue component of the color of the rectangle.
+ * @param surface
+ *     The surface to draw upon.
+ *
+ * @param x
+ *     The X coordinate of the upper-left corner of the rectangle.
+ *
+ * @param y
+ *     The Y coordinate of the upper-left corner of the rectangle.
+ *
+ * @param w
+ *     The width of the rectangle.
+ *
+ * @param h
+ *     The height of the rectangle.
+ *
+ * @param red
+ *     The red component of the color value to assign to all pixels within the
+ *     rectangle.
+ *
+ * @param green
+ *     The green component of the color value to assign to all pixels within
+ *     the rectangle.
+ *
+ * @param blue 
+ *     The blue component of the color value to assign to all pixels within the
+ *     rectangle.
+ *
+ * @param alpha 
+ *     The alpha component of the color value to assign to all pixels within
+ *     the rectangle.
 */
-void guac_common_surface_rect(guac_common_surface* surface,
-                              int x, int y, int w, int h,
-                              int red, int green, int blue);
+void guac_common_surface_set(guac_common_surface* surface, int x, int y,
+        int w, int h, int red, int green, int blue, int alpha);

 /**
 * Given the coordinates and dimensions of a rectangle, clips all future
@ -317,22 +419,69 @@ void guac_common_surface_clip(guac_common_surface* surface, int x, int y, int w,
 void guac_common_surface_reset_clip(guac_common_surface* surface);

 /**
- * Flushes the given surface, drawing any pending operations on the remote
- * display.
+ * Changes the location of the surface relative to its parent layer. If the
+ * surface does not represent a non-default visible layer, then this function
+ * has no effect.
 *
- * @param surface The surface to flush.
+ * @param surface
+ *     The surface to move relative to its parent layer.
+ *
+ * @param x
+ *     The new X coordinate for the upper-left corner of the layer, in pixels.
+ *
+ * @param y
+ *     The new Y coordinate for the upper-left corner of the layer, in pixels.
 */
-void guac_common_surface_flush(guac_common_surface* surface);
+void guac_common_surface_move(guac_common_surface* surface, int x, int y);

 /**
- * Schedules a deferred flush of the given surface. This will not immediately
- * flush the surface to the client. Instead, the result of the flush is
- * added to a queue which is reinspected and combined (if possible) with other
- * deferred flushes during the call to guac_common_surface_flush().
+ * Changes the stacking order of the surface relative to other surfaces within
+ * the same parent layer. If the surface does not represent a non-default
+ * visible layer, then this function has no effect.
 *
- * @param surface The surface to flush.
+ * @param surface
+ *     The surface to reorder relative to sibling layers.
+ *
+ * @param z
+ *     The new Z-order for this layer, relative to sibling layers.
 */
-void guac_common_surface_flush_deferred(guac_common_surface* surface);
+void guac_common_surface_stack(guac_common_surface* surface, int z);
+
+/**
+ * Changes the parent layer of ths given surface. By default, layers will be
+ * children of the default layer. If the surface does not represent a
+ * non-default visible layer, then this function has no effect.
+ *
+ * @param surface
+ *     The surface whose parent layer should be changed.
+ *
+ * @param parent
+ *     The layer which should be set as the new parent of the given surface.
+ */
+void guac_common_surface_set_parent(guac_common_surface* surface,
+        const guac_layer* parent);
+
+/**
+ * Sets the opacity of the surface. If the surface does not represent a
+ * non-default visible layer, then this function has no effect.
+ *
+ * @param surface
+ *     The surface whose opacity should be changed.
+ *
+ * @param opacity
+ *     The level of opacity applied to this surface, where fully opaque is 255,
+ *     and fully transparent is 0.
+ */
+void guac_common_surface_set_opacity(guac_common_surface* surface, int opacity);
+
+/**
+ * Flushes the given surface, including any applicable properties, drawing any
+ * pending operations on the remote display.
+ *
+ * @param surface
+ *     The surface to flush.
+ */
+void guac_common_surface_flush(guac_common_surface* surface);

 /**
 * Duplicates the contents of the current surface to the given socket. Pending
@ -350,5 +499,41 @@ void guac_common_surface_flush_deferred(guac_common_surface* surface);
 void guac_common_surface_dup(guac_common_surface* surface, guac_user* user,
        guac_socket* socket);

+/**
+ * Declares that the given surface should receive touch events. By default,
+ * surfaces are assumed to not expect touch events. This value is advisory, and
+ * the client is not required to honor the declared level of touch support.
+ * Implementations are expected to safely handle or ignore any received touch
+ * events, regardless of the level of touch support declared.  regardless of
+ * the level of touch support declared.
+ *
+ * @param surface
+ *     The surface to modify.
+ *
+ * @param touches
+ *     The number of simultaneous touches that this surface can accept, where 0
+ *     indicates that the surface does not support touch events at all.
+ */
+void guac_common_surface_set_multitouch(guac_common_surface* surface,
+        int touches);
+
+/**
+ * Sets the lossless compression policy of the given surface to the given
+ * value. By default, newly-created surfaces will use lossy compression for
+ * graphical updates when heuristics determine that doing so is appropriate.
+ * Specifying a non-zero value here will force all graphical updates to always
+ * use lossless compression, whereas specifying zero will restore the default
+ * policy.
+ *
+ * @param surface
+ *     The surface to modify.
+ *
+ * @param lossless
+ *     Non-zero if all graphical updates for this surface should use lossless
+ *     compression, 0 otherwise.
+ */
+void guac_common_surface_set_lossless(guac_common_surface* surface,
+        int lossless);
+
 #endif

--- a/src/common/guac_cursor.c
+++ b/src/common/guac_cursor.c
@ -17,32 +17,43 @@
 * under the License.
 */

-#include "guac_blank_cursor.h"
-#include "guac_dot_cursor.h"
-#include "guac_cursor.h"
-#include "guac_ibar_cursor.h"
-#include "guac_pointer_cursor.h"
-#include "guac_surface.h"
+#include "common/blank_cursor.h"
+#include "common/dot_cursor.h"
+#include "common/cursor.h"
+#include "common/ibar_cursor.h"
+#include "common/pointer_cursor.h"
+#include "common/surface.h"

 #include <cairo/cairo.h>
 #include <guacamole/client.h>
-#include <guacamole/layer.h>
 #include <guacamole/protocol.h>
 #include <guacamole/socket.h>
+#include <guacamole/timestamp.h>
 #include <guacamole/user.h>

+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>

+
+/**
+ * Allocates a cursor as well as an image buffer where the cursor is rendered.
+ *
+ * @param client
+ *     The client owning the cursor.
+ *
+ * @return
+ *     The newly-allocated cursor or NULL if cursor cannot be allocated.
+ */
 guac_common_cursor* guac_common_cursor_alloc(guac_client* client) {

    guac_common_cursor* cursor = malloc(sizeof(guac_common_cursor));
    if (cursor == NULL)
        return NULL;

-    /* Associate cursor with client and allocate cursor layer */
+    /* Associate cursor with client and allocate cursor buffer */
    cursor->client = client;
-    cursor->layer= guac_client_alloc_layer(client);
+    cursor->buffer = guac_client_alloc_buffer(client);

    /* Allocate initial image buffer */
    cursor->image_buffer_size = GUAC_COMMON_CURSOR_DEFAULT_SIZE;
@ -57,6 +68,7 @@ guac_common_cursor* guac_common_cursor_alloc(guac_client* client) {

    /* No user has moved the mouse yet */
    cursor->user = NULL;
+    cursor->timestamp = guac_timestamp_current();

    /* Start cursor in upper-left */
    cursor->x = 0;
@ -69,7 +81,7 @@ guac_common_cursor* guac_common_cursor_alloc(guac_client* client) {
 void guac_common_cursor_free(guac_common_cursor* cursor) {

    guac_client* client = cursor->client;
-    guac_layer* layer = cursor->layer;
+    guac_layer* buffer = cursor->buffer;
    cairo_surface_t* surface = cursor->surface;

    /* Free image buffer and surface */
@ -77,11 +89,11 @@ void guac_common_cursor_free(guac_common_cursor* cursor) {
    if (surface != NULL)
        cairo_surface_destroy(surface);

-    /* Destroy layer within remotely-connected client */
-    guac_protocol_send_dispose(client->socket, layer);
+    /* Destroy buffer within remotely-connected client */
+    guac_protocol_send_dispose(client->socket, buffer);

-    /* Return layer to pool */
-    guac_client_free_layer(client, layer);
+    /* Return buffer to pool */
+    guac_client_free_buffer(client, buffer);

    free(cursor);

@ -91,18 +103,20 @@ void guac_common_cursor_dup(guac_common_cursor* cursor, guac_user* user,
        guac_socket* socket) {

    /* Synchronize location */
-    guac_protocol_send_move(socket, cursor->layer, GUAC_DEFAULT_LAYER,
-            cursor->x - cursor->hotspot_x,
-            cursor->y - cursor->hotspot_y,
-            0);
+    guac_protocol_send_mouse(socket, cursor->x, cursor->y, cursor->button_mask,
+            cursor->timestamp);

    /* Synchronize cursor image */
    if (cursor->surface != NULL) {
-        guac_protocol_send_size(socket, cursor->layer,
+        guac_protocol_send_size(socket, cursor->buffer,
                cursor->width, cursor->height);

        guac_user_stream_png(user, socket, GUAC_COMP_SRC,
-                cursor->layer, 0, 0, cursor->surface);
+                cursor->buffer, 0, 0, cursor->surface);
+
+        guac_protocol_send_cursor(socket,
+                cursor->hotspot_x, cursor->hotspot_y,
+                cursor->buffer, 0, 0, cursor->width, cursor->height);
    }

    guac_socket_flush(socket);
@ -110,28 +124,26 @@ void guac_common_cursor_dup(guac_common_cursor* cursor, guac_user* user,
 }

 /**
- * Callback for guac_client_for_user() which shows the cursor layer for the
- * given user (if they exist). The cursor layer is normally hidden when a user
- * is moving the mouse, and will only be shown if a DIFFERENT user is moving
- * the mouse.
- *
- * @param user
- *     The user to show the cursor to, or NULL if that user does not exist.
+ * Callback for guac_client_foreach_user() which sends the current cursor
+ * position and button state to any given user except the user that moved the
+ * cursor last.
 *
 * @param data
- *     A pointer to the guac_common_cursor structure describing the cursor to
- *     be shown.
+ *     A pointer to the guac_common_cursor whose state should be broadcast to
+ *     all users except the user that moved the cursor last.
 *
 * @return
 *     Always NULL.
 */
-static void* guac_common_cursor_show(guac_user* user, void* data) {
+static void* guac_common_cursor_broadcast_state(guac_user* user,
+        void* data) {

    guac_common_cursor* cursor = (guac_common_cursor*) data;

-    /* Make cursor layer visible to given user */
-    if (user != NULL) {
-        guac_protocol_send_shade(user->socket, cursor->layer, 255);
+    /* Send cursor state only if the user is not moving the cursor */
+    if (user != cursor->user) {
+        guac_protocol_send_mouse(user->socket, cursor->x, cursor->y,
+                cursor->button_mask, cursor->timestamp);
        guac_socket_flush(user->socket);
    }

@ -139,42 +151,23 @@ static void* guac_common_cursor_show(guac_user* user, void* data) {

 }

-void guac_common_cursor_move(guac_common_cursor* cursor, guac_user* user,
-        int x, int y) {
-
-    guac_user* last_user = cursor->user;
+void guac_common_cursor_update(guac_common_cursor* cursor, guac_user* user,
+        int x, int y, int button_mask) {

    /* Update current user of cursor */
-    if (last_user != user) {
+    cursor->user = user;

-        cursor->user = user;
-
-        /* Make cursor layer visible to previous user */
-        guac_client_for_user(cursor->client, last_user,
-                guac_common_cursor_show, cursor);
-
-        /* Show hardware cursor */
-        guac_protocol_send_cursor(user->socket,
-                cursor->hotspot_x, cursor->hotspot_y,
-                cursor->layer, 0, 0, cursor->width, cursor->height);
-
-        /* Hide cursor layer from new user */
-        guac_protocol_send_shade(user->socket, cursor->layer, 0);
-        guac_socket_flush(user->socket);
-
-    }
-
-    /* Update cursor position */
+    /* Update cursor state */
    cursor->x = x;
    cursor->y = y;
+    cursor->button_mask = button_mask;

-    guac_protocol_send_move(cursor->client->socket, cursor->layer,
-            GUAC_DEFAULT_LAYER,
-            x - cursor->hotspot_x,
-            y - cursor->hotspot_y,
-            0);
+    /* Store time at which cursor was updated */
+    cursor->timestamp = guac_timestamp_current();

-    guac_socket_flush(cursor->client->socket);
+    /* Notify all other users of change in cursor state */
+    guac_client_foreach_user(cursor->client,
+            guac_common_cursor_broadcast_state, cursor);

 }

@ -216,65 +209,6 @@ static void guac_common_cursor_resize(guac_common_cursor* cursor,

 }

-/**
- * Callback for guac_client_foreach_user() which sends the current cursor image
- * as PNG data to each connected client.
- *
- * @param user
- *     The user to send the cursor image to.
- *
- * @param data
- *     A pointer to the guac_common_cursor structure containing the cursor
- *     image that should be sent to the given user.
- *
- * @return
- *     Always NULL.
- */
-static void* __send_user_cursor_image(guac_user* user, void* data) {
-
-    guac_common_cursor* cursor = (guac_common_cursor*) data;
-
-    guac_user_stream_png(user, user->socket, GUAC_COMP_SRC,
-            cursor->layer, 0, 0, cursor->surface);
-
-    return NULL;
-
-}
-
-/**
- * Callback for guac_client_for_user() which updates the hardware cursor and
- * hotspot for the given user (if they exist). The hardware cursor image is
- * normally hidden when a user is not moving the mouse, and will only be shown
- * if that user begins moving the mouse.
- *
- * @param user
- *     The user whose hardware cursor should be updated, or NULL if that user
- *     does not exist.
- *
- * @param data
- *     A pointer to the guac_common_cursor structure describing the cursor to
- *     be sent as the hardware cursor.
- *
- * @return
- *     Always NULL.
- */
-static void* guac_common_cursor_update(guac_user* user, void* data) {
-
-    guac_common_cursor* cursor = (guac_common_cursor*) data;
-
-    /* Update hardware cursor of current user */
-    if (user != NULL) {
-        guac_protocol_send_cursor(user->socket,
-                cursor->hotspot_x, cursor->hotspot_y,
-                cursor->layer, 0, 0, cursor->width, cursor->height);
-
-        guac_socket_flush(user->socket);
-    }
-
-    return NULL;
-
-}
-
 void guac_common_cursor_set_argb(guac_common_cursor* cursor, int hx, int hy,
    unsigned const char* data, int width, int height, int stride) {

@ -294,26 +228,20 @@ void guac_common_cursor_set_argb(guac_common_cursor* cursor, int hx, int hy,
    cursor->hotspot_x = hx;
    cursor->hotspot_y = hy;

-    /* Update location based on new hotspot */
-    guac_protocol_send_move(cursor->client->socket, cursor->layer,
-            GUAC_DEFAULT_LAYER,
-            cursor->x - hx,
-            cursor->y - hy,
-            0);
-
    /* Broadcast new cursor image to all users */
-    guac_protocol_send_size(cursor->client->socket, cursor->layer,
+    guac_protocol_send_size(cursor->client->socket, cursor->buffer,
            width, height);

-    guac_client_foreach_user(cursor->client, __send_user_cursor_image, cursor);
+    guac_client_stream_png(cursor->client, cursor->client->socket,
+            GUAC_COMP_SRC, cursor->buffer, 0, 0, cursor->surface);
+
+    /* Update cursor image */
+    guac_protocol_send_cursor(cursor->client->socket,
+            cursor->hotspot_x, cursor->hotspot_y,
+            cursor->buffer, 0, 0, cursor->width, cursor->height);

    guac_socket_flush(cursor->client->socket);

-    /* Update hardware cursor of current user (if they are indeed valid) */
-    if (cursor->user != NULL)
-        guac_client_for_user(cursor->client, cursor->user,
-                guac_common_cursor_update, cursor);
-
 }

 void guac_common_cursor_set_surface(guac_common_cursor* cursor, int hx, int hy,
--- a/src/common/guac_display.c
+++ b/src/common/guac_display.c
@ -17,13 +17,14 @@
 * under the License.
 */

-#include "guac_cursor.h"
-#include "guac_display.h"
-#include "guac_surface.h"
+#include "common/cursor.h"
+#include "common/display.h"
+#include "common/surface.h"

 #include <guacamole/client.h>
 #include <guacamole/socket.h>

+#include <pthread.h>
 #include <stdlib.h>
 #include <string.h>

@ -98,6 +99,22 @@ static void guac_common_display_free_layers(guac_common_display_layer* layers,

 }

+/**
+ * Allocates a display and a cursor which are used to represent the remote
+ * display and cursor.
+ *
+ * @param client
+ *     The client owning the cursor.
+ *
+ * @param width
+ *     The desired width of the display.
+ *
+ * @param height
+ *     The desired height of the display.
+ *
+ * @return
+ *     The newly-allocated display or NULL if display cannot be allocated.
+ */
 guac_common_display* guac_common_display_alloc(guac_client* client,
        int width, int height) {

@ -106,11 +123,17 @@ guac_common_display* guac_common_display_alloc(guac_client* client,
    if (display == NULL)
        return NULL;

-    /* Associate display with given client */
-    display->client = client;
-
    /* Allocate shared cursor */
    display->cursor = guac_common_cursor_alloc(client);
+    if (display->cursor == NULL) {
+        free(display);
+        return NULL;
+    }
+
+    pthread_mutex_init(&display->_lock, NULL);
+
+    /* Associate display with given client */
+    display->client = client;

    display->default_surface = guac_common_surface_alloc(client,
            client->socket, GUAC_DEFAULT_LAYER, width, height);
@ -135,6 +158,7 @@ void guac_common_display_free(guac_common_display* display) {
    guac_common_display_free_layers(display->buffers, display->client);
    guac_common_display_free_layers(display->layers, display->client);

+    pthread_mutex_destroy(&display->_lock);
    free(display);

 }
@ -142,6 +166,10 @@ void guac_common_display_free(guac_common_display* display) {
 void guac_common_display_dup(guac_common_display* display, guac_user* user,
        guac_socket* socket) {

+    guac_client* client = user->client;
+
+    pthread_mutex_lock(&display->_lock);
+
    /* Sunchronize shared cursor */
    guac_common_cursor_dup(display->cursor, user, socket);

@ -152,10 +180,53 @@ void guac_common_display_dup(guac_common_display* display, guac_user* user,
    guac_common_display_dup_layers(display->layers, user, socket);
    guac_common_display_dup_layers(display->buffers, user, socket);

+    /* Sends a sync instruction to mark the boundary of the first frame */
+    guac_protocol_send_sync(socket, client->last_sent_timestamp, 1);
+
+    pthread_mutex_unlock(&display->_lock);
+
+}
+
+void guac_common_display_set_lossless(guac_common_display* display,
+        int lossless) {
+
+    pthread_mutex_lock(&display->_lock);
+
+    /* Update lossless setting to be applied to all newly-allocated
+     * layers/buffers */
+    display->lossless = lossless;
+
+    /* Update losslessness of all allocated layers/buffers */
+    guac_common_display_layer* current = display->layers;
+    while (current != NULL) {
+        guac_common_surface_set_lossless(current->surface, lossless);
+        current = current->next;
+    }
+
+    /* Update losslessness of default display layer (not included within layers
+     * list) */
+    guac_common_surface_set_lossless(display->default_surface, lossless);
+
+    pthread_mutex_unlock(&display->_lock);
+
 }

 void guac_common_display_flush(guac_common_display* display) {
+
+    pthread_mutex_lock(&display->_lock);
+
+    guac_common_display_layer* current = display->layers;
+
+    /* Flush all surfaces */
+    while (current != NULL) {
+        guac_common_surface_flush(current->surface);
+        current = current->next;
+    }
+
    guac_common_surface_flush(display->default_surface);
+
+    pthread_mutex_unlock(&display->_lock);
+
 }

 /**
@ -236,42 +307,56 @@ static void guac_common_display_remove_layer(guac_common_display_layer** head,
 guac_common_display_layer* guac_common_display_alloc_layer(
        guac_common_display* display, int width, int height) {

-    guac_layer* layer;
-    guac_common_surface* surface;
+    pthread_mutex_lock(&display->_lock);

    /* Allocate Guacamole layer */
-    layer = guac_client_alloc_layer(display->client);
+    guac_layer* layer = guac_client_alloc_layer(display->client);

    /* Allocate corresponding surface */
-    surface = guac_common_surface_alloc(display->client,
+    guac_common_surface* surface = guac_common_surface_alloc(display->client,
            display->client->socket, layer, width, height);

+    /* Apply current display losslessness */
+    guac_common_surface_set_lossless(surface, display->lossless);
+
    /* Add layer and surface to list */
-    return guac_common_display_add_layer(&display->layers, layer, surface);
+    guac_common_display_layer* display_layer =
+        guac_common_display_add_layer(&display->layers, layer, surface);
+
+    pthread_mutex_unlock(&display->_lock);
+    return display_layer;

 }

 guac_common_display_layer* guac_common_display_alloc_buffer(
        guac_common_display* display, int width, int height) {

-    guac_layer* buffer;
-    guac_common_surface* surface;
+    pthread_mutex_lock(&display->_lock);

    /* Allocate Guacamole buffer */
-    buffer = guac_client_alloc_buffer(display->client);
+    guac_layer* buffer = guac_client_alloc_buffer(display->client);

    /* Allocate corresponding surface */
-    surface = guac_common_surface_alloc(display->client,
+    guac_common_surface* surface = guac_common_surface_alloc(display->client,
            display->client->socket, buffer, width, height);

+    /* Apply current display losslessness */
+    guac_common_surface_set_lossless(surface, display->lossless);
+
    /* Add buffer and surface to list */
-    return guac_common_display_add_layer(&display->buffers, buffer, surface);
+    guac_common_display_layer* display_layer =
+        guac_common_display_add_layer(&display->buffers, buffer, surface);
+
+    pthread_mutex_unlock(&display->_lock);
+    return display_layer;

 }

 void guac_common_display_free_layer(guac_common_display* display,
        guac_common_display_layer* display_layer) {

+    pthread_mutex_lock(&display->_lock);
+
    /* Remove list element from list */
    guac_common_display_remove_layer(&display->layers, display_layer);

@ -282,11 +367,15 @@ void guac_common_display_free_layer(guac_common_display* display,
    /* Free list element */
    free(display_layer);

+    pthread_mutex_unlock(&display->_lock);
+
 }

 void guac_common_display_free_buffer(guac_common_display* display,
        guac_common_display_layer* display_buffer) {

+    pthread_mutex_lock(&display->_lock);
+
    /* Remove list element from list */
    guac_common_display_remove_layer(&display->buffers, display_buffer);

@ -297,5 +386,6 @@ void guac_common_display_free_buffer(guac_common_display* display,
    /* Free list element */
    free(display_buffer);

-}
+    pthread_mutex_unlock(&display->_lock);

+}
--- a/src/common/guac_dot_cursor.c
+++ b/src/common/guac_dot_cursor.c
--- a/src/common/guac_recording.h
+++ b/src/common/guac_recording.h
@ -1,78 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#ifndef GUAC_COMMON_RECORDING_H
-#define GUAC_COMMON_RECORDING_H
-
-#include <guacamole/client.h>
-
-/**
- * The maximum numeric value allowed for the .1, .2, .3, etc. suffix appended
- * to the end of the session recording filename if a recording having the
- * requested name already exists.
- */
-#define GUAC_COMMON_RECORDING_MAX_SUFFIX 255
-
-/**
- * The maximum length of the string containing a sequential numeric suffix
- * between 1 and GUAC_COMMON_RECORDING_MAX_SUFFIX inclusive, in bytes,
- * including NULL terminator.
- */
-#define GUAC_COMMON_RECORDING_MAX_SUFFIX_LENGTH 4
-
-/**
- * The maximum overall length of the full path to the session recording file,
- * including any additional suffix and NULL terminator, in bytes.
- */
-#define GUAC_COMMON_RECORDING_MAX_NAME_LENGTH 2048
-
-/**
- * Replaces the socket of the given client such that all further Guacamole
- * protocol output will be copied into a file within the given path and having
- * the given name. If the create_path flag is non-zero, the given path will be
- * created if it does not yet exist. If creation of the recording file or path
- * fails, error messages will automatically be logged, and no recording will be
- * written. The recording will automatically be closed once the client is
- * freed.
- *
- * @param client
- *     The client whose output should be copied to a recording file.
- *
- * @param path
- *     The full absolute path to a directory in which the recording file should
- *     be created.
- *
- * @param name
- *     The base name to use for the recording file created within the specified
- *     path.
- *
- * @param create_path
- *     Zero if the specified path MUST exist for the recording file to be
- *     written, or non-zero if the path should be created if it does not yet
- *     exist.
- *
- * @return
- *     Zero if the recording file has been successfully created and a recording
- *     will be written, non-zero otherwise.
- */
-int guac_common_recording_create(guac_client* client, const char* path,
-        const char* name, int create_path);
-
-#endif
-
--- a/src/common/guac_ibar_cursor.c
+++ b/src/common/guac_ibar_cursor.c
--- a/src/common/guac_iconv.c
+++ b/src/common/guac_iconv.c
@ -18,7 +18,7 @@
 */

 #include "config.h"
-#include "guac_iconv.h"
+#include "common/iconv.h"

 #include <guacamole/unicode.h>
 #include <stdint.h>
@ -138,6 +138,70 @@ int GUAC_READ_ISO8859_1(const char** input, int remaining) {

 }

+/**
+ * Invokes the given reader function, automatically normalizing newline
+ * sequences as Unix-style newline characters ('\n').  All other charaters are
+ * read verbatim.
+ *
+ * @param reader
+ *     The reader to use to read the given character.
+ *
+ * @param input
+ *     Pointer to the location within the input buffer that the next character
+ *     should be read from.
+ *
+ * @param remaining
+ *     The number of bytes remaining in the input buffer.
+ *
+ * @return
+ *     The codepoint that was read, or zero if the end of the input string has
+ *     been reached.
+ */
+static int guac_iconv_read_normalized(guac_iconv_read* reader,
+        const char** input, int remaining) {
+
+    /* Read requested character */
+    const char* input_start = *input;
+    int value = reader(input, remaining);
+
+    /* Automatically translate CRLF pairs to simple newlines */
+    if (value == '\r') {
+
+        /* Peek ahead by one character, adjusting remaining bytes relative to
+         * last read */
+        int peek_remaining = remaining - (*input - input_start);
+        const char* peek_input = *input;
+        int peek_value = reader(&peek_input, peek_remaining);
+
+        /* Consider read value to be a newline if we have encountered a "\r\n"
+         * (CRLF) pair */
+        if (peek_value == '\n') {
+            value = '\n';
+            *input = peek_input;
+        }
+
+    }
+
+    return value;
+
+}
+
+int GUAC_READ_UTF8_NORMALIZED(const char** input, int remaining) {
+    return guac_iconv_read_normalized(GUAC_READ_UTF8, input, remaining);
+}
+
+int GUAC_READ_UTF16_NORMALIZED(const char** input, int remaining) {
+    return guac_iconv_read_normalized(GUAC_READ_UTF16, input, remaining);
+}
+
+int GUAC_READ_CP1252_NORMALIZED(const char** input, int remaining) {
+    return guac_iconv_read_normalized(GUAC_READ_CP1252, input, remaining);
+}
+
+int GUAC_READ_ISO8859_1_NORMALIZED(const char** input, int remaining) {
+    return guac_iconv_read_normalized(GUAC_READ_ISO8859_1, input, remaining);
+}
+
 void GUAC_WRITE_UTF8(char** output, int remaining, int value) {
    *output += guac_utf8_write(value, *output, remaining);
 }
@ -190,3 +254,53 @@ void GUAC_WRITE_ISO8859_1(char** output, int remaining, int value) {
    (*output)++;
 }

+/**
+ * Invokes the given writer function, automatically writing newline characters
+ * ('\n') as CRLF ("\r\n"). All other charaters are written verbatim.
+ *
+ * @param writer
+ *     The writer to use to write the given character.
+ *
+ * @param output
+ *     Pointer to the location within the output buffer that the next character
+ *     should be written.
+ *
+ * @param remaining
+ *     The number of bytes remaining in the output buffer.
+ *
+ * @param value
+ *     The codepoint of the character to write.
+ */
+static void guac_iconv_write_crlf(guac_iconv_write* writer, char** output,
+        int remaining, int value) {
+
+    if (value != '\n') {
+        writer(output, remaining, value);
+        return;
+    }
+
+    char* output_start = *output;
+    writer(output, remaining, '\r');
+
+    remaining -= *output - output_start;
+    if (remaining > 0)
+        writer(output, remaining, '\n');
+
+}
+
+void GUAC_WRITE_UTF8_CRLF(char** output, int remaining, int value) {
+    guac_iconv_write_crlf(GUAC_WRITE_UTF8, output, remaining, value);
+}
+
+void GUAC_WRITE_UTF16_CRLF(char** output, int remaining, int value) {
+    guac_iconv_write_crlf(GUAC_WRITE_UTF16, output, remaining, value);
+}
+
+void GUAC_WRITE_CP1252_CRLF(char** output, int remaining, int value) {
+    guac_iconv_write_crlf(GUAC_WRITE_CP1252, output, remaining, value);
+}
+
+void GUAC_WRITE_ISO8859_1_CRLF(char** output, int remaining, int value) {
+    guac_iconv_write_crlf(GUAC_WRITE_ISO8859_1, output, remaining, value);
+}
+
--- a/src/common/guac_io.c
+++ b/src/common/guac_io.c
@ -18,7 +18,7 @@
 */

 #include "config.h"
-#include "guac_io.h"
+#include "common/io.h"

 #include <unistd.h>

--- a/src/common/guac_json.c
+++ b/src/common/guac_json.c
@ -19,7 +19,7 @@

 #include "config.h"

-#include "guac_json.h"
+#include "common/json.h"

 #include <assert.h>
 #include <stdlib.h>
@ -97,15 +97,15 @@ int guac_common_json_write_string(guac_user* user,
    const char* current = str;
    for (; *current != '\0'; current++) {

-        /* Escape all quotes */
-        if (*current == '"') {
+        /* Escape all quotes and back-slashes */
+        if (*current == '"' || *current == '\\') {

            /* Write any string content up to current character */
            if (current != str)
                blob_written |= guac_common_json_write(user, stream,
                        json_state, str, current - str);

-            /* Escape the quote that was just read */
+            /* Escape the character that was just read */
            blob_written |= guac_common_json_write(user, stream,
                    json_state, "\\", 1);

--- a/src/common/guac_list.c
+++ b/src/common/guac_list.c
@ -18,7 +18,7 @@
 */

 #include "config.h"
-#include "guac_list.h"
+#include "common/list.h"

 #include <stdlib.h>
 #include <pthread.h>
--- a/src/common/guac_pointer_cursor.c
+++ b/src/common/guac_pointer_cursor.c
--- a/src/common/guac_rect.c
+++ b/src/common/guac_rect.c
@ -18,7 +18,7 @@
 */

 #include "config.h"
-#include "guac_rect.h"
+#include "common/rect.h"

 void guac_common_rect_init(guac_common_rect* rect, int x, int y, int width, int height) {
    rect->x      = x;
--- a/src/common/guac_string.c
+++ b/src/common/guac_string.c
@ -19,7 +19,7 @@

 #include "config.h"

-#include "guac_string.h"
+#include "common/string.h"

 #include <stdlib.h>
 #include <string.h>
--- a/src/common/guac_surface.c
+++ b/src/common/guac_surface.c
--- a/src/common/tests/Makefile.am
+++ b/src/common/tests/Makefile.am
@ -0,0 +1,76 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# NOTE: Parts of this file (Makefile.am) are automatically transcluded verbatim
+# into Makefile.in. Though the build system (GNU Autotools) automatically adds
+# its own license boilerplate to the generated Makefile.in, that boilerplate
+# does not apply to the transcluded portions of Makefile.am which are licensed
+# to you by the ASF under the Apache License, Version 2.0, as described above.
+#
+
+AUTOMAKE_OPTIONS = foreign 
+ACLOCAL_AMFLAGS = -I m4
+
+#
+# Unit tests for libguac_common
+#
+
+check_PROGRAMS = test_common
+TESTS = $(check_PROGRAMS)
+
+noinst_HEADERS =               \
+    iconv/convert-test-data.h
+
+test_common_SOURCES =          \
+    iconv/convert.c            \
+    iconv/convert-test-data.c  \
+    rect/clip_and_split.c      \
+    rect/constrain.c           \
+    rect/expand_to_grid.c      \
+    rect/extend.c              \
+    rect/init.c                \
+    rect/intersects.c          \
+    string/count_occurrences.c \
+    string/split.c
+
+test_common_CFLAGS =        \
+    -Werror -Wall -pedantic \
+    @COMMON_INCLUDE@
+
+test_common_LDADD =  \
+    @COMMON_LTLIB@   \
+    @CUNIT_LIBS@
+
+#
+# Autogenerate test runner
+#
+
+GEN_RUNNER = $(top_srcdir)/util/generate-test-runner.pl
+CLEANFILES = _generated_runner.c
+
+_generated_runner.c: $(test_common_SOURCES)
+	$(AM_V_GEN) $(GEN_RUNNER) $(test_common_SOURCES) > $@
+
+nodist_test_common_SOURCES = \
+    _generated_runner.c
+
+# Use automake's TAP test driver for running any tests
+LOG_DRIVER =                \
+    env AM_TAP_AWK='$(AWK)' \
+    $(SHELL) $(top_srcdir)/build-aux/tap-driver.sh
+
--- a/src/common/tests/iconv/convert-test-data.c
+++ b/src/common/tests/iconv/convert-test-data.c
@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/iconv.h"
+#include "convert-test-data.h"
+
+encoding_test_parameters test_params[NUM_SUPPORTED_ENCODINGS] = {
+
+    /*
+     * UTF-8
+     */
+
+    {
+        "UTF-8",
+        GUAC_READ_UTF8,  GUAC_READ_UTF8_NORMALIZED,
+        GUAC_WRITE_UTF8, GUAC_WRITE_UTF8_CRLF,
+        .test_mixed = TEST_STRING(
+            "pap\xC3\xA0 \xC3\xA8 bello\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\r\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\r\n"
+            "pap\xC3\xA0 \xC3\xA8 bello"
+        ),
+        .test_unix = TEST_STRING(
+            "pap\xC3\xA0 \xC3\xA8 bello\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\n"
+            "pap\xC3\xA0 \xC3\xA8 bello"
+        ),
+        .test_windows = TEST_STRING(
+            "pap\xC3\xA0 \xC3\xA8 bello\r\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\r\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\r\n"
+            "pap\xC3\xA0 \xC3\xA8 bello\r\n"
+            "pap\xC3\xA0 \xC3\xA8 bello"
+        )
+    },
+
+    /*
+     * UTF-16
+     */
+
+    {
+        "UTF-16",
+        GUAC_READ_UTF16,  GUAC_READ_UTF16_NORMALIZED,
+        GUAC_WRITE_UTF16, GUAC_WRITE_UTF16_CRLF,
+        .test_mixed = TEST_STRING(
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\r\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\r\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00"
+            "\x00"
+        ),
+        .test_unix = TEST_STRING(
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00"
+            "\x00"
+        ),
+        .test_windows = TEST_STRING(
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\r\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\r\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\r\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00" "\r\x00" "\n\x00"
+            "p\x00" "a\x00" "p\x00" "\xE0\x00" " \x00" "\xE8\x00" " \x00" "b\x00" "e\x00" "l\x00" "l\x00" "o\x00"
+            "\x00"
+        )
+    },
+
+    /*
+     * ISO 8859-1
+     */
+
+    {
+        "ISO 8859-1",
+        GUAC_READ_ISO8859_1,  GUAC_READ_ISO8859_1_NORMALIZED,
+        GUAC_WRITE_ISO8859_1, GUAC_WRITE_ISO8859_1_CRLF,
+        .test_mixed = TEST_STRING(
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello"
+        ),
+        .test_unix = TEST_STRING(
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello"
+        ),
+        .test_windows = TEST_STRING(
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello"
+        )
+    },
+
+    /*
+     * CP-1252
+     */
+
+    {
+        "CP-1252",
+        GUAC_READ_CP1252,  GUAC_READ_CP1252_NORMALIZED,
+        GUAC_WRITE_CP1252, GUAC_WRITE_CP1252_CRLF,
+        .test_mixed = TEST_STRING(
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello"
+        ),
+        .test_unix = TEST_STRING(
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello\n"
+            "pap\xE0 \xE8 bello"
+        ),
+        .test_windows = TEST_STRING(
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello\r\n"
+            "pap\xE0 \xE8 bello"
+        )
+    }
+
+};
+
--- a/src/common/tests/iconv/convert-test-data.h
+++ b/src/common/tests/iconv/convert-test-data.h
@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/iconv.h"
+
+/**
+ * Representation of test string data and its length in bytes.
+ */
+typedef struct test_string {
+
+    /**
+     * The raw content of the test string.
+     */
+    unsigned char* buffer;
+
+    /**
+     * The number of bytes within the test string, including null terminator.
+     */
+    int size;
+
+} test_string;
+
+/**
+ * Convenience macro which statically-initializes a test_string with the given
+ * string value, automatically calculating its size in bytes.
+ *
+ * @param value
+ *     The string value.
+ */
+#define TEST_STRING(value) {            \
+    .buffer = (unsigned char*) (value), \
+    .size = sizeof(value)               \
+}
+
+/**
+ * The parameters applicable to a unit test for a particular encoding supported
+ * by guac_iconv().
+ */
+typedef struct encoding_test_parameters {
+
+    /**
+     * The human-readable name of this encoding. This will be logged to the
+     * test suite log to assist with debugging test failures.
+     */
+    const char* name;
+
+    /**
+     * Reader function which reads using this encoding and does not perform any
+     * transformation on newline characters.
+     */
+    guac_iconv_read* reader;
+
+    /**
+     * Reader function which reads using this encoding and automatically
+     * normalizes newline sequences to Unix-style newline characters.
+     */
+    guac_iconv_read* reader_normalized;
+
+    /**
+     * Writer function which writes using this encoding and does not perform
+     * any transformation on newline characters.
+     */
+    guac_iconv_write* writer;
+
+    /**
+     * Writer function which writes using this encoding, but writes newline
+     * characters as CRLF sequences.
+     */
+    guac_iconv_write* writer_crlf;
+
+    /**
+     * A test string having both Windows- and Unix-style line endings. Except
+     * for the line endings, the characters represented within this test string
+     * must be identical to all other test strings.
+     */
+    test_string test_mixed;
+
+    /**
+     * A test string having only Unix-style line endings. Except for the line
+     * endings, the characters represented within this test string must be
+     * identical to all other test strings.
+     */
+    test_string test_unix;
+
+    /**
+     * A test string having only Windows-style line endings. Except for the
+     * line endings, the characters represented within this test string must be
+     * identical to all other test strings.
+     */
+    test_string test_windows;
+
+} encoding_test_parameters;
+
+/**
+ * The total number of encodings supported by guac_iconv().
+ */
+#define NUM_SUPPORTED_ENCODINGS 4
+
+/**
+ * Test parameters for each supported encoding. The test strings included each
+ * consist of five repeated lines of "papà è bello", omitting the line ending
+ * of the final line.
+ */
+extern encoding_test_parameters test_params[NUM_SUPPORTED_ENCODINGS];
+
--- a/src/common/tests/iconv/convert.c
+++ b/src/common/tests/iconv/convert.c
@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/iconv.h"
+#include "convert-test-data.h"
+
+#include <CUnit/CUnit.h>
+#include <stdio.h>
+
+/**
+ * Tests that conversion between character sets using the given guac_iconv_read
+ * and guac_iconv_write implementations matches expectations.
+ *
+ * @param reader
+ *     The guac_iconv_read implementation to use to read the input string.
+ *
+ * @param in_string
+ *     A pointer to the test_string structure describing the input string being
+ *     tested.
+ *
+ * @param writer
+ *     The guac_iconv_write implementation to use to write the output string
+ *     (the converted input string).
+ *
+ * @param out_string
+ *     A pointer to the test_string structure describing the expected result of
+ *     the conversion.
+ */
+static void verify_conversion(
+        guac_iconv_read* reader,  test_string* in_string,
+        guac_iconv_write* writer, test_string* out_string) {
+
+    char output[4096];
+    char input[4096];
+
+    const char* current_input = input;
+    char* current_output = output;
+
+    memcpy(input, in_string->buffer, in_string->size);
+    guac_iconv(reader, &current_input,  sizeof(input),
+               writer, &current_output, sizeof(output));
+
+    /* Verify output length */
+    CU_ASSERT_EQUAL(out_string->size, current_output - output);
+
+    /* Verify entire input read */
+    CU_ASSERT_EQUAL(in_string->size, current_input - input);
+
+    /* Verify output content */
+    CU_ASSERT_EQUAL(0, memcmp(output, out_string->buffer, out_string->size));
+
+}
+
+/**
+ * Test which verifies that every supported encoding can be correctly converted
+ * to every other supported encoding, with all line endings preserved verbatim
+ * (not normalized).
+ */
+void test_iconv__preserve() {
+    for (int i = 0; i < NUM_SUPPORTED_ENCODINGS; i++) {
+        for (int j = 0; j < NUM_SUPPORTED_ENCODINGS; j++) {
+
+            encoding_test_parameters* from = &test_params[i];
+            encoding_test_parameters* to = &test_params[j];
+
+            printf("# \"%s\" -> \"%s\" ...\n", from->name, to->name);
+            verify_conversion(from->reader, &from->test_mixed,
+                    to->writer, &to->test_mixed);
+
+        }
+    }
+}
+
+/**
+ * Test which verifies that every supported encoding can be correctly converted
+ * to every other supported encoding, normalizing all line endings to
+ * Unix-style line endings.
+ */
+void test_iconv__normalize_unix() {
+    for (int i = 0; i < NUM_SUPPORTED_ENCODINGS; i++) {
+        for (int j = 0; j < NUM_SUPPORTED_ENCODINGS; j++) {
+
+            encoding_test_parameters* from = &test_params[i];
+            encoding_test_parameters* to = &test_params[j];
+
+            printf("# \"%s\" -> \"%s\" ...\n", from->name, to->name);
+            verify_conversion(from->reader_normalized, &from->test_mixed,
+                    to->writer, &to->test_unix);
+
+        }
+    }
+}
+
+/**
+ * Test which verifies that every supported encoding can be correctly converted
+ * to every other supported encoding, normalizing all line endings to
+ * Windows-style line endings.
+ */
+void test_iconv__normalize_crlf() {
+    for (int i = 0; i < NUM_SUPPORTED_ENCODINGS; i++) {
+        for (int j = 0; j < NUM_SUPPORTED_ENCODINGS; j++) {
+
+            encoding_test_parameters* from = &test_params[i];
+            encoding_test_parameters* to = &test_params[j];
+
+            printf("# \"%s\" -> \"%s\" ...\n", from->name, to->name);
+            verify_conversion(from->reader_normalized, &from->test_mixed,
+                    to->writer_crlf, &to->test_windows);
+
+        }
+    }
+}
+
--- a/src/common/tests/rect/clip_and_split.c
+++ b/src/common/tests/rect/clip_and_split.c
@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/rect.h"
+
+#include <CUnit/CUnit.h>
+
+/**
+ * Test which verifies that guac_common_rect_clip_and_split() divides a
+ * rectangle into subrectangles after removing a "hole" rectangle.
+ */
+void test_rect__clip_and_split() {
+
+    int res;
+
+    guac_common_rect cut;
+    guac_common_rect min;
+    guac_common_rect rect;
+
+    guac_common_rect_init(&min, 10, 10, 10, 10);
+
+    /* Clip top */
+    guac_common_rect_init(&rect, 10, 5, 10, 10);
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(10, cut.x);
+    CU_ASSERT_EQUAL(5, cut.y);
+    CU_ASSERT_EQUAL(10, cut.width);
+    CU_ASSERT_EQUAL(5, cut.height);
+
+    CU_ASSERT_EQUAL(10, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(10, rect.width);
+    CU_ASSERT_EQUAL(5, rect.height);
+
+    /* Clip bottom */
+    guac_common_rect_init(&rect, 10, 15, 10, 10);
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(10, cut.x);
+    CU_ASSERT_EQUAL(20, cut.y);
+    CU_ASSERT_EQUAL(10, cut.width);
+    CU_ASSERT_EQUAL(5, cut.height);
+
+    CU_ASSERT_EQUAL(10, rect.x);
+    CU_ASSERT_EQUAL(15, rect.y);
+    CU_ASSERT_EQUAL(10, rect.width);
+    CU_ASSERT_EQUAL(5, rect.height);
+
+    /* Clip left */
+    guac_common_rect_init(&rect, 5, 10, 10, 10);
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(5, cut.x);
+    CU_ASSERT_EQUAL(10, cut.y);
+    CU_ASSERT_EQUAL(5, cut.width);
+    CU_ASSERT_EQUAL(10, cut.height);
+
+    CU_ASSERT_EQUAL(10, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(5, rect.width);
+    CU_ASSERT_EQUAL(10, rect.height);
+
+    /* Clip right */
+    guac_common_rect_init(&rect, 15, 10, 10, 10);
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(20, cut.x);
+    CU_ASSERT_EQUAL(10, cut.y);
+    CU_ASSERT_EQUAL(5, cut.width);
+    CU_ASSERT_EQUAL(10, cut.height);
+
+    CU_ASSERT_EQUAL(15, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(5, rect.width);
+    CU_ASSERT_EQUAL(10, rect.height);
+
+    /*
+     * Test a rectangle which completely covers the hole.
+     * Clip and split until done.
+     */
+    guac_common_rect_init(&rect, 5, 5, 20, 20);
+
+    /* Clip top */
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(5, cut.x);
+    CU_ASSERT_EQUAL(5, cut.y);
+    CU_ASSERT_EQUAL(20, cut.width);
+    CU_ASSERT_EQUAL(5, cut.height);
+
+    CU_ASSERT_EQUAL(5, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(20, rect.width);
+    CU_ASSERT_EQUAL(15, rect.height);
+
+    /* Clip left */
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(5, cut.x);
+    CU_ASSERT_EQUAL(10, cut.y);
+    CU_ASSERT_EQUAL(5, cut.width);
+    CU_ASSERT_EQUAL(15, cut.height);
+
+    CU_ASSERT_EQUAL(10, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(15, rect.width);
+    CU_ASSERT_EQUAL(15, rect.height);
+
+    /* Clip bottom */
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(1, res);
+    CU_ASSERT_EQUAL(10, cut.x);
+    CU_ASSERT_EQUAL(20, cut.y);
+    CU_ASSERT_EQUAL(15, cut.width);
+    CU_ASSERT_EQUAL(5, cut.height);
+
+    CU_ASSERT_EQUAL(10, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(15, rect.width);
+    CU_ASSERT_EQUAL(10, rect.height);
+
+    /* Clip right */
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(20, cut.x);
+    CU_ASSERT_EQUAL(10, cut.y);
+    CU_ASSERT_EQUAL(5, cut.width);
+    CU_ASSERT_EQUAL(10, cut.height);
+
+    CU_ASSERT_EQUAL(10, rect.x);
+    CU_ASSERT_EQUAL(10, rect.y);
+    CU_ASSERT_EQUAL(10, rect.width);
+    CU_ASSERT_EQUAL(10, rect.height);
+
+    /* Make sure nothing is left to do */
+    res = guac_common_rect_clip_and_split(&rect, &min, &cut);
+    CU_ASSERT_EQUAL(0, res);
+
+}
+
--- a/src/common/tests/rect/constrain.c
+++ b/src/common/tests/rect/constrain.c
@ -17,31 +17,27 @@
 * under the License.
 */

-#include "config.h"
+#include "common/rect.h"

-#include "client/client_suite.h"
-#include "common/common_suite.h"
-#include "protocol/suite.h"
-#include "util/util_suite.h"
+#include <CUnit/CUnit.h>

-#include <CUnit/Basic.h>
+/**
+ * Test which verifies that guac_common_rect_constrain() restricts a given
+ * rectangle to arbitrary bounds.
+ */
+void test_rect__constrain() {

-int main() {
+    guac_common_rect max;
+    guac_common_rect rect;

-    /* Init registry */
-    if (CU_initialize_registry() != CUE_SUCCESS)
-        return CU_get_error();
+    guac_common_rect_init(&rect, -10, -10, 110, 110);
+    guac_common_rect_init(&max, 0, 0, 100, 100);
+    guac_common_rect_constrain(&rect, &max);

-    /* Register suites */
-    register_protocol_suite();
-    register_client_suite();
-    register_util_suite();
-
-    /* Run tests */
-    CU_basic_set_mode(CU_BRM_VERBOSE);
-    CU_basic_run_tests();
-    CU_cleanup_registry();
-    return CU_get_error();
+    CU_ASSERT_EQUAL(0, rect.x);
+    CU_ASSERT_EQUAL(0, rect.y);
+    CU_ASSERT_EQUAL(100, rect.width);
+    CU_ASSERT_EQUAL(100, rect.height);

 }

--- a/src/common/tests/rect/expand_to_grid.c
+++ b/src/common/tests/rect/expand_to_grid.c
@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/rect.h"
+
+#include <CUnit/CUnit.h>
+
+/**
+ * Test which verifies guac_common_rect_expand_to_grid() properly shifts and
+ * resizes rectangles to fit an NxN grid.
+ */
+void test_rect__expand_to_grid() {
+
+    int cell_size = 16;
+
+    guac_common_rect max;
+    guac_common_rect rect;
+
+    /* Simple adjustment */
+    guac_common_rect_init(&rect, 0, 0, 25, 25);
+    guac_common_rect_init(&max, 0, 0, 100, 100);
+    guac_common_rect_expand_to_grid(cell_size, &rect, &max);
+    CU_ASSERT_EQUAL(0, rect.x);
+    CU_ASSERT_EQUAL(0, rect.y);
+    CU_ASSERT_EQUAL(32, rect.width);
+    CU_ASSERT_EQUAL(32, rect.height);
+
+    /* Adjustment with moving of rect */
+    guac_common_rect_init(&rect, 75, 75, 25, 25);
+    guac_common_rect_init(&max, 0, 0, 100, 100);
+    guac_common_rect_expand_to_grid(cell_size, &rect, &max);
+    CU_ASSERT_EQUAL(max.width - 32, rect.x);
+    CU_ASSERT_EQUAL(max.height - 32, rect.y);
+    CU_ASSERT_EQUAL(32, rect.width);
+    CU_ASSERT_EQUAL(32, rect.height);
+
+    guac_common_rect_init(&rect, -5, -5, 25, 25);
+    guac_common_rect_init(&max, 0, 0, 100, 100);
+    guac_common_rect_expand_to_grid(cell_size, &rect, &max);
+    CU_ASSERT_EQUAL(0, rect.x);
+    CU_ASSERT_EQUAL(0, rect.y);
+    CU_ASSERT_EQUAL(32, rect.width);
+    CU_ASSERT_EQUAL(32, rect.height);
+
+    /* Adjustment with moving and clamping of rect */
+    guac_common_rect_init(&rect, 0, 0, 25, 15);
+    guac_common_rect_init(&max, 0, 5, 32, 15);
+    guac_common_rect_expand_to_grid(cell_size, &rect, &max);
+    CU_ASSERT_EQUAL(max.x, rect.x);
+    CU_ASSERT_EQUAL(max.y, rect.y);
+    CU_ASSERT_EQUAL(max.width, rect.width);
+    CU_ASSERT_EQUAL(max.height, rect.height);
+
+}
+
--- a/src/common/tests/rect/extend.c
+++ b/src/common/tests/rect/extend.c
@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/rect.h"
+
+#include <CUnit/CUnit.h>
+
+/**
+ * Test which verifies that guac_common_rect_extend() expands the given
+ * rectangle as necessary to contain at least the given bounds.
+ */
+void test_rect__extend() {
+
+    guac_common_rect max;
+    guac_common_rect rect;
+
+    guac_common_rect_init(&rect, 10, 10, 90, 90);
+    guac_common_rect_init(&max, 0, 0, 100, 100);
+    guac_common_rect_extend(&rect, &max);
+    CU_ASSERT_EQUAL(0, rect.x);
+    CU_ASSERT_EQUAL(0, rect.y);
+    CU_ASSERT_EQUAL(100, rect.width);
+    CU_ASSERT_EQUAL(100, rect.height);
+
+}
+
--- a/src/common/tests/rect/init.c
+++ b/src/common/tests/rect/init.c
@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/rect.h"
+
+#include <CUnit/CUnit.h>
+
+/**
+ * Test which verifies rectangle initialization via guac_common_rect_init().
+ */
+void test_rect__init() {
+
+    guac_common_rect max;
+
+    guac_common_rect_init(&max, 0, 0, 100, 100);
+
+    CU_ASSERT_EQUAL(0, max.x);
+    CU_ASSERT_EQUAL(0, max.y);
+    CU_ASSERT_EQUAL(100, max.width);
+    CU_ASSERT_EQUAL(100, max.height);
+
+}
+
--- a/src/common/tests/rect/intersects.c
+++ b/src/common/tests/rect/intersects.c
@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/rect.h"
+
+#include <CUnit/CUnit.h>
+
+/**
+ * Test which verifies intersection testing via guac_common_rect_intersects().
+ */
+void test_rect__intersects() {
+
+    int res;
+
+    guac_common_rect min;
+    guac_common_rect rect;
+
+    guac_common_rect_init(&min, 10, 10, 10, 10);
+
+    /* Rectangle intersection - empty
+     * rectangle is outside */
+    guac_common_rect_init(&rect, 25, 25, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(0, res);
+
+    /* Rectangle intersection - complete
+     * rectangle is completely inside */
+    guac_common_rect_init(&rect, 11, 11, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(2, res);
+
+    /* Rectangle intersection - partial
+     * rectangle intersects UL */
+    guac_common_rect_init(&rect, 8, 8, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(1, res);
+
+    /* Rectangle intersection - partial
+     * rectangle intersects LR */
+    guac_common_rect_init(&rect, 18, 18, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(1, res);
+
+    /* Rectangle intersection - complete
+     * rect intersects along UL but inside */
+    guac_common_rect_init(&rect, 10, 10, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(2, res);
+
+    /* Rectangle intersection - partial
+     * rectangle intersects along L but outside */
+    guac_common_rect_init(&rect, 5, 10, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(1, res);
+
+    /* Rectangle intersection - complete
+     * rectangle intersects along LR but rest is inside */
+    guac_common_rect_init(&rect, 15, 15, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(2, res);
+
+    /* Rectangle intersection - partial
+     * rectangle intersects along R but rest is outside */
+    guac_common_rect_init(&rect, 20, 10, 5, 5);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(1, res);
+
+    /* Rectangle intersection - partial
+     * rectangle encloses min; which is a partial intersection */
+    guac_common_rect_init(&rect, 5, 5, 20, 20);
+    res = guac_common_rect_intersects(&rect, &min);
+    CU_ASSERT_EQUAL(1, res);
+
+}
+
--- a/src/common/tests/string/count_occurrences.c
+++ b/src/common/tests/string/count_occurrences.c
@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "common/string.h"
+
+#include <CUnit/CUnit.h>
+
+/**
+ * Test which verifies that guac_count_occurrences() counts the number of
+ * occurrences of an arbitrary character within a given string.
+ */
+void test_string__guac_count_occurrences() {
+    CU_ASSERT_EQUAL(4, guac_count_occurrences("this is a test string", 's'));
+    CU_ASSERT_EQUAL(3, guac_count_occurrences("this is a test string", 'i'));
+    CU_ASSERT_EQUAL(0, guac_count_occurrences("", 's'));
+}
+
--- a/src/common/tests/string/split.c
+++ b/src/common/tests/string/split.c
@ -17,26 +17,20 @@
 * under the License.
 */

-#include "config.h"
+#include "common/string.h"

-#include "common_suite.h"
-#include "guac_string.h"
+#include <CUnit/CUnit.h>

 #include <stdlib.h>
-#include <CUnit/Basic.h>

-void test_guac_string() {
-
-    char** tokens;
-
-    /* Test occurrence counting */
-    CU_ASSERT_EQUAL(4, guac_count_occurrences("this is a test string", 's'));
-    CU_ASSERT_EQUAL(3, guac_count_occurrences("this is a test string", 'i'));
-    CU_ASSERT_EQUAL(0, guac_count_occurrences("", 's'));
+/**
+ * Test which verifies that guac_split() splits a string on occurrences of a
+ * given character.
+ */
+void test_string__split() {

    /* Split test string */
-    tokens = guac_split("this is a test string", ' ');
-
+    char** tokens = guac_split("this is a test string", ' ');
    CU_ASSERT_PTR_NOT_NULL(tokens);

    /* Check resulting tokens */
@ -57,7 +51,6 @@ void test_guac_string() {

    CU_ASSERT_PTR_NULL(tokens[5]);

-
    /* Clean up */
    free(tokens[0]);
    free(tokens[1]);
--- a/src/guacd-docker/README.md
+++ b/src/guacd-docker/README.md
@ -1,11 +1,11 @@
 What is guacd?
 ==============

-[guacd](https://github.com/apache/incubator/guacamole-server/) is the native
+[guacd](https://github.com/apache/guacamole-server/) is the native
 server-side proxy used by the [Apache Guacamole web
-application](http://guacamole.incubator.apache.org/).  If you wish to deploy
+application](http://guacamole.apache.org/).  If you wish to deploy
 Guacamole, or an application using the [Guacamole core
-APIs](http://guacamole.incubator.apache.org/api-documentation), you will need a
+APIs](http://guacamole.apache.org/api-documentation), you will need a
 copy of guacd running.

 How to use this image
--- a/src/guacd-docker/bin/build-all.sh
+++ b/src/guacd-docker/bin/build-all.sh
@ -0,0 +1,115 @@
+#!/bin/sh -e
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+##
+## @fn build-all.sh
+##
+## Builds the source of guacamole-server and its various core protocol library
+## dependencies.
+##
+
+# Pre-populate build control variables such that the custom build prefix is
+# used for C headers, locating libraries, etc.
+export CFLAGS="-I${PREFIX_DIR}/include"
+export LDFLAGS="-L${PREFIX_DIR}/lib"
+export PKG_CONFIG_PATH="${PREFIX_DIR}/lib/pkgconfig" 
+
+# Ensure thread stack size will be 8 MB (glibc's default on Linux) rather than
+# 128 KB (musl's default)
+export LDFLAGS="$LDFLAGS -Wl,-z,stack-size=8388608"
+
+##
+## Builds and installs the source at the given git repository, automatically
+## switching to the version of the source at the tag/commit that matches the
+## given pattern.
+##
+## @param URL
+##     The URL of the git repository that the source should be downloaded from.
+##
+## @param PATTERN
+##     The Perl-compatible regular expression that the tag must match. If no
+##     tag matches the regular expression, the pattern is assumed to be an
+##     exact reference to a commit, branch, etc. acceptable by git checkout.
+##
+## @param ...
+##     Any additional command-line options that should be provided to CMake or
+##     the configure script.
+##
+install_from_git() {
+
+    URL="$1"
+    PATTERN="$2"
+    shift 2
+
+    # Calculate top-level directory name of resulting repository from the
+    # provided URL
+    REPO_DIR="$(basename "$URL" .git)"
+
+    # Allow dependencies to be manually omitted with the tag/commit pattern "NO"
+    if [ "$PATTERN" = "NO" ]; then
+        echo "NOT building $REPO_DIR (explicitly skipped)"
+        return
+    fi
+
+    # Clone repository and change to top-level directory of source
+    cd /tmp
+    git clone "$URL"
+    cd $REPO_DIR/
+
+    # Locate tag/commit based on provided pattern
+    VERSION="$(git tag -l --sort=-v:refname | grep -Px -m1 "$PATTERN" \
+        || echo "$PATTERN")"
+
+    # Switch to desired version of source
+    echo "Building $REPO_DIR @ $VERSION ..."
+    git -c advice.detachedHead=false checkout "$VERSION"
+
+    # Configure build using CMake or GNU Autotools, whichever happens to be
+    # used by the library being built
+    if [ -e CMakeLists.txt ]; then
+        cmake -DCMAKE_INSTALL_PREFIX:PATH="$PREFIX_DIR" "$@" .
+    else
+        [ -e configure ] || autoreconf -fi
+        ./configure --prefix="$PREFIX_DIR" "$@"
+    fi
+
+    # Build and install
+    make && make install
+
+}
+
+#
+# Build and install core protocol library dependencies
+#
+
+install_from_git "https://github.com/FreeRDP/FreeRDP" "$WITH_FREERDP" $FREERDP_OPTS
+install_from_git "https://github.com/libssh2/libssh2" "$WITH_LIBSSH2" $LIBSSH2_OPTS
+install_from_git "https://github.com/seanmiddleditch/libtelnet" "$WITH_LIBTELNET" $LIBTELNET_OPTS
+install_from_git "https://github.com/LibVNC/libvncserver" "$WITH_LIBVNCCLIENT" $LIBVNCCLIENT_OPTS
+install_from_git "https://libwebsockets.org/repo/libwebsockets" "$WITH_LIBWEBSOCKETS" $LIBWEBSOCKETS_OPTS
+
+#
+# Build guacamole-server
+#
+
+cd "$BUILD_DIR"
+autoreconf -fi && ./configure --prefix="$PREFIX_DIR" $GUACAMOLE_SERVER_OPTS
+make && make install
+
--- a/src/guacd-docker/bin/build-guacd.sh
+++ b/src/guacd-docker/bin/build-guacd.sh
@ -1,62 +0,0 @@
-#!/bin/sh -e
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-##
-## @fn build-guacd.sh
-##
-## Builds the source of guacamole-server, automatically creating any required
-## symbolic links for the proper loading of FreeRDP plugins.
-##
-## @param BUILD_DIR
-##     The directory which currently contains the guacamole-server source and
-##     in which the build should be performed.
-##
-
-BUILD_DIR="$1"
-
-##
-## Locates the directory in which the FreeRDP libraries (.so files) are
-## located, printing the result to STDOUT.
-##
-where_is_freerdp() {
-    dirname `rpm -ql freerdp-libs | grep 'libfreerdp.*\.so' | head -n1`
-}
-
-#
-# Build guacamole-server
-#
-
-cd "$BUILD_DIR"
-autoreconf -fi
-./configure
-make
-make install
-ldconfig
-
-#
-# Add FreeRDP plugins to proper path
-#
-
-FREERDP_DIR=`where_is_freerdp`
-FREERDP_PLUGIN_DIR="$FREERDP_DIR/freerdp"
-
-mkdir -p "$FREERDP_PLUGIN_DIR"
-ln -s /usr/local/lib/freerdp/*.so "$FREERDP_PLUGIN_DIR"
-
--- a/src/guacd-docker/bin/list-dependencies.sh
+++ b/src/guacd-docker/bin/list-dependencies.sh
@ -0,0 +1,51 @@
+#!/bin/sh -e
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+##
+## @fn list-dependencies.sh
+##
+## Lists the Alpine Linux package names for all library dependencies of the
+## given binaries. Each package is only listed once, even if multiple binaries
+## provided by the same package are given.
+##
+## @param ...
+##     The full paths to all binaries being checked.
+##
+
+while [ -n "$1" ]; do
+
+    # For all non-Guacamole library dependencies
+    ldd "$1" | grep -v 'libguac' | awk '/=>/{print $(NF-1)}' \
+        | while read LIBRARY; do
+
+        # List the package providing that library, if any
+        apk info -W "$LIBRARY" 2> /dev/null \
+            | grep 'is owned by' | grep -o '[^ ]*$' || true
+
+    done
+
+    # Next binary
+    shift
+
+# Strip the "-VERSION" suffix from each package name, listing each resulting
+# package uniquely ("apk add" cannot handle package names that include the
+# version number)
+done | sed 's/\(.*\)-[0-9]\+\..*$/\1/' | sort -u
+
--- a/src/guacd/.gitignore
+++ b/src/guacd/.gitignore
@ -2,42 +2,14 @@
 # Compiled init script
 init.d/guacd

+# Compiled systemd unit
+systemd/guacd.service
+
 # Compiled proxy
 guacd
 guacd.exe

-# Object code
-*.o
-*.so
-*.lo
-*.la
-
-# Backup files
-*~
-
-# Release files
-*.tar.gz
-
-# Files currently being edited by vim or vi
-*.swp
-
-# automake/autoconf
-.deps/
-.libs/
-Makefile
-Makefile.in
-aclocal.m4
-autom4te.cache/
-m4/
-config.guess
-config.log
-config.status
-config.sub
-configure
-depcomp
-install-sh
-libtool
-ltmain.sh
-missing
-
+# Documentation (built from .in files)
+man/guacd.8
+man/guacd.conf.5

--- a/src/guacd/Makefile.am
+++ b/src/guacd/Makefile.am
@ -16,6 +16,12 @@
 # specific language governing permissions and limitations
 # under the License.
 #
+# NOTE: Parts of this file (Makefile.am) are automatically transcluded verbatim
+# into Makefile.in. Though the build system (GNU Autotools) automatically adds
+# its own license boilerplate to the generated Makefile.in, that boilerplate
+# does not apply to the transcluded portions of Makefile.am which are licensed
+# to you by the ASF under the Apache License, Version 2.0, as described above.
+#

 AUTOMAKE_OPTIONS = foreign 

@ -26,6 +32,7 @@ man_MANS =           \
    man/guacd.conf.5

 noinst_HEADERS =  \
+    conf.h        \
    conf-args.h   \
    conf-file.h   \
    conf-parse.h  \
@ -33,8 +40,7 @@ noinst_HEADERS =  \
    log.h         \
    move-fd.h     \
    proc.h        \
-    proc-map.h    \
-    user.h
+    proc-map.h

 guacd_SOURCES =  \
    conf-args.c  \
@ -45,34 +51,28 @@ guacd_SOURCES =  \
    log.c        \
    move-fd.c    \
    proc.c       \
-    proc-map.c   \
-    user.c
+    proc-map.c

 guacd_CFLAGS =              \
    -Werror -Wall -pedantic \
    @COMMON_INCLUDE@        \
    @LIBGUAC_INCLUDE@

-guacd_LDADD =       \
-    @COMMON_LTLIB@  \
+guacd_LDADD =        \
+    @COMMON_LTLIB@   \
    @LIBGUAC_LTLIB@

 guacd_LDFLAGS =    \
    @PTHREAD_LIBS@ \
    @SSL_LIBS@

-EXTRA_DIST =         \
-    init.d/guacd.in  \
-    man/guacd.8      \
-    man/guacd.conf.5
+EXTRA_DIST =            \
+    init.d/guacd.in          \
+    systemd/guacd.service.in \
+    man/guacd.8.in           \
+    man/guacd.conf.5.in

-CLEANFILES = $(init_SCRIPTS)
-
-# SSL support
-if ENABLE_SSL
-noinst_HEADERS += socket-ssl.h
-guacd_SOURCES  += socket-ssl.c
-endif
+CLEANFILES = $(init_SCRIPTS) $(systemd_UNITS)

 # Init script
 if ENABLE_INIT
@ -84,3 +84,12 @@ init.d/guacd: init.d/guacd.in
 	chmod +x init.d/guacd
 endif

+# Systemd service
+if ENABLE_SYSTEMD
+systemddir = @systemd_dir@
+systemd_DATA = systemd/guacd.service
+
+systemd/guacd.service: systemd/guacd.service.in
+	sed -e 's,[@]sbindir[@],$(sbindir),g' < systemd/guacd.service.in > systemd/guacd.service
+endif
+
--- a/src/guacd/conf-args.c
+++ b/src/guacd/conf-args.c
@ -19,8 +19,8 @@

 #include "config.h"

+#include "conf.h"
 #include "conf-args.h"
-#include "conf-file.h"
 #include "conf-parse.h"

 #include <getopt.h>
@ -32,7 +32,7 @@ int guacd_conf_parse_args(guacd_config* config, int argc, char** argv) {

    /* Parse arguments */
    int opt;
-    while ((opt = getopt(argc, argv, "l:b:p:L:C:K:f")) != -1) {
+    while ((opt = getopt(argc, argv, "l:b:p:L:C:K:fv")) != -1) {

        /* -l: Bind port */
        if (opt == 'l') {
@ -51,6 +51,11 @@ int guacd_conf_parse_args(guacd_config* config, int argc, char** argv) {
            config->foreground = 1;
        }

+        /* -v: Print version and exit */
+        else if (opt == 'v') {
+            config->print_version = 1;
+        }
+
        /* -p: PID file */
        else if (opt == 'p') {
            free(config->pidfile);
@ -63,7 +68,7 @@ int guacd_conf_parse_args(guacd_config* config, int argc, char** argv) {
            /* Validate and parse log level */
            int level = guacd_parse_log_level(optarg);
            if (level == -1) {
-                fprintf(stderr, "Invalid log level. Valid levels are: \"debug\", \"info\", \"warning\", and \"error\".\n");
+                fprintf(stderr, "Invalid log level. Valid levels are: \"trace\", \"debug\", \"info\", \"warning\", and \"error\".\n");
                return 1;
            }

@ -105,7 +110,8 @@ int guacd_conf_parse_args(guacd_config* config, int argc, char** argv) {
                    " [-C CERTIFICATE_FILE]"
                    " [-K PEM_FILE]"
 #endif
-                    " [-f]\n", argv[0]);
+                    " [-f]"
+                    " [-v]\n", argv[0]);

            return 1;
        }
--- a/src/guacd/conf-args.h
+++ b/src/guacd/conf-args.h
@ -22,7 +22,7 @@

 #include "config.h"

-#include "conf-file.h"
+#include "conf.h"

 /**
 * Parses the given arguments into the given configuration. Zero is returned on
--- a/src/guacd/conf-file.c
+++ b/src/guacd/conf-file.c
@ -19,6 +19,7 @@

 #include "config.h"

+#include "conf.h"
 #include "conf-file.h"
 #include "conf-parse.h"

@ -78,7 +79,7 @@ static int guacd_conf_callback(const char* section, const char* param, const cha

            /* Invalid log level */
            if (level < 0) {
-                guacd_conf_parse_error = "Invalid log level. Valid levels are: \"debug\", \"info\", \"warning\", and \"error\".";
+                guacd_conf_parse_error = "Invalid log level. Valid levels are: \"trace\", \"debug\", \"info\", \"warning\", and \"error\".";
                return 1;
            }

@ -175,10 +176,11 @@ guacd_config* guacd_conf_load() {
        return NULL;

    /* Load defaults */
-    conf->bind_host = NULL;
-    conf->bind_port = strdup("4822");
+    conf->bind_host = strdup(GUACD_DEFAULT_BIND_HOST);
+    conf->bind_port = strdup(GUACD_DEFAULT_BIND_PORT);
    conf->pidfile = NULL;
    conf->foreground = 0;
+    conf->print_version = 0;
    conf->max_log_level = GUAC_LOG_INFO;

 #ifdef ENABLE_SSL
@ -195,6 +197,7 @@ guacd_config* guacd_conf_load() {

        if (retval != 0) {
            fprintf(stderr, "Unable to parse \"" GUACD_CONF_FILE "\".\n");
+            free(conf);
            return NULL;
        }

@ -203,6 +206,7 @@ guacd_config* guacd_conf_load() {
    /* Notify of errors preventing reading */
    else if (errno != ENOENT) {
        fprintf(stderr, "Unable to open \"" GUACD_CONF_FILE "\": %s\n", strerror(errno));
+        free(conf);
        return NULL;
    }

--- a/src/guacd/conf-file.h
+++ b/src/guacd/conf-file.h
@ -22,51 +22,7 @@

 #include "config.h"

-#include <guacamole/client.h>
-
-/**
- * The contents of a guacd configuration file.
- */
-typedef struct guacd_config {
-
-    /**
-     * The host to bind on.
-     */
-    char* bind_host;
-
-    /**
-     * The port to bind on.
-     */
-    char* bind_port;
-
-    /**
-     * The file to write the PID in, if any.
-     */
-    char* pidfile;
-
-    /**
-     * Whether guacd should run in the foreground.
-     */
-    int foreground;
-
-#ifdef ENABLE_SSL
-    /**
-     * SSL certificate file.
-     */
-    char* cert_file;
-
-    /**
-     * SSL private key file.
-     */
-    char* key_file;
-#endif
-
-    /**
-     * The maximum log level to be logged by guacd.
-     */
-    guac_client_log_level max_log_level;
-
-} guacd_config;
+#include "conf.h"

 /**
 * Reads the given file descriptor, parsing its contents into the guacd_config.
--- a/src/guacd/conf-parse.c
+++ b/src/guacd/conf-parse.c
@ -19,6 +19,7 @@

 #include "config.h"

+#include "conf.h"
 #include "conf-parse.h"

 #include <guacamole/client.h>
@ -527,6 +528,7 @@ int guacd_parse_log_level(const char* name) {
    if (strcmp(name, "error")   == 0) return GUAC_LOG_ERROR;
    if (strcmp(name, "warning") == 0) return GUAC_LOG_WARNING;
    if (strcmp(name, "debug")   == 0) return GUAC_LOG_DEBUG;
+    if (strcmp(name, "trace")   == 0) return GUAC_LOG_TRACE;

    /* No such log level */
    return -1;
--- a/src/guacd/conf.h
+++ b/src/guacd/conf.h
@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#ifndef GUACD_CONF_H
+#define GUACD_CONF_H
+
+#include "config.h"
+
+#include <guacamole/client.h>
+
+/**
+ * The default host that guacd should bind to, if no other host is explicitly
+ * specified.
+ */
+#define GUACD_DEFAULT_BIND_HOST "localhost"
+
+/**
+ * The default port that guacd should bind to, if no other port is explicitly
+ * specified.
+ */
+#define GUACD_DEFAULT_BIND_PORT "4822"
+
+/**
+ * The contents of a guacd configuration file.
+ */
+typedef struct guacd_config {
+
+    /**
+     * The host to bind on.
+     */
+    char* bind_host;
+
+    /**
+     * The port to bind on.
+     */
+    char* bind_port;
+
+    /**
+     * The file to write the PID in, if any.
+     */
+    char* pidfile;
+
+    /**
+     * Whether guacd should run in the foreground.
+     */
+    int foreground;
+
+    /**
+     * Whether guacd should simply print its version information and exit.
+     */
+    int print_version;
+
+#ifdef ENABLE_SSL
+    /**
+     * SSL certificate file.
+     */
+    char* cert_file;
+
+    /**
+     * SSL private key file.
+     */
+    char* key_file;
+#endif
+
+    /**
+     * The maximum log level to be logged by guacd.
+     */
+    guac_client_log_level max_log_level;
+
+} guacd_config;
+
+#endif
+
--- a/src/guacd/connection.c
+++ b/src/guacd/connection.c
@ -24,7 +24,6 @@
 #include "move-fd.h"
 #include "proc.h"
 #include "proc-map.h"
-#include "user.h"

 #include <guacamole/client.h>
 #include <guacamole/error.h>
@ -36,7 +35,7 @@

 #ifdef ENABLE_SSL
 #include <openssl/ssl.h>
-#include "socket-ssl.h"
+#include <guacamole/socket-ssl.h>
 #endif

 #include <errno.h>
@ -279,10 +278,13 @@ static int guacd_route_connection(guacd_proc_map* map, guac_socket* socket) {
        proc = guacd_proc_map_retrieve(map, identifier);
        new_process = 0;

-        /* Warn if requested connection does not exist */
-        if (proc == NULL)
-            guacd_log(GUAC_LOG_INFO, "Connection \"%s\" does not exist.",
-                    identifier);
+        /* Warn and ward off client if requested connection does not exist */
+        if (proc == NULL) {
+            guacd_log(GUAC_LOG_INFO, "Connection \"%s\" does not exist", identifier);
+            guac_protocol_send_error(socket, "No such connection.",
+                    GUAC_PROTOCOL_STATUS_RESOURCE_NOT_FOUND);
+        }
+
        else
            guacd_log(GUAC_LOG_INFO, "Joining existing connection \"%s\"",
                    identifier);
--- a/src/guacd/daemon.c
+++ b/src/guacd/daemon.c
@ -19,12 +19,12 @@

 #include "config.h"

-#include "connection.h"
+#include "conf.h"
 #include "conf-args.h"
 #include "conf-file.h"
+#include "connection.h"
 #include "log.h"
 #include "proc-map.h"
-#include "user.h"

 #ifdef ENABLE_SSL
 #include <openssl/ssl.h>
@ -152,6 +152,99 @@ static int daemonize() {

 }

+#ifdef ENABLE_SSL
+#ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS
+/**
+ * Array of mutexes, used by OpenSSL.
+ */
+static pthread_mutex_t* guacd_openssl_locks = NULL;
+
+/**
+ * Called by OpenSSL when locking or unlocking the Nth mutex.
+ *
+ * @param mode
+ *     A bitmask denoting the action to be taken on the Nth lock, such as
+ *     CRYPTO_LOCK or CRYPTO_UNLOCK.
+ *
+ * @param n
+ *     The index of the lock to lock or unlock.
+ *
+ * @param file
+ *     The filename of the function setting the lock, for debugging purposes.
+ *
+ * @param line
+ *     The line number of the function setting the lock, for debugging
+ *     purposes.
+ */
+static void guacd_openssl_locking_callback(int mode, int n,
+        const char* file, int line){
+
+    /* Lock given mutex upon request */
+    if (mode & CRYPTO_LOCK)
+        pthread_mutex_lock(&(guacd_openssl_locks[n]));
+
+    /* Unlock given mutex upon request */
+    else if (mode & CRYPTO_UNLOCK)
+        pthread_mutex_unlock(&(guacd_openssl_locks[n]));
+
+}
+
+/**
+ * Called by OpenSSL when determining the current thread ID.
+ *
+ * @return
+ *     An ID which uniquely identifies the current thread.
+ */
+static unsigned long guacd_openssl_id_callback() {
+    return (unsigned long) pthread_self();
+}
+
+/**
+ * Creates the given number of mutexes, such that OpenSSL will have at least
+ * this number of mutexes at its disposal.
+ *
+ * @param count
+ *     The number of mutexes (locks) to create.
+ */
+static void guacd_openssl_init_locks(int count) {
+
+    int i;
+
+    /* Allocate required number of locks */
+    guacd_openssl_locks =
+        malloc(sizeof(pthread_mutex_t) * count);
+
+    /* Initialize each lock */
+    for (i=0; i < count; i++)
+        pthread_mutex_init(&(guacd_openssl_locks[i]), NULL);
+
+}
+
+/**
+ * Frees the given number of mutexes.
+ *
+ * @param count
+ *     The number of mutexes (locks) to free.
+ */
+static void guacd_openssl_free_locks(int count) {
+
+    int i;
+
+    /* SSL lock array was not initialized */
+    if (guacd_openssl_locks == NULL)
+        return;
+
+    /* Free all locks */
+    for (i=0; i < count; i++)
+        pthread_mutex_destroy(&(guacd_openssl_locks[i]));
+
+    /* Free lock array */
+    free(guacd_openssl_locks);
+
+}
+#endif
+#endif
+
 int main(int argc, char* argv[]) {

    /* Server */
@ -187,6 +280,13 @@ int main(int argc, char* argv[]) {
    if (config == NULL || guacd_conf_parse_args(config, argc, argv))
       exit(EXIT_FAILURE);

+    /* If requested, simply print version and exit, without initializing the
+     * logging system, etc. */
+    if (config->print_version) {
+        printf("Guacamole proxy daemon (guacd) version " VERSION "\n");
+        exit(EXIT_SUCCESS);
+    }
+
    /* Init logging as early as possible */
    guacd_log_level = config->max_log_level;
    openlog(GUACD_LOG_NAME, LOG_PID, LOG_DAEMON);
@ -204,20 +304,6 @@ int main(int argc, char* argv[]) {

    }

-    /* Get socket */
-    socket_fd = socket(AF_INET, SOCK_STREAM, 0);
-    if (socket_fd < 0) {
-        guacd_log(GUAC_LOG_ERROR, "Error opening socket: %s", strerror(errno));
-        exit(EXIT_FAILURE);
-    }
-
-    /* Allow socket reuse */
-    if (setsockopt(socket_fd, SOL_SOCKET, SO_REUSEADDR,
-                (void*) &opt_on, sizeof(opt_on))) {
-        guacd_log(GUAC_LOG_WARNING, "Unable to set socket options for reuse: %s",
-                strerror(errno));
-    }
-
    /* Attempt binding of each address until success */
    current_address = addresses;
    while (current_address != NULL) {
@ -233,27 +319,47 @@ int main(int argc, char* argv[]) {
            guacd_log(GUAC_LOG_ERROR, "Unable to resolve host: %s",
                    gai_strerror(retval));

+        /* Get socket */
+        socket_fd = socket(current_address->ai_family, SOCK_STREAM, 0);
+        if (socket_fd < 0) {
+            guacd_log(GUAC_LOG_ERROR, "Error opening socket: %s", strerror(errno));
+
+            /* Unable to get a socket for the resolved address family, try next */
+            current_address = current_address->ai_next;
+            continue;
+        }
+
+        /* Allow socket reuse */
+        if (setsockopt(socket_fd, SOL_SOCKET, SO_REUSEADDR,
+                    (void*) &opt_on, sizeof(opt_on))) {
+            guacd_log(GUAC_LOG_WARNING, "Unable to set socket options for reuse: %s",
+                    strerror(errno));
+        }
+
        /* Attempt to bind socket to address */
        if (bind(socket_fd,
                    current_address->ai_addr,
                    current_address->ai_addrlen) == 0) {

-            guacd_log(GUAC_LOG_DEBUG, "Successfully bound socket to "
-                    "host %s, port %s", bound_address, bound_port);
+            guacd_log(GUAC_LOG_DEBUG, "Successfully bound "
+                    "%s socket to host %s, port %s",
+                    (current_address->ai_family == AF_INET) ? "AF_INET" : "AF_INET6",
+                    bound_address, bound_port);

            /* Done if successful bind */
            break;
-
        }

        /* Otherwise log information regarding bind failure */
-        else
-            guacd_log(GUAC_LOG_DEBUG, "Unable to bind socket to "
-                    "host %s, port %s: %s",
-                    bound_address, bound_port, strerror(errno));
+        close(socket_fd);
+        socket_fd = -1;
+        guacd_log(GUAC_LOG_DEBUG, "Unable to bind %s socket to "
+                "host %s, port %s: %s",
+                (current_address->ai_family == AF_INET) ? "AF_INET" : "AF_INET6",
+                bound_address, bound_port, strerror(errno));

+        /* Try next address */
        current_address = current_address->ai_next;
-
    }

    /* If unable to bind to anything, fail */
@ -266,11 +372,24 @@ int main(int argc, char* argv[]) {
    /* Init SSL if enabled */
    if (config->key_file != NULL || config->cert_file != NULL) {

-        /* Init SSL */
        guacd_log(GUAC_LOG_INFO, "Communication will require SSL/TLS.");
+
+#ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS
+        /* Init threadsafety in OpenSSL */
+        guacd_openssl_init_locks(CRYPTO_num_locks());
+        CRYPTO_set_id_callback(guacd_openssl_id_callback);
+        CRYPTO_set_locking_callback(guacd_openssl_locking_callback);
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+        /* Init OpenSSL for OpenSSL Versions < 1.1.0 */
        SSL_library_init();
        SSL_load_error_strings();
        ssl_context = SSL_CTX_new(SSLv23_server_method());
+#else
+        /* Set up OpenSSL for OpenSSL Versions >= 1.1.0 */
+        ssl_context = SSL_CTX_new(TLS_server_method());
+#endif

        /* Load key */
        if (config->key_file != NULL) {
@ -391,6 +510,15 @@ int main(int argc, char* argv[]) {
        return 3;
    }

+#ifdef ENABLE_SSL
+    if (ssl_context != NULL) {
+#ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS
+        guacd_openssl_free_locks(CRYPTO_num_locks());
+#endif
+        SSL_CTX_free(ssl_context);
+    }
+#endif
+
    return 0;

 }
--- a/src/guacd/log.c
+++ b/src/guacd/log.c
@ -72,6 +72,12 @@ void vguacd_log(guac_client_log_level level, const char* format,
            priority_name = "DEBUG";
            break;

+        /* Trace log level */
+        case GUAC_LOG_TRACE:
+            priority = LOG_DEBUG;
+            priority_name = "TRACE";
+            break;
+
        /* Any unknown/undefined log level */
        default:
            priority = LOG_INFO;
@ -124,35 +130,10 @@ void guacd_log_guac_error(guac_client_log_level level, const char* message) {

 }

-void guacd_client_log_guac_error(guac_client* client,
-        guac_client_log_level level, const char* message) {
-
-    if (guac_error != GUAC_STATUS_SUCCESS) {
-
-        /* If error message provided, include in log */
-        if (guac_error_message != NULL)
-            guac_client_log(client, level, "%s: %s",
-                    message,
-                    guac_error_message);
-
-        /* Otherwise just log with standard status string */
-        else
-            guac_client_log(client, level, "%s: %s",
-                    message,
-                    guac_status_string(guac_error));
-
-    }
-
-    /* Just log message if no status code */
-    else
-        guac_client_log(client, level, "%s", message);
-
-}
-
 void guacd_log_handshake_failure() {

    if (guac_error == GUAC_STATUS_CLOSED)
-        guacd_log(GUAC_LOG_INFO,
+        guacd_log(GUAC_LOG_DEBUG,
                "Guacamole connection closed during handshake");
    else if (guac_error == GUAC_STATUS_PROTOCOL_ERROR)
        guacd_log(GUAC_LOG_ERROR,
--- a/src/guacd/log.h
+++ b/src/guacd/log.h
@ -62,14 +62,6 @@ void guacd_client_log(guac_client* client, guac_client_log_level level,
 */
 void guacd_log_guac_error(guac_client_log_level level, const char* message);

-/**
- * Prints an error message using the logging facilities of the given client,
- * automatically including any information present in guac_error. This function
- * accepts parameters identically to printf.
- */
-void guacd_client_log_guac_error(guac_client* client,
-        guac_client_log_level level, const char* message);
-
 /**
 * Logs a reasonable explanatory message regarding handshake failure based on
 * the current value of guac_error.
--- a/src/guacd/man/guacd.8.in
+++ b/src/guacd/man/guacd.8.in
@ -16,7 +16,7 @@
 .\" specific language governing permissions and limitations
 .\" under the License.
 .\"
-.TH guacd 8 "9 Jan 2017" "version 0.9.11-incubating" "Guacamole"
+.TH guacd 8 "1 Jun 2017" "version @PACKAGE_VERSION@" "Apache Guacamole"
 .
 .SH NAME
 guacd \- Guacamole proxy daemon
@ -30,6 +30,7 @@ guacd \- Guacamole proxy daemon
 [\fB-C\fR \fICERTIFICATE FILE\fR]
 [\fB-K\fR \fIKEY FILE\fR]
 [\fB-f\fR]
+[\fB-v\fR]
 .
 .SH DESCRIPTION
 .B guacd
@ -66,6 +67,7 @@ Sets the maximum level at which
 .B guacd
 will log messages to syslog and, if running in the foreground, the console.
 Legal values are
+.B trace,
 .B debug,
 .B info,
 .B warning,
@ -79,6 +81,11 @@ Causes
 .B guacd
 to run in the foreground, rather than automatically forking into the
 background.
+.TP
+\fB\-v\fR
+Causes
+.B guacd
+to simply print its version information and exit.
 .
 .SH SSL/TLS OPTIONS
 If libssl was present at the time
@ -112,6 +119,3 @@ this option is not given, communication with guacd must be unencrypted.
 .
 .SH SEE ALSO
 .BR guacd.conf (5)
-.
-.SH AUTHOR
-Written by Michael Jumper <mike.jumper@guac-dev.org>
--- a/src/guacd/man/guacd.conf.5.in
+++ b/src/guacd/man/guacd.conf.5.in
@ -16,7 +16,7 @@
 .\" specific language governing permissions and limitations
 .\" under the License.
 .\"
-.TH guacd.conf 5 "9 Jan 2017" "version 0.9.11-incubating" "Guacamole"
+.TH guacd.conf 5 "1 Jun 2017" "version @PACKAGE_VERSION@" "Apache Guacamole"
 .
 .SH NAME
 /etc/guacamole/guacd.conf \- Configuration file for guacd
@ -109,6 +109,7 @@ Sets the maximum level at which
 .B guacd
 will log messages to syslog and, if running in the foreground, the console.
 Legal values are
+.B trace,
 .B debug,
 .B info,
 .B warning,
@ -175,6 +176,3 @@ server_certificate = /etc/ssl/certs/guacd.crt
 server_key = /etc/ssl/private/guacd.key
 .RE
 .fi
-.
-.SH AUTHOR
-Written by Michael Jumper <mike.jumper@guac-dev.org>
--- a/src/guacd/move-fd.c
+++ b/src/guacd/move-fd.c
@ -44,7 +44,7 @@ int guacd_send_fd(int sock, int fd) {
    message.msg_iovlen = 1;

    /* Assign ancillary data buffer */
-    char buffer[CMSG_SPACE(sizeof(fd))];
+    char buffer[CMSG_SPACE(sizeof(fd))] = {0};
    message.msg_control = buffer;
    message.msg_controllen = sizeof(buffer);

--- a/src/guacd/proc-map.c
+++ b/src/guacd/proc-map.c
@ -18,10 +18,9 @@
 */

 #include "config.h"
-#include "guac_list.h"
+#include "common/list.h"
 #include "proc.h"
 #include "proc-map.h"
-#include "user.h"

 #include <guacamole/client.h>

--- a/src/guacd/proc-map.h
+++ b/src/guacd/proc-map.h
@ -22,12 +22,17 @@
 #define _GUACD_PROC_MAP_H

 #include "config.h"
-#include "guac_list.h"
+#include "common/list.h"
 #include "proc.h"
-#include "user.h"

 #include <guacamole/client.h>

+/**
+ * The maximum number of concurrent connections to a single instance
+ * of guacd.
+ */
+#define GUACD_CLIENT_MAX_CONNECTIONS 65536
+
 /**
 * The number of hash buckets in each process map.
 */
--- a/src/guacd/proc.c
+++ b/src/guacd/proc.c
@ -23,7 +23,6 @@
 #include "move-fd.h"
 #include "proc.h"
 #include "proc-map.h"
-#include "user.h"

 #include <guacamole/client.h>
 #include <guacamole/error.h>
@ -34,221 +33,15 @@
 #include <guacamole/user.h>

 #include <errno.h>
+#include <pthread.h>
+#include <signal.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/time.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-
-/**
- * Copies the given array of mimetypes (strings) into a newly-allocated NULL-
- * terminated array of strings. Both the array and the strings within the array
- * are newly-allocated and must be later freed via guacd_free_mimetypes().
- *
- * @param mimetypes
- *     The array of mimetypes to copy.
- *
- * @param count
- *     The number of mimetypes in the given array.
- *
- * @return
- *     A newly-allocated, NULL-terminated array containing newly-allocated
- *     copies of each of the mimetypes provided in the original mimetypes
- *     array.
- */
-static char** guacd_copy_mimetypes(char** mimetypes, int count) {
-
-    int i;
-
-    /* Allocate sufficient space for NULL-terminated array of mimetypes */
-    char** mimetypes_copy = malloc(sizeof(char*) * (count+1));
-
-    /* Copy each provided mimetype */
-    for (i = 0; i < count; i++)
-        mimetypes_copy[i] = strdup(mimetypes[i]);
-
-    /* Terminate with NULL */
-    mimetypes_copy[count] = NULL;
-
-    return mimetypes_copy;
-
-}
-
-/**
- * Frees the given array of mimetypes, including the space allocated to each
- * mimetype string within the array. The provided array of mimetypes MUST have
- * been allocated with guacd_copy_mimetypes().
- *
- * @param mimetypes
- *     The NULL-terminated array of mimetypes to free. This array MUST have
- *     been previously allocated with guacd_copy_mimetypes().
- */
-static void guacd_free_mimetypes(char** mimetypes) {
-
-    char** current_mimetype = mimetypes;
-
-    /* Free all strings within NULL-terminated mimetype array */
-    while (*current_mimetype != NULL) {
-        free(*current_mimetype);
-        current_mimetype++;
-    }
-
-    /* Free the array itself, now that its contents have been freed */
-    free(mimetypes);
-
-}
-
-/**
- * Handles the initial handshake of a user and all subsequent I/O. This
- * function blocks until the user disconnects.
- *
- * @param user
- *     The user whose handshake and entire Guacamole protocol exchange should
- *     be handled.
- *
- * @return
- *     Zero if the user's Guacamole connection was successfully handled and
- *     the user has disconnected, or non-zero if an error prevented the user's
- *     connection from being handled properly.
- */
-static int guacd_handle_user(guac_user* user) {
-
-    guac_socket* socket = user->socket;
-    guac_client* client = user->client;
-
-    /* Send args */
-    if (guac_protocol_send_args(socket, client->args)
-            || guac_socket_flush(socket)) {
-
-        /* Log error */
-        guacd_log_handshake_failure();
-        guacd_log_guac_error(GUAC_LOG_DEBUG, "Error sending \"args\" to new user");
-
-        return 1;
-    }
-
-    guac_parser* parser = guac_parser_alloc();
-
-    /* Get optimal screen size */
-    if (guac_parser_expect(parser, socket, GUACD_USEC_TIMEOUT, "size")) {
-
-        /* Log error */
-        guacd_log_handshake_failure();
-        guacd_log_guac_error(GUAC_LOG_DEBUG, "Error reading \"size\"");
-
-        guac_parser_free(parser);
-        return 1;
-    }
-
-    /* Validate content of size instruction */
-    if (parser->argc < 2) {
-        guacd_log(GUAC_LOG_ERROR, "Received \"size\" instruction lacked required arguments.");
-        guac_parser_free(parser);
-        return 1;
-    }
-
-    /* Parse optimal screen dimensions from size instruction */
-    user->info.optimal_width  = atoi(parser->argv[0]);
-    user->info.optimal_height = atoi(parser->argv[1]);
-
-    /* If DPI given, set the client resolution */
-    if (parser->argc >= 3)
-        user->info.optimal_resolution = atoi(parser->argv[2]);
-
-    /* Otherwise, use a safe default for rough backwards compatibility */
-    else
-        user->info.optimal_resolution = 96;
-
-    /* Get supported audio formats */
-    if (guac_parser_expect(parser, socket, GUACD_USEC_TIMEOUT, "audio")) {
-
-        /* Log error */
-        guacd_log_handshake_failure();
-        guacd_log_guac_error(GUAC_LOG_DEBUG, "Error reading \"audio\"");
-
-        guac_parser_free(parser);
-        return 1;
-    }
-
-    /* Store audio mimetypes */
-    char** audio_mimetypes = guacd_copy_mimetypes(parser->argv, parser->argc);
-    user->info.audio_mimetypes = (const char**) audio_mimetypes;
-
-    /* Get supported video formats */
-    if (guac_parser_expect(parser, socket, GUACD_USEC_TIMEOUT, "video")) {
-
-        /* Log error */
-        guacd_log_handshake_failure();
-        guacd_log_guac_error(GUAC_LOG_DEBUG, "Error reading \"video\"");
-
-        guac_parser_free(parser);
-        return 1;
-    }
-
-    /* Store video mimetypes */
-    char** video_mimetypes = guacd_copy_mimetypes(parser->argv, parser->argc);
-    user->info.video_mimetypes = (const char**) video_mimetypes;
-
-    /* Get supported image formats */
-    if (guac_parser_expect(parser, socket, GUACD_USEC_TIMEOUT, "image")) {
-
-        /* Log error */
-        guacd_log_handshake_failure();
-        guacd_log_guac_error(GUAC_LOG_DEBUG, "Error reading \"image\"");
-
-        guac_parser_free(parser);
-        return 1;
-    }
-
-    /* Store image mimetypes */
-    char** image_mimetypes = guacd_copy_mimetypes(parser->argv, parser->argc);
-    user->info.image_mimetypes = (const char**) image_mimetypes;
-
-    /* Get args from connect instruction */
-    if (guac_parser_expect(parser, socket, GUACD_USEC_TIMEOUT, "connect")) {
-
-        /* Log error */
-        guacd_log_handshake_failure();
-        guacd_log_guac_error(GUAC_LOG_DEBUG, "Error reading \"connect\"");
-
-        guac_parser_free(parser);
-        return 1;
-    }
-
-    /* Acknowledge connection availability */
-    guac_protocol_send_ready(socket, client->connection_id);
-    guac_socket_flush(socket);
-
-    /* Attempt join */
-    if (guac_client_add_user(client, user, parser->argc, parser->argv))
-        guacd_log(GUAC_LOG_ERROR, "User \"%s\" could NOT join connection \"%s\"", user->user_id, client->connection_id);
-
-    /* Begin user connection if join successful */
-    else {
-
-        guacd_log(GUAC_LOG_INFO, "User \"%s\" joined connection \"%s\" (%i users now present)",
-                user->user_id, client->connection_id, client->connected_users);
-
-        /* Handle user I/O, wait for connection to terminate */
-        guacd_user_start(parser, user);
-
-        /* Remove/free user */
-        guac_client_remove_user(client, user);
-        guacd_log(GUAC_LOG_INFO, "User \"%s\" disconnected (%i users remain)", user->user_id, client->connected_users);
-
-    }
-
-    /* Free mimetype lists */
-    guacd_free_mimetypes(audio_mimetypes);
-    guacd_free_mimetypes(video_mimetypes);
-    guacd_free_mimetypes(image_mimetypes);
-
-    guac_parser_free(parser);
-
-    /* Successful disconnect */
-    return 0;
-
-}
+#include <sys/wait.h>

 /**
 * Parameters for the user thread.
@ -302,7 +95,7 @@ static void* guacd_user_thread(void* data) {
    user->owner  = params->owner;

    /* Handle user connection from handshake until disconnect/completion */
-    guacd_handle_user(user);
+    guac_user_handle_connection(user, GUACD_USEC_TIMEOUT);

    /* Stop client and prevent future users if all users are disconnected */
    if (client->connected_users == 0) {
@ -349,6 +142,151 @@ static void guacd_proc_add_user(guacd_proc* proc, int fd, int owner) {

 }

+/**
+ * Forcibly kills all processes within the current process group, including the
+ * current process and all child processes. This function is only safe to call
+ * if the process group ID has been correctly set. Calling this function within
+ * a process which does not have a PGID separate from the main guacd process
+ * can result in guacd itself being terminated.
+ */
+static void guacd_kill_current_proc_group() {
+
+    /* Forcibly kill all children within process group */
+    if (kill(0, SIGKILL))
+        guacd_log(GUAC_LOG_WARNING, "Unable to forcibly terminate "
+                "client process: %s ", strerror(errno));
+
+}
+
+/**
+ * The current status of a background attempt to free a guac_client instance.
+ */
+typedef struct guacd_client_free {
+
+    /**
+     * The guac_client instance being freed.
+     */
+    guac_client* client;
+
+    /**
+     * The condition which is signalled whenever changes are made to the
+     * completed flag. The completed flag only changes from zero (not yet
+     * freed) to non-zero (successfully freed).
+     */
+    pthread_cond_t completed_cond;
+
+    /**
+     * Mutex which must be acquired before any changes are made to the
+     * completed flag.
+     */
+    pthread_mutex_t completed_mutex;
+
+    /**
+     * Whether the guac_client has been successfully freed. Initially, this
+     * will be zero, indicating that the free operation has not yet been
+     * attempted. If the client is eventually successfully freed, this will be
+     * set to a non-zero value. Changes to this flag are signalled through
+     * the completed_cond condition.
+     */
+    int completed;
+
+} guacd_client_free;
+
+/**
+ * Thread which frees a given guac_client instance in the background. If the
+ * free operation succeeds, a flag is set on the provided structure, and the
+ * change in that flag is signalled with a pthread condition.
+ *
+ * At the time this function is provided to a pthread_create() call, the
+ * completed flag of the associated guacd_client_free structure MUST be
+ * initialized to zero, the pthread mutex and condition MUST both be
+ * initialized, and the client pointer must point to the guac_client being
+ * freed.
+ *
+ * @param data
+ *     A pointer to a guacd_client_free structure describing the free
+ *     operation.
+ *
+ * @return
+ *     Always NULL.
+ */
+static void* guacd_client_free_thread(void* data) {
+
+    guacd_client_free* free_operation = (guacd_client_free*) data;
+
+    /* Attempt to free client (this may never return if the client is
+     * malfunctioning) */
+    guac_client_free(free_operation->client);
+
+    /* Signal that the client was successfully freed */
+    pthread_mutex_lock(&free_operation->completed_mutex);
+    free_operation->completed = 1;
+    pthread_cond_broadcast(&free_operation->completed_cond);
+    pthread_mutex_unlock(&free_operation->completed_mutex);
+
+    return NULL;
+
+}
+
+/**
+ * Attempts to free the given guac_client, restricting the time taken by the
+ * free handler of the guac_client to a finite number of seconds. If the free
+ * handler does not complete within the time alotted, this function returns
+ * and the intended free operation is left in an undefined state.
+ *
+ * @param client
+ *     The guac_client instance to free.
+ *
+ * @param timeout
+ *     The maximum amount of time to wait for the guac_client to be freed,
+ *     in seconds.
+ *
+ * @return
+ *     Zero if the guac_client was successfully freed within the time alotted,
+ *     non-zero otherwise.
+ */
+static int guacd_timed_client_free(guac_client* client, int timeout) {
+
+    pthread_t client_free_thread;
+
+    guacd_client_free free_operation = {
+        .client = client,
+        .completed_cond = PTHREAD_COND_INITIALIZER,
+        .completed_mutex = PTHREAD_MUTEX_INITIALIZER,
+        .completed = 0
+    };
+
+    /* Get current time */
+    struct timeval current_time;
+    if (gettimeofday(&current_time, NULL))
+        return 1;
+
+    /* Calculate exact time that the free operation MUST complete by */
+    struct timespec deadline = {
+        .tv_sec  = current_time.tv_sec + timeout,
+        .tv_nsec = current_time.tv_usec * 1000
+    };
+
+    /* The mutex associated with the pthread conditional and flag MUST be
+     * acquired before attempting to wait for the condition */
+    if (pthread_mutex_lock(&free_operation.completed_mutex))
+        return 1;
+
+    /* Free the client in a separate thread, so we can time the free operation */
+    if (!pthread_create(&client_free_thread, NULL,
+                guacd_client_free_thread, &free_operation)) {
+
+        /* Wait a finite amount of time for the free operation to finish */
+        (void) pthread_cond_timedwait(&free_operation.completed_cond,
+                    &free_operation.completed_mutex, &deadline);
+    }
+
+    (void) pthread_mutex_unlock(&free_operation.completed_mutex);
+
+    /* Return status of free operation */
+    return !free_operation.completed;
+}
+
 /**
 * Starts protocol-specific handling on the given process by loading the client
 * plugin for that protocol. This function does NOT return. It initializes the
@ -365,8 +303,18 @@ static void guacd_proc_add_user(guacd_proc* proc, int fd, int owner) {
 */
 static void guacd_exec_proc(guacd_proc* proc, const char* protocol) {

+    int result = 1;
+   
+    /* Set process group ID to match PID */ 
+    if (setpgid(0, 0)) {
+        guacd_log(GUAC_LOG_ERROR, "Cannot set PGID for connection process: %s",
+                strerror(errno));
+        goto cleanup_process;
+    }
+
    /* Init client for selected protocol */
-    if (guac_client_load_plugin(proc->client, protocol)) {
+    guac_client* client = proc->client;
+    if (guac_client_load_plugin(client, protocol)) {

        /* Log error */
        if (guac_error == GUAC_STATUS_NOT_FOUND)
@ -376,15 +324,15 @@ static void guacd_exec_proc(guacd_proc* proc, const char* protocol) {
            guacd_log_guac_error(GUAC_LOG_ERROR,
                    "Unable to load client plugin");

-        guac_client_free(proc->client);
-        close(proc->fd_socket);
-        free(proc);
-        exit(1);
+        goto cleanup_client;
    }

    /* The first file descriptor is the owner */
    int owner = 1;

+    /* Enable keep alive on the broadcast socket */
+    guac_socket_require_keep_alive(client->socket);
+
    /* Add each received file descriptor as a new user */
    int received_fd;
    while ((received_fd = guacd_recv_fd(proc->fd_socket)) != -1) {
@ -395,15 +343,48 @@ static void guacd_exec_proc(guacd_proc* proc, const char* protocol) {
        owner = 0;

    }
+    
+cleanup_client:

-    /* Stop and free client */
-    guac_client_stop(proc->client);
-    guac_client_free(proc->client);
+    /* Request client to stop/disconnect */
+    guac_client_stop(client);

-    /* Child is finished */
+    /* Attempt to free client cleanly */
+    guacd_log(GUAC_LOG_DEBUG, "Requesting termination of client...");
+    result = guacd_timed_client_free(client, GUACD_CLIENT_FREE_TIMEOUT);
+
+    /* If client was unable to be freed, warn and forcibly kill */
+    if (result) {
+        guacd_log(GUAC_LOG_WARNING, "Client did not terminate in a timely "
+                "manner. Forcibly terminating client and any child "
+                "processes.");
+        guacd_kill_current_proc_group();
+    }
+    else
+        guacd_log(GUAC_LOG_DEBUG, "Client terminated successfully.");
+
+    /* Verify whether children were all properly reaped */
+    pid_t child_pid;
+    while ((child_pid = waitpid(0, NULL, WNOHANG)) > 0) {
+        guacd_log(GUAC_LOG_DEBUG, "Automatically reaped unreaped "
+                "(zombie) child process with PID %i.", child_pid);
+    }
+
+    /* If running children remain, warn and forcibly kill */
+    if (child_pid == 0) {
+        guacd_log(GUAC_LOG_WARNING, "Client reported successful termination, "
+                "but child processes remain. Forcibly terminating client and "
+                "child processes.");
+        guacd_kill_current_proc_group();
+    }
+
+cleanup_process:
+
+    /* Free up all internal resources outside the client */
    close(proc->fd_socket);
    free(proc);
-    exit(0);
+
+    exit(result);

 }

--- a/src/guacd/proc.h
+++ b/src/guacd/proc.h
@ -27,6 +27,27 @@

 #include <unistd.h>

+/**
+ * The number of milliseconds to wait for messages in any phase before
+ * timing out and closing the connection with an error.
+ */
+#define GUACD_TIMEOUT 15000
+
+/**
+ * The number of microseconds to wait for messages in any phase before
+ * timing out and closing the conncetion with an error. This is always
+ * equal to GUACD_TIMEOUT * 1000.
+ */
+#define GUACD_USEC_TIMEOUT (GUACD_TIMEOUT*1000)
+
+/**
+ * The number of seconds to wait for any particular guac_client instance
+ * to be freed following disconnect. If the free operation does not complete
+ * within this period of time, the associated process will be forcibly
+ * terminated.
+ */
+#define GUACD_CLIENT_FREE_TIMEOUT 5
+
 /**
 * Process information of the internal remote desktop client.
 */
--- a/src/guacd/systemd/guacd.service.in
+++ b/src/guacd/systemd/guacd.service.in
@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[Unit]
+Description=Guacamole Server
+Documentation=man:guacd(8)
+After=network.target
+
+[Service]
+User=daemon
+ExecStart=@sbindir@/guacd -f
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
--- a/src/guacd/user.c
+++ b/src/guacd/user.c
@ -1,113 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#include "config.h"
-
-#include "log.h"
-#include "user.h"
-
-#include <guacamole/client.h>
-#include <guacamole/error.h>
-#include <guacamole/parser.h>
-#include <guacamole/protocol.h>
-#include <guacamole/socket.h>
-#include <guacamole/user.h>
-
-#include <pthread.h>
-#include <stdlib.h>
-
-void* guacd_user_input_thread(void* data) {
-
-    guacd_user_input_thread_params* params = (guacd_user_input_thread_params*) data;
-    guac_user* user = params->user;
-    guac_parser* parser = params->parser;
-    guac_client* client = user->client;
-    guac_socket* socket = user->socket;
-
-    /* Guacamole user input loop */
-    while (client->state == GUAC_CLIENT_RUNNING && user->active) {
-
-        /* Read instruction, stop on error */
-        if (guac_parser_read(parser, socket, GUACD_USEC_TIMEOUT)) {
-
-            if (guac_error == GUAC_STATUS_TIMEOUT)
-                guac_user_abort(user, GUAC_PROTOCOL_STATUS_CLIENT_TIMEOUT, "User is not responding.");
-
-            else {
-                if (guac_error != GUAC_STATUS_CLOSED)
-                    guacd_client_log_guac_error(client, GUAC_LOG_WARNING,
-                            "Guacamole connection failure");
-                guac_user_stop(user);
-            }
-
-            return NULL;
-        }
-
-        /* Reset guac_error and guac_error_message (user/client handlers are not
-         * guaranteed to set these) */
-        guac_error = GUAC_STATUS_SUCCESS;
-        guac_error_message = NULL;
-
-        /* Call handler, stop on error */
-        if (guac_user_handle_instruction(user, parser->opcode, parser->argc, parser->argv) < 0) {
-
-            /* Log error */
-            guacd_client_log_guac_error(client, GUAC_LOG_WARNING,
-                    "User connection aborted");
-
-            /* Log handler details */
-            guac_user_log(user, GUAC_LOG_DEBUG, "Failing instruction handler in user was \"%s\"", parser->opcode);
-
-            guac_user_stop(user);
-            return NULL;
-        }
-
-    }
-
-    return NULL;
-
-}
-
-int guacd_user_start(guac_parser* parser, guac_user* user) {
-
-    guacd_user_input_thread_params params = {
-        .parser = parser,
-        .user = user
-    };
-
-    pthread_t input_thread;
-
-    if (pthread_create(&input_thread, NULL, guacd_user_input_thread, (void*) &params)) {
-        guac_user_log(user, GUAC_LOG_ERROR, "Unable to start input thread");
-        guac_user_stop(user);
-        return -1;
-    }
-
-    /* Wait for I/O threads */
-    pthread_join(input_thread, NULL);
-
-    /* Explicitly signal disconnect */
-    guac_protocol_send_disconnect(user->socket);
-    guac_socket_flush(user->socket);
-
-    /* Done */
-    return 0;
-
-}
-
--- a/Show More
+++ b/Show More