diff --git a/Makefile.am b/Makefile.am
index 23f76a6c..cf1366e1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,220 +1,214 @@
 #
 # Copyright (C) 2010-2020 Red Hat, Inc.  All rights reserved.
 #
 # Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 MAINTAINERCLEANFILES	= Makefile.in aclocal.m4 configure depcomp \
 			  config.guess config.sub missing install-sh \
 			  ltmain.sh compile config.h.in config.h.in~ \
 			  autoscan.log configure.scan test-driver \
 			  m4/libtool.m4 m4/lt~obsolete.m4 m4/ltoptions.m4 \
 			  m4/ltsugar.m4 m4/ltversion.m4
 
 include $(top_srcdir)/build-aux/check.mk
 
 AUTOMAKE_OPTIONS	= foreign
 
 ACLOCAL_AMFLAGS		= -I m4
 
 SPEC			= $(PACKAGE_NAME).spec
 
 TARGZFILE		= $(PACKAGE_NAME)-$(VERSION).tar.gz
 
 EXTRA_DIST		= autogen.sh .version \
 			  NOTES_TO_PACKAGE_MAINTAINERS \
 			  $(SPEC).in build-aux
 
 SUBDIRS			= init libnozzle libknet kronosnetd
 
 if BUILD_MAN
 SUBDIRS			+= man
 endif
 
 if BUILD_POC
 SUBDIRS			+= poc-code
 endif
 
 dist_doc_DATA		= \
 			  COPYING.applications \
 			  COPYING.libraries \
 			  COPYRIGHT \
 			  README.licence \
 			  README
 
 all-local: $(SPEC)
 
 clean-local:
 	rm -rf $(SPEC) cov*
 
 distclean-local:
 	rm -f $(PACKAGE_NAME)-*.tar.* $(PACKAGE_NAME)-*.sha256* tag-*
 
 ## make rpm/srpm section.
 
 $(SPEC): $(SPEC).in .version config.status
 	rm -f $@-t $@
 	date="`LC_ALL=C $(UTC_DATE_AT)$(SOURCE_EPOCH) "+%a %b %d %Y"`" && \
-	if [ -f $(abs_srcdir)/.tarball-version ]; then \
-		gitver="`cat $(abs_srcdir)/.tarball-version`" && \
-		rpmver=$$gitver && \
+	gvgver="`cd $(abs_srcdir); build-aux/git-version-gen --fallback $(VERSION) .tarball-version .gitarchivever`" && \
+	if [ "$$gvgver" = "`echo $$gvgver | sed 's/-/./'`" ];then \
+		rpmver="$$gvgver" && \
 		alphatag="" && \
 		dirty="" && \
 		numcomm="0"; \
-	elif [ "`git log -1 --pretty=format:x . 2>&1`" = "x" ]; then \
-		gitver="`GIT_DIR=$(abs_srcdir)/.git git describe --abbrev=4 --match='v*' HEAD 2>/dev/null`" && \
-		rpmver=`echo $$gitver | sed -e "s/^v//" -e "s/-.*//g"` && \
-		alphatag=`echo $$gitver | sed -e "s/.*-//" -e "s/^g//"` && \
-		vtag=`echo $$gitver | sed -e "s/-.*//g"` && \
-		numcomm=`GIT_DIR=$(abs_srcdir)/.git git rev-list $$vtag..HEAD | wc -l` && \
-		cd $(abs_srcdir) && \
-		git update-index --refresh > /dev/null 2>&1 || true && \
-		dirty=`git diff-index --name-only HEAD 2>/dev/null` && cd - 2>/dev/null; \
 	else \
-		gitver="`cd $(abs_srcdir); build-aux/git-version-gen .tarball-version .gitarchivever`" && \
-		rpmver=$$gitver && \
-		alphatag="" && \
+		gitver="`echo $$gvgver | sed 's/\(.*\)\./\1-/'`" && \
+		rpmver=`echo $$gitver | sed 's/-.*//g'` && \
+		alphatag=`echo $$gvgver | sed 's/[^-]*-\([^-]*\).*/\1/'` && \
+		numcomm=`echo $$gitver | sed 's/[^-]*-\([^-]*\).*/\1/'` && \
 		dirty="" && \
-		numcomm="0"; \
+		if [ "`echo $$gitver | sed 's/^.*-dirty$$//g'`" = "" ];then \
+			dirty="dirty"; \
+		fi \
 	fi && \
 	if [ -n "$$dirty" ]; then dirty="dirty"; else dirty=""; fi && \
 	if [ "$$numcomm" = "0" ]; then \
 		sed \
 			-e "s#@version@#$$rpmver#g" \
 			-e "s#%glo.*alpha.*##g" \
 			-e "s#%glo.*numcomm.*##g" \
 			-e "s#@dirty@#$$dirty#g" \
 			-e "s#@date@#$$date#g" \
 		$(abs_srcdir)/$@.in > $@-t; \
 	else \
 		sed \
 			-e "s#@version@#$$rpmver#g" \
 			-e "s#@alphatag@#$$alphatag#g" \
 			-e "s#@numcomm@#$$numcomm#g" \
 			-e "s#@dirty@#$$dirty#g" \
 			-e "s#@date@#$$date#g" \
 		$(abs_srcdir)/$@.in > $@-t; \
 	fi; \
 	if [ -z "$$dirty" ]; then sed -i -e "s#%glo.*dirty.*##g" $@-t; fi
 if BUILD_SCTP
 	sed -i -e "s#@sctp@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@sctp@#bcond_with#g" $@-t
 endif
 if BUILD_CRYPTO_NSS
 	sed -i -e "s#@nss@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@nss@#bcond_with#g" $@-t
 endif
 if BUILD_CRYPTO_OPENSSL
 	sed -i -e "s#@openssl@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@openssl@#bcond_with#g" $@-t
 endif
 if BUILD_COMPRESS_ZLIB
 	sed -i -e "s#@zlib@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@zlib@#bcond_with#g" $@-t
 endif
 if BUILD_COMPRESS_LZ4
 	sed -i -e "s#@lz4@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@lz4@#bcond_with#g" $@-t
 endif
 if BUILD_COMPRESS_LZO2
 	sed -i -e "s#@lzo2@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@lzo2@#bcond_with#g" $@-t
 endif
 if BUILD_COMPRESS_LZMA
 	sed -i -e "s#@lzma@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@lzma@#bcond_with#g" $@-t
 endif
 if BUILD_COMPRESS_BZIP2
 	sed -i -e "s#@bzip2@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@bzip2@#bcond_with#g" $@-t
 endif
 if BUILD_COMPRESS_ZSTD
 	sed -i -e "s#@zstd@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@zstd@#bcond_with#g" $@-t
 endif
 if BUILD_KRONOSNETD
 	sed -i -e "s#@kronosnetd@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@kronosnetd@#bcond_with#g" $@-t
 endif
 if BUILD_LIBNOZZLE
 	sed -i -e "s#@libnozzle@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@libnozzle@#bcond_with#g" $@-t
 endif
 if BUILD_RUNAUTOGEN
 	sed -i -e "s#@runautogen@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@runautogen@#bcond_with#g" $@-t
 endif
 if OVERRIDE_RPM_DEBUGINFO
 	sed -i -e "s#@overriderpmdebuginfo@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@overriderpmdebuginfo@#bcond_with#g" $@-t
 endif
 if BUILD_RPM_DEBUGINFO
 	sed -i -e "s#@rpmdebuginfo@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@rpmdebuginfo@#bcond_with#g" $@-t
 endif
 if BUILD_MAN
 	sed -i -e "s#@buildman@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@buildman@#bcond_with#g" $@-t
 endif
 if INSTALL_TESTS
 	sed -i -e "s#@installtests@#bcond_without#g" $@-t
 else
 	sed -i -e "s#@installtests@#bcond_with#g" $@-t
 endif
 	sed -i -e "s#@defaultadmgroup@#$(DEFAULTADMGROUP)#g" $@-t
 	chmod a-w $@-t
 	mv $@-t $@
 	rm -f $@-t*
 
 $(TARGZFILE):
 	$(MAKE) dist
 
 RPMBUILDOPTS	= --define "_sourcedir $(abs_builddir)" \
 		  --define "_specdir $(abs_builddir)" \
 		  --define "_builddir $(abs_builddir)" \
 		  --define "_srcrpmdir $(abs_builddir)" \
 		  --define "_rpmdir $(abs_builddir)"
 
 srpm: clean
 	$(MAKE) $(SPEC) $(TARGZFILE)
 	rpmbuild $(RPMBUILDOPTS) --nodeps -bs $(SPEC)
 
 rpm: clean
 	$(MAKE) $(SPEC) $(TARGZFILE)
 	rpmbuild $(RPMBUILDOPTS) -ba $(SPEC)
 
 # release/versioning
 BUILT_SOURCES	= .version
 .version:
 	echo $(VERSION) > $@-t && mv $@-t $@
 
 dist-hook: gen-ChangeLog
 	echo $(VERSION) > $(distdir)/.tarball-version
 	echo $(SOURCE_EPOCH) > $(distdir)/source_epoch
 
 gen_start_date = 2000-01-01
 .PHONY: gen-ChangeLog
 gen-ChangeLog:
 	if test -d $(abs_srcdir)/.git; then				\
 		LC_ALL=C $(top_srcdir)/build-aux/gitlog-to-changelog	\
 			--since=$(gen_start_date) > $(distdir)/cl-t;	\
 		rm -f $(distdir)/ChangeLog;				\
 		mv $(distdir)/cl-t $(distdir)/ChangeLog;		\
 	fi
diff --git a/build-aux/check.mk b/build-aux/check.mk
index 890bf903..7b8911f5 100644
--- a/build-aux/check.mk
+++ b/build-aux/check.mk
@@ -1,46 +1,51 @@
 #
 # Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
 #
 # Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 VALGRIND = $(VALGRIND_EXEC) -q --error-exitcode=127 --gen-suppressions=all
 
 MEMCHECK = $(VALGRIND) --track-fds=yes --leak-check=full --alignment=16 --suppressions=$(abs_top_srcdir)/build-aux/knet_valgrind_memcheck.supp
 HELGRIND = $(VALGRIND) --tool=helgrind --suppressions=$(abs_top_srcdir)/build-aux/knet_valgrind_helgrind.supp
 
 check-memcheck: $(check_PROGRAMS)
 if HAS_VALGRIND
 	export KNETMEMCHECK=yes && \
 		$(MAKE) check LOG_COMPILE="libtool --mode=execute $(MEMCHECK)"
 else
 	@echo valgrind not available on this platform
 endif
 
 check-helgrind: $(check_PROGRAMS)
 if HAS_VALGRIND
 	export KNETHELGRIND=yes && \
 		$(MAKE) check LOG_COMPILE="libtool --mode=execute $(HELGRIND)"
 else
 	@echo valgrind not available on this platform
 endif
 
 check-covscan:
 if HAS_COVBUILD
 	rm -rf $(abs_top_builddir)/cov*
 	$(MAKE) -C $(abs_top_builddir) clean
 	$(COVBUILD_EXEC) --dir=$(abs_top_builddir)/cov $(MAKE) -C $(abs_top_builddir)
 if HAS_COVANALYZE
-	$(COVANALYZE_EXEC) --dir=$(abs_top_builddir)/cov --wait-for-license $(covoptions)
+	if [ -z "$(covoptions)" ]; then \
+		COVOPTS="--all --disable STACK_USE --disable-parse-warnings";\
+	else \
+		COVOPTS="$(covoptions)";\
+	fi; \
+	$(COVANALYZE_EXEC) --dir=$(abs_top_builddir)/cov --wait-for-license $$COVOPTS
 if HAS_COVFORMATERRORS
 	$(COVFORMATERRORS_EXEC) --dir=$(abs_top_builddir)/cov --emacs-style > $(abs_top_builddir)/cov.output.txt
 	$(COVFORMATERRORS_EXEC) --dir=$(abs_top_builddir)/cov --html-output $(abs_top_builddir)/cov.html
 endif
 else
 	@echo directory $(abs_top_builddir)/cov ready to be uploaded to https://scan.coverity.com
 endif
 else
 	@echo cov-build not available on this platform
 endif
diff --git a/build-aux/git-version-gen b/build-aux/git-version-gen
index e1a07790..ff0c5347 100755
--- a/build-aux/git-version-gen
+++ b/build-aux/git-version-gen
@@ -1,263 +1,265 @@
 #!/bin/sh
 # Print a version string.
 scriptversion=2018-08-31.20; # UTC
 
 # Copyright (C) 2012-2020 Red Hat, Inc.
 # Copyright (C) 2007-2016 Free Software Foundation, Inc.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # This script is derived from GIT-VERSION-GEN from GIT: http://git.or.cz/.
 # It may be run two ways:
 # - from a git repository in which the "git describe" command below
 #   produces useful output (thus requiring at least one signed tag)
 # - from a non-git-repo directory containing a .tarball-version file, which
 #   presumes this script is invoked like "./git-version-gen .tarball-version".
 
 # In order to use intra-version strings in your project, you will need two
 # separate generated version string files:
 #
 # .tarball-version - present only in a distribution tarball, and not in
 #   a checked-out repository.  Created with contents that were learned at
 #   the last time autoconf was run, and used by git-version-gen.  Must not
 #   be present in either $(srcdir) or $(builddir) for git-version-gen to
 #   give accurate answers during normal development with a checked out tree,
 #   but must be present in a tarball when there is no version control system.
 #   Therefore, it cannot be used in any dependencies.  GNUmakefile has
 #   hooks to force a reconfigure at distribution time to get the value
 #   correct, without penalizing normal development with extra reconfigures.
 #
 # .version - present in a checked-out repository and in a distribution
 #   tarball.  Usable in dependencies, particularly for files that don't
 #   want to depend on config.h but do want to track version changes.
 #   Delete this file prior to any autoconf run where you want to rebuild
 #   files to pick up a version string change; and leave it stale to
 #   minimize rebuild time after unrelated changes to configure sources.
 #
 # As with any generated file in a VC'd directory, you should add
 # /.version to .gitignore, so that you don't accidentally commit it.
 # .tarball-version is never generated in a VC'd directory, so needn't
 # be listed there.
 #
 # In order to use git archive versions another two files has to be presented:
 #
 # .gitarchive-version - present in checked-out repository and git
 #   archive tarball, but not in the distribution tarball. Used as a last
 #   option for version. File must contain special string $Format:%d$,
 #   which is substitued by git on archive operation.
 #
 # .gitattributes - present in checked-out repository and git archive
 #   tarball, but not in the distribution tarball. Must set export-subst
 #   attribute for .gitarchive-version file.
 #
 # Use the following line in your configure.ac, so that $(VERSION) will
 # automatically be up-to-date each time configure is run (and note that
 # since configure.ac no longer includes a version string, Makefile rules
 # should not depend on configure.ac for version updates).
 #
 # AC_INIT([GNU project],
 #         m4_esyscmd([build-aux/git-version-gen .tarball-version]),
 #         [bug-project@example])
 #
 # Then use the following lines in your Makefile.am, so that .version
 # will be present for dependencies, and so that .version and
 # .tarball-version will exist in distribution tarballs.
 #
 # EXTRA_DIST = $(top_srcdir)/.version
 # BUILT_SOURCES = $(top_srcdir)/.version
 # $(top_srcdir)/.version:
 #	echo $(VERSION) > $@-t && mv $@-t $@
 # dist-hook:
 #	echo $(VERSION) > $(distdir)/.tarball-version
 
 
 me=$0
 
 version="git-version-gen $scriptversion
 
 Copyright 2011 Free Software Foundation, Inc.
 There is NO warranty.  You may redistribute this software
 under the terms of the GNU General Public License.
 For more information about these matters, see the files named COPYING."
 
 usage="\
 Usage: $me [OPTION]... \$srcdir/.tarball-version [\$srcdir/.gitarchive-version] [TAG-NORMALIZATION-SED-SCRIPT]
 Print a version string.
 
 Options:
 
    --prefix PREFIX    prefix of git tags (default 'v')
    --fallback VERSION
                       fallback version to use if \"git --version\" fails
 
    --help             display this help and exit
    --version          output version information and exit
 
 Running without arguments will suffice in most cases."
 
 prefix=v
 fallback=
 
 while test $# -gt 0; do
   case $1 in
     --help) echo "$usage"; exit 0;;
     --version) echo "$version"; exit 0;;
     --prefix) shift; prefix="$1";;
     --fallback) shift; fallback="$1";;
     -*)
       echo "$0: Unknown option '$1'." >&2
       echo "$0: Try '--help' for more information." >&2
       exit 1;;
     *)
       if test "x$tarball_version_file" = x; then
         tarball_version_file="$1"
       elif test "x$gitarchive_version_file" = x; then
         gitarchive_version_file="$1"
       elif test "x$tag_sed_script" = x; then
         tag_sed_script="$1"
       else
         echo "$0: extra non-option argument '$1'." >&2
         exit 1
       fi;;
   esac
   shift
 done
 
 if test "x$tarball_version_file" = x; then
     echo "$usage"
     exit 1
 fi
 
 tag_sed_script="${tag_sed_script:-s/x/x/}"
 
 nl='
 '
 
 # Avoid meddling by environment variable of the same name.
 v=
 v_from_git=
 
 # First see if there is a tarball-only version file.
 # then try "git describe", then default.
 if test -f $tarball_version_file
 then
     v=`cat $tarball_version_file` || v=
     case $v in
         *$nl*) v= ;; # reject multi-line output
         [0-9]*) ;;
         *) v= ;;
     esac
     test "x$v" = x \
         && echo "$0: WARNING: $tarball_version_file is missing or damaged" 1>&2
 fi
 
 if test "x$v" != x
 then
     : # use $v
 # Otherwise, if there is at least one git commit involving the working
 # directory, and "git describe" output looks sensible, use that to
 # derive a version string.
 elif test "`git log -1 --pretty=format:x . 2>&1`" = x \
     && v=`git describe --abbrev=4 --match="$prefix*" HEAD 2>/dev/null \
           || git describe --abbrev=4 HEAD 2>/dev/null` \
     && v=`printf '%s\n' "$v" | sed "$tag_sed_script"` \
     && case $v in
          $prefix[0-9]*) ;;
          *) (exit 1) ;;
        esac
 then
     # Is this a new git that lists number of commits since the last
     # tag or the previous older version that did not?
     #   Newer: v6.10-77-g0f8faeb
     #   Older: v6.10-g0f8faeb
     case $v in
         *-*-*) : git describe is okay three part flavor ;;
         *-*)
             : git describe is older two part flavor
             # Recreate the number of commits and rewrite such that the
             # result is the same as if we were using the newer version
             # of git describe.
             vtag=`echo "$v" | sed 's/-.*//'`
             commit_list=`git rev-list "$vtag"..HEAD 2>/dev/null` \
                 || { commit_list=failed;
                      echo "$0: WARNING: git rev-list failed" 1>&2; }
             numcommits=`echo "$commit_list" | wc -l`
             v=`echo "$v" | sed "s/\(.*\)-\(.*\)/\1-$numcommits-\2/"`;
             test "$commit_list" = failed && v=UNKNOWN
             ;;
     esac
 
     # Change the first '-' to a '.', so version-comparing tools work properly.
     # Remove the "g" in git describe's output string, to save a byte.
     v=`echo "$v" | sed 's/-/./;s/\(.*\)-g/\1-/'`;
     v_from_git=1
 elif test "x$fallback" = x || git --version >/dev/null 2>&1; then
     if test -f $gitarchive_version_file
     then
         v=`sed "s/^.*tag: \($prefix[0-9)][^,)]*\).*\$/\1/" $gitarchive_version_file \
             | sed "$tag_sed_script"` || exit 1
         case $v in
             *$nl*) v= ;; # reject multi-line output
             $prefix[0-9]*) ;;
             *) v= ;;
         esac
 
         test -z "$v" \
             && echo "$0: WARNING: $gitarchive_version_file doesn't contain valid version tag" 1>&2 \
             && v=UNKNOWN
-    else
+    elif test "x$fallback" = x; then
         v=UNKNOWN
+    else
+        v=$fallback
     fi
 else
     v=$fallback
 fi
 
 if test "x$fallback" = x -a "$v" = "UNKNOWN"
 then
   echo "$0: ERROR: Can't find valid version. Please use valid git repository," \
     "released tarball or version tagged archive" 1>&2
 
   exit 1
 fi
 
 v=`echo "$v" |sed "s/^$prefix//"`
 
 # Test whether to append the "-dirty" suffix only if the version
 # string we're using came from git.  I.e., skip the test if it's "UNKNOWN"
 # or if it came from .tarball-version.
 if test "x$v_from_git" != x; then
   # Don't declare a version "dirty" merely because a time stamp has changed.
   git update-index --refresh > /dev/null 2>&1
 
   dirty=`exec 2>/dev/null;git diff-index --name-only HEAD` || dirty=
   case "$dirty" in
       '') ;;
       *) # Append the suffix only if there isn't one already.
           case $v in
             *-dirty) ;;
             *) v="$v-dirty" ;;
           esac ;;
   esac
 fi
 
 # Omit the trailing newline, so that m4_esyscmd can use the result directly.
 printf %s "$v"
 
 # Local variables:
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff --git a/build-aux/knet_valgrind_memcheck.supp b/build-aux/knet_valgrind_memcheck.supp
index b877a59f..06a3ec00 100644
--- a/build-aux/knet_valgrind_memcheck.supp
+++ b/build-aux/knet_valgrind_memcheck.supp
@@ -1,841 +1,375 @@
 {
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_stream_header_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_crc32
-   fun:lzma_stream_header_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_crc32
-   fun:lzma_stream_header_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_block_header_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:is_overlap
-   fun:memcpy@@GLIBC_2.14
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:memcpy@@GLIBC_2.14
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:memcpy@@GLIBC_2.14
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_vli_encode
-   fun:lzma_filter_flags_encode
-   fun:lzma_block_header_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_filter_flags_encode
-   fun:lzma_block_header_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:memset
-   fun:lzma_block_header_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:memset
-   fun:lzma_block_header_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_block_unpadded_size
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_index_append
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_vli_size
-   fun:lzma_index_append
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_vli_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_vli_encode
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_crc32
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_crc32
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_index_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_stream_footer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Value8
-   fun:lzma_crc32
-   fun:lzma_stream_footer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   fun:lzma_crc32
-   fun:lzma_stream_footer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   lzma internal stuff
-   Memcheck:Cond
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   obj:/usr/lib64/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-}
-{
-   lzma internal stuff (Debian Unstable)
-   Memcheck:Cond
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-}
-{
-   lzma internal stuff (Debian Experimental)
-   Memcheck:Cond
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   obj:*/libknet/.libs/compress_lzma.so
-   obj:*
-}
-{
-   lzma internal stuff (Debian / Ubuntu)
-   Memcheck:Cond
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
-   fun:lzma_block_buffer_encode
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:compress_lib_test
-   fun:compress_cfg
-   fun:knet_handle_compress
-   fun:test
-}
-{
-   lzma internal stuff (Ubuntu 17.10 i386)
-   Memcheck:Cond
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-}
-{
-   lzma internal stuff (Ubuntu 17.10 i386)
-   Memcheck:Cond
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:compress
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-}
-{
-   lzma internal stuff (Ubuntu 17.10 i386)
-   Memcheck:Cond
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
-   fun:lzma_stream_buffer_encode
-   fun:lzma_easy_buffer_encode
-   fun:lzma_compress
-   fun:compress_lib_test
-   fun:compress_cfg
-   fun:knet_handle_compress
-}
-{
-   nss internal leak (3.38+) non recurring
-   Memcheck:Leak
-   match-leak-kinds: definite
-   fun:malloc
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   fun:init_nss
-   fun:nsscrypto_init
-   fun:crypto_init
-   fun:knet_handle_crypto
-   fun:test
-   fun:main
-}
-{
-   nss internal leak (3.38+) non recurring
-   Memcheck:Leak
-   match-leak-kinds: definite
-   fun:calloc
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   fun:init_nss
-   fun:nsscrypto_init
-   fun:crypto_init
-   fun:knet_handle_crypto
-   fun:test
-   fun:main
-}
-{
-   nss internal leak (3.38+) non recurring
-   Memcheck:Addr8
-   obj:/usr/lib64/libp11-kit.so.0.3.0
-   obj:/usr/lib64/libp11-kit.so.0.3.0
-   fun:_dl_close_worker
-   fun:_dl_close
-   fun:_dl_catch_exception
-   fun:_dl_catch_error
-   fun:_dlerror_run
-   fun:dlclose
-   fun:PR_UnloadLibrary
-   obj:/usr/lib64/libnss3.so
-   obj:/usr/lib64/libnss3.so
-   obj:/usr/lib64/libnss3.so
-}
-{
-   nss internal leak (3.41) non recurring (spotted on f29)
-   Memcheck:Leak
-   match-leak-kinds: definite
-   fun:malloc
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:*
-   obj:/usr/lib64/libnss3.so
-}
-{
-   arm internal memory leak
-   Memcheck:Leak
-   match-leak-kinds: definite
-   fun:malloc
-   fun:dl_open_worker
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Cond
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_instantiate
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_get0_public
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Cond
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_instantiate
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_get0_public
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Cond
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   fun:RAND_DRBG_bytes
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Cond
-   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   fun:RAND_DRBG_bytes
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Param
-   socketcall.sendto(msg)
-   fun:sendto
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-   fun:clone
-}
-{
-
-   openssl 1.1.1c missing fix from master
-   Memcheck:Param
-   socketcall.sendto(msg)
-   fun:sendto
-   fun:_parse_recv_from_links
-   fun:_handle_recv_from_links
-   fun:_handle_recv_from_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Param
-   socketcall.sendto(msg)
-   fun:sendto
-   fun:_handle_check_link_pmtud
-   fun:_handle_check_pmtud
-   fun:_handle_pmtud_link_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   openssl 1.1.1c missing fix from master
-   Memcheck:Param
-   sendmsg(msg.msg_iov[0])
-   fun:__libc_sendmsg
-   fun:sendmsg
-   fun:_sendmmsg
-   fun:_dispatch_to_links
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   Opensuse 15 libnss
-   Memcheck:Cond
-   fun:__memcmp_sse4_1
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:FIPS_selftest
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:FIPS_mode_set
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:call_init.part.0
-   fun:_dl_init
-   fun:dl_open_worker
-   fun:_dl_catch_error
-   fun:_dl_open
-   fun:dlopen_doit
-}
-{
-   Opensuse 15 libnss
-   Memcheck:Cond
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:FIPS_mode_set
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:call_init.part.0
-   fun:_dl_init
-   fun:dl_open_worker
-   fun:_dl_catch_error
-   fun:_dl_open
-   fun:dlopen_doit
-   fun:_dl_catch_error
-   fun:_dlerror_run
-   fun:dlopen@@GLIBC_2.2.5
-}
-{
-   Opensuse tumbleweed libnss
-   Memcheck:Cond
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_instantiate
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_get0_public
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-}
-{
-   Opensuse tumbleweed libnss
-   Memcheck:Cond
-   obj:/usr/lib64/libcrypto.so.1.1
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_instantiate
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_get0_public
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-}
-{
-   Opensuse tumbleweed libnss
-   Memcheck:Cond
-   obj:/usr/lib64/libcrypto.so.1.1
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   fun:RAND_DRBG_bytes
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   Opensuse tumbleweed libnss
-   Memcheck:Cond
-   obj:/usr/lib64/libcrypto.so.1.1
-   fun:RAND_DRBG_generate
-   fun:RAND_DRBG_bytes
-   fun:encrypt_openssl
-   fun:opensslcrypto_encrypt_and_signv
-   fun:opensslcrypto_encrypt_and_sign
-   fun:_handle_check_each
-   fun:_send_pings
-   fun:_handle_heartbt_thread
-   fun:start_thread
-   fun:clone
-}
-{
-   Opensuse tumbleweed libnss
-   Memcheck:Param
-   sendmsg(msg.msg_iov[0])
-   fun:sendmsg
-   fun:_sendmmsg
-   fun:_dispatch_to_links
-   fun:_parse_recv_from_sock
-   fun:_handle_send_to_links
-   fun:_handle_send_to_links_thread
-   fun:start_thread
-   fun:clone
+  lzma internals (spotted on Debian 9 and Ubuntu 18.04 LTS x86-64)
+  Memcheck:Cond
+  obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/x86_64-linux-gnu/liblzma.so.5.2.2
+  fun:lzma_block_buffer_encode
+  fun:lzma_stream_buffer_encode
+  fun:lzma_easy_buffer_encode
+  fun:lzma_compress
+  fun:compress_lib_test
+  fun:compress_cfg
+  fun:knet_handle_compress
+  fun:test
+}
+{
+  lzma internals (spotted on Ubuntu 18.04 LTS i386)
+  Memcheck:Cond
+  obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
+  obj:/lib/i386-linux-gnu/liblzma.so.5.2.2
+  fun:lzma_stream_buffer_encode
+  fun:lzma_easy_buffer_encode
+  fun:lzma_compress
+  fun:compress_lib_test
+  fun:compress_cfg
+  fun:knet_handle_compress
+}
+{
+  openssl internals (spotted on OpenSUSE 15)
+  Memcheck:Cond
+  fun:__memcmp_sse4_1
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:FIPS_selftest
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:FIPS_mode_set
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:call_init.part.0
+  fun:_dl_init
+  fun:dl_open_worker
+  fun:_dl_catch_error
+  fun:_dl_open
+  fun:dlopen_doit
+}
+{
+  openssl internals (spotted on OpenSUSE Tumbleweed)
+  Memcheck:Cond
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_instantiate
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_get0_public
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_instantiate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_get0_public
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+}
+{
+  openssl internals (spotted on OpenSUSE Tumbleweed)
+  Memcheck:Cond
+  obj:/usr/lib64/libcrypto.so.1.1
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_instantiate
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_get0_public
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_instantiate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_get0_public
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+}
+{
+  openssl internals (spotted on OpenSUSE Tumbleweed)
+  Memcheck:Cond
+  obj:/usr/lib64/libcrypto.so.1.1
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  fun:RAND_DRBG_bytes
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  fun:RAND_DRBG_bytes
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on OpenSUSE Tumbleweed)
+  Memcheck:Cond
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  fun:RAND_DRBG_bytes
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  fun:RAND_DRBG_bytes
+  fun:encrypt_openssl.isra.0
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on OpenSUSE 15)
+  Memcheck:Cond
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:FIPS_mode_set
+  obj:/usr/lib64/libcrypto.so.1.1
+  fun:call_init.part.0
+  fun:_dl_init
+  fun:dl_open_worker
+  fun:_dl_catch_error
+  fun:_dl_open
+  fun:dlopen_doit
+  fun:_dl_catch_error
+  fun:_dlerror_run
+  fun:dlopen@@GLIBC_2.2.5
+}
+{
+  openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed and Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Param
+  socketcall.sendto(msg)
+  fun:sendto
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed and Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Param
+  socketcall.sendto(msg)
+  fun:sendto
+  fun:_parse_recv_from_links
+  fun:_handle_recv_from_links
+  fun:_handle_recv_from_links_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed and Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Param
+  socketcall.sendto(msg)
+  fun:sendto
+  fun:_handle_check_link_pmtud
+  fun:_handle_check_pmtud
+  fun:_handle_pmtud_link_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl uninitialised byte(s) (spotted on OpenSUSE Tumbleweed)
+  Memcheck:Param
+  sendmsg(msg.msg_iov[0])
+  fun:sendmsg
+  fun:_sendmmsg
+  fun:_dispatch_to_links
+  fun:_parse_recv_from_sock
+  fun:_handle_send_to_links
+  fun:_handle_send_to_links_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2019-10-30)
+  Memcheck:Param
+  sendmsg(msg.msg_iov[0])
+  fun:__libc_sendmsg
+  fun:sendmsg
+  fun:_sendmmsg
+  fun:_dispatch_to_links
+  fun:_parse_recv_from_sock
+  fun:_handle_send_to_links
+  fun:_handle_send_to_links_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  fun:RAND_DRBG_bytes
+  fun:encrypt_openssl
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_instantiate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_get0_public
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:encrypt_openssl
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_instantiate
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_get0_public
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:encrypt_openssl
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+}
+{
+  openssl internals (spotted on Ubuntu Devel x86-64 - 2020-07-10)
+  Memcheck:Cond
+  obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
+  fun:RAND_DRBG_generate
+  fun:RAND_DRBG_bytes
+  fun:encrypt_openssl
+  fun:opensslcrypto_encrypt_and_signv
+  fun:opensslcrypto_encrypt_and_sign
+  fun:_handle_check_each
+  fun:_send_pings
+  fun:_handle_heartbt_thread
+  fun:start_thread
+  fun:clone
+}
+{
+  nss internal leak (3.41) non recurring (spotted on f29)
+  Memcheck:Leak
+  match-leak-kinds: definite
+  fun:malloc
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:/usr/lib64/libnss3.so
+}
+{
+  nss internal leak (3.41) non recurring
+  Memcheck:Leak
+  match-leak-kinds: definite
+  fun:calloc
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  fun:init_nss
+  fun:nsscrypto_init
+  fun:crypto_init
+  fun:knet_handle_crypto_set_config
+  fun:test
+  fun:main
+}
+{
+  nss internal leak (3.41) non recurring
+  Memcheck:Leak
+  match-leak-kinds: definite
+  fun:malloc
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  obj:*
+  fun:init_nss
+  fun:nsscrypto_init
+  fun:crypto_init
+  fun:knet_handle_crypto_set_config
+  fun:test
+  fun:main
 }
diff --git a/configure.ac b/configure.ac
index 56124540..88695c77 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,506 +1,506 @@
 #
 # Copyright (C) 2010-2020 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #          Federico Simoncelli <fsimon@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 #                                               -*- Autoconf -*-
 # Process this file with autoconf to produce a configure script.
 #
 
 AC_PREREQ([2.63])
 AC_INIT([kronosnet],
 	m4_esyscmd([build-aux/git-version-gen .tarball-version .gitarchivever]),
 	[devel@lists.kronosnet.org])
 # Don't let AC_PROC_CC (invoked by AC_USE_SYSTEM_EXTENSIONS) replace
 # undefined CFLAGS with -g -O2, overriding our special OPT_CFLAGS.
 : ${CFLAGS=""}
 AC_USE_SYSTEM_EXTENSIONS
 AM_INIT_AUTOMAKE([1.13 dist-bzip2 dist-xz color-tests -Wno-portability subdir-objects])
 
 LT_PREREQ([2.2.6])
 # --enable-new-dtags: Use RUNPATH instead of RPATH.
 # It is necessary to have this done before libtool does linker detection.
 # See also: https://github.com/kronosnet/kronosnet/issues/107
 # --as-needed: Modern systems have builtin ceil() making -lm superfluous but
 # AC_SEARCH_LIBS can't detect this because it tests with a false prototype
 AX_CHECK_LINK_FLAG([-Wl,--enable-new-dtags],
 		   [AM_LDFLAGS=-Wl,--enable-new-dtags],
 		   [AC_MSG_ERROR(["Linker support for --enable-new-dtags is required"])])
 AX_CHECK_LINK_FLAG([-Wl,--as-needed], [AM_LDFLAGS="$AM_LDFLAGS -Wl,--as-needed"])
 
 AC_SUBST([AM_LDFLAGS])
 saved_LDFLAGS="$LDFLAGS"
 LDFLAGS="$AM_LDFLAGS $LDFLAGS"
 LT_INIT
 LDFLAGS="$saved_LDFLAGS"
 
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([kronosnetd/main.c])
 AC_CONFIG_HEADERS([config.h])
 
 AC_CANONICAL_HOST
 
 AC_LANG([C])
 
 systemddir=${prefix}/lib/systemd/system
 
 if test "$prefix" = "NONE"; then
 	prefix="/usr"
 	if test "$localstatedir" = "\${prefix}/var"; then
 		localstatedir="/var"
 	fi
 	if test "$sysconfdir" = "\${prefix}/etc"; then
 		sysconfdir="/etc"
 	fi
 	if test "$systemddir" = "NONE/lib/systemd/system"; then
 		systemddir=/lib/systemd/system
 	fi
 	if test "$libdir" = "\${exec_prefix}/lib"; then
 		if test -e /usr/lib64; then
 			libdir="/usr/lib64"
 		else
 			libdir="/usr/lib"
 		fi
 	fi
 fi
 
 AC_PROG_AWK
 AC_PROG_GREP
 AC_PROG_SED
 AC_PROG_CPP
 AC_PROG_CC
 AC_PROG_CC_C99
 if test "x$ac_cv_prog_cc_c99" = "xno"; then
 	AC_MSG_ERROR(["C99 support is required"])
 fi
 AC_PROG_LN_S
 AC_PROG_INSTALL
 AC_PROG_MAKE_SET
 PKG_PROG_PKG_CONFIG
 
 AC_CHECK_PROGS([VALGRIND_EXEC], [valgrind])
 AM_CONDITIONAL([HAS_VALGRIND], [test x$VALGRIND_EXEC != "x"])
 
 AC_CHECK_PROGS([COVBUILD_EXEC], [cov-build])
 AM_CONDITIONAL([HAS_COVBUILD], [test x$COVBUILD_EXEC != "x"])
 
 AC_CHECK_PROGS([COVANALYZE_EXEC], [cov-analyze])
 AM_CONDITIONAL([HAS_COVANALYZE], [test x$COVANALYZE_EXEC != "x"])
 
 AC_CHECK_PROGS([COVFORMATERRORS_EXEC], [cov-format-errors])
 AM_CONDITIONAL([HAS_COVFORMATERRORS], [test x$COVFORMATERRORS_EXEC != "x"])
 
 # KNET_OPTION_DEFINES(stem,type,detection code)
 # stem: enters name of option, Automake conditional and preprocessor define
 # type: compress or crypto, determines where the default comes from
 AC_DEFUN([KNET_OPTION_DEFINES],[
 AC_ARG_ENABLE([$2-$1],[AS_HELP_STRING([--disable-$2-$1],[disable libknet $1 support])],,
 	[enable_$2_$1="$enable_$2_all"])
 AM_CONDITIONAL([BUILD_]m4_toupper([$2_$1]),[test "x$enable_$2_$1" = xyes])
 if test "x$enable_$2_$1" = xyes; then
 	$3
 fi
 AC_DEFINE_UNQUOTED([WITH_]m4_toupper([$2_$1]), [`test "x$enable_$2_$1" != xyes; echo $?`], $1 $2 [built in])
 ])
 
 AC_ARG_ENABLE([man],
 	[AS_HELP_STRING([--disable-man],[disable man page creation])],,
 	[ enable_man="yes" ])
 AM_CONDITIONAL([BUILD_MAN], [test x$enable_man = xyes])
 
 AC_ARG_ENABLE([libknet-sctp],
 	[AS_HELP_STRING([--disable-libknet-sctp],[disable libknet SCTP support])],,
 	[ enable_libknet_sctp="yes" ])
 AM_CONDITIONAL([BUILD_SCTP], [test x$enable_libknet_sctp = xyes])
 
 AC_ARG_ENABLE([crypto-all],
 	[AS_HELP_STRING([--disable-crypto-all],[disable libknet all crypto modules support])],,
 	[ enable_crypto_all="yes" ])
 
 KNET_OPTION_DEFINES([nss],[crypto],[PKG_CHECK_MODULES([nss], [nss])])
 KNET_OPTION_DEFINES([openssl],[crypto],[PKG_CHECK_MODULES([openssl],[libcrypto])])
 
 AC_ARG_ENABLE([compress-all],
 	[AS_HELP_STRING([--disable-compress-all],[disable libknet all compress modules support])],,
 	[ enable_compress_all="yes" ])
 
 KNET_OPTION_DEFINES([zstd],[compress],[PKG_CHECK_MODULES([libzstd], [libzstd])])
 KNET_OPTION_DEFINES([zlib],[compress],[PKG_CHECK_MODULES([zlib], [zlib])])
 KNET_OPTION_DEFINES([lz4],[compress],[PKG_CHECK_MODULES([liblz4], [liblz4])])
 KNET_OPTION_DEFINES([lzo2],[compress],[
 	PKG_CHECK_MODULES([lzo2], [lzo2],
 		[# work around broken pkg-config file in v2.10
 		 AC_SUBST([lzo2_CFLAGS],[`echo $lzo2_CFLAGS | sed 's,/lzo *, ,'`])],
 		[AC_CHECK_HEADERS([lzo/lzo1x.h],
 			[AC_CHECK_LIB([lzo2], [lzo1x_decompress_safe],
 				[AC_SUBST([lzo2_LIBS], [-llzo2])])],
 				[AC_MSG_ERROR(["missing required lzo/lzo1x.h header"])])])
 ])
 KNET_OPTION_DEFINES([lzma],[compress],[PKG_CHECK_MODULES([liblzma], [liblzma])])
 KNET_OPTION_DEFINES([bzip2],[compress],[
 	PKG_CHECK_MODULES([bzip2], [bzip2],,
 		[AC_CHECK_HEADERS([bzlib.h],
 			[AC_CHECK_LIB([bz2], [BZ2_bzBuffToBuffCompress],
 				[AC_SUBST([bzip2_LIBS], [-lbz2])])],
 				[AC_MSG_ERROR(["missing required bzlib.h"])])])
 ])
 
 AC_ARG_ENABLE([install-tests],
 	[AS_HELP_STRING([--enable-install-tests],[install tests])],,
 	[ enable_install_tests="no" ])
 AM_CONDITIONAL([INSTALL_TESTS], [test x$enable_install_tests = xyes])
 
 AC_ARG_ENABLE([poc],
 	[AS_HELP_STRING([--enable-poc],[enable building poc code])],,
 	[ enable_poc="no" ])
 AM_CONDITIONAL([BUILD_POC], [test x$enable_poc = xyes])
 
 AC_ARG_ENABLE([kronosnetd],
 	[AS_HELP_STRING([--enable-kronosnetd],[Kronosnetd support])],,
 	[ enable_kronosnetd="no" ])
 AM_CONDITIONAL([BUILD_KRONOSNETD], [test x$enable_kronosnetd = xyes])
 
 AC_ARG_ENABLE([runautogen],
 	[AS_HELP_STRING([--enable-runautogen],[run autogen.sh])],,
 	[ enable_runautogen="no" ])
 AM_CONDITIONAL([BUILD_RUNAUTOGEN], [test x$enable_runautogen = xyes])
 
 override_rpm_debuginfo_option="yes"
 AC_ARG_ENABLE([rpm-debuginfo],
 	[AS_HELP_STRING([--enable-rpm-debuginfo],[build debuginfo packages])],,
 	[ enable_rpm_debuginfo="no", override_rpm_debuginfo_option="no" ])
 AM_CONDITIONAL([BUILD_RPM_DEBUGINFO], [test x$enable_rpm_debuginfo = xyes])
 AM_CONDITIONAL([OVERRIDE_RPM_DEBUGINFO], [test x$override_rpm_debuginfo_option = xyes])
 
 AC_ARG_ENABLE([libnozzle],
 	[AS_HELP_STRING([--enable-libnozzle],[libnozzle support])],,
 	[ enable_libnozzle="yes" ])
 
 if test "x$enable_kronosnetd" = xyes; then
 	enable_libnozzle=yes
 fi
 AM_CONDITIONAL([BUILD_LIBNOZZLE], [test x$enable_libnozzle = xyes])
 
 # Checks for libraries.
 AX_PTHREAD(,[AC_MSG_ERROR([POSIX threads support is required])])
 saved_LIBS="$LIBS"
 LIBS=
 AC_SEARCH_LIBS([ceil], [m], , [AC_MSG_ERROR([ceil not found])])
 AC_SUBST([m_LIBS], [$LIBS])
 LIBS=
 AC_SEARCH_LIBS([clock_gettime], [rt], , [AC_MSG_ERROR([clock_gettime not found])])
 AC_SUBST([rt_LIBS], [$LIBS])
 LIBS=
 AC_SEARCH_LIBS([dlopen], [dl dld], , [AC_MSG_ERROR([dlopen not found])])
 AC_SUBST([dl_LIBS], [$LIBS])
 LIBS="$saved_LIBS"
 
 # Check RTLD_DI_ORIGIN (not decalred by musl. glibc has it as an enum so cannot use ifdef)
 AC_CHECK_DECL([RTLD_DI_ORIGIN], [AC_DEFINE([HAVE_RTLD_DI_ORIGIN], 1,
     [define when RTLD_DI_ORIGIN is declared])], ,[[#include <dlfcn.h>]])
 
 # OS detection
 
 AC_MSG_CHECKING([for os in ${host_os}])
 case "$host_os" in
 	*linux*)
 		AC_DEFINE_UNQUOTED([KNET_LINUX], [1], [Compiling for Linux platform])
 		AC_MSG_RESULT([Linux])
 		;;
 	*bsd*)
 		AC_DEFINE_UNQUOTED([KNET_BSD], [1], [Compiling for BSD platform])
 		AC_MSG_RESULT([BSD])
 		;;
 	*)
 		AC_MSG_ERROR([Unsupported OS? hmmmm])
 		;;
 esac
 
 # Checks for header files.
 AC_CHECK_HEADERS([sys/epoll.h])
 AC_CHECK_FUNCS([kevent])
 # if neither sys/epoll.h nor kevent are present, we should fail.
 
 if test "x$ac_cv_header_sys_epoll_h" = xno && test "x$ac_cv_func_kevent" = xno; then
 	AC_MSG_ERROR([Both epoll and kevent unavailable on this OS])
 fi
 
 if test "x$ac_cv_header_sys_epoll_h" = xyes && test "x$ac_cv_func_kevent" = xyes; then
 	AC_MSG_ERROR([Both epoll and kevent available on this OS, please contact the maintainers to fix the code])
 fi
 
 if test "x$enable_libknet_sctp" = xyes; then
 	AC_CHECK_HEADERS([netinet/sctp.h],, [AC_MSG_ERROR(["missing required SCTP headers"])])
 fi
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_INLINE
 AC_TYPE_PID_T
 AC_TYPE_SIZE_T
 AC_TYPE_SSIZE_T
 AC_TYPE_UINT8_T
 AC_TYPE_UINT16_T
 AC_TYPE_UINT32_T
 AC_TYPE_UINT64_T
 AC_TYPE_INT8_T
 AC_TYPE_INT16_T
 AC_TYPE_INT32_T
 AC_TYPE_INT64_T
 
 PKG_CHECK_MODULES([libqb], [libqb])
 
 if test "x$enable_man" = "xyes"; then
 	AC_ARG_VAR([DOXYGEN], [override doxygen executable])
 	AC_CHECK_PROGS([DOXYGEN], [doxygen], [no])
 	if test "x$DOXYGEN" = xno; then
 		AC_MSG_ERROR(["Doxygen command not found"])
 	fi
 
 	AC_ARG_VAR([DOXYGEN2MAN], [override doxygen2man executable])
 	if test "x$cross_compiling" = "xno"; then
 		PKG_CHECK_VAR([libqb_PREFIX], [libqb], [prefix])
 		AC_PATH_PROG([DOXYGEN2MAN], [doxygen2man], [no], [$libqb_PREFIX/bin$PATH_SEPARATOR$PATH])
 	fi
 	if test "x$DOXYGEN2MAN" = "xno"; then
 		# required by doxyxml to build man pages dynamically
 		# Don't let AC_PROC_CC (invoked by AX_PROG_CC_FOR_BUILD) replace
 		# undefined CFLAGS_FOR_BUILD with -g -O2, overriding our special OPT_CFLAGS.
 		: ${CFLAGS_FOR_BUILD=""}
 		AX_PROG_CC_FOR_BUILD
 		saved_PKG_CONFIG="$PKG_CONFIG"
 		saved_ac_cv_path_PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
 		unset PKG_CONFIG ac_cv_path_PKG_CONFIG
 		AC_PATH_PROG([PKG_CONFIG], [pkg-config])
 		PKG_CHECK_MODULES([libqb_BUILD], [libqb])
 		PKG_CHECK_VAR([libqb_BUILD_PREFIX], [libqb], [prefix])
 		AC_PATH_PROG([DOXYGEN2MAN], [doxygen2man], [no], [$libqb_BUILD_PREFIX/bin$PATH_SEPARATOR$PATH])
 		if test "x$DOXYGEN2MAN" = "xno"; then
 			PKG_CHECK_MODULES([libxml_BUILD], [libxml-2.0])
 			DOXYGEN2MAN="\${abs_top_builddir}/man/doxyxml"
 			build_doxy=yes
 		fi
 		PKG_CONFIG="$saved_PKG_CONFIG"
 		ac_cv_path_PKG_CONFIG="$saved_ac_cv_path_PKG_CONFIG"
 	fi
 	AC_SUBST([DOXYGEN2MAN])
-	AM_CONDITIONAL([BUILD_DOXYXML], [test "x$build_doxy" = "xyes"])
 fi
+AM_CONDITIONAL([BUILD_DOXYXML], [test "x$build_doxy" = "xyes"])
 
 # checks for libnozzle
 if test "x$enable_libnozzle" = xyes; then
 	if `echo $host_os | grep -q linux`; then
 		PKG_CHECK_MODULES([libnl], [libnl-3.0])
 		PKG_CHECK_MODULES([libnlroute], [libnl-route-3.0 >= 3.3], [],
 			[PKG_CHECK_MODULES([libnlroute], [libnl-route-3.0 < 3.3],
 					   [AC_DEFINE_UNQUOTED([LIBNL3_WORKAROUND], [1], [Enable libnl < 3.3 build workaround])], [])])
 	fi
 fi
 
 # checks for kronosnetd
 if test "x$enable_kronosnetd" = xyes; then
 	AC_CHECK_HEADERS([security/pam_appl.h],
 			 [AC_CHECK_LIB([pam], [pam_start],
 				       [AC_SUBST([pam_LIBS], [-lpam])],
 				       [AC_MSG_ERROR([Unable to find LinuxPAM devel files])])])
 
 	AC_CHECK_HEADERS([security/pam_misc.h],
 			 [AC_CHECK_LIB([pam_misc], [misc_conv],
 				       [AC_SUBST([pam_misc_LIBS], [-lpam_misc])],
 				       [AC_MSG_ERROR([Unable to find LinuxPAM MISC devel files])])])
 
 	AC_CHECK_LIB([qb], [qb_log_thread_priority_set],
 		     [have_qb_log_thread_priority_set="yes"],
 		     [have_qb_log_thread_priority_set="no"])
 	if test "x${have_qb_log_thread_priority_set}" = xyes; then
 		AC_DEFINE_UNQUOTED([HAVE_QB_LOG_THREAD_PRIORITY_SET], [1], [have qb_log_thread_priority_set])
 	fi
 fi
 
 # local options
 AC_ARG_ENABLE([debug],
 	[AS_HELP_STRING([--enable-debug],[enable debug build])])
 
 AC_ARG_WITH([testdir],
 	[AS_HELP_STRING([--with-testdir=DIR],[path to /usr/lib../kronosnet/tests/ dir where to install the test suite])],
 	[ TESTDIR="$withval" ],
 	[ TESTDIR="$libdir/kronosnet/tests" ])
 
 AC_ARG_WITH([initdefaultdir],
 	[AS_HELP_STRING([--with-initdefaultdir=DIR],[path to /etc/sysconfig or /etc/default dir])],
 	[ INITDEFAULTDIR="$withval" ],
 	[ INITDEFAULTDIR="$sysconfdir/default" ])
 
 AC_ARG_WITH([initddir],
 	[AS_HELP_STRING([--with-initddir=DIR],[path to init script directory])],
 	[ INITDDIR="$withval" ],
 	[ INITDDIR="$sysconfdir/init.d" ])
 
 AC_ARG_WITH([systemddir],
 	[AS_HELP_STRING([--with-systemddir=DIR],[path to systemd unit files directory])],
 	[ SYSTEMDDIR="$withval" ],
 	[ SYSTEMDDIR="$systemddir" ])
 
 AC_ARG_WITH([syslogfacility],
 	[AS_HELP_STRING([--with-syslogfacility=FACILITY],[default syslog facility])],
 	[ SYSLOGFACILITY="$withval" ],
 	[ SYSLOGFACILITY="LOG_DAEMON" ])
 
 AC_ARG_WITH([sysloglevel],
 	[AS_HELP_STRING([--with-sysloglevel=LEVEL],[default syslog level])],
 	[ SYSLOGLEVEL="$withval" ],
 	[ SYSLOGLEVEL="LOG_INFO" ])
 
 AC_ARG_WITH([defaultadmgroup],
 	[AS_HELP_STRING([--with-defaultadmgroup=GROUP],
 		[define PAM group. Users part of this group will be allowed to configure
 		 kronosnet. Others will only receive read-only rights.])],
 	[ DEFAULTADMGROUP="$withval" ],
 	[ DEFAULTADMGROUP="kronosnetadm" ])
 
 ## random vars
 LOGDIR=${localstatedir}/log/
 RUNDIR=${localstatedir}/run/
 DEFAULT_CONFIG_DIR=${sysconfdir}/kronosnet
 
 ## do subst
 
 AC_SUBST([TESTDIR])
 AC_SUBST([DEFAULT_CONFIG_DIR])
 AC_SUBST([INITDEFAULTDIR])
 AC_SUBST([INITDDIR])
 AC_SUBST([SYSTEMDDIR])
 AC_SUBST([LOGDIR])
 AC_SUBST([DEFAULTADMGROUP])
 
 AC_DEFINE_UNQUOTED([DEFAULT_CONFIG_DIR],
 		   ["$(eval echo ${DEFAULT_CONFIG_DIR})"],
 		   [Default config directory])
 
 AC_DEFINE_UNQUOTED([DEFAULT_CONFIG_FILE],
 		   ["$(eval echo ${DEFAULT_CONFIG_DIR}/kronosnetd.conf)"],
 		   [Default config file])
 
 AC_DEFINE_UNQUOTED([LOGDIR],
 		   ["$(eval echo ${LOGDIR})"],
 		   [Default logging directory])
 
 AC_DEFINE_UNQUOTED([DEFAULT_LOG_FILE],
 		   ["$(eval echo ${LOGDIR}/kronosnetd.log)"],
 		   [Default log file])
 
 AC_DEFINE_UNQUOTED([RUNDIR],
 		   ["$(eval echo ${RUNDIR})"],
 		   [Default run directory])
 
 AC_DEFINE_UNQUOTED([SYSLOGFACILITY],
 		   [$(eval echo ${SYSLOGFACILITY})],
 		   [Default syslog facility])
 
 AC_DEFINE_UNQUOTED([SYSLOGLEVEL],
 		   [$(eval echo ${SYSLOGLEVEL})],
 		   [Default syslog level])
 
 AC_DEFINE_UNQUOTED([DEFAULTADMGROUP],
 		   ["$(eval echo ${DEFAULTADMGROUP})"],
 		   [Default admin group])
 
 # debug build stuff
 if test "x${enable_debug}" = xyes; then
 	AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
 	OPT_CFLAGS="-O0"
 else
 	OPT_CFLAGS="-O3"
 fi
 
 # gdb flags
 if test "x${GCC}" = xyes; then
 	GDB_FLAGS="-ggdb3"
 else
 	GDB_FLAGS="-g"
 fi
 
 DEFAULT_CFLAGS="-Werror -Wall -Wextra"
 
 # manual overrides
 # generates too much noise for stub APIs
 UNWANTED_CFLAGS="-Wno-unused-parameter"
 
 AC_SUBST([AM_CFLAGS],["$OPT_CFLAGS $GDB_FLAGS $DEFAULT_CFLAGS $UNWANTED_CFLAGS"])
 
 AX_PROG_DATE
 AS_IF([test "$ax_cv_prog_date_gnu_date:$ax_cv_prog_date_gnu_utc" = yes:yes],
 	[UTC_DATE_AT="date -u -d@"],
 	[AS_IF([test "x$ax_cv_prog_date_bsd_date" = xyes],
 		[UTC_DATE_AT="date -u -r"],
 		[AC_MSG_ERROR([date utility unable to convert epoch to UTC])])])
 AC_SUBST([UTC_DATE_AT])
 
 AC_ARG_VAR([SOURCE_EPOCH],[last modification date of the source])
 AC_MSG_NOTICE([trying to determine source epoch])
 AC_MSG_CHECKING([for source epoch in \$SOURCE_EPOCH])
 AS_IF([test -n "$SOURCE_EPOCH"],
 	[AC_MSG_RESULT([yes])],
 	[AC_MSG_RESULT([no])
 	 AC_MSG_CHECKING([for source epoch in source_epoch file])
 	 AS_IF([test -e "$srcdir/source_epoch"],
 		[read SOURCE_EPOCH <"$srcdir/source_epoch"
 		 AC_MSG_RESULT([yes])],
 		[AC_MSG_RESULT([no])
 		 AC_MSG_CHECKING([for source epoch baked in by gitattributes export-subst])
 		 SOURCE_EPOCH='$Format:%at$' # template for rewriting by git-archive
 		 AS_CASE([$SOURCE_EPOCH],
 			[?Format:*], # was not rewritten
 				[AC_MSG_RESULT([no])
 				 AC_MSG_CHECKING([for source epoch in \$SOURCE_DATE_EPOCH])
 				 AS_IF([test "x$SOURCE_DATE_EPOCH" != x],
 					[SOURCE_EPOCH="$SOURCE_DATE_EPOCH"
 					 AC_MSG_RESULT([yes])],
 					[AC_MSG_RESULT([no])
 					 AC_MSG_CHECKING([whether git log can provide a source epoch])
 					 SOURCE_EPOCH=f${SOURCE_EPOCH#\$F} # convert into git log --pretty format
 					 SOURCE_EPOCH=$(cd "$srcdir" && git log -1 --pretty=${SOURCE_EPOCH%$} 2>/dev/null)
 					 AS_IF([test -n "$SOURCE_EPOCH"],
 						[AC_MSG_RESULT([yes])],
 						[AC_MSG_RESULT([no, using current time and breaking reproducibility])
 						 SOURCE_EPOCH=$(date +%s)])])],
 			[AC_MSG_RESULT([yes])]
 		 )])
 	])
 AC_MSG_NOTICE([using source epoch $($UTC_DATE_AT$SOURCE_EPOCH +'%F %T %Z')])
 
 AC_CONFIG_FILES([
 		Makefile
 		init/Makefile
 		libnozzle/Makefile
 		libnozzle/libnozzle.pc
 		libnozzle/tests/Makefile
 		kronosnetd/Makefile
 		kronosnetd/kronosnetd.logrotate
 		libknet/Makefile
 		libknet/libknet.pc
 		libknet/tests/Makefile
 		man/Makefile
 		man/Doxyfile-knet
 		man/Doxyfile-nozzle
 		poc-code/Makefile
 		poc-code/iov-hash/Makefile
 		])
 
 if test "x$VERSION" = "xUNKNOWN"; then
 	AC_MSG_ERROR([m4_text_wrap([
   configure was unable to determine the source tree's current version. This
   generally happens when using git archive (or the github download button)
   generated tarball/zip file. In order to workaround this issue, either use git
   clone https://github.com/kronosnet/kronosnet.git or use an official release
   tarball, available at https://kronosnet.org/releases/.  Alternatively you
   can add a compatible version in a .tarball-version file at the top of the
   source tree, wipe your autom4te.cache dir and generated configure, and rerun
   autogen.sh.
   ], [  ], [   ], [76])])
 fi
 
 AC_OUTPUT
diff --git a/libknet/crypto.c b/libknet/crypto.c
index 8f0aa8f3..0c475d0f 100644
--- a/libknet/crypto.c
+++ b/libknet/crypto.c
@@ -1,235 +1,319 @@
 /*
  * Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdlib.h>
 #include <string.h>
 #include <pthread.h>
 #include <time.h>
 
 #include "crypto.h"
 #include "crypto_model.h"
 #include "internals.h"
 #include "logging.h"
 #include "common.h"
 
 /*
  * internal module switch data
  */
 
 static crypto_model_t crypto_modules_cmds[] = {
 	{ "nss", WITH_CRYPTO_NSS, 0, NULL },
 	{ "openssl", WITH_CRYPTO_OPENSSL, 0, NULL },
 	{ NULL, 0, 0, NULL }
 };
 
 static int crypto_get_model(const char *model)
 {
 	int idx = 0;
 
 	while (crypto_modules_cmds[idx].model_name != NULL) {
 		if (!strcmp(crypto_modules_cmds[idx].model_name, model))
 			return idx;
 		idx++;
 	}
 	return -1;
 }
 
 /*
  * exported API
  */
 
 int crypto_encrypt_and_sign (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	return crypto_modules_cmds[knet_h->crypto_instance->model].ops->crypt(knet_h, buf_in, buf_in_len, buf_out, buf_out_len);
+	return crypto_modules_cmds[knet_h->crypto_instance[knet_h->crypto_in_use_config]->model].ops->crypt(knet_h, knet_h->crypto_instance[knet_h->crypto_in_use_config], buf_in, buf_in_len, buf_out, buf_out_len);
 }
 
 int crypto_encrypt_and_signv (
 	knet_handle_t knet_h,
 	const struct iovec *iov_in,
 	int iovcnt_in,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	return crypto_modules_cmds[knet_h->crypto_instance->model].ops->cryptv(knet_h, iov_in, iovcnt_in, buf_out, buf_out_len);
+	return crypto_modules_cmds[knet_h->crypto_instance[knet_h->crypto_in_use_config]->model].ops->cryptv(knet_h, knet_h->crypto_instance[knet_h->crypto_in_use_config], iov_in, iovcnt_in, buf_out, buf_out_len);
 }
 
 int crypto_authenticate_and_decrypt (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	return crypto_modules_cmds[knet_h->crypto_instance->model].ops->decrypt(knet_h, buf_in, buf_in_len, buf_out, buf_out_len);
+	int i, err = 0;
+	int multiple_configs = 0;
+	uint8_t log_level = KNET_LOG_ERR;
+
+	for (i = 1; i <= KNET_MAX_CRYPTO_INSTANCES; i++) {
+		if (knet_h->crypto_instance[i]) {
+			multiple_configs++;
+		}
+	}
+
+	/*
+	 * attempt to decrypt first with the in-use config
+	 * to avoid excessive performance hit.
+	 */
+
+	if (multiple_configs > 1) {
+		log_level = KNET_LOG_DEBUG;
+	}
+
+	if (knet_h->crypto_in_use_config) {
+		err = crypto_modules_cmds[knet_h->crypto_instance[knet_h->crypto_in_use_config]->model].ops->decrypt(knet_h, knet_h->crypto_instance[knet_h->crypto_in_use_config], buf_in, buf_in_len, buf_out, buf_out_len, log_level);
+	} else {
+		err = -1;
+	}
+
+	/*
+	 * if we fail, try to use the other configurations
+	 */
+	if (err) {
+		for (i = 1; i <= KNET_MAX_CRYPTO_INSTANCES; i++) {
+			/*
+			 * in-use config was already attempted
+			 */
+			if (i == knet_h->crypto_in_use_config) {
+				continue;
+			}
+			if (knet_h->crypto_instance[i]) {
+				log_debug(knet_h, KNET_SUB_CRYPTO, "Alternative crypto configuration found, attempting to decrypt with config %u", i);
+				err = crypto_modules_cmds[knet_h->crypto_instance[i]->model].ops->decrypt(knet_h, knet_h->crypto_instance[i], buf_in, buf_in_len, buf_out, buf_out_len, KNET_LOG_ERR);
+				if (!err) {
+					errno = 0; /* clear errno from previous failures */
+					return err;
+				}
+				log_debug(knet_h, KNET_SUB_CRYPTO, "Packet failed to decrypt with crypto config %u", i);
+			}
+		}
+	}
+	return err;
+}
+
+int crypto_use_config(
+	knet_handle_t knet_h,
+	uint8_t config_num)
+{
+	if ((config_num) && (!knet_h->crypto_instance[config_num])) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	knet_h->crypto_in_use_config = config_num;
+
+	if (config_num) {
+		knet_h->sec_block_size = knet_h->crypto_instance[config_num]->sec_block_size;
+		knet_h->sec_hash_size = knet_h->crypto_instance[config_num]->sec_hash_size;
+		knet_h->sec_salt_size = knet_h->crypto_instance[config_num]->sec_salt_size;
+	} else {
+		knet_h->sec_block_size = 0;
+		knet_h->sec_hash_size = 0;
+		knet_h->sec_salt_size = 0;
+	}
+
+	force_pmtud_run(knet_h, KNET_SUB_CRYPTO, 1);
+
+	return 0;
 }
 
 int crypto_init(
 	knet_handle_t knet_h,
-	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
+	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg,
+	uint8_t config_num)
 {
 	int err = 0, savederrno = 0;
 	int model = 0;
 	struct crypto_instance *current = NULL, *new = NULL;
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[config_num];
 
 	model = crypto_get_model(knet_handle_crypto_cfg->crypto_model);
 	if (model < 0) {
 		log_err(knet_h, KNET_SUB_CRYPTO, "model %s not supported", knet_handle_crypto_cfg->crypto_model);
 		return -1;
 	}
 
 	if (crypto_modules_cmds[model].built_in == 0) {
 		log_err(knet_h, KNET_SUB_CRYPTO, "this version of libknet was built without %s support. Please contact your vendor or fix the build.", knet_handle_crypto_cfg->crypto_model);
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_wrlock(&shlib_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to get write lock: %s",
 			strerror(savederrno));
 		return -1;
 	}
 
 	if (!crypto_modules_cmds[model].loaded) {
 		crypto_modules_cmds[model].ops = load_module (knet_h, "crypto", crypto_modules_cmds[model].model_name);
 		if (!crypto_modules_cmds[model].ops) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_CRYPTO, "Unable to load %s lib", crypto_modules_cmds[model].model_name);
 			goto out;
 		}
 		if (crypto_modules_cmds[model].ops->abi_ver != KNET_CRYPTO_MODEL_ABI) {
 			savederrno = EINVAL;
 			err = -1;
 			log_err(knet_h, KNET_SUB_CRYPTO,
 				"ABI mismatch loading module %s. knet ver: %d, module ver: %d",
 				crypto_modules_cmds[model].model_name, KNET_CRYPTO_MODEL_ABI,
 				crypto_modules_cmds[model].ops->abi_ver);
 			goto out;
 		}
 		crypto_modules_cmds[model].loaded = 1;
 	}
 
 	log_debug(knet_h, KNET_SUB_CRYPTO,
 		  "Initizializing crypto module [%s/%s/%s]",
 		  knet_handle_crypto_cfg->crypto_model,
 		  knet_handle_crypto_cfg->crypto_cipher_type,
 		  knet_handle_crypto_cfg->crypto_hash_type);
 
 	new = malloc(sizeof(struct crypto_instance));
 
 	if (!new) {
 		savederrno = ENOMEM;
 		err = -1;
 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto instance");
 		goto out;
 	}
 
 	/*
 	 * if crypto_modules_cmds.ops->init fails, it is expected that
 	 * it will clean everything by itself.
 	 * crypto_modules_cmds.ops->fini is not invoked on error.
 	 */
 	new->model = model;
 	if (crypto_modules_cmds[model].ops->init(knet_h, new, knet_handle_crypto_cfg)) {
 		savederrno = errno;
 		err = -1;
 		goto out;
 	}
 
 out:
 	if (!err) {
-		knet_h->crypto_instance = new;
-		knet_h->sec_block_size = new->sec_block_size;
-		knet_h->sec_hash_size = new->sec_hash_size;
-		knet_h->sec_salt_size = new->sec_salt_size;
-
-		log_debug(knet_h, KNET_SUB_CRYPTO, "Hash size: %zu salt size: %zu block size: %zu",
-			  knet_h->sec_hash_size,
-			  knet_h->sec_salt_size,
-			  knet_h->sec_block_size);
+		knet_h->crypto_instance[config_num] = new;
 
 		if (current) {
+			/*
+			 * if we are replacing the current config, we need to enable it right away
+			 */
+			if (knet_h->crypto_in_use_config == config_num) {
+				crypto_use_config(knet_h, config_num);
+			}
+
 			if (crypto_modules_cmds[current->model].ops->fini != NULL) {
 				crypto_modules_cmds[current->model].ops->fini(knet_h, current);
 			}
 			free(current);
 		}
 	} else {
 		if (new) {
 			free(new);
 		}
 	}
 
 	pthread_rwlock_unlock(&shlib_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
+static void crypto_fini_config(
+	knet_handle_t knet_h,
+	uint8_t config_num)
+{
+	if (knet_h->crypto_instance[config_num]) {
+		if (crypto_modules_cmds[knet_h->crypto_instance[config_num]->model].ops->fini != NULL) {
+			crypto_modules_cmds[knet_h->crypto_instance[config_num]->model].ops->fini(knet_h, knet_h->crypto_instance[config_num]);
+		}
+		free(knet_h->crypto_instance[config_num]);
+		knet_h->crypto_instance[config_num] = NULL;
+	}
+}
+
 void crypto_fini(
-	knet_handle_t knet_h)
+	knet_handle_t knet_h,
+	uint8_t config_num)
 {
-	int savederrno = 0;
+	int savederrno = 0, i;
 
 	savederrno = pthread_rwlock_wrlock(&shlib_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to get write lock: %s",
 			strerror(savederrno));
 		return;
 	}
 
-	if (knet_h->crypto_instance) {
-		if (crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini != NULL) {
-			crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini(knet_h, knet_h->crypto_instance);
+	if (config_num > KNET_MAX_CRYPTO_INSTANCES) {
+		for (i = 1; i <= KNET_MAX_CRYPTO_INSTANCES; i++) {
+			crypto_fini_config(knet_h, i);
 		}
-		free(knet_h->crypto_instance);
-		knet_h->sec_block_size = 0;
-		knet_h->sec_hash_size = 0;
-		knet_h->sec_salt_size = 0;
-		knet_h->crypto_instance = NULL;
+	} else {
+		crypto_fini_config(knet_h, config_num);
 	}
 
 	pthread_rwlock_unlock(&shlib_rwlock);
 	return;
 }
 
 int knet_get_crypto_list(struct knet_crypto_info *crypto_list, size_t *crypto_list_entries)
 {
 	int err = 0;
 	int idx = 0;
 	int outidx = 0;
 
 	if (!crypto_list_entries) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	while (crypto_modules_cmds[idx].model_name != NULL) {
 		if (crypto_modules_cmds[idx].built_in) {
 			if (crypto_list) {
 				crypto_list[outidx].name = crypto_modules_cmds[idx].model_name;
 			}
 			outidx++;
 		}
 		idx++;
 	}
 	*crypto_list_entries = outidx;
 
 	if (!err)
 		errno = 0;
 	return err;
 }
diff --git a/libknet/crypto.h b/libknet/crypto.h
index cc476d14..d04bc484 100644
--- a/libknet/crypto.h
+++ b/libknet/crypto.h
@@ -1,42 +1,48 @@
 /*
  * Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_CRYPTO_H__
 #define __KNET_CRYPTO_H__
 
 #include "internals.h"
 
 int crypto_authenticate_and_decrypt (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len);
 
 int crypto_encrypt_and_sign (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len);
 
 int crypto_encrypt_and_signv (
 	knet_handle_t knet_h,
 	const struct iovec *iov_in,
 	int iovcnt_in,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len);
 
+int crypto_use_config (
+	knet_handle_t knet_h,
+	uint8_t config_num);
+
 int crypto_init(
 	knet_handle_t knet_h,
-	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg);
+	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg,
+	uint8_t config_num);
 
 void crypto_fini(
-	knet_handle_t knet_h);
+	knet_handle_t knet_h,
+	uint8_t config_num);
 
 #endif
diff --git a/libknet/crypto_model.h b/libknet/crypto_model.h
index 06e10a0d..0e6ccb4e 100644
--- a/libknet/crypto_model.h
+++ b/libknet/crypto_model.h
@@ -1,58 +1,62 @@
 /*
  * Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_CRYPTO_MODEL_H__
 #define __KNET_CRYPTO_MODEL_H__
 
 #include "internals.h"
 
 struct crypto_instance {
 	int	model;
 	void	*model_instance;
 	size_t	sec_block_size;
 	size_t	sec_hash_size;
 	size_t	sec_salt_size;
 };
 
-#define KNET_CRYPTO_MODEL_ABI 3
+#define KNET_CRYPTO_MODEL_ABI 4
 
 /*
  * see compress_model.h for explanation of the various lib related functions
  */
 typedef struct {
 	uint8_t abi_ver;
 	int (*init)	(knet_handle_t knet_h,
 			 struct crypto_instance *crypto_instance,
 			 struct knet_handle_crypto_cfg *knet_handle_crypto_cfg);
 	void (*fini)	(knet_handle_t knet_h,
 			 struct crypto_instance *crypto_instance);
 	int (*crypt)	(knet_handle_t knet_h,
+			 struct crypto_instance *crypto_instance,
 			 const unsigned char *buf_in,
 			 const ssize_t buf_in_len,
 			 unsigned char *buf_out,
 			 ssize_t *buf_out_len);
 	int (*cryptv)	(knet_handle_t knet_h,
+			 struct crypto_instance *crypto_instance,
 			 const struct iovec *iov_in,
 			 int iovcnt_in,
 			 unsigned char *buf_out,
 			 ssize_t *buf_out_len);
 	int (*decrypt)	(knet_handle_t knet_h,
+			 struct crypto_instance *crypto_instance,
 			 const unsigned char *buf_in,
 			 const ssize_t buf_in_len,
 			 unsigned char *buf_out,
-			 ssize_t *buf_out_len);
+			 ssize_t *buf_out_len,
+			 uint8_t log_level);
 } crypto_ops_t;
 
 typedef struct {
 	const char	*model_name;
 	uint8_t		built_in;
 	uint8_t		loaded;
 	crypto_ops_t	*ops;
 } crypto_model_t;
 
 #endif
diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
index bf4cdc1a..d0b5e4f2 100644
--- a/libknet/crypto_nss.c
+++ b/libknet/crypto_nss.c
@@ -1,840 +1,875 @@
 /*
  * Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 #define KNET_MODULE
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdlib.h>
 #include <nss.h>
 #include <nspr.h>
 #include <pk11pub.h>
 #include <pkcs11.h>
 #include <prerror.h>
 #include <blapit.h>
 #include <hasht.h>
 #include <pthread.h>
 #include <secerr.h>
 #include <prinit.h>
 
 #include "crypto_model.h"
 #include "logging.h"
 
 static int nss_db_is_init = 0;
 
 static void nss_atexit_handler(void)
 {
 	if (nss_db_is_init) {
 		NSS_Shutdown();
 		if (PR_Initialized()) {
 			PL_ArenaFinish();
 			PR_Cleanup();
 		}
 	}
 	return;
 }
 
 /*
  * crypto definitions and conversion tables
  */
 
 #define SALT_SIZE 16
 
 /*
  * This are defined in new NSS. For older one, we will define our own
  */
 #ifndef AES_256_KEY_LENGTH
 #define AES_256_KEY_LENGTH 32
 #endif
 
 #ifndef AES_192_KEY_LENGTH
 #define AES_192_KEY_LENGTH 24
 #endif
 
 #ifndef AES_128_KEY_LENGTH
 #define AES_128_KEY_LENGTH 16
 #endif
 
 enum nsscrypto_crypt_t {
 	CRYPTO_CIPHER_TYPE_NONE = 0,
 	CRYPTO_CIPHER_TYPE_AES256 = 1,
 	CRYPTO_CIPHER_TYPE_AES192 = 2,
 	CRYPTO_CIPHER_TYPE_AES128 = 3
 };
 
 CK_MECHANISM_TYPE cipher_to_nss[] = {
 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
 	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES256 */
 	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES192 */
 	CKM_AES_CBC_PAD			/* CRYPTO_CIPHER_TYPE_AES128 */
 };
 
 size_t nsscipher_key_len[] = {
 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
 	AES_256_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES256 */
 	AES_192_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES192 */
 	AES_128_KEY_LENGTH		/* CRYPTO_CIPHER_TYPE_AES128 */
 };
 
 size_t nsscypher_block_len[] = {
 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
 	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES256 */
 	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES192 */
 	AES_BLOCK_SIZE			/* CRYPTO_CIPHER_TYPE_AES128 */
 };
 
 /*
  * hash definitions and conversion tables
  */
 
 enum nsscrypto_hash_t {
 	CRYPTO_HASH_TYPE_NONE	= 0,
 	CRYPTO_HASH_TYPE_MD5	= 1,
 	CRYPTO_HASH_TYPE_SHA1	= 2,
 	CRYPTO_HASH_TYPE_SHA256	= 3,
 	CRYPTO_HASH_TYPE_SHA384	= 4,
 	CRYPTO_HASH_TYPE_SHA512	= 5
 };
 
 CK_MECHANISM_TYPE hash_to_nss[] = {
 	 0,				/* CRYPTO_HASH_TYPE_NONE */
 	CKM_MD5_HMAC,			/* CRYPTO_HASH_TYPE_MD5 */
 	CKM_SHA_1_HMAC,			/* CRYPTO_HASH_TYPE_SHA1 */
 	CKM_SHA256_HMAC,		/* CRYPTO_HASH_TYPE_SHA256 */
 	CKM_SHA384_HMAC,		/* CRYPTO_HASH_TYPE_SHA384 */
 	CKM_SHA512_HMAC			/* CRYPTO_HASH_TYPE_SHA512 */
 };
 
 size_t nsshash_len[] = {
 	 0,				/* CRYPTO_HASH_TYPE_NONE */
 	MD5_LENGTH,			/* CRYPTO_HASH_TYPE_MD5 */
 	SHA1_LENGTH,			/* CRYPTO_HASH_TYPE_SHA1 */
 	SHA256_LENGTH,			/* CRYPTO_HASH_TYPE_SHA256 */
 	SHA384_LENGTH,			/* CRYPTO_HASH_TYPE_SHA384 */
 	SHA512_LENGTH			/* CRYPTO_HASH_TYPE_SHA512 */
 };
 
 enum sym_key_type {
 	SYM_KEY_TYPE_CRYPT,
 	SYM_KEY_TYPE_HASH
 };
 
 struct nsscrypto_instance {
 	PK11SymKey   *nss_sym_key;
 	PK11SymKey   *nss_sym_key_sign;
 
 	unsigned char *private_key;
 
 	unsigned int private_key_len;
 
 	int crypto_cipher_type;
 
 	int crypto_hash_type;
 };
 
 /*
  * crypt/decrypt functions
  */
 
 static int nssstring_to_crypto_cipher_type(const char* crypto_cipher_type)
 {
 	if (strcmp(crypto_cipher_type, "none") == 0) {
 		return CRYPTO_CIPHER_TYPE_NONE;
 	} else if (strcmp(crypto_cipher_type, "aes256") == 0) {
 		return CRYPTO_CIPHER_TYPE_AES256;
 	} else if (strcmp(crypto_cipher_type, "aes192") == 0) {
 		return CRYPTO_CIPHER_TYPE_AES192;
 	} else if (strcmp(crypto_cipher_type, "aes128") == 0) {
 		return CRYPTO_CIPHER_TYPE_AES128;
 	}
 	return -1;
 }
 
 static PK11SymKey *nssimport_symmetric_key(knet_handle_t knet_h,
 					   struct crypto_instance *crypto_instance,
 					   enum sym_key_type key_type)
 {
 	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	SECItem key_item;
 	PK11SlotInfo *slot;
 	PK11SymKey *res_key;
 	CK_MECHANISM_TYPE cipher;
 	CK_ATTRIBUTE_TYPE operation;
 	CK_MECHANISM_TYPE wrap_mechanism;
 	int wrap_key_len;
 	PK11SymKey *wrap_key;
 	PK11Context *wrap_key_crypt_context;
 	SECItem tmp_sec_item;
 	SECItem wrapped_key;
 	int wrapped_key_len;
 	int wrap_key_block_size;
 	unsigned char wrapped_key_data[KNET_MAX_KEY_LEN];
 	unsigned char pad_key_data[KNET_MAX_KEY_LEN];
 
 	memset(&key_item, 0, sizeof(key_item));
 	slot = NULL;
 	wrap_key = NULL;
 	res_key = NULL;
 	wrap_key_crypt_context = NULL;
 
 	if (instance->private_key_len > sizeof(pad_key_data)) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Import symmetric key failed. Private key is too long");
 		goto exit_res_key;
 	}
 	memset(pad_key_data, 0, sizeof(pad_key_data));
 	memcpy(pad_key_data, instance->private_key, instance->private_key_len);
 
 	key_item.type = siBuffer;
 	key_item.data = pad_key_data;
 
 	switch (key_type) {
 		case SYM_KEY_TYPE_CRYPT:
 			key_item.len = nsscipher_key_len[instance->crypto_cipher_type];
 			cipher = cipher_to_nss[instance->crypto_cipher_type];
 			operation = CKA_ENCRYPT|CKA_DECRYPT;
 			break;
 		case SYM_KEY_TYPE_HASH:
 			key_item.len = instance->private_key_len;
 			cipher = hash_to_nss[instance->crypto_hash_type];
 			operation = CKA_SIGN;
 			break;
 		default:
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Import symmetric key failed. Unknown keyimport request");
 			goto exit_res_key;
 			break;
 	}
 
 	slot = PK11_GetBestSlot(cipher, NULL);
 	if (slot == NULL) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to find security slot (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto exit_res_key;
 	}
 
 	/*
 	 * Without FIPS it would be possible to just use
 	 * 	res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL);
 	 * with FIPS NSS Level 2 certification has to be "workarounded" (so it becomes Level 1) by using
 	 * following method:
 	 * 1. Generate wrap key
 	 * 2. Encrypt authkey with wrap key
 	 * 3. Unwrap encrypted authkey using wrap key
 	 */
 
 	/*
 	 * Generate wrapping key
 	 */
 	wrap_mechanism = PK11_GetBestWrapMechanism(slot);
 	wrap_key_len = PK11_GetBestKeyLength(slot, wrap_mechanism);
 	wrap_key = PK11_KeyGen(slot, wrap_mechanism, NULL, wrap_key_len, NULL);
 	if (wrap_key == NULL) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to generate wrapping key (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto exit_res_key;
 	}
 
 	/*
 	 * Encrypt authkey with wrapping key
 	 */
 
 	/*
 	 * Key must be padded to a block size
 	 */
 	wrap_key_block_size = PK11_GetBlockSize(wrap_mechanism, 0);
 	if (wrap_key_block_size < 0) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to get wrap key block size (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto exit_res_key;
 	}
 	if (sizeof(pad_key_data) % wrap_key_block_size != 0) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Padded key buffer size (%zu) is not dividable by "
 			"wrap key block size (%u).", sizeof(pad_key_data), (unsigned int)wrap_key_block_size);
 		goto exit_res_key;
 	}
 
 	/*
 	 * Initialization of IV is not needed because PK11_GetBestWrapMechanism should return ECB mode
 	 */
 	memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
 	wrap_key_crypt_context = PK11_CreateContextBySymKey(wrap_mechanism, CKA_ENCRYPT,
 							    wrap_key, &tmp_sec_item);
 	if (wrap_key_crypt_context == NULL) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to create encrypt context (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto exit_res_key;
 	}
 
 	wrapped_key_len = (int)sizeof(wrapped_key_data);
 
 	if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key_data, &wrapped_key_len,
 			  sizeof(wrapped_key_data), key_item.data, sizeof(pad_key_data)) != SECSuccess) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to encrypt authkey (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto exit_res_key;
 	}
 
 	if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to finalize encryption of authkey (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto exit_res_key;
 	}
 
 	/*
 	 * Finally unwrap sym key
 	 */
 	memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
 	wrapped_key.data = wrapped_key_data;
 	wrapped_key.len = wrapped_key_len;
 
 	res_key = PK11_UnwrapSymKey(wrap_key, wrap_mechanism, &tmp_sec_item, &wrapped_key,
 				    cipher, operation, key_item.len);
 	if (res_key == NULL) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Failure to import key into NSS (%d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 
 		if (PR_GetError() == SEC_ERROR_BAD_DATA) {
 			/*
 			 * Maximum key length for FIPS enabled softtoken is limited to
 			 * MAX_KEY_LEN (pkcs11i.h - 256) and checked in NSC_UnwrapKey. Returned
 			 * error is CKR_TEMPLATE_INCONSISTENT which is mapped to SEC_ERROR_BAD_DATA.
 			 */
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Secret key is probably too long. "
 				"Try reduce it to 256 bytes");
 		}
 		goto exit_res_key;
 	}
 
 exit_res_key:
 	if (wrap_key_crypt_context != NULL) {
 		PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE);
 	}
 
 	if (wrap_key != NULL) {
 		PK11_FreeSymKey(wrap_key);
 	}
 
 	if (slot != NULL) {
 		PK11_FreeSlot(slot);
 	}
 
 	return (res_key);
 }
 
 static int init_nss_crypto(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
 {
 	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 
 	if (!cipher_to_nss[instance->crypto_cipher_type]) {
 		return 0;
 	}
 
 	instance->nss_sym_key = nssimport_symmetric_key(knet_h, crypto_instance, SYM_KEY_TYPE_CRYPT);
 	if (instance->nss_sym_key == NULL) {
 		errno = ENXIO; /* NSS reported error */
 		return -1;
 	}
 
 	return 0;
 }
 
 static int encrypt_nss(
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const struct iovec *iov,
 	int iovcnt,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	PK11Context*	crypt_context = NULL;
 	SECItem		crypt_param;
 	SECItem		*nss_sec_param = NULL;
 	int		tmp_outlen = 0, tmp1_outlen = 0;
 	unsigned int	tmp2_outlen = 0;
 	unsigned char	*salt = buf_out;
 	unsigned char	*data = buf_out + SALT_SIZE;
 	int		err = -1;
 	int		i;
 
 	if (PK11_GenerateRandom(salt, SALT_SIZE) != SECSuccess) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Failure to generate a random number (err %d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 	}
 
 	crypt_param.type = siBuffer;
 	crypt_param.data = salt;
 	crypt_param.len = SALT_SIZE;
 
 	nss_sec_param = PK11_ParamFromIV(cipher_to_nss[instance->crypto_cipher_type],
 					 &crypt_param);
 	if (nss_sec_param == NULL) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Failure to set up PKCS11 param (err %d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 	}
 
 	/*
 	 * Create cipher context for encryption
 	 */
 	crypt_context = PK11_CreateContextBySymKey(cipher_to_nss[instance->crypto_cipher_type],
 						   CKA_ENCRYPT,
 						   instance->nss_sym_key,
 						   nss_sec_param);
 	if (!crypt_context) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CreateContext failed (encrypt) crypt_type=%d (err %d): %s",
 			   (int)cipher_to_nss[instance->crypto_cipher_type],
 			   PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 	}
 
 	for (i=0; i<iovcnt; i++) {
 		if (PK11_CipherOp(crypt_context, data,
 				  &tmp_outlen,
 				  KNET_DATABUFSIZE_CRYPT,
 				  (unsigned char *)iov[i].iov_base,
 				  iov[i].iov_len) != SECSuccess) {
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp failed (encrypt) crypt_type=%d (err %d): %s",
 				(int)cipher_to_nss[instance->crypto_cipher_type],
 				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 			goto out;
 		}
 		tmp1_outlen = tmp1_outlen + tmp_outlen;
 	}
 
 	if (PK11_DigestFinal(crypt_context, data + tmp1_outlen,
 				     &tmp2_outlen, KNET_DATABUFSIZE_CRYPT - tmp1_outlen) != SECSuccess) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal failed (encrypt) crypt_type=%d (err %d): %s",
 			(int)cipher_to_nss[instance->crypto_cipher_type],
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 
 	}
 
 	*buf_out_len = tmp1_outlen + tmp2_outlen + SALT_SIZE;
 
 	err = 0;
 
 out:
 	if (crypt_context) {
 		PK11_DestroyContext(crypt_context, PR_TRUE);
 	}
 	if (nss_sec_param) {
 		SECITEM_FreeItem(nss_sec_param, PR_TRUE);
 	}
 	return err;
 }
 
 static int decrypt_nss (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	PK11Context*	decrypt_context = NULL;
 	SECItem		decrypt_param;
 	int		tmp1_outlen = 0;
 	unsigned int	tmp2_outlen = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = -1;
 
 	if (datalen <= 0) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Packet is too short");
 		goto out;
 	}
 
 	/* Create cipher context for decryption */
 	decrypt_param.type = siBuffer;
 	decrypt_param.data = salt;
 	decrypt_param.len = SALT_SIZE;
 
 	decrypt_context = PK11_CreateContextBySymKey(cipher_to_nss[instance->crypto_cipher_type],
 						     CKA_DECRYPT,
 						     instance->nss_sym_key, &decrypt_param);
 	if (!decrypt_context) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CreateContext (decrypt) failed (err %d): %s",
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 	}
 
 	if (PK11_CipherOp(decrypt_context, buf_out, &tmp1_outlen,
 			  KNET_DATABUFSIZE_CRYPT, data, datalen) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp (decrypt) failed (err %d): %s",
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp (decrypt) failed (err %d): %s",
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp (decrypt) failed (err %d): %s",
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
 	if (PK11_DigestFinal(decrypt_context, buf_out + tmp1_outlen, &tmp2_outlen,
 			     KNET_DATABUFSIZE_CRYPT - tmp1_outlen) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal (decrypt) failed (err %d): %s",
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal (decrypt) failed (err %d): %s",
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal (decrypt) failed (err %d): %s",
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
 	*buf_out_len = tmp1_outlen + tmp2_outlen;
 
 	err = 0;
 
 out:
 	if (decrypt_context) {
 		PK11_DestroyContext(decrypt_context, PR_TRUE);
 	}
 
 	return err;
 }
 
 /*
  * hash/hmac/digest functions
  */
 
 static int nssstring_to_crypto_hash_type(const char* crypto_hash_type)
 {
 	if (strcmp(crypto_hash_type, "none") == 0) {
 		return CRYPTO_HASH_TYPE_NONE;
 	} else if (strcmp(crypto_hash_type, "md5") == 0) {
 		return CRYPTO_HASH_TYPE_MD5;
 	} else if (strcmp(crypto_hash_type, "sha1") == 0) {
 		return CRYPTO_HASH_TYPE_SHA1;
 	} else if (strcmp(crypto_hash_type, "sha256") == 0) {
 		return CRYPTO_HASH_TYPE_SHA256;
 	} else if (strcmp(crypto_hash_type, "sha384") == 0) {
 		return CRYPTO_HASH_TYPE_SHA384;
 	} else if (strcmp(crypto_hash_type, "sha512") == 0) {
 		return CRYPTO_HASH_TYPE_SHA512;
 	}
 
 	return -1;
 }
 
 static int init_nss_hash(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
 {
 	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 
 	if (!hash_to_nss[instance->crypto_hash_type]) {
 		return 0;
 	}
 
 	instance->nss_sym_key_sign = nssimport_symmetric_key(knet_h, crypto_instance, SYM_KEY_TYPE_HASH);
 	if (instance->nss_sym_key_sign == NULL) {
 		errno = ENXIO; /* NSS reported error */
 		return -1;
 	}
 
 	return 0;
 }
 
 static int calculate_nss_hash(
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf,
 	const size_t buf_len,
-	unsigned char *hash)
+	unsigned char *hash,
+	uint8_t log_level)
 {
-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	PK11Context*	hash_context = NULL;
 	SECItem		hash_param;
 	unsigned int	hash_tmp_outlen = 0;
 	int		err = -1;
 
 	/* Now do the digest */
 	hash_param.type = siBuffer;
 	hash_param.data = 0;
 	hash_param.len = 0;
 
 	hash_context = PK11_CreateContextBySymKey(hash_to_nss[instance->crypto_hash_type],
 						  CKA_SIGN,
 						  instance->nss_sym_key_sign,
 						  &hash_param);
 
 	if (!hash_context) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CreateContext failed (hash) hash_type=%d (err %d): %s",
 			(int)hash_to_nss[instance->crypto_hash_type],
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 	}
 
 	if (PK11_DigestBegin(hash_context) != SECSuccess) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestBegin failed (hash) hash_type=%d (err %d): %s",
 			(int)hash_to_nss[instance->crypto_hash_type],
 			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 		goto out;
 	}
 
 	if (PK11_DigestOp(hash_context, buf, buf_len) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestOp failed (hash) hash_type=%d (err %d): %s",
-			(int)hash_to_nss[instance->crypto_hash_type],
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestOp failed (hash) hash_type=%d (err %d): %s",
+				  (int)hash_to_nss[instance->crypto_hash_type],
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestOp failed (hash) hash_type=%d (err %d): %s",
+				(int)hash_to_nss[instance->crypto_hash_type],
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
 	if (PK11_DigestFinal(hash_context, hash,
 			     &hash_tmp_outlen, nsshash_len[instance->crypto_hash_type]) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinale failed (hash) hash_type=%d (err %d): %s",
-			(int)hash_to_nss[instance->crypto_hash_type],
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinale failed (hash) hash_type=%d (err %d): %s",
+				  (int)hash_to_nss[instance->crypto_hash_type],
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinale failed (hash) hash_type=%d (err %d): %s",
+				(int)hash_to_nss[instance->crypto_hash_type],
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
 	err = 0;
 
 out:
 	if (hash_context) {
 		PK11_DestroyContext(hash_context, PR_TRUE);
 	}
 
 	return err;
 }
 
 /*
  * global/glue nss functions
  */
 
 static int init_nss(knet_handle_t knet_h, struct crypto_instance *crypto_instance)
 {
 	static int at_exit_registered = 0;
 
 	if (!at_exit_registered) {
 		if (atexit(nss_atexit_handler)) {
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to register NSS atexit handler");
 			errno = EAGAIN;
 			return -1;
 		}
 		at_exit_registered = 1;
 	}
 
 	if (!nss_db_is_init) {
 		if (NSS_NoDB_Init(NULL) != SECSuccess) {
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "NSS DB initialization failed (err %d): %s",
 				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
 			errno = EAGAIN;
 			return -1;
 		}
 		nss_db_is_init = 1;
 	}
 
 	if (init_nss_crypto(knet_h, crypto_instance) < 0) {
 		return -1;
 	}
 
 	if (init_nss_hash(knet_h, crypto_instance) < 0) {
 		return -1;
 	}
 
 	return 0;
 }
 
 /*
  * exported API
  */
 
 static int nsscrypto_encrypt_and_signv (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const struct iovec *iov_in,
 	int iovcnt_in,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	int i;
 
 	if (cipher_to_nss[instance->crypto_cipher_type]) {
-		if (encrypt_nss(knet_h, iov_in, iovcnt_in, buf_out, buf_out_len) < 0) {
+		if (encrypt_nss(knet_h, crypto_instance, iov_in, iovcnt_in, buf_out, buf_out_len) < 0) {
 			return -1;
 		}
 	} else {
 		*buf_out_len = 0;
 		for (i=0; i<iovcnt_in; i++) {
 			memmove(buf_out + *buf_out_len, iov_in[i].iov_base, iov_in[i].iov_len);
 			*buf_out_len = *buf_out_len + iov_in[i].iov_len;
 		}
 	}
 
 	if (hash_to_nss[instance->crypto_hash_type]) {
-		if (calculate_nss_hash(knet_h, buf_out, *buf_out_len, buf_out + *buf_out_len) < 0) {
+		if (calculate_nss_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len, KNET_LOG_ERR) < 0) {
 			return -1;
 		}
 		*buf_out_len = *buf_out_len + nsshash_len[instance->crypto_hash_type];
 	}
 
 	return 0;
 }
 
 static int nsscrypto_encrypt_and_sign (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct iovec iov_in;
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (unsigned char *)buf_in;
 	iov_in.iov_len = buf_in_len;
 
-	return nsscrypto_encrypt_and_signv(knet_h, &iov_in, 1, buf_out, buf_out_len);
+	return nsscrypto_encrypt_and_signv(knet_h, crypto_instance, &iov_in, 1, buf_out, buf_out_len);
 }
 
 static int nsscrypto_authenticate_and_decrypt (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
-	struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	ssize_t temp_len = buf_in_len;
 
 	if (hash_to_nss[instance->crypto_hash_type]) {
 		unsigned char tmp_hash[nsshash_len[instance->crypto_hash_type]];
 		ssize_t temp_buf_len = buf_in_len - nsshash_len[instance->crypto_hash_type];
 
 		if ((temp_buf_len <= 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Incorrect packet size.");
 			return -1;
 		}
 
-		if (calculate_nss_hash(knet_h, buf_in, temp_buf_len, tmp_hash) < 0) {
+		if (calculate_nss_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash, log_level) < 0) {
 			return -1;
 		}
 
 		if (memcmp(tmp_hash, buf_in + temp_buf_len, nsshash_len[instance->crypto_hash_type]) != 0) {
-			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Digest does not match");
+			if (log_level == KNET_LOG_DEBUG) {
+				log_debug(knet_h, KNET_SUB_NSSCRYPTO, "Digest does not match");
+			} else {
+				log_err(knet_h, KNET_SUB_NSSCRYPTO, "Digest does not match");
+			}
 			return -1;
 		}
 
 		temp_len = temp_len - nsshash_len[instance->crypto_hash_type];
 		*buf_out_len = temp_len;
 	}
 
 	if (cipher_to_nss[instance->crypto_cipher_type]) {
-		if (decrypt_nss(knet_h, buf_in, temp_len, buf_out, buf_out_len) < 0) {
+		if (decrypt_nss(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len, log_level) < 0) {
 			return -1;
 		}
 	} else {
 		memmove(buf_out, buf_in, temp_len);
 		*buf_out_len = temp_len;
 	}
 
 	return 0;
 }
 
 static void nsscrypto_fini(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance)
 {
 	struct nsscrypto_instance *nsscrypto_instance = crypto_instance->model_instance;
 
 	if (nsscrypto_instance) {
 		if (nsscrypto_instance->nss_sym_key) {
 			PK11_FreeSymKey(nsscrypto_instance->nss_sym_key);
 			nsscrypto_instance->nss_sym_key = NULL;
 		}
 		if (nsscrypto_instance->nss_sym_key_sign) {
 			PK11_FreeSymKey(nsscrypto_instance->nss_sym_key_sign);
 			nsscrypto_instance->nss_sym_key_sign = NULL;
 		}
 		free(nsscrypto_instance);
 		crypto_instance->model_instance = NULL;
 	}
 
 	return;
 }
 
 static int nsscrypto_init(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
 {
 	struct nsscrypto_instance *nsscrypto_instance = NULL;
 	int savederrno;
 
 	log_debug(knet_h, KNET_SUB_NSSCRYPTO,
 		  "Initizializing nss crypto module [%s/%s]",
 		  knet_handle_crypto_cfg->crypto_cipher_type,
 		  knet_handle_crypto_cfg->crypto_hash_type);
 
 	crypto_instance->model_instance = malloc(sizeof(struct nsscrypto_instance));
 	if (!crypto_instance->model_instance) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to allocate memory for nss model instance");
 		errno = ENOMEM;
 		return -1;
 	}
 
 	nsscrypto_instance = crypto_instance->model_instance;
 
 	memset(nsscrypto_instance, 0, sizeof(struct nsscrypto_instance));
 
 	nsscrypto_instance->crypto_cipher_type = nssstring_to_crypto_cipher_type(knet_handle_crypto_cfg->crypto_cipher_type);
 	if (nsscrypto_instance->crypto_cipher_type < 0) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "unknown crypto cipher type requested");
 		savederrno = ENXIO;
 		goto out_err;
 	}
 
 	nsscrypto_instance->crypto_hash_type = nssstring_to_crypto_hash_type(knet_handle_crypto_cfg->crypto_hash_type);
 	if (nsscrypto_instance->crypto_hash_type < 0) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "unknown crypto hash type requested");
 		savederrno = ENXIO;
 		goto out_err;
 	}
 
 	if ((nsscrypto_instance->crypto_cipher_type > 0) &&
 	    (nsscrypto_instance->crypto_hash_type == 0)) {
 		log_err(knet_h, KNET_SUB_NSSCRYPTO, "crypto communication requires hash specified");
 		savederrno = EINVAL;
 		goto out_err;
 	}
 
 	nsscrypto_instance->private_key = knet_handle_crypto_cfg->private_key;
 	nsscrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
 
 	if (init_nss(knet_h, crypto_instance) < 0) {
 		savederrno = errno;
 		goto out_err;
 	}
 
 	if (nsscrypto_instance->crypto_hash_type > 0) {
 		crypto_instance->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];
 	}
 
 	if (nsscrypto_instance->crypto_cipher_type > 0) {
 		int block_size;
 
 		if (nsscypher_block_len[nsscrypto_instance->crypto_cipher_type]) {
 			block_size = nsscypher_block_len[nsscrypto_instance->crypto_cipher_type];
 		} else {
 			block_size = PK11_GetBlockSize(nsscrypto_instance->crypto_cipher_type, NULL);
 			if (block_size < 0) {
 				savederrno = ENXIO;
 				goto out_err;
 			}
 		}
 
 		crypto_instance->sec_salt_size = SALT_SIZE;
 		crypto_instance->sec_block_size = block_size;
 	}
 
 	return 0;
 
 out_err:
 	nsscrypto_fini(knet_h, crypto_instance);
 	errno = savederrno;
 	return -1;
 }
 
 crypto_ops_t crypto_model = {
 	KNET_CRYPTO_MODEL_ABI,
 	nsscrypto_init,
 	nsscrypto_fini,
 	nsscrypto_encrypt_and_sign,
 	nsscrypto_encrypt_and_signv,
 	nsscrypto_authenticate_and_decrypt
 };
diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
index fe3684a4..5ae663cf 100644
--- a/libknet/crypto_openssl.c
+++ b/libknet/crypto_openssl.c
@@ -1,595 +1,643 @@
 /*
  * Copyright (C) 2017-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 #define KNET_MODULE
 
 #include "config.h"
 
+/*
+ * allow to build with openssl 3.0 that has deprecated
+ * use of direct access to HMAC API.
+ *
+ * knet will require some heavy rewrite to port to 3.0,
+ * but it clashes with the re-key feature branch.
+ *
+ * use path of less resistance for now, then we will
+ * port at a later stage.
+ */
+#define OPENSSL_API_COMPAT 0x1010000L
+
 #include <string.h>
 #include <errno.h>
 #include <dlfcn.h>
 #include <stdlib.h>
 #include <openssl/conf.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 
 #include "logging.h"
 #include "crypto_model.h"
 
 /*
  * 1.0.2 requires at least 120 bytes
  * 1.1.0 requires at least 256 bytes
  */
 #define SSLERR_BUF_SIZE 512
 
 /*
  * crypto definitions and conversion tables
  */
 
 #define SALT_SIZE 16
 
 struct opensslcrypto_instance {
 	void *private_key;
 
 	int private_key_len;
 
 	const EVP_CIPHER *crypto_cipher_type;
 
 	const EVP_MD *crypto_hash_type;
 };
 
 static int openssl_is_init = 0;
 
 /*
  * crypt/decrypt functions openssl1.0
  */
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 static int encrypt_openssl(
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const struct iovec *iov,
 	int iovcnt,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
 	int		tmplen = 0, offset = 0;
 	unsigned char	*salt = buf_out;
 	unsigned char	*data = buf_out + SALT_SIZE;
 	int		err = 0;
 	int		i;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	EVP_CIPHER_CTX_init(&ctx);
 
 	if (!RAND_bytes(salt, SALT_SIZE)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_EncryptInit_ex(&ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	for (i=0; i<iovcnt; i++) {
 		if (!EVP_EncryptUpdate(&ctx,
 				       data + offset, &tmplen,
 				       (unsigned char *)iov[i].iov_base, iov[i].iov_len)) {
 			ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to encrypt: %s", sslerr);
 			err = -1;
 			goto out;
 		}
 		offset = offset + tmplen;
 	}
 
 	if (!EVP_EncryptFinal_ex(&ctx, data + offset, &tmplen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize encrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = offset + tmplen + SALT_SIZE;
 
 out:
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	return err;
 }
 
 static int decrypt_openssl (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
 	int		tmplen1 = 0, tmplen2 = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = 0;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	EVP_CIPHER_CTX_init(&ctx);
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_DecryptInit_ex(&ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	if (!EVP_DecryptUpdate(&ctx, buf_out, &tmplen1, data, datalen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
 
 	if (!EVP_DecryptFinal_ex(&ctx, buf_out + tmplen1, &tmplen2)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = tmplen1 + tmplen2;
 
 out:
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	return err;
 }
 #else /* (OPENSSL_VERSION_NUMBER < 0x10100000L) */
 static int encrypt_openssl(
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const struct iovec *iov,
 	int iovcnt,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	*ctx;
 	int		tmplen = 0, offset = 0;
 	unsigned char	*salt = buf_out;
 	unsigned char	*data = buf_out + SALT_SIZE;
 	int		err = 0;
 	int		i;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	ctx = EVP_CIPHER_CTX_new();
 
 	if (!RAND_bytes(salt, SALT_SIZE)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_EncryptInit_ex(ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	for (i=0; i<iovcnt; i++) {
 		if (!EVP_EncryptUpdate(ctx,
 				       data + offset, &tmplen,
 				       (unsigned char *)iov[i].iov_base, iov[i].iov_len)) {
 			ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to encrypt: %s", sslerr);
 			err = -1;
 			goto out;
 		}
 		offset = offset + tmplen;
 	}
 
 	if (!EVP_EncryptFinal_ex(ctx, data + offset, &tmplen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize encrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = offset + tmplen + SALT_SIZE;
 
 out:
 	EVP_CIPHER_CTX_free(ctx);
 	return err;
 }
 
 static int decrypt_openssl (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	*ctx = NULL;
 	int		tmplen1 = 0, tmplen2 = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = 0;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	if (datalen <= 0) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Packet is too short");
 		err = -1;
 		goto out;
 	}
 
 	ctx = EVP_CIPHER_CTX_new();
 
 	/*
 	 * add warning re keylength
 	 */
 	EVP_DecryptInit_ex(ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	if (!EVP_DecryptUpdate(ctx, buf_out, &tmplen1, data, datalen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
 
 	if (!EVP_DecryptFinal_ex(ctx, buf_out + tmplen1, &tmplen2)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = tmplen1 + tmplen2;
 
 out:
 	if (ctx) {
 		EVP_CIPHER_CTX_free(ctx);
 	}
 	return err;
 }
 #endif
 
 /*
  * hash/hmac/digest functions
  */
 
 static int calculate_openssl_hash(
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf,
 	const size_t buf_len,
-	unsigned char *hash)
+	unsigned char *hash,
+	uint8_t log_level)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	unsigned int hash_len = 0;
 	unsigned char *hash_out = NULL;
 	char sslerr[SSLERR_BUF_SIZE];
 
 	hash_out = HMAC(instance->crypto_hash_type,
 			instance->private_key, instance->private_key_len,
 			buf, buf_len,
 			hash, &hash_len);
 
-	if ((!hash_out) || (hash_len != knet_h->sec_hash_size)) {
+	if ((!hash_out) || (hash_len != crypto_instance->sec_hash_size)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
+		}
 		return -1;
 	}
 
 	return 0;
 }
 
 /*
  * exported API
  */
 
 static int opensslcrypto_encrypt_and_signv (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const struct iovec *iov_in,
 	int iovcnt_in,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	int i;
 
 	if (instance->crypto_cipher_type) {
-		if (encrypt_openssl(knet_h, iov_in, iovcnt_in, buf_out, buf_out_len) < 0) {
+		if (encrypt_openssl(knet_h, crypto_instance, iov_in, iovcnt_in, buf_out, buf_out_len) < 0) {
 			return -1;
 		}
 	} else {
 		*buf_out_len = 0;
 		for (i=0; i<iovcnt_in; i++) {
 			memmove(buf_out + *buf_out_len, iov_in[i].iov_base, iov_in[i].iov_len);
 			*buf_out_len = *buf_out_len + iov_in[i].iov_len;
 		}
 	}
 
 	if (instance->crypto_hash_type) {
-		if (calculate_openssl_hash(knet_h, buf_out, *buf_out_len, buf_out + *buf_out_len) < 0) {
+		if (calculate_openssl_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len, KNET_LOG_ERR) < 0) {
 			return -1;
 		}
-		*buf_out_len = *buf_out_len + knet_h->sec_hash_size;
+		*buf_out_len = *buf_out_len + crypto_instance->sec_hash_size;
 	}
 
 	return 0;
 }
 
 static int opensslcrypto_encrypt_and_sign (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct iovec iov_in;
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (unsigned char *)buf_in;
 	iov_in.iov_len = buf_in_len;
 
-	return opensslcrypto_encrypt_and_signv(knet_h, &iov_in, 1, buf_out, buf_out_len);
+	return opensslcrypto_encrypt_and_signv(knet_h, crypto_instance, &iov_in, 1, buf_out, buf_out_len);
 }
 
 static int opensslcrypto_authenticate_and_decrypt (
 	knet_handle_t knet_h,
+	struct crypto_instance *crypto_instance,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
-	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	ssize_t temp_len = buf_in_len;
 
 	if (instance->crypto_hash_type) {
-		unsigned char tmp_hash[knet_h->sec_hash_size];
-		ssize_t temp_buf_len = buf_in_len - knet_h->sec_hash_size;
+		unsigned char tmp_hash[crypto_instance->sec_hash_size];
+		ssize_t temp_buf_len = buf_in_len - crypto_instance->sec_hash_size;
 
 		if ((temp_buf_len <= 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Incorrect packet size.");
 			return -1;
 		}
 
-		if (calculate_openssl_hash(knet_h, buf_in, temp_buf_len, tmp_hash) < 0) {
+		if (calculate_openssl_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash, log_level) < 0) {
 			return -1;
 		}
 
-		if (memcmp(tmp_hash, buf_in + temp_buf_len, knet_h->sec_hash_size) != 0) {
-			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
+		if (memcmp(tmp_hash, buf_in + temp_buf_len, crypto_instance->sec_hash_size) != 0) {
+			if (log_level == KNET_LOG_DEBUG) {
+				log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
+			} else {
+				log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
+			}
 			return -1;
 		}
 
-		temp_len = temp_len - knet_h->sec_hash_size;
+		temp_len = temp_len - crypto_instance->sec_hash_size;
 		*buf_out_len = temp_len;
 	}
 	if (instance->crypto_cipher_type) {
-		if (decrypt_openssl(knet_h, buf_in, temp_len, buf_out, buf_out_len) < 0) {
+		if (decrypt_openssl(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len, log_level) < 0) {
 			return -1;
 		}
 	} else {
 		memmove(buf_out, buf_in, temp_len);
 		*buf_out_len = temp_len;
 	}
 
 	return 0;
 }
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 static pthread_mutex_t *openssl_internal_lock;
 
 static void openssl_internal_locking_callback(int mode, int type, char *file, int line)
 {
 	if (mode & CRYPTO_LOCK) {
 		(void)pthread_mutex_lock(&(openssl_internal_lock[type]));
 	} else {
 		pthread_mutex_unlock(&(openssl_internal_lock[type]));
 	}
 }
 
 static pthread_t openssl_internal_thread_id(void)
 {
 	return pthread_self();
 }
 
 static void openssl_internal_lock_cleanup(void)
 {
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
 	CRYPTO_set_id_callback(NULL);
 
 	for (i = 0; i < CRYPTO_num_locks(); i++) {
 		pthread_mutex_destroy(&(openssl_internal_lock[i]));
 	}
 
 	if (openssl_internal_lock) {
 		free(openssl_internal_lock);
 	}
 
 	return;
 }
 
 static void openssl_atexit_handler(void)
 {
 	openssl_internal_lock_cleanup();
 }
 
 static int openssl_internal_lock_setup(void)
 {
 	int savederrno = 0, err = 0;
 	int i;
 
 	openssl_internal_lock = malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
 	if (!openssl_internal_lock) {
 		savederrno = errno;
 		err = -1;
 		goto out;
 	}
 
 	for (i = 0; i < CRYPTO_num_locks(); i++) {
 		savederrno = pthread_mutex_init(&(openssl_internal_lock[i]), NULL);
 		if (savederrno) {
 			err = -1;
 			goto out;
 		}
 	}
 
 	CRYPTO_set_id_callback((void *)openssl_internal_thread_id);
 	CRYPTO_set_locking_callback((void *)&openssl_internal_locking_callback);
 
 	if (atexit(openssl_atexit_handler)) {
 		err = -1;
 	}
 out:
 	if (err) {
 		openssl_internal_lock_cleanup();
 	}
 	errno = savederrno;
 	return err;
 }
 #endif
 
 static void opensslcrypto_fini(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance)
 {
 	struct opensslcrypto_instance *opensslcrypto_instance = crypto_instance->model_instance;
 
 	if (opensslcrypto_instance) {
 		if (opensslcrypto_instance->private_key) {
 			free(opensslcrypto_instance->private_key);
 			opensslcrypto_instance->private_key = NULL;
 		}
 		free(opensslcrypto_instance);
 		crypto_instance->model_instance = NULL;
 	}
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	ERR_free_strings();
 #endif
 
 	return;
 }
 
 static int opensslcrypto_init(
 	knet_handle_t knet_h,
 	struct crypto_instance *crypto_instance,
 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
 {
 	struct opensslcrypto_instance *opensslcrypto_instance = NULL;
 	int savederrno;
 
 	log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO,
 		  "Initizializing openssl crypto module [%s/%s]",
 		  knet_handle_crypto_cfg->crypto_cipher_type,
 		  knet_handle_crypto_cfg->crypto_hash_type);
 
 	if (!openssl_is_init) {
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 		ERR_load_crypto_strings();
 		OPENSSL_add_all_algorithms_noconf();
 		if (openssl_internal_lock_setup() < 0) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
 			errno = EAGAIN;
 			return -1;
 		}
 #else
 		if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
 					 | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to init openssl");
 			errno = EAGAIN;
 			return -1;
 		}
 #endif
 		openssl_is_init = 1;
 	}
 
 	crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
 	if (!crypto_instance->model_instance) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
 		errno = ENOMEM;
 		return -1;
 	}
 
 	opensslcrypto_instance = crypto_instance->model_instance;
 
 	memset(opensslcrypto_instance, 0, sizeof(struct opensslcrypto_instance));
 
 	if (strcmp(knet_handle_crypto_cfg->crypto_cipher_type, "none") == 0) {
 		opensslcrypto_instance->crypto_cipher_type = NULL;
 	} else {
 		opensslcrypto_instance->crypto_cipher_type = EVP_get_cipherbyname(knet_handle_crypto_cfg->crypto_cipher_type);
 		if (!opensslcrypto_instance->crypto_cipher_type) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unknown crypto cipher type requested");
 			savederrno = ENXIO;
 			goto out_err;
 		}
 	}
 
 	if (strcmp(knet_handle_crypto_cfg->crypto_hash_type, "none") == 0) {
 		opensslcrypto_instance->crypto_hash_type = NULL;
 	} else {
 		opensslcrypto_instance->crypto_hash_type = EVP_get_digestbyname(knet_handle_crypto_cfg->crypto_hash_type);
 		if (!opensslcrypto_instance->crypto_hash_type) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unknown crypto hash type requested");
 			savederrno = ENXIO;
 			goto out_err;
 		}
 	}
 
 	if ((opensslcrypto_instance->crypto_cipher_type) &&
 	    (!opensslcrypto_instance->crypto_hash_type)) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "crypto communication requires hash specified");
 		savederrno = EINVAL;
 		goto out_err;
 	}
 
 	opensslcrypto_instance->private_key = malloc(knet_handle_crypto_cfg->private_key_len);
 	if (!opensslcrypto_instance->private_key) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl private key");
 		savederrno = ENOMEM;
 		goto out_err;
 	}
 	memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);
 	opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
 
 	if (opensslcrypto_instance->crypto_hash_type) {
 		crypto_instance->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
 	}
 
 	if (opensslcrypto_instance->crypto_cipher_type) {
 		size_t block_size;
 
 		block_size = EVP_CIPHER_block_size(opensslcrypto_instance->crypto_cipher_type);
 
 		crypto_instance->sec_salt_size = SALT_SIZE;
 		crypto_instance->sec_block_size = block_size;
 	}
 
 	return 0;
 
 out_err:
 	opensslcrypto_fini(knet_h, crypto_instance);
 
 	errno = savederrno;
 	return -1;
 }
 
 crypto_ops_t crypto_model = {
 	KNET_CRYPTO_MODEL_ABI,
 	opensslcrypto_init,
 	opensslcrypto_fini,
 	opensslcrypto_encrypt_and_sign,
 	opensslcrypto_encrypt_and_signv,
 	opensslcrypto_authenticate_and_decrypt
 };
diff --git a/libknet/handle.c b/libknet/handle.c
index aae5bb8a..71658926 100644
--- a/libknet/handle.c
+++ b/libknet/handle.c
@@ -1,1772 +1,1923 @@
 /*
  * Copyright (C) 2010-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 #include <pthread.h>
 #include <sys/uio.h>
 #include <math.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 
 #include "internals.h"
 #include "crypto.h"
 #include "links.h"
 #include "compress.h"
 #include "compat.h"
 #include "common.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 #include "threads_pmtud.h"
 #include "threads_dsthandler.h"
 #include "threads_rx.h"
 #include "threads_tx.h"
 #include "transports.h"
 #include "transport_common.h"
 #include "logging.h"
 
 static pthread_mutex_t handle_config_mutex = PTHREAD_MUTEX_INITIALIZER;
 
 pthread_rwlock_t shlib_rwlock;
 static uint8_t shlib_wrlock_init = 0;
 
 static uint32_t knet_ref = 0;
 
 static int _init_shlib_tracker(knet_handle_t knet_h)
 {
 	int savederrno = 0;
 
 	if (!shlib_wrlock_init) {
 		savederrno = pthread_rwlock_init(&shlib_rwlock, NULL);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize shared lib rwlock: %s",
 				strerror(savederrno));
 			errno = savederrno;
 			return -1;
 		}
 		shlib_wrlock_init = 1;
 	}
 
 	return 0;
 }
 
 static void _fini_shlib_tracker(void)
 {
 	if (knet_ref == 0) {
 		pthread_rwlock_destroy(&shlib_rwlock);
 		shlib_wrlock_init = 0;
 	}
 	return;
 }
 
 static int _init_locks(knet_handle_t knet_h)
 {
 	int savederrno = 0;
 
 	savederrno = pthread_rwlock_init(&knet_h->global_rwlock, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize list rwlock: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->handle_stats_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize handle stats mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->threads_status_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize threads status mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->pmtud_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize pmtud mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->kmtu_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize kernel_mtu mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_cond_init(&knet_h->pmtud_cond, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize pmtud conditional mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->hb_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize hb_thread mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->tx_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize tx_thread mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->backoff_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize pong timeout backoff mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_mutex_init(&knet_h->tx_seq_num_mutex, NULL);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize tx_seq_num_mutex mutex: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	return 0;
 
 exit_fail:
 	errno = savederrno;
 	return -1;
 }
 
 static void _destroy_locks(knet_handle_t knet_h)
 {
 	pthread_rwlock_destroy(&knet_h->global_rwlock);
 	pthread_mutex_destroy(&knet_h->pmtud_mutex);
 	pthread_mutex_destroy(&knet_h->kmtu_mutex);
 	pthread_cond_destroy(&knet_h->pmtud_cond);
 	pthread_mutex_destroy(&knet_h->hb_mutex);
 	pthread_mutex_destroy(&knet_h->tx_mutex);
 	pthread_mutex_destroy(&knet_h->backoff_mutex);
 	pthread_mutex_destroy(&knet_h->tx_seq_num_mutex);
 	pthread_mutex_destroy(&knet_h->threads_status_mutex);
 	pthread_mutex_destroy(&knet_h->handle_stats_mutex);
 }
 
 static int _init_socks(knet_handle_t knet_h)
 {
 	int savederrno = 0;
 
 	if (_init_socketpair(knet_h, knet_h->hostsockfd)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize internal hostsockpair: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	if (_init_socketpair(knet_h, knet_h->dstsockfd)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to initialize internal dstsockpair: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	return 0;
 
 exit_fail:
 	errno = savederrno;
 	return -1;
 }
 
 static void _close_socks(knet_handle_t knet_h)
 {
 	_close_socketpair(knet_h, knet_h->dstsockfd);
 	_close_socketpair(knet_h, knet_h->hostsockfd);
 }
 
 static int _init_buffers(knet_handle_t knet_h)
 {
 	int savederrno = 0;
 	int i;
 	size_t bufsize;
 
 	for (i = 0; i < PCKT_FRAG_MAX; i++) {
 		bufsize = ceil((float)KNET_MAX_PACKET_SIZE / (i + 1)) + KNET_HEADER_ALL_SIZE;
 		knet_h->send_to_links_buf[i] = malloc(bufsize);
 		if (!knet_h->send_to_links_buf[i]) {
 			savederrno = errno;
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory datafd to link buffer: %s",
 				strerror(savederrno));
 			goto exit_fail;
 		}
 		memset(knet_h->send_to_links_buf[i], 0, bufsize);
 	}
 
 	for (i = 0; i < PCKT_RX_BUFS; i++) {
 		knet_h->recv_from_links_buf[i] = malloc(KNET_DATABUFSIZE);
 		if (!knet_h->recv_from_links_buf[i]) {
 			savederrno = errno;
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for link to datafd buffer: %s",
 				strerror(savederrno));
 			goto exit_fail;
 		}
 		memset(knet_h->recv_from_links_buf[i], 0, KNET_DATABUFSIZE);
 	}
 
 	knet_h->recv_from_sock_buf = malloc(KNET_DATABUFSIZE);
 	if (!knet_h->recv_from_sock_buf) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for app to datafd buffer: %s",
 				strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->recv_from_sock_buf, 0, KNET_DATABUFSIZE);
 
 	knet_h->pingbuf = malloc(KNET_HEADER_PING_SIZE);
 	if (!knet_h->pingbuf) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for hearbeat buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->pingbuf, 0, KNET_HEADER_PING_SIZE);
 
 	knet_h->pmtudbuf = malloc(KNET_PMTUD_SIZE_V6 + KNET_HEADER_ALL_SIZE);
 	if (!knet_h->pmtudbuf) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for pmtud buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->pmtudbuf, 0, KNET_PMTUD_SIZE_V6 + KNET_HEADER_ALL_SIZE);
 
 	for (i = 0; i < PCKT_FRAG_MAX; i++) {
 		bufsize = ceil((float)KNET_MAX_PACKET_SIZE / (i + 1)) + KNET_HEADER_ALL_SIZE + KNET_DATABUFSIZE_CRYPT_PAD;
 		knet_h->send_to_links_buf_crypt[i] = malloc(bufsize);
 		if (!knet_h->send_to_links_buf_crypt[i]) {
 			savederrno = errno;
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for crypto datafd to link buffer: %s",
 				strerror(savederrno));
 			goto exit_fail;
 		}
 		memset(knet_h->send_to_links_buf_crypt[i], 0, bufsize);
 	}
 
 	knet_h->recv_from_links_buf_decrypt = malloc(KNET_DATABUFSIZE_CRYPT);
 	if (!knet_h->recv_from_links_buf_decrypt) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto link to datafd buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->recv_from_links_buf_decrypt, 0, KNET_DATABUFSIZE_CRYPT);
 
 	knet_h->recv_from_links_buf_crypt = malloc(KNET_DATABUFSIZE_CRYPT);
 	if (!knet_h->recv_from_links_buf_crypt) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto link to datafd buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->recv_from_links_buf_crypt, 0, KNET_DATABUFSIZE_CRYPT);
 
 	knet_h->pingbuf_crypt = malloc(KNET_DATABUFSIZE_CRYPT);
 	if (!knet_h->pingbuf_crypt) {
 		savederrno = errno; 
 		log_err(knet_h, KNET_SUB_CRYPTO, "Unable to allocate memory for crypto hearbeat buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->pingbuf_crypt, 0, KNET_DATABUFSIZE_CRYPT);
 
 	knet_h->pmtudbuf_crypt = malloc(KNET_DATABUFSIZE_CRYPT);
 	if (!knet_h->pmtudbuf_crypt) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for crypto pmtud buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->pmtudbuf_crypt, 0, KNET_DATABUFSIZE_CRYPT);
 
 	knet_h->recv_from_links_buf_decompress = malloc(KNET_DATABUFSIZE_COMPRESS);
 	if (!knet_h->recv_from_links_buf_decompress) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for decompress buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->recv_from_links_buf_decompress, 0, KNET_DATABUFSIZE_COMPRESS);
 
 	knet_h->send_to_links_buf_compress = malloc(KNET_DATABUFSIZE_COMPRESS);
 	if (!knet_h->send_to_links_buf_compress) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to allocate memory for compress buffer: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	memset(knet_h->send_to_links_buf_compress, 0, KNET_DATABUFSIZE_COMPRESS);
 
 	memset(knet_h->knet_transport_fd_tracker, 0, sizeof(knet_h->knet_transport_fd_tracker));
 	for (i = 0; i < KNET_MAX_FDS; i++) {
 		knet_h->knet_transport_fd_tracker[i].transport = KNET_MAX_TRANSPORTS;
 	}
 
 	return 0;
 
 exit_fail:
 	errno = savederrno;
 	return -1;
 }
 
 static void _destroy_buffers(knet_handle_t knet_h)
 {
 	int i;
 
 	for (i = 0; i < PCKT_FRAG_MAX; i++) {
 		free(knet_h->send_to_links_buf[i]);
 		free(knet_h->send_to_links_buf_crypt[i]);
 	}
 
 	for (i = 0; i < PCKT_RX_BUFS; i++) {
 		free(knet_h->recv_from_links_buf[i]);
 	}
 
 	free(knet_h->recv_from_links_buf_decompress);
 	free(knet_h->send_to_links_buf_compress);
 	free(knet_h->recv_from_sock_buf);
 	free(knet_h->recv_from_links_buf_decrypt);
 	free(knet_h->recv_from_links_buf_crypt);
 	free(knet_h->pingbuf);
 	free(knet_h->pingbuf_crypt);
 	free(knet_h->pmtudbuf);
 	free(knet_h->pmtudbuf_crypt);
 }
 
 static int _init_epolls(knet_handle_t knet_h)
 {
 	struct epoll_event ev;
 	int savederrno = 0;
 
 	/*
 	 * even if the kernel does dynamic allocation with epoll_ctl
 	 * we need to reserve one extra for host to host communication
 	 */
 	knet_h->send_to_links_epollfd = epoll_create(KNET_EPOLL_MAX_EVENTS + 1);
 	if (knet_h->send_to_links_epollfd < 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to create epoll datafd to link fd: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	knet_h->recv_from_links_epollfd = epoll_create(KNET_EPOLL_MAX_EVENTS);
 	if (knet_h->recv_from_links_epollfd < 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to create epoll link to datafd fd: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	knet_h->dst_link_handler_epollfd = epoll_create(KNET_EPOLL_MAX_EVENTS);
 	if (knet_h->dst_link_handler_epollfd < 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to create epoll dst cache fd: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	if (_fdset_cloexec(knet_h->send_to_links_epollfd)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to set CLOEXEC on datafd to link epoll fd: %s",
 			strerror(savederrno)); 
 		goto exit_fail;
 	}
 
 	if (_fdset_cloexec(knet_h->recv_from_links_epollfd)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to set CLOEXEC on link to datafd epoll fd: %s",
 			strerror(savederrno)); 
 		goto exit_fail;
 	}
 
 	if (_fdset_cloexec(knet_h->dst_link_handler_epollfd)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to set CLOEXEC on dst cache epoll fd: %s",
 			strerror(savederrno)); 
 		goto exit_fail;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = knet_h->hostsockfd[0];
 
 	if (epoll_ctl(knet_h->send_to_links_epollfd,
 		      EPOLL_CTL_ADD, knet_h->hostsockfd[0], &ev)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to add hostsockfd[0] to epoll pool: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = knet_h->dstsockfd[0];
 
 	if (epoll_ctl(knet_h->dst_link_handler_epollfd,
 		      EPOLL_CTL_ADD, knet_h->dstsockfd[0], &ev)) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to add dstsockfd[0] to epoll pool: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	return 0;
 
 exit_fail:
 	errno = savederrno;
 	return -1;
 }
 
 static void _close_epolls(knet_handle_t knet_h)
 {
 	struct epoll_event ev;
 	int i;
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 
 	for (i = 0; i < KNET_DATAFD_MAX; i++) {
 		if (knet_h->sockfd[i].in_use) {
 			epoll_ctl(knet_h->send_to_links_epollfd, EPOLL_CTL_DEL, knet_h->sockfd[i].sockfd[knet_h->sockfd[i].is_created], &ev);
 			if  (knet_h->sockfd[i].sockfd[knet_h->sockfd[i].is_created]) {
 				 _close_socketpair(knet_h, knet_h->sockfd[i].sockfd);
 			}
 		}
 	}
 
 	epoll_ctl(knet_h->send_to_links_epollfd, EPOLL_CTL_DEL, knet_h->hostsockfd[0], &ev);
 	epoll_ctl(knet_h->dst_link_handler_epollfd, EPOLL_CTL_DEL, knet_h->dstsockfd[0], &ev);
 	close(knet_h->send_to_links_epollfd);
 	close(knet_h->recv_from_links_epollfd);
 	close(knet_h->dst_link_handler_epollfd);
 }
 
 static int _start_threads(knet_handle_t knet_h)
 {
 	int savederrno = 0;
 	pthread_attr_t attr;
 
 	set_thread_status(knet_h, KNET_THREAD_PMTUD, KNET_THREAD_REGISTERED);
 
 	savederrno = pthread_attr_init(&attr);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to init pthread attributes: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 	savederrno = pthread_attr_setstacksize(&attr, KNET_THREAD_STACK_SIZE);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to set stack size attribute: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_create(&knet_h->pmtud_link_handler_thread, &attr,
 				    _handle_pmtud_link_thread, (void *) knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to start pmtud link thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_DST_LINK, KNET_THREAD_REGISTERED);
 	savederrno = pthread_create(&knet_h->dst_link_handler_thread, &attr,
 				    _handle_dst_link_handler_thread, (void *) knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to start dst cache thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_TX, KNET_THREAD_REGISTERED);
 	savederrno = pthread_create(&knet_h->send_to_links_thread, &attr,
 				    _handle_send_to_links_thread, (void *) knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to start datafd to link thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_RX, KNET_THREAD_REGISTERED);
 	savederrno = pthread_create(&knet_h->recv_from_links_thread, &attr,
 				    _handle_recv_from_links_thread, (void *) knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to start link to datafd thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_HB, KNET_THREAD_REGISTERED);
 	savederrno = pthread_create(&knet_h->heartbt_thread, &attr,
 				    _handle_heartbt_thread, (void *) knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to start heartbeat thread: %s",
 			strerror(savederrno));
 		goto exit_fail;
 	}
 
 	savederrno = pthread_attr_destroy(&attr);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to destroy pthread attributes: %s",
 			strerror(savederrno));
 		/*
 		 * Do not return error code. Error is not critical.
 		 */
 	}
 
 	return 0;
 
 exit_fail:
 	errno = savederrno;
 	return -1;
 }
 
 static void _stop_threads(knet_handle_t knet_h)
 {
 	void *retval;
 
 	wait_all_threads_status(knet_h, KNET_THREAD_STOPPED);
 
 	if (knet_h->heartbt_thread) {
 		pthread_cancel(knet_h->heartbt_thread);
 		pthread_join(knet_h->heartbt_thread, &retval);
 	}
 
 	if (knet_h->send_to_links_thread) {
 		pthread_cancel(knet_h->send_to_links_thread);
 		pthread_join(knet_h->send_to_links_thread, &retval);
 	}
 
 	if (knet_h->recv_from_links_thread) {
 		pthread_cancel(knet_h->recv_from_links_thread);
 		pthread_join(knet_h->recv_from_links_thread, &retval);
 	}
 
 	if (knet_h->dst_link_handler_thread) {
 		pthread_cancel(knet_h->dst_link_handler_thread);
 		pthread_join(knet_h->dst_link_handler_thread, &retval);
 	}
 
 	if (knet_h->pmtud_link_handler_thread) {
 		pthread_cancel(knet_h->pmtud_link_handler_thread);
 		pthread_join(knet_h->pmtud_link_handler_thread, &retval);
 	}
 }
 
 knet_handle_t knet_handle_new_ex(knet_node_id_t host_id,
 				 int            log_fd,
 				 uint8_t        default_log_level,
 				 uint64_t       flags)
 {
 	knet_handle_t knet_h;
 	int savederrno = 0;
 	struct rlimit cur;
 
 	if (getrlimit(RLIMIT_NOFILE, &cur) < 0) {
 		return NULL;
 	}
 
 	if ((log_fd < 0) || ((unsigned int)log_fd >= cur.rlim_max)) {
 		errno = EINVAL;
 		return NULL;
 	}
 
 	/*
 	 * validate incoming request
 	 */
 
 	if ((log_fd) && (default_log_level > KNET_LOG_DEBUG)) {
 		errno = EINVAL;
 		return NULL;
 	}
 
 	if (flags > KNET_HANDLE_FLAG_PRIVILEGED * 2 - 1) {
 		errno = EINVAL;
 		return NULL;
 	}
 
 	/*
 	 * allocate handle
 	 */
 
 	knet_h = malloc(sizeof(struct knet_handle));
 	if (!knet_h) {
 		errno = ENOMEM;
 		return NULL;
 	}
 	memset(knet_h, 0, sizeof(struct knet_handle));
 
 	/*
 	 * setting up some handle data so that we can use logging
 	 * also when initializing the library global locks
 	 * and trackers
 	 */
 
 	knet_h->flags = flags;
 
 	/*
 	 * copy config in place
 	 */
 
 	knet_h->host_id = host_id;
 	knet_h->logfd = log_fd;
 	if (knet_h->logfd > 0) {
 		memset(&knet_h->log_levels, default_log_level, KNET_MAX_SUBSYSTEMS);
 	}
 
 	/*
 	 * set pmtud default timers
 	 */
 	knet_h->pmtud_interval = KNET_PMTUD_DEFAULT_INTERVAL;
 
 	/*
 	 * set transports reconnect default timers
 	 */
 	knet_h->reconnect_int = KNET_TRANSPORT_DEFAULT_RECONNECT_INTERVAL;
 
 	/*
 	 * Set 'min' stats to the maximum value so the
 	 * first value we get is always less
 	 */
 	knet_h->stats.tx_compress_time_min = UINT64_MAX;
 	knet_h->stats.rx_compress_time_min = UINT64_MAX;
 	knet_h->stats.tx_crypt_time_min = UINT64_MAX;
 	knet_h->stats.rx_crypt_time_min = UINT64_MAX;
 
 	/*
 	 * init global shlib tracker
 	 */
 	savederrno = pthread_mutex_lock(&handle_config_mutex);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get handle mutex lock: %s",
 			strerror(savederrno));
 		free(knet_h);
 		knet_h = NULL;
 		errno = savederrno;
 		return NULL;
 	}
 
 	knet_ref++;
 
 	if (_init_shlib_tracker(knet_h) < 0) {
 		savederrno = errno;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to init handle tracker: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		pthread_mutex_unlock(&handle_config_mutex);
 		goto exit_fail;
 	}
 
 	pthread_mutex_unlock(&handle_config_mutex);
 
 	/*
 	 * init main locking structures
 	 */
 
 	if (_init_locks(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	/*
 	 * init sockets
 	 */
 
 	if (_init_socks(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	/*
 	 * allocate packet buffers
 	 */
 
 	if (_init_buffers(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	if (compress_init(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	/*
 	 * create epoll fds
 	 */
 
 	if (_init_epolls(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	/*
 	 * start transports
 	 */
 
 	if (start_all_transports(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	/*
 	 * start internal threads
 	 */
 
 	if (_start_threads(knet_h)) {
 		savederrno = errno;
 		goto exit_fail;
 	}
 
 	wait_all_threads_status(knet_h, KNET_THREAD_STARTED);
 
 	errno = 0;
 	return knet_h;
 
 exit_fail:
 	knet_handle_free(knet_h);
 	errno = savederrno;
 	return NULL;
 }
 
 knet_handle_t knet_handle_new(knet_node_id_t host_id,
 			      int            log_fd,
 			      uint8_t        default_log_level)
 {
 	return knet_handle_new_ex(host_id, log_fd, default_log_level, KNET_HANDLE_FLAG_PRIVILEGED);
 }
 
 int knet_handle_free(knet_handle_t knet_h)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (knet_h->host_head != NULL) {
 		savederrno = EBUSY;
 		log_err(knet_h, KNET_SUB_HANDLE,
 			"Unable to free handle: host(s) or listener(s) are still active: %s",
 			strerror(savederrno));
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->fini_in_progress = 1;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	_stop_threads(knet_h);
 	stop_all_transports(knet_h);
 	_close_epolls(knet_h);
 	_destroy_buffers(knet_h);
 	_close_socks(knet_h);
-	crypto_fini(knet_h);
+	crypto_fini(knet_h, KNET_MAX_CRYPTO_INSTANCES + 1); /* values above MAX_CRYPTO will release all crypto resources */
 	compress_fini(knet_h, 1);
 	_destroy_locks(knet_h);
 
 	free(knet_h);
 	knet_h = NULL;
 
 	(void)pthread_mutex_lock(&handle_config_mutex);
 	knet_ref--;
 	_fini_shlib_tracker();
 	pthread_mutex_unlock(&handle_config_mutex);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_enable_sock_notify(knet_handle_t knet_h,
 				   void *sock_notify_fn_private_data,
 				   void (*sock_notify_fn) (
 						void *private_data,
 						int datafd,
 						int8_t channel,
 						uint8_t tx_rx,
 						int error,
 						int errorno))
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!sock_notify_fn) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->sock_notify_fn_private_data = sock_notify_fn_private_data;
 	knet_h->sock_notify_fn = sock_notify_fn;
 	log_debug(knet_h, KNET_SUB_HANDLE, "sock_notify_fn enabled");
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	return 0;
 }
 
 int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel)
 {
 	int err = 0, savederrno = 0;
 	int i;
 	struct epoll_event ev;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (datafd == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (*channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sock_notify_fn) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Adding datafd requires sock notify callback enabled!");
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	if (*datafd > 0) {
 		for (i = 0; i < KNET_DATAFD_MAX; i++) {
 			if  ((knet_h->sockfd[i].in_use) && (knet_h->sockfd[i].sockfd[0] == *datafd)) {
 				log_err(knet_h, KNET_SUB_HANDLE, "requested datafd: %d already exist in index: %d", *datafd, i);
 				savederrno = EEXIST;
 				err = -1;
 				goto out_unlock;
 			}
 		}
 	}
 
 	/*
 	 * auto allocate a channel
 	 */
 	if (*channel < 0) {
 		for (i = 0; i < KNET_DATAFD_MAX; i++) {
 			if (!knet_h->sockfd[i].in_use) {
 				*channel = i;
 				break;
 			}
 		}
 		if (*channel < 0) {
 			savederrno = EBUSY;
 			err = -1;
 			goto out_unlock;
 		}
 	} else {
 		if (knet_h->sockfd[*channel].in_use) {
 			savederrno = EBUSY;
 			err = -1;
 			goto out_unlock;
 		}
 	}
 
 	knet_h->sockfd[*channel].is_created = 0;
 	knet_h->sockfd[*channel].is_socket = 0;
 	knet_h->sockfd[*channel].has_error = 0;
 
 	if (*datafd > 0) {
 		int sockopt;
 		socklen_t sockoptlen = sizeof(sockopt);
 
 		if (_fdset_cloexec(*datafd)) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to set CLOEXEC on datafd: %s",
 				strerror(savederrno));
 			goto out_unlock;
 		}
 
 		if (_fdset_nonblock(*datafd)) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to set NONBLOCK on datafd: %s",
 				strerror(savederrno));
 			goto out_unlock;
 		}
 
 		knet_h->sockfd[*channel].sockfd[0] = *datafd;
 		knet_h->sockfd[*channel].sockfd[1] = 0;
 
 		if (!getsockopt(knet_h->sockfd[*channel].sockfd[0], SOL_SOCKET, SO_TYPE, &sockopt, &sockoptlen)) {
 			knet_h->sockfd[*channel].is_socket = 1;
 		}
 	} else {
 		if (_init_socketpair(knet_h, knet_h->sockfd[*channel].sockfd)) {
 			savederrno = errno;
 			err = -1;
 			goto out_unlock;
 		}
 
 		knet_h->sockfd[*channel].is_created = 1;
 		knet_h->sockfd[*channel].is_socket = 1;
 		*datafd = knet_h->sockfd[*channel].sockfd[0];
 	}
 
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = knet_h->sockfd[*channel].sockfd[knet_h->sockfd[*channel].is_created];
 
 	if (epoll_ctl(knet_h->send_to_links_epollfd,
 		      EPOLL_CTL_ADD, knet_h->sockfd[*channel].sockfd[knet_h->sockfd[*channel].is_created], &ev)) {
 		savederrno = errno;
 		err = -1;
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to add datafd %d to linkfd epoll pool: %s",
 			knet_h->sockfd[*channel].sockfd[knet_h->sockfd[*channel].is_created], strerror(savederrno));
 		if (knet_h->sockfd[*channel].is_created) {
 			_close_socketpair(knet_h, knet_h->sockfd[*channel].sockfd);
 		}
 		goto out_unlock;
 	}
 
 	knet_h->sockfd[*channel].in_use = 1;
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_handle_remove_datafd(knet_handle_t knet_h, int datafd)
 {
 	int err = 0, savederrno = 0;
 	int8_t channel = -1;
 	int i;
 	struct epoll_event ev;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (datafd <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	for (i = 0; i < KNET_DATAFD_MAX; i++) {
 		if  ((knet_h->sockfd[i].in_use) &&
 		     (knet_h->sockfd[i].sockfd[0] == datafd)) {
 			channel = i;
 			break;
 		}
 	}
 
 	if (channel < 0) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	if (!knet_h->sockfd[channel].has_error) {
 		memset(&ev, 0, sizeof(struct epoll_event));
 
 		if (epoll_ctl(knet_h->send_to_links_epollfd,
 			      EPOLL_CTL_DEL, knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], &ev)) {
 			savederrno = errno;
 			err = -1;
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to del datafd %d from linkfd epoll pool: %s",
 				knet_h->sockfd[channel].sockfd[0], strerror(savederrno));
 			goto out_unlock;
 		}
 	}
 
 	if (knet_h->sockfd[channel].is_created) {
 		_close_socketpair(knet_h, knet_h->sockfd[channel].sockfd);
 	}
 
 	memset(&knet_h->sockfd[channel], 0, sizeof(struct knet_sock));
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_handle_get_datafd(knet_handle_t knet_h, const int8_t channel, int *datafd)
 {
 	int err = 0, savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((channel < 0) || (channel >= KNET_DATAFD_MAX)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (datafd == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	*datafd = knet_h->sockfd[channel].sockfd[0];
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_handle_get_channel(knet_handle_t knet_h, const int datafd, int8_t *channel)
 {
 	int err = 0, savederrno = 0;
 	int i;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (datafd <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	*channel = -1;
 
 	for (i = 0; i < KNET_DATAFD_MAX; i++) {
 		if  ((knet_h->sockfd[i].in_use) &&
 		     (knet_h->sockfd[i].sockfd[0] == datafd)) {
 			*channel = i;
 			break;
 		}
 	}
 
 	if (*channel < 0) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_handle_enable_filter(knet_handle_t knet_h,
 			      void *dst_host_filter_fn_private_data,
 			      int (*dst_host_filter_fn) (
 					void *private_data,
 					const unsigned char *outdata,
 					ssize_t outdata_len,
 					uint8_t tx_rx,
 					knet_node_id_t this_host_id,
 					knet_node_id_t src_node_id,
 					int8_t *channel,
 					knet_node_id_t *dst_host_ids,
 					size_t *dst_host_ids_entries))
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->dst_host_filter_fn_private_data = dst_host_filter_fn_private_data;
 	knet_h->dst_host_filter_fn = dst_host_filter_fn;
 	if (knet_h->dst_host_filter_fn) {
 		log_debug(knet_h, KNET_SUB_HANDLE, "dst_host_filter_fn enabled");
 	} else {
 		log_debug(knet_h, KNET_SUB_HANDLE, "dst_host_filter_fn disabled");
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (enabled > 1) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (enabled) {
 		knet_h->enabled = enabled;
 		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is enabled");
 	} else {
 		/*
 		 * notify TX and RX threads to flush the queues
 		 */
 		if (set_thread_flush_queue(knet_h, KNET_THREAD_TX, KNET_THREAD_QUEUE_FLUSH) < 0) {
 			log_debug(knet_h, KNET_SUB_HANDLE, "Unable to request queue flushing for TX thread");
 		}
 		if (set_thread_flush_queue(knet_h, KNET_THREAD_RX, KNET_THREAD_QUEUE_FLUSH) < 0) {
 			log_debug(knet_h, KNET_SUB_HANDLE, "Unable to request queue flushing for RX thread");
 		}
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	/*
 	 * when disabling data forward, we need to give time to TX and RX
 	 * to flush the queues.
 	 *
 	 * the TX thread is the main leader here. When there is no more
 	 * data in the TX queue, we will also close traffic for RX.
 	 */
 	if (!enabled) {
 		/*
 		 * this usleep might be unnecessary, but wait_all_threads_flush_queue
 		 * adds extra locking delay.
 		 *
 		 * allow all threads to run free without extra locking interference
 		 * and then we switch to a more active wait in case the scheduler
 		 * has decided to delay one thread or another
 		 */
 		usleep(KNET_THREADS_TIMERES * 2);
 		wait_all_threads_flush_queue(knet_h);
 
 		/*
 		 * all threads have done flushing the queue, we can stop data forwarding
 		 */
 		savederrno = get_global_wrlock(knet_h);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 				strerror(savederrno));
 			errno = savederrno;
 			return -1;
 		}
 		knet_h->enabled = enabled;
 		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is disabled");
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 	}
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (enabled > 1) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->use_access_lists = enabled;
 
 	if (enabled) {
 		log_debug(knet_h, KNET_SUB_HANDLE, "Links access lists are enabled");
 	} else {
 		log_debug(knet_h, KNET_SUB_HANDLE, "Links access lists are disabled");
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_getfreq(knet_handle_t knet_h, unsigned int *interval)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!interval) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	*interval = knet_h->pmtud_interval;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_setfreq(knet_handle_t knet_h, unsigned int interval)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if ((!interval) || (interval > 86400)) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->pmtud_interval = interval;
 	log_debug(knet_h, KNET_SUB_HANDLE, "PMTUd interval set to: %u seconds", interval);
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_enable_pmtud_notify(knet_handle_t knet_h,
 				    void *pmtud_notify_fn_private_data,
 				    void (*pmtud_notify_fn) (
 						void *private_data,
 						unsigned int data_mtu))
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	knet_h->pmtud_notify_fn_private_data = pmtud_notify_fn_private_data;
 	knet_h->pmtud_notify_fn = pmtud_notify_fn;
 	if (knet_h->pmtud_notify_fn) {
 		log_debug(knet_h, KNET_SUB_HANDLE, "pmtud_notify_fn enabled");
 	} else {
 		log_debug(knet_h, KNET_SUB_HANDLE, "pmtud_notify_fn disabled");
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_set(knet_handle_t knet_h,
 			  unsigned int iface_mtu)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (iface_mtu > KNET_PMTUD_SIZE_V4) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	log_info(knet_h, KNET_SUB_PMTUD, "MTU manually set to: %u", iface_mtu);
 
 	knet_h->manual_mtu = iface_mtu;
 
 	force_pmtud_run(knet_h, KNET_SUB_PMTUD, 0);
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
 int knet_handle_pmtud_get(knet_handle_t knet_h,
 			  unsigned int *data_mtu)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!data_mtu) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	*data_mtu = knet_h->data_mtu;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = 0;
 	return 0;
 }
 
-int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
+static int _knet_handle_crypto_set_config(knet_handle_t knet_h,
+					  struct knet_handle_crypto_cfg *knet_handle_crypto_cfg,
+					  uint8_t config_num,
+					  uint8_t force)
 {
 	int savederrno = 0;
 	int err = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!knet_handle_crypto_cfg) {
 		errno = EINVAL;
 		return -1;
 	}
 
+	if ((config_num < 1) || (config_num > KNET_MAX_CRYPTO_INSTANCES)) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
-	if ((!strncmp("none", knet_handle_crypto_cfg->crypto_model, 4)) || 
+	if ((knet_h->crypto_in_use_config == config_num) && (!force)) {
+		savederrno = EBUSY;
+		err = -1;
+		goto exit_unlock;
+	}
+
+	if ((!strncmp("none", knet_handle_crypto_cfg->crypto_model, 4)) ||
 	    ((!strncmp("none", knet_handle_crypto_cfg->crypto_cipher_type, 4)) &&
 	     (!strncmp("none", knet_handle_crypto_cfg->crypto_hash_type, 4)))) {
-		crypto_fini(knet_h);
-		log_debug(knet_h, KNET_SUB_CRYPTO, "crypto is not enabled");
+		crypto_fini(knet_h, config_num);
+		log_debug(knet_h, KNET_SUB_CRYPTO, "crypto config %u is not enabled", config_num);
 		err = 0;
 		goto exit_unlock;
 	}
 
 	if (knet_handle_crypto_cfg->private_key_len < KNET_MIN_KEY_LEN) {
-		log_debug(knet_h, KNET_SUB_CRYPTO, "private key len too short (min %d): %u",
-			  KNET_MIN_KEY_LEN, knet_handle_crypto_cfg->private_key_len);
+		log_debug(knet_h, KNET_SUB_CRYPTO, "private key len too short for config %u (min %d): %u",
+			  config_num, KNET_MIN_KEY_LEN, knet_handle_crypto_cfg->private_key_len);
 		savederrno = EINVAL;
 		err = -1;
 		goto exit_unlock;
 	}
 
 	if (knet_handle_crypto_cfg->private_key_len > KNET_MAX_KEY_LEN) {
-		log_debug(knet_h, KNET_SUB_CRYPTO, "private key len too long (max %d): %u",
-			  KNET_MAX_KEY_LEN, knet_handle_crypto_cfg->private_key_len);
+		log_debug(knet_h, KNET_SUB_CRYPTO, "private key len too long for config %u (max %d): %u",
+			  config_num, KNET_MAX_KEY_LEN, knet_handle_crypto_cfg->private_key_len);
 		savederrno = EINVAL;
 		err = -1;
 		goto exit_unlock;
 	}
 
-	err = crypto_init(knet_h, knet_handle_crypto_cfg);
+	err = crypto_init(knet_h, knet_handle_crypto_cfg, config_num);
 
 	if (err) {
 		err = -2;
 		savederrno = errno;
 	}
 
 exit_unlock:
-	if (!err) {
-		force_pmtud_run(knet_h, KNET_SUB_CRYPTO, 1);
+	pthread_rwlock_unlock(&knet_h->global_rwlock);
+	errno = err ? savederrno : 0;
+	return err;
+}
+
+int knet_handle_crypto_set_config(knet_handle_t knet_h,
+				  struct knet_handle_crypto_cfg *knet_handle_crypto_cfg,
+				  uint8_t config_num)
+{
+	return _knet_handle_crypto_set_config(knet_h, knet_handle_crypto_cfg, config_num, 0);
+}
+
+int knet_handle_crypto_rx_clear_traffic(knet_handle_t knet_h,
+					uint8_t value)
+{
+	int savederrno = 0;
+
+	if (!knet_h) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (value > KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	savederrno = get_global_wrlock(knet_h);
+	if (savederrno) {
+		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+			strerror(savederrno));
+		errno = savederrno;
+		return -1;
+	}
+
+	knet_h->crypto_only = value;
+	if (knet_h->crypto_only) {
+		log_debug(knet_h, KNET_SUB_CRYPTO, "Only crypto traffic allowed for RX");
+	} else {
+		log_debug(knet_h, KNET_SUB_CRYPTO, "Both crypto and clear traffic allowed for RX");
+	}
+
+	pthread_rwlock_unlock(&knet_h->global_rwlock);
+	return 0;
+}
+
+int knet_handle_crypto_use_config(knet_handle_t knet_h,
+				  uint8_t config_num)
+{
+	int savederrno = 0;
+	int err = 0;
+
+	if (!knet_h) {
+		errno = EINVAL;
+		return -1;
 	}
+
+	if (config_num > KNET_MAX_CRYPTO_INSTANCES) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	savederrno = get_global_wrlock(knet_h);
+	if (savederrno) {
+		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+			strerror(savederrno));
+		errno = savederrno;
+		return -1;
+	}
+
+	err = crypto_use_config(knet_h, config_num);
+	savederrno = errno;
+
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
+/*
+ * compatibility wrapper for 1.x releases
+ */
+int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
+{
+	int err = 0;
+	uint8_t value;
+
+	if (!knet_h) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	value = knet_h->crypto_only;
+	/*
+	 * configure crypto in slot 1
+	 */
+	err = _knet_handle_crypto_set_config(knet_h, knet_handle_crypto_cfg, 1, 1);
+	if (err < 0) {
+		return err;
+	}
+
+	if ((!strncmp("none", knet_handle_crypto_cfg->crypto_model, 4)) ||
+	    ((!strncmp("none", knet_handle_crypto_cfg->crypto_cipher_type, 4)) &&
+	     (!strncmp("none", knet_handle_crypto_cfg->crypto_hash_type, 4)))) {
+		err = knet_handle_crypto_rx_clear_traffic(knet_h, KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC);
+		if (err < 0) {
+			return err;
+		}
+
+		/*
+		 * start using clear traffic
+		 */
+		err = knet_handle_crypto_use_config(knet_h, 0);
+		if (err < 0) {
+			err = knet_handle_crypto_rx_clear_traffic(knet_h, value);
+			if (err < 0) {
+				/*
+				 * force attempt or things will go bad
+				 */
+				knet_h->crypto_only = value;
+			}
+		}
+		return err;
+	} else {
+		err = knet_handle_crypto_rx_clear_traffic(knet_h, KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC);
+		if (err < 0) {
+			return err;
+		}
+
+		/*
+		 * start using crypto traffic
+		 */
+		err = knet_handle_crypto_use_config(knet_h, 1);
+		if (err < 0) {
+			err = knet_handle_crypto_rx_clear_traffic(knet_h, value);
+			if (err < 0) {
+				/*
+				 * force attempt or things will go bad
+				 */
+				knet_h->crypto_only = value;
+			}
+		}
+		return err;
+	}
+}
+
 int knet_handle_compress(knet_handle_t knet_h, struct knet_handle_compress_cfg *knet_handle_compress_cfg)
 {
 	int savederrno = 0;
 	int err = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!knet_handle_compress_cfg) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	compress_fini(knet_h, 0);
 	err = compress_cfg(knet_h, knet_handle_compress_cfg);
 	savederrno = errno;
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 ssize_t knet_recv(knet_handle_t knet_h, char *buff, const size_t buff_len, const int8_t channel)
 {
 	int savederrno = 0;
 	ssize_t err = 0;
 	struct iovec iov_in;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len > KNET_MAX_PACKET_SIZE) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (void *)buff;
 	iov_in.iov_len = buff_len;
 
 	err = readv(knet_h->sockfd[channel].sockfd[0], &iov_in, 1);
 	savederrno = errno;
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 ssize_t knet_send(knet_handle_t knet_h, const char *buff, const size_t buff_len, const int8_t channel)
 {
 	int savederrno = 0;
 	ssize_t err = 0;
 	struct iovec iov_out[1];
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len > KNET_MAX_PACKET_SIZE) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out_unlock;
 	}
 
 	memset(iov_out, 0, sizeof(iov_out));
 
 	iov_out[0].iov_base = (void *)buff;
 	iov_out[0].iov_len = buff_len;
 
 	err = writev(knet_h->sockfd[channel].sockfd[0], iov_out, 1);
 	savederrno = errno;
 
 out_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats, size_t struct_size)
 {
 	int err = 0, savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (!stats) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	savederrno = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get mutex lock: %s",
 			strerror(savederrno));
 		err = -1;
 		goto out_unlock;
 	}
 
 	if (struct_size > sizeof(struct knet_handle_stats)) {
 		struct_size = sizeof(struct knet_handle_stats);
 	}
 
 	memmove(stats, &knet_h->stats, struct_size);
 
 	/*
 	 * TX crypt stats only count the data packets sent, so add in the ping/pong/pmtud figures
 	 * RX is OK as it counts them before they are sorted.
 	 */
 
 	stats->tx_crypt_packets += knet_h->stats_extra.tx_crypt_ping_packets +
 		knet_h->stats_extra.tx_crypt_pong_packets +
 		knet_h->stats_extra.tx_crypt_pmtu_packets +
 		knet_h->stats_extra.tx_crypt_pmtu_reply_packets;
 
 	/* Tell the caller our full size in case they have an old version */
 	stats->size = sizeof(struct knet_handle_stats);
 
 out_unlock:
 	pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	return err;
 }
 
 int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option)
 {
 	int savederrno = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (clear_option != KNET_CLEARSTATS_HANDLE_ONLY &&
 	    clear_option != KNET_CLEARSTATS_HANDLE_AND_LINK) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = get_global_wrlock(knet_h);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	memset(&knet_h->stats, 0, sizeof(struct knet_handle_stats));
 	memset(&knet_h->stats_extra, 0, sizeof(struct knet_handle_stats_extra));
 	if (clear_option == KNET_CLEARSTATS_HANDLE_AND_LINK) {
 		_link_clear_stats(knet_h);
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 	return 0;
 }
diff --git a/libknet/internals.h b/libknet/internals.h
index b763d4a9..cda58a6d 100644
--- a/libknet/internals.h
+++ b/libknet/internals.h
@@ -1,418 +1,422 @@
 /*
  * Copyright (C) 2010-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __KNET_INTERNALS_H__
 #define __KNET_INTERNALS_H__
 
 /*
  * NOTE: you shouldn't need to include this header normally
  */
 
 #include <pthread.h>
 #include <stddef.h>
 #include <qb/qblist.h>
 #include "libknet.h"
 #include "onwire.h"
 #include "compat.h"
 #include "threads_common.h"
 
 #define KNET_DATABUFSIZE KNET_MAX_PACKET_SIZE + KNET_HEADER_ALL_SIZE
 
 #define KNET_DATABUFSIZE_CRYPT_PAD 1024
 #define KNET_DATABUFSIZE_CRYPT KNET_DATABUFSIZE + KNET_DATABUFSIZE_CRYPT_PAD
 
 #define KNET_DATABUFSIZE_COMPRESS_PAD 1024
 #define KNET_DATABUFSIZE_COMPRESS KNET_DATABUFSIZE + KNET_DATABUFSIZE_COMPRESS_PAD
 
 #define KNET_RING_RCVBUFF 8388608
 
 #define PCKT_FRAG_MAX UINT8_MAX
 #define PCKT_RX_BUFS  512
 
 #define KNET_EPOLL_MAX_EVENTS KNET_DATAFD_MAX + 1
 
 #define KNET_INTERNAL_DATA_CHANNEL KNET_DATAFD_MAX
 
 /*
  * Size of threads stack. Value is choosen by experimenting, how much is needed
  * to sucesfully finish test suite, and at the time of writing patch it was
  * ~300KiB. To have some room for future enhancement it is increased
  * by factor of 3 and rounded.
  */
 #define KNET_THREAD_STACK_SIZE (1024 * 1024)
 
 typedef void *knet_transport_link_t; /* per link transport handle */
 typedef void *knet_transport_t;      /* per knet_h transport handle */
 struct  knet_transport_ops;          /* Forward because of circular dependancy */
 
 struct knet_mmsghdr {
 	struct msghdr msg_hdr;	/* Message header */
 	unsigned int  msg_len;	/* Number of bytes transmitted */
 };
 
 struct knet_link {
 	/* required */
 	struct sockaddr_storage src_addr;
 	struct sockaddr_storage dst_addr;
 	/* configurable */
 	unsigned int dynamic;			/* see KNET_LINK_DYN_ define above */
 	uint8_t  priority;			/* higher priority == preferred for A/P */
 	unsigned long long ping_interval;	/* interval */
 	unsigned long long pong_timeout;	/* timeout */
 	unsigned long long pong_timeout_adj;	/* timeout adjusted for latency */
 	uint8_t pong_timeout_backoff;		/* see link.h for definition */
 	unsigned int latency_max_samples;	/* precision */
 	unsigned int latency_cur_samples;
 	uint8_t pong_count;			/* how many ping/pong to send/receive before link is up */
 	uint64_t flags;
 	/* status */
 	struct knet_link_status status;
 	/* internals */
 	pthread_mutex_t link_stats_mutex;	/* used to update link stats */
 	uint8_t link_id;
 	uint8_t transport;                      /* #defined constant from API */
 	knet_transport_link_t transport_link;   /* link_info_t from transport */
 	int outsock;
 	unsigned int configured:1;		/* set to 1 if src/dst have been configured transport initialized on this link*/
 	unsigned int transport_connected:1;	/* set to 1 if lower level transport is connected */
 	uint8_t received_pong;
 	struct timespec ping_last;
 	/* used by PMTUD thread as temp per-link variables and should always contain the onwire_len value! */
 	uint32_t proto_overhead;		/* IP + UDP/SCTP overhead. NOT to be confused
 						   with stats.proto_overhead that includes also knet headers
 						   and crypto headers */
 	struct timespec pmtud_last;
 	uint32_t last_ping_size;
 	uint32_t last_good_mtu;
 	uint32_t last_bad_mtu;
 	uint32_t last_sent_mtu;
 	uint32_t last_recv_mtu;
 	uint32_t pmtud_crypto_timeout_multiplier;/* used by PMTUd to adjust timeouts on high loads */
 	uint8_t has_valid_mtu;
 };
 
 #define KNET_CBUFFER_SIZE 4096
 
 struct knet_host_defrag_buf {
 	char buf[KNET_DATABUFSIZE];
 	uint8_t in_use;			/* 0 buffer is free, 1 is in use */
 	seq_num_t pckt_seq;		/* identify the pckt we are receiving */
 	uint8_t frag_recv;		/* how many frags did we receive */
 	uint8_t frag_map[PCKT_FRAG_MAX];/* bitmap of what we received? */
 	uint8_t	last_first;		/* special case if we receive the last fragment first */
 	ssize_t frag_size;		/* normal frag size (not the last one) */
 	ssize_t last_frag_size;		/* the last fragment might not be aligned with MTU size */
 	struct timespec last_update;	/* keep time of the last pckt */
 };
 
 struct knet_host {
 	/* required */
 	knet_node_id_t host_id;
 	/* configurable */
 	uint8_t link_handler_policy;
 	char name[KNET_MAX_HOST_LEN];
 	/* status */
 	struct knet_host_status status;
 	/* internals */
 	char circular_buffer[KNET_CBUFFER_SIZE];
 	seq_num_t rx_seq_num;
 	seq_num_t untimed_rx_seq_num;
 	seq_num_t timed_rx_seq_num;
 	uint8_t got_data;
 	/* defrag/reassembly buffers */
 	struct knet_host_defrag_buf defrag_buf[KNET_MAX_LINK];
 	char circular_buffer_defrag[KNET_CBUFFER_SIZE];
 	/* link stuff */
 	struct knet_link link[KNET_MAX_LINK];
 	uint8_t active_link_entries;
 	uint8_t active_links[KNET_MAX_LINK];
 	struct knet_host *next;
 };
 
 struct knet_sock {
 	int sockfd[2];   /* sockfd[0] will always be application facing
 			  * and sockfd[1] internal if sockpair has been created by knet */
 	int is_socket;   /* check if it's a socket for recvmmsg usage */
 	int is_created;  /* knet created this socket and has to clean up on exit/del */
 	int in_use;      /* set to 1 if it's use, 0 if free */
 	int has_error;   /* set to 1 if there were errors reading from the sock
 			  * and socket has been removed from epoll */
 };
 
 struct knet_fd_trackers {
 	uint8_t transport;		    /* transport type (UDP/SCTP...) */
 	uint8_t data_type;		    /* internal use for transport to define what data are associated
 					     * with this fd */
 	void *data;			    /* pointer to the data */
 	void *access_list_match_entry_head; /* pointer to access list match_entry list head */
 };
 
 #define KNET_MAX_FDS KNET_MAX_HOST * KNET_MAX_LINK * 4
 
 #define KNET_MAX_COMPRESS_METHODS UINT8_MAX
 
+#define KNET_MAX_CRYPTO_INSTANCES 2
+
 struct knet_handle_stats_extra {
 	uint64_t tx_crypt_pmtu_packets;
 	uint64_t tx_crypt_pmtu_reply_packets;
 	uint64_t tx_crypt_ping_packets;
 	uint64_t tx_crypt_pong_packets;
 };
 
 struct knet_handle {
 	knet_node_id_t host_id;
 	unsigned int enabled:1;
 	struct knet_sock sockfd[KNET_DATAFD_MAX + 1];
 	int logfd;
 	uint8_t log_levels[KNET_MAX_SUBSYSTEMS];
 	int hostsockfd[2];
 	int dstsockfd[2];
 	int send_to_links_epollfd;
 	int recv_from_links_epollfd;
 	int dst_link_handler_epollfd;
 	uint8_t use_access_lists; /* set to 0 for disable, 1 for enable */
 	unsigned int pmtud_interval;
 	unsigned int manual_mtu;
 	unsigned int data_mtu;	/* contains the max data size that we can send onwire
 				 * without frags */
 	struct knet_host *host_head;
 	struct knet_host *host_index[KNET_MAX_HOST];
 	knet_transport_t transports[KNET_MAX_TRANSPORTS+1];
 	struct knet_fd_trackers knet_transport_fd_tracker[KNET_MAX_FDS]; /* track status for each fd handled by transports */
 	struct knet_handle_stats stats;
 	struct knet_handle_stats_extra stats_extra;
 	pthread_mutex_t handle_stats_mutex;	/* used to protect handle stats */
 	uint32_t reconnect_int;
 	knet_node_id_t host_ids[KNET_MAX_HOST];
 	size_t host_ids_entries;
 	struct knet_header *recv_from_sock_buf;
 	struct knet_header *send_to_links_buf[PCKT_FRAG_MAX];
 	struct knet_header *recv_from_links_buf[PCKT_RX_BUFS];
 	struct knet_header *pingbuf;
 	struct knet_header *pmtudbuf;
 	uint8_t threads_status[KNET_THREAD_MAX];
 	uint8_t threads_flush_queue[KNET_THREAD_MAX];
 	pthread_mutex_t threads_status_mutex;
 	pthread_t send_to_links_thread;
 	pthread_t recv_from_links_thread;
 	pthread_t heartbt_thread;
 	pthread_t dst_link_handler_thread;
 	pthread_t pmtud_link_handler_thread;
 	pthread_rwlock_t global_rwlock;		/* global config lock */
 	pthread_mutex_t pmtud_mutex;		/* pmtud mutex to handle conditional send/recv + timeout */
 	pthread_cond_t pmtud_cond;		/* conditional for above */
 	pthread_mutex_t tx_mutex;		/* used to protect knet_send_sync and TX thread */
 	pthread_mutex_t hb_mutex;		/* used to protect heartbeat thread and seq_num broadcasting */
 	pthread_mutex_t backoff_mutex;		/* used to protect dst_link->pong_timeout_adj */
 	pthread_mutex_t kmtu_mutex;		/* used to protect kernel_mtu */
 	uint32_t kernel_mtu;			/* contains the MTU detected by the kernel on a given link */
 	int pmtud_waiting;
 	int pmtud_running;
 	int pmtud_forcerun;
 	int pmtud_abort;
-	struct crypto_instance *crypto_instance;
+	struct crypto_instance *crypto_instance[KNET_MAX_CRYPTO_INSTANCES + 1]; /* store an extra pointer to allow 0|1|2 values without too much magic in the code */
+	uint8_t crypto_in_use_config;		/* crypto config to use for TX */
+	uint8_t crypto_only;			/* allow only crypto (1) or also clear (0) traffic */
 	size_t sec_block_size;
 	size_t sec_hash_size;
 	size_t sec_salt_size;
 	unsigned char *send_to_links_buf_crypt[PCKT_FRAG_MAX];
 	unsigned char *recv_from_links_buf_crypt;
 	unsigned char *recv_from_links_buf_decrypt;
 	unsigned char *pingbuf_crypt;
 	unsigned char *pmtudbuf_crypt;
 	int compress_model;
 	int compress_level;
 	size_t compress_threshold;
 	void *compress_int_data[KNET_MAX_COMPRESS_METHODS]; /* for compress method private data */
 	unsigned char *recv_from_links_buf_decompress;
 	unsigned char *send_to_links_buf_compress;
 	seq_num_t tx_seq_num;
 	pthread_mutex_t tx_seq_num_mutex;
 	uint8_t has_loop_link;
 	uint8_t loop_link;
 	void *dst_host_filter_fn_private_data;
 	int (*dst_host_filter_fn) (
 		void *private_data,
 		const unsigned char *outdata,
 		ssize_t outdata_len,
 		uint8_t tx_rx,
 		knet_node_id_t this_host_id,
 		knet_node_id_t src_node_id,
 		int8_t *channel,
 		knet_node_id_t *dst_host_ids,
 		size_t *dst_host_ids_entries);
 	void *pmtud_notify_fn_private_data;
 	void (*pmtud_notify_fn) (
 		void *private_data,
 		unsigned int data_mtu);
 	void *host_status_change_notify_fn_private_data;
 	void (*host_status_change_notify_fn) (
 		void *private_data,
 		knet_node_id_t host_id,
 		uint8_t reachable,
 		uint8_t remote,
 		uint8_t external);
 	void *sock_notify_fn_private_data;
 	void (*sock_notify_fn) (
 		void *private_data,
 		int datafd,
 		int8_t channel,
 		uint8_t tx_rx,
 		int error,
 		int errorno);
 	int fini_in_progress;
 	uint64_t flags;
 };
 
 extern pthread_rwlock_t shlib_rwlock;       /* global shared lib load lock */
 
 /*
  * NOTE: every single operation must be implementend
  *       for every protocol.
  */
 
 /*
  * for now knet supports only IP protocols (udp/sctp)
  * in future there might be others like ARP
  * or TIPC.
  * keep this around as transport information
  * to use for access lists and other operations
  */
 
 #define TRANSPORT_PROTO_LOOPBACK 0
 #define TRANSPORT_PROTO_IP_PROTO 1
 
 /*
  * some transports like SCTP can filter incoming
  * connections before knet has to process
  * any packets.
  * GENERIC_ACL -> packet has to be read and filterted
  * PROTO_ACL -> transport provides filtering at lower levels
  *              and packet does not need to be processed
  */
 
 typedef enum {
 	USE_NO_ACL,
 	USE_GENERIC_ACL,
 	USE_PROTO_ACL
 } transport_acl;
 
 /*
  * make it easier to map values in transports.c
  */
 #define TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED 0
 #define TRANSPORT_PROTO_IS_CONNECTION_ORIENTED  1
 
 typedef struct knet_transport_ops {
 /*
  * transport generic information
  */
 	const char *transport_name;
 	const uint8_t transport_id;
 	const uint8_t built_in;
 
 	uint8_t transport_protocol;
 	transport_acl transport_acl_type;
 
 /*
  * connection oriented protocols like SCTP
  * don´t need dst_addr in sendto calls and
  * on some OSes are considered EINVAL.
  */
 	uint8_t transport_is_connection_oriented;
 
 	uint32_t transport_mtu_overhead;
 /*
  * transport init must allocate the new transport
  * and perform all internal initializations
  * (threads, lists, etc).
  */
 	int (*transport_init)(knet_handle_t knet_h);
 /*
  * transport free must releases _all_ resources
  * allocated by tranport_init
  */
 	int (*transport_free)(knet_handle_t knet_h);
 
 /*
  * link operations should take care of all the
  * sockets and epoll management for a given link/transport set
  * transport_link_disable should return err = -1 and errno = EBUSY
  * if listener is still in use, and any other errno in case
  * the link cannot be disabled.
  *
  * set_config/clear_config are invoked in global write lock context
  */
 	int (*transport_link_set_config)(knet_handle_t knet_h, struct knet_link *link);
 	int (*transport_link_clear_config)(knet_handle_t knet_h, struct knet_link *link);
 
 /*
  * transport callback for incoming dynamic connections
  * this is called in global read lock context
  */
 	int (*transport_link_dyn_connect)(knet_handle_t knet_h, int sockfd, struct knet_link *link);
 
 
 /*
  * return the fd to use for access lists
  */
 	int (*transport_link_get_acl_fd)(knet_handle_t knet_h, struct knet_link *link);
 
 /*
  * per transport error handling of recvmmsg
  * (see _handle_recv_from_links comments for details)
  */
 
 /*
  * transport_rx_sock_error is invoked when recvmmsg returns <= 0
  *
  * transport_rx_sock_error is invoked with both global_rdlock
  */
 
 	int (*transport_rx_sock_error)(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 
 /*
  * transport_tx_sock_error is invoked with global_rwlock and
  * it's invoked when sendto or sendmmsg returns =< 0
  *
  * it should return:
  * -1 on internal error
  *  0 ignore error and continue
  *  1 retry
  *    any sleep or wait action should happen inside the transport code
  */
 	int (*transport_tx_sock_error)(knet_handle_t knet_h, int sockfd, int recv_err, int recv_errno);
 
 /*
  * this function is called on _every_ received packet
  * to verify if the packet is data or internal protocol error handling
  *
  * it should return:
  * -1 on error
  *  0 packet is not data and we should continue the packet process loop
  *  1 packet is not data and we should STOP the packet process loop
  *  2 packet is data and should be parsed as such
  *
  * transport_rx_is_data is invoked with both global_rwlock
  * and fd_tracker read lock (from RX thread)
  */
 	int (*transport_rx_is_data)(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg);
 
 /*
  * this function is called by links.c when a link down event is recorded
  * to notify the transport that packets are not going through, and give
  * transport the opportunity to take actions.
  */
 	int (*transport_link_is_down)(knet_handle_t knet_h, struct knet_link *link);
 } knet_transport_ops_t;
 
 struct pretty_names {
 	const char *name;
 	uint8_t val;
 };
 
 #endif
diff --git a/libknet/libknet.h b/libknet/libknet.h
index 52cc321c..636e442c 100644
--- a/libknet/libknet.h
+++ b/libknet/libknet.h
@@ -1,2208 +1,2302 @@
 /*
  * Copyright (C) 2010-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #ifndef __LIBKNET_H__
 #define __LIBKNET_H__
 
 #include <stdint.h>
 #include <time.h>
 #include <netinet/in.h>
 #include <unistd.h>
 #include <limits.h>
 
 /**
  * @file libknet.h
  * @brief kronosnet API include file
  * @copyright Copyright (C) 2010-2020 Red Hat, Inc.  All rights reserved.
  *
  * Kronosnet is an advanced VPN system for High Availability applications.
  */
 
 #define KNET_API_VER 1
 
 /*
  * libknet limits
  */
 
 /*
  * Maximum number of hosts
  */
 
 typedef uint16_t knet_node_id_t;
 
 #define KNET_MAX_HOST 65536
 
 /*
  * Maximum number of links between 2 hosts
  */
 
 #define KNET_MAX_LINK 8
 
 /*
  * Maximum packet size that should be written to datafd
  *  see knet_handle_new for details
  */
 
 #define KNET_MAX_PACKET_SIZE 65536
 
 /*
  * Buffers used for pretty logging
  *  host is used to store both ip addresses and hostnames
  */
 
 #define KNET_MAX_HOST_LEN 256
 #define KNET_MAX_PORT_LEN 6
 
 /*
  * Some notifications can be generated either on TX or RX
  */
 
 #define KNET_NOTIFY_TX 0
 #define KNET_NOTIFY_RX 1
 
 /*
  * Link flags
  */
 
 /*
  * Where possible, set traffic priority to high.
  * On Linux this sets the TOS to INTERACTIVE (6),
  * see tc-prio(8) for more infomation
  */
 
 #define KNET_LINK_FLAG_TRAFFICHIPRIO (1ULL << 0)
 
 /*
  * Handle flags
  */
 
 /*
  * Use privileged operations during socket setup.
  */
 
 #define KNET_HANDLE_FLAG_PRIVILEGED (1ULL << 0)
 
 typedef struct knet_handle *knet_handle_t;
 
 /*
  * Handle structs/API calls
  */
 
 /**
  * knet_handle_new_ex
  *
  * @brief create a new instance of a knet handle
  *
  * host_id  - Each host in a knet is identified with a unique
  *            ID. when creating a new handle local host_id
  *            must be specified (0 to UINT16_MAX are all valid).
  *            It is the user's responsibility to check that the value
  *            is unique, or bad things might happen.
  *
  * log_fd   - Write file descriptor. If set to a value > 0, it will be used
  *            to write log packets from libknet to the application.
  *            Setting to 0 will disable logging from libknet.
  *            It is possible to enable logging at any given time (see logging API).
  *            Make sure to either read from this filedescriptor properly and/or
  *            mark it O_NONBLOCK, otherwise if the fd becomes full, libknet could
  *            block.
  *            It is strongly encouraged to use pipes (ex: pipe(2) or pipe2(2)) for
  *            logging fds due to the atomic nature of writes between fds.
  *            See also libknet test suite for reference and guidance.
  *
  * default_log_level -
  *            If logfd is specified, it will initialize all subsystems to log
  *            at default_log_level value. (see logging API)
  *
  * flags    - bitwise OR of some of the following flags:
  *   KNET_HANDLE_FLAG_PRIVILEGED: use privileged operations setting up the
  *            communication sockets.  If disabled, failure to acquire large
  *            enough socket buffers is ignored but logged.  Inadequate buffers
  *            lead to poor performance.
  *
  * @return
  * on success, a new knet_handle_t is returned.
  * on failure, NULL is returned and errno is set.
  * knet-specific errno values:
  *   ENAMETOOLONG - socket buffers couldn't be set big enough and KNET_HANDLE_FLAG_PRIVILEGED was specified
  *   ERANGE       - buffer size readback returned unexpected type
  */
 
 knet_handle_t knet_handle_new_ex(knet_node_id_t host_id,
 				 int            log_fd,
 				 uint8_t        default_log_level,
 				 uint64_t	flags);
 
 /**
  * knet_handle_new
  *
  * @brief knet_handle_new_ex with flags = KNET_HANDLE_FLAG_PRIVILEGED.
  */
 
 knet_handle_t knet_handle_new(knet_node_id_t host_id,
 			      int      log_fd,
 			      uint8_t  default_log_level);
 
 /**
  * knet_handle_free
  *
  * @brief Destroy a knet handle, free all resources
  *
  * knet_h   - pointer to knet_handle_t
  *
  * @return
  * knet_handle_free returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_free(knet_handle_t knet_h);
 
 /**
  * knet_handle_enable_sock_notify
  *
  * @brief Register a callback to receive socket events
  *
  * knet_h   - pointer to knet_handle_t
  *
  * sock_notify_fn_private_data
  *            void pointer to data that can be used to identify
  *            the callback.
  *
  * sock_notify_fn
  *            A callback function that is invoked every time
  *            a socket in the datafd pool will report an error (-1)
  *            or an end of read (0) (see socket.7).
  *            This function MUST NEVER block or add substantial delays.
  *            The callback is invoked in an internal unlocked area
  *            to allow calls to knet_handle_add_datafd/knet_handle_remove_datafd
  *            to swap/replace the bad fd.
  *            if both err and errno are 0, it means that the socket
  *            has received a 0 byte packet (EOF?).
  *            The callback function must either remove the fd from knet
  *            (by calling knet_handle_remove_fd()) or dup a new fd in its place.
  *            Failure to do this can cause problems.
  *
  * @return
  * knet_handle_enable_sock_notify returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_enable_sock_notify(knet_handle_t knet_h,
 				   void *sock_notify_fn_private_data,
 				   void (*sock_notify_fn) (
 						void *private_data,
 						int datafd,
 						int8_t channel,
 						uint8_t tx_rx,
 						int error,
 						int errorno)); /* sorry! can't call it errno ;) */
 
 #define KNET_DATAFD_MAX 32
 
 /**
  * knet_handle_add_datafd
  *
  * @brief Install a file descriptor for communication
  *
  * IMPORTANT: In order to add datafd to knet, knet_handle_enable_sock_notify
  *            _MUST_ be set and be able to handle both errors (-1) and
  *            0 bytes read / write from the provided datafd.
  *            On read error (< 0) from datafd, the socket is automatically
  *            removed from polling to avoid spinning on dead sockets.
  *            It is safe to call knet_handle_remove_datafd even on sockets
  *            that have been removed.
  *
  * knet_h   - pointer to knet_handle_t
  *
  * *datafd  - read/write file descriptor.
  *            knet will read data here to send to the other hosts
  *            and will write data received from the network.
  *            Each data packet can be of max size KNET_MAX_PACKET_SIZE!
  *            Applications using knet_send/knet_recv will receive a
  *            proper error if the packet size is not within boundaries.
  *            Applications using their own functions to write to the
  *            datafd should NOT write more than KNET_MAX_PACKET_SIZE.
  *
  *            Please refer to handle.c on how to set up a socketpair.
  *
  *            datafd can be 0, and knet_handle_add_datafd will create a properly
  *            populated socket pair the same way as ping_test, or a value
  *            higher than 0. A negative number will return an error.
  *            On exit knet_handle_free will take care to cleanup the
  *            socketpair only if they have been created by knet_handle_add_datafd.
  *
  *            It is possible to pass either sockets or normal fds.
  *            User provided datafd will be marked as non-blocking and close-on-exec.
  *
  * *channel - This value is analogous to the tag in VLAN tagging.
  *            A negative value will auto-allocate a channel.
  *            Setting a value between 0 and 31 will try to allocate that
  *            specific channel (unless already in use).
  *
  *            It is possible to add up to 32 datafds but be aware that each
  *            one of them must have a receiving end on the other host.
  *
  *            Example:
  *            hostA channel 0 will be delivered to datafd on hostB channel 0
  *            hostA channel 1 to hostB channel 1.
  *
  *            Each channel must have a unique file descriptor.
  *
  *            If your application could have 2 channels on one host and one
  *            channel on another host, then you can use dst_host_filter
  *            to manipulate channel values on TX and RX.
  *
  * @return
  * knet_handle_add_datafd returns
  * @retval 0 on success,
  *         *datafd  will be populated with a socket if the original value was 0
  *            or if a specific fd was set, the value is untouched.
  *         *channel will be populated with a channel number if the original value
  *            was negative or the value is untouched if a specific channel
  *            was requested.
  *
  * @retval -1 on error and errno is set.
  *         *datafd and *channel are untouched or empty.
  */
 
 int knet_handle_add_datafd(knet_handle_t knet_h, int *datafd, int8_t *channel);
 
 /**
  * knet_handle_remove_datafd
  *
  * @brief Remove a file descriptor from knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * datafd   - file descriptor to remove.
  *            NOTE that if the socket/fd was created by knet_handle_add_datafd,
  *                 the socket will be closed by libknet.
  *
  * @return
  * knet_handle_remove_datafd returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_remove_datafd(knet_handle_t knet_h, int datafd);
 
 /**
  * knet_handle_get_channel
  *
  * @brief Get the channel associated with a file descriptor
  *
  * knet_h  - pointer to knet_handle_t
  *
  * datafd  - get the channel associated to this datafd
  *
  * *channel - will contain the result
  *
  * @return
  * knet_handle_get_channel returns
  * @retval 0 on success
  *   and *channel will contain the result
  * @retval -1 on error and errno is set.
  *   and *channel content is meaningless
  */
 
 int knet_handle_get_channel(knet_handle_t knet_h, const int datafd, int8_t *channel);
 
 /**
  * knet_handle_get_datafd
  *
  * @brief Get the file descriptor associated with a channel
  *
  * knet_h   - pointer to knet_handle_t
  *
  * channel  - get the datafd associated to this channel
  *
  * *datafd  - will contain the result
  *
  * @return
  * knet_handle_get_datafd returns
  * @retval 0 on success
  *   and *datafd will contain the results
  * @retval -1 on error and errno is set.
  *   and *datafd content is meaningless
  */
 
 int knet_handle_get_datafd(knet_handle_t knet_h, const int8_t channel, int *datafd);
 
 /**
  * knet_recv
  *
  * @brief Receive data from knet nodes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * buff     - pointer to buffer to store the received data
  *
  * buff_len - buffer length
  *
  * channel  - channel number
  *
  * @return
  * knet_recv is a commodity function to wrap iovec operations
  * around a socket. It returns a call to readv(2).
  */
 
 ssize_t knet_recv(knet_handle_t knet_h,
 		  char *buff,
 		  const size_t buff_len,
 		  const int8_t channel);
 
 /**
  * knet_send
  *
  * @brief Send data to knet nodes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * buff     - pointer to the buffer of data to send
  *
  * buff_len - length of data to send
  *
  * channel  - channel number
  *
  * @return
  * knet_send is a commodity function to wrap iovec operations
  * around a socket. It returns a call to writev(2).
  */
 
 ssize_t knet_send(knet_handle_t knet_h,
 		  const char *buff,
 		  const size_t buff_len,
 		  const int8_t channel);
 
 /**
  * knet_send_sync
  *
  * @brief Synchronously send data to knet nodes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * buff     - pointer to the buffer of data to send
  *
  * buff_len - length of data to send
  *
  * channel  - data channel to use (see knet_handle_add_datafd(3))
  *
  * All knet RX/TX operations are async for performance reasons.
  * There are applications that might need a sync version of data
  * transmission and receive errors in case of failure to deliver
  * to another host.
  * knet_send_sync bypasses the whole TX async layer and delivers
  * data directly to the link layer, and returns errors accordingly.
  * knet_send_sync sends only one packet to one host at a time.
  * It does NOT support multiple destinations or multicast packets.
  * Decision is still based on dst_host_filter_fn.
  *
  * @return
  * knet_send_sync returns 0 on success and -1 on error.
  * In addition to normal sendmmsg errors, knet_send_sync can fail
  * due to:
  *
  * @retval ECANCELED - data forward is disabled
  * @retval EFAULT    - dst_host_filter fatal error
  * @retval EINVAL    - dst_host_filter did not provide dst_host_ids_entries on unicast pckts
  * @retval E2BIG     - dst_host_filter did return more than one dst_host_ids_entries on unicast pckts
  * @retval ENOMSG    - received unknown message type
  * @retval EHOSTDOWN - unicast pckt cannot be delivered because dest host is not connected yet
  * @retval ECHILD    - crypto failed
  * @retval EAGAIN    - sendmmsg was unable to send all messages and there was no progress during retry
  */
 
 int knet_send_sync(knet_handle_t knet_h,
 		   const char *buff,
 		   const size_t buff_len,
 		   const int8_t channel);
 
 /**
  * knet_handle_enable_filter
  *
  * @brief install a filter to route packets
  *
  * knet_h   - pointer to knet_handle_t
  *
  * dst_host_filter_fn_private_data
  *            void pointer to data that can be used to identify
  *            the callback.
  *
  * dst_host_filter_fn -
  *            is a callback function that is invoked every time
  *            a packet hits datafd (see knet_handle_new(3)).
  *            the function allows users to tell libknet where the
  *            packet has to be delivered.
  *
  *            const unsigned char *outdata - is a pointer to the
  *                                           current packet
  *            ssize_t outdata_len          - length of the above data
  *            uint8_t tx_rx                - filter is called on tx or rx
  *                                           (KNET_NOTIFY_TX, KNET_NOTIFY_RX)
  *            knet_node_id_t this_host_id  - host_id processing the packet
  *            knet_node_id_t src_host_id   - host_id that generated the
  *                                           packet
  *            knet_node_id_t *dst_host_ids - array of KNET_MAX_HOST knet_node_id_t
  *                                           where to store the destinations
  *            size_t *dst_host_ids_entries - number of hosts to send the message
  *
  * dst_host_filter_fn should return
  * -1 on error, packet is discarded.
  *  0 packet is unicast and should be sent to dst_host_ids and there are
  *    dst_host_ids_entries in the buffer.
  *  1 packet is broadcast/multicast and is sent all hosts.
  *    contents of dst_host_ids and dst_host_ids_entries are ignored.
  *  (see also kronosnetd/etherfilter.* for an example that filters based
  *   on ether protocol)
  *
  * @return
  * knet_handle_enable_filter returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_enable_filter(knet_handle_t knet_h,
 			      void *dst_host_filter_fn_private_data,
 			      int (*dst_host_filter_fn) (
 					void *private_data,
 					const unsigned char *outdata,
 					ssize_t outdata_len,
 					uint8_t tx_rx,
 					knet_node_id_t this_host_id,
 					knet_node_id_t src_host_id,
 					int8_t *channel,
 					knet_node_id_t *dst_host_ids,
 					size_t *dst_host_ids_entries));
 
 /**
  * knet_handle_setfwd
  *
  * @brief Start packet forwarding
  *
  * knet_h   - pointer to knet_handle_t
  *
  * enable   - set to 1 to allow data forwarding, 0 to disable data forwarding.
  *
  * @return
  * knet_handle_setfwd returns
  * 0 on success
  * -1 on error and errno is set.
  *
  * By default data forwarding is off and no traffic will pass through knet until
  * it is set on.
  */
 
 int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
 
 /**
  * knet_handle_enable_access_lists
  *
  * @brief Enable or disable usage of access lists (default: off)
  *
  * knet_h   - pointer to knet_handle_t
  *
  * enable   - set to 1 to use access lists, 0 to disable access_lists.
  *
  * @return
  * knet_handle_enable_access_lists returns
  * 0 on success
  * -1 on error and errno is set.
  *
  * access lists are bound to links. There are 2 types of links:
  * 1) point to point, where both source and destinations are well known
  *    at configuration time.
  * 2) open links, where only the source is known at configuration time.
  *
  * knet will automatically generate access lists for point to point links.
  *
  * For open links, knet provides 4 API calls to manipulate access lists:
  * knet_link_add_acl(3), knet_link_rm_acl(3), knet_link_insert_acl(3)
  * and knet_link_clear_acl(3).
  * Those API calls will work exclusively on open links as they
  * are of no use on point to point links.
  *
  * knet will not enforce any access list unless specifically enabled by
  * knet_handle_enable_access_lists(3).
  *
  * From a security / programming perspective we recommend:
  * - create the knet handle
  * - enable access lists
  * - configure hosts and links
  * - configure access lists for open links
  */
 
 int knet_handle_enable_access_lists(knet_handle_t knet_h, unsigned int enabled);
 
 #define KNET_PMTUD_DEFAULT_INTERVAL 60
 
 /**
  * knet_handle_pmtud_setfreq
  *
  * @brief Set the interval between PMTUd scans
  *
  * knet_h   - pointer to knet_handle_t
  *
  * interval - define the interval in seconds between PMTUd scans
  *            range from 1 to 86400 (24h)
  *
  * @return
  * knet_handle_pmtud_setfreq returns
  * 0 on success
  * -1 on error and errno is set.
  *
  * default interval is 60.
  */
 
 int knet_handle_pmtud_setfreq(knet_handle_t knet_h, unsigned int interval);
 
 /**
  * knet_handle_pmtud_getfreq
  *
  * @brief Get the interval between PMTUd scans
  *
  * knet_h   - pointer to knet_handle_t
  *
  * interval - pointer where to store the current interval value
  *
  * @return
  * knet_handle_pmtud_setfreq returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_pmtud_getfreq(knet_handle_t knet_h, unsigned int *interval);
 
 /**
  * knet_handle_enable_pmtud_notify
  *
  * @brief install a callback to receive PMTUd changes
  *
  * knet_h   - pointer to knet_handle_t
  *
  * pmtud_notify_fn_private_data
  *            void pointer to data that can be used to identify
  *            the callback.
  *
  * pmtud_notify_fn
  *            is a callback function that is invoked every time
  *            a path MTU size change is detected.
  *            The function allows libknet to notify the user
  *            of data MTU, that's the max value that can be send
  *            onwire without fragmentation. The data MTU will always
  *            be lower than real link MTU because it accounts for
  *            protocol overhead, knet packet header and (if configured)
  *            crypto overhead,
  *            This function MUST NEVER block or add substantial delays.
  *
  * @return
  * knet_handle_enable_pmtud_notify returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_enable_pmtud_notify(knet_handle_t knet_h,
 				    void *pmtud_notify_fn_private_data,
 				    void (*pmtud_notify_fn) (
 						void *private_data,
 						unsigned int data_mtu));
 
 /**
  * knet_handle_pmtud_set
  *
  * @brief Set the current interface MTU
  *
  * knet_h    - pointer to knet_handle_t
  *
  * iface_mtu - current interface MTU, value 0 to 65535. 0 will
  *             re-enable automatic MTU discovery.
  *             In a setup with multiple interfaces, please specify
  *             the lowest MTU between the selected intefaces.
  *             knet will automatically adjust this value for
  *             all headers overhead and set the correct data_mtu.
  *             data_mtu can be retrivied with knet_handle_pmtud_get(3)
  *             or applications will receive a pmtud_nofity event
  *             if enabled via knet_handle_enable_pmtud_notify(3).
  *
  * @return
  * knet_handle_pmtud_set returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_pmtud_set(knet_handle_t knet_h,
 			  unsigned int iface_mtu);
 
 /**
  * knet_handle_pmtud_get
  *
  * @brief Get the current data MTU
  *
  * knet_h   - pointer to knet_handle_t
  *
  * data_mtu - pointer where to store data_mtu
  *
  * @return
  * knet_handle_pmtud_get returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_pmtud_get(knet_handle_t knet_h,
 				unsigned int *data_mtu);
 
 
 #define KNET_MIN_KEY_LEN  128
 #define KNET_MAX_KEY_LEN 4096
 
 struct knet_handle_crypto_cfg {
 	char		crypto_model[16];
 	char		crypto_cipher_type[16];
 	char		crypto_hash_type[16];
 	unsigned char	private_key[KNET_MAX_KEY_LEN];
 	unsigned int	private_key_len;
 };
 
 /**
- * knet_handle_crypto
+ * knet_handle_crypto_set_config
  *
  * @brief set up packet cryptographic signing & encryption
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_crypto_cfg -
  *            pointer to a knet_handle_crypto_cfg structure
  *
  *            crypto_model should contain the model name.
  *                         Currently only "openssl" and "nss" are supported.
  *                         Setting to "none" will disable crypto.
  *
  *            crypto_cipher_type
  *                         should contain the cipher algo name.
  *                         It can be set to "none" to disable
  *                         encryption.
  *                         Currently supported by "nss" model:
  *                         "aes128", "aes192" and "aes256".
  *                         "openssl" model supports more modes and it strictly
  *                         depends on the openssl build. See: EVP_get_cipherbyname
  *                         openssl API call for details.
  *
  *            crypto_hash_type
  *                         should contain the hashing algo name.
  *                         It can be set to "none" to disable
  *                         hashing.
  *                         Currently supported by "nss" model:
  *                         "md5", "sha1", "sha256", "sha384" and "sha512".
  *                         "openssl" model supports more modes and it strictly
  *                         depends on the openssl build. See: EVP_get_digestbyname
  *                         openssl API call for details.
  *
  *            private_key  will contain the private shared key.
  *                         It has to be at least KNET_MIN_KEY_LEN long.
  *
  *            private_key_len
  *                         length of the provided private_key.
  *
+ * config_num - knet supports 2 concurrent sets of crypto configurations,
+ *              to allow runtime change of crypto config and keys.
+ *              On RX both configurations will be used sequentially
+ *              in an attempt to decrypt/validate a packet (when 2 are available).
+ *              Note that this might slow down performance during a reconfiguration.
+ *              See also knet_handle_crypto_rx_clear_traffic(3) to enable / disable
+ *              processing of clear (unencrypted) traffic.
+ *              For TX, the user needs to specify which configuration to use via
+ *              knet_handle_crypto_use_config(3).
+ *              config_num accepts 0, 1 or 2 as the value. 0 should be used when
+ *              all crypto is being disabled.
+ *              Calling knet_handle_crypto_set_config(3) twice with
+ *              the same config_num will REPLACE the configuration and
+ *              NOT activate the second key. If the configuration is currently in use
+ *              EBUSY will be returned. See also knet_handle_crypto_use_config(3).
+ *              The correct sequence to perform a runtime rekey / reconfiguration
+ *              is:
+ *              - knet_handle_crypto_set_config(..., 1). -> first time config, will use config1
+ *              - knet_handle_crypto_use_config(..., 1). -> switch TX to config 1
+ *              - knet_handle_crypto_set_config(..., 2). -> install config2 and use it only for RX
+ *              - knet_handle_crypto_use_config(..., 2). -> switch TX to config 2
+ *              - knet_handle_crypto_set_config(..., 1). -> with a "none"/"none"/"none" configuration to
+ *                                                          release the resources previously allocated
+ *              The application is responsible for synchronizing calls on the nodes
+ *              to make sure the new config is in place before switching the TX configuration.
+ *              Failure to do so will result in knet being unable to talk to some of the nodes.
+ *
  * Implementation notes/current limitations:
  * - enabling crypto, will increase latency as packets have
  *   to processed.
  * - enabling crypto might reduce the overall throughtput
  *   due to crypto data overhead.
- * - re-keying is not implemented yet.
  * - private/public key encryption/hashing is not currently
  *   planned.
  * - crypto key must be the same for all hosts in the same
- *   knet instance.
- * - it is safe to call knet_handle_crypto multiple times at runtime.
+ *   knet instance / configX.
+ * - it is safe to call knet_handle_crypto_set_config multiple times at runtime.
  *   The last config will be used.
- *   IMPORTANT: a call to knet_handle_crypto can fail due to:
+ *   IMPORTANT: a call to knet_handle_crypto_set_config can fail due to:
  *              1) failure to obtain locking
  *              2) errors to initializing the crypto level.
- *   This can happen even in subsequent calls to knet_handle_crypto.
- *   A failure in crypto init will restore the previous crypto configuration.
+ *   This can happen even in subsequent calls to knet_handle_crypto_set_config(3).
+ *   A failure in crypto init will restore the previous crypto configuration if any.
+ *
+ * @return
+ * knet_handle_crypto_set_config returns:
+ * @retval 0 on success
+ * @retval -1 on error and errno is set.
+ * @retval -2 on crypto subsystem initialization error. No errno is provided at the moment (yet).
+ */
+
+int knet_handle_crypto_set_config(knet_handle_t knet_h,
+				  struct knet_handle_crypto_cfg *knet_handle_crypto_cfg,
+				  uint8_t config_num);
+
+
+
+#define KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC 0
+#define KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC 1
+
+/**
+ * knet_handle_crypto_rx_clear_traffic
+ *
+ * @brief enable or disable RX processing of clear (unencrypted) traffic
+ *
+ * knet_h   - pointer to knet_handle_t
+ *
+ * value    - KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC or KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC
+ *
+ * @return
+ * knet_handle_crypto_use_config returns:
+ * @retval 0 on success
+ * @retval -1 on error and errno is set.
+ */
+
+int knet_handle_crypto_rx_clear_traffic(knet_handle_t knet_h, uint8_t value);
+
+/**
+ * knet_handle_crypto_use_config
+ *
+ * @brief specify crypto configuration to use for TX
+ *
+ * knet_h   - pointer to knet_handle_t
+ *
+ * config_num - 1|2 use configuration 1 or 2, 0 for clear (unencrypted) traffic.
+ *
+ * @return
+ * knet_handle_crypto_use_config returns:
+ * @retval 0 on success
+ * @retval -1 on error and errno is set.
+ */
+
+int knet_handle_crypto_use_config(knet_handle_t knet_h,
+				  uint8_t config_num);
+
+/**
+ * knet_handle_crypto
+ *
+ * @brief set up packet cryptographic signing & encryption
+ *
+ * knet_h   - pointer to knet_handle_t
+ *
+ * knet_handle_crypto_cfg -
+ *            pointer to a knet_handle_crypto_cfg structure
+ *            see knet_handle_crypto_set_config(3) for details.
+ *
+ *
+ * Implementation notes:
+ *
+ * knet_handle_crypto(3) is now a wrapper for knet_handle_crypto_set_config(3)
+ * and knet_handle_crypto_use_config(3) with config_num set to 1.
  *
  * @return
  * knet_handle_crypto returns:
  * @retval 0 on success
  * @retval -1 on error and errno is set.
  * @retval -2 on crypto subsystem initialization error. No errno is provided at the moment (yet).
  */
 
 int knet_handle_crypto(knet_handle_t knet_h,
 		       struct knet_handle_crypto_cfg *knet_handle_crypto_cfg);
 
 
 
 #define KNET_COMPRESS_THRESHOLD 100
 
 struct knet_handle_compress_cfg {
 	char	 compress_model[16];
 	uint32_t compress_threshold;
 	int	 compress_level;
 };
 
 /**
  * knet_handle_compress
  *
  * @brief Set up packet compression
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_compress_cfg -
  *            pointer to a knet_handle_compress_cfg structure
  *
  *            compress_model contains the model name.
  *                           See "compress_level" for the list of accepted values.
  *                           Setting the value to "none" disables compression.
  *
  *            compress_threshold
  *                           tells the transmission thread to NOT compress
  *                           any packets that are smaller than the value
  *                           indicated. Default 100 bytes.
  *                           Set to 0 to reset to the default.
  *                           Set to 1 to compress everything.
  *                           Max accepted value is KNET_MAX_PACKET_SIZE.
  *
  *            compress_level is the "level" parameter for most models:
  *                           zlib: 0 (no compression), 1 (minimal) .. 9 (max compression).
  *                           lz4: 1 (max compression)... 9 (fastest compression).
  *                           lz4hc: 1 (min compression) ... LZ4HC_MAX_CLEVEL (16) or LZ4HC_CLEVEL_MAX (12)
  *                                  depending on the version of lz4hc libknet was built with.
  *                           lzma: 0 (minimal) .. 9 (max compression)
  *                           bzip2: 1 (minimal) .. 9 (max compression)
  *                           For lzo2 it selects the algorithm to use:
  *                                 1  : lzo1x_1_compress (default)
  *                                 11 : lzo1x_1_11_compress
  *                                 12 : lzo1x_1_12_compress
  *                                 15 : lzo1x_1_15_compress
  *                                 999: lzo1x_999_compress
  *                                 Other values select the default algorithm.
  *                           Please refer to the documentation of the respective
  *                           compression library for guidance about setting this
  *                           value.
  *
  * Implementation notes:
  * - it is possible to enable/disable compression at any time.
  * - nodes can be using a different compression algorithm at any time.
  * - knet does NOT implement the compression algorithm directly. it relies
  *   on external libraries for this functionality. Please read
  *   the libraries man pages to figure out which algorithm/compression
  *   level is best for the data you are planning to transmit.
  *
  * @return
  * knet_handle_compress returns
  * 0 on success
  * -1 on error and errno is set. EINVAL means that either the model or the
  *    level are not supported.
  */
 
 int knet_handle_compress(knet_handle_t knet_h,
 			 struct knet_handle_compress_cfg *knet_handle_compress_cfg);
 
 
 
 struct knet_handle_stats {
 	size_t   size;
 
 	uint64_t tx_uncompressed_packets;
 	uint64_t tx_compressed_packets;
 	uint64_t tx_compressed_original_bytes;
 	uint64_t tx_compressed_size_bytes;
 	uint64_t tx_compress_time_ave;
 	uint64_t tx_compress_time_min;
 	uint64_t tx_compress_time_max;
 
 	uint64_t rx_compressed_packets;
 	uint64_t rx_compressed_original_bytes;
 	uint64_t rx_compressed_size_bytes;
 	uint64_t rx_compress_time_ave;
 	uint64_t rx_compress_time_min;
 	uint64_t rx_compress_time_max;
 
 	/* Overhead times, measured in usecs */
 	uint64_t tx_crypt_packets;
 	uint64_t tx_crypt_byte_overhead;
 	uint64_t tx_crypt_time_ave;
 	uint64_t tx_crypt_time_min;
 	uint64_t tx_crypt_time_max;
 
 	uint64_t rx_crypt_packets;
 	uint64_t rx_crypt_time_ave;
 	uint64_t rx_crypt_time_min;
 	uint64_t rx_crypt_time_max;
 };
 
 /**
  * knet_handle_get_stats
  *
  * @brief Get statistics for compression & crypto
  *
  * knet_h   - pointer to knet_handle_t
  *
  * knet_handle_stats
  *            pointer to a knet_handle_stats structure
  *
  * struct_size
  *            size of knet_handle_stats structure to allow
  *            for backwards compatibility. libknet will only
  *            copy this much data into the stats structure
  *            so that older callers will not get overflowed if
  *            new fields are added.
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  *
  */
 
 int knet_handle_get_stats(knet_handle_t knet_h, struct knet_handle_stats *stats, size_t struct_size);
 
 /*
  * Tell knet_handle_clear_stats whether to clear just the handle stats
  * or all of them.
  */
 #define KNET_CLEARSTATS_HANDLE_ONLY     1
 #define KNET_CLEARSTATS_HANDLE_AND_LINK 2
 
 /**
  * knet_handle_clear_stats
  *
  * @brief Clear knet stats, link and/or handle
  *
  * knet_h   - pointer to knet_handle_t
  *
  * clear_option -  Which stats to clear, must be one of
  *
  * KNET_CLEARSTATS_HANDLE_ONLY or
  * KNET_CLEARSTATS_HANDLE_AND_LINK
  *
  * @return
  * 0 on success
  * -1 on error and errno is set.
  *
  */
 
 int knet_handle_clear_stats(knet_handle_t knet_h, int clear_option);
 
 
 
 struct knet_crypto_info {
 	const char *name; /* openssl,nss,etc.. */
 	uint8_t properties; /* currently unused */
 	char pad[256];      /* currently unused */
 };
 
 /**
  * knet_get_crypto_list
  *
  * @brief Get a list of supported crypto libraries
  *
  * crypto_list  - array of struct knet_crypto_info *
  *                If NULL then only the number of structs is returned in crypto_list_entries
  *                to allow the caller to allocate sufficient space.
  *		  libknet does not allow more than 256 crypto methods at the moment.
  *		  it is safe to allocate 256 structs to avoid calling
  *		  knet_get_crypto_list twice.
  *
  * crypto_list_entries - returns the number of structs in crypto_list
  *
  * @return
  * knet_get_crypto_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_get_crypto_list(struct knet_crypto_info *crypto_list,
 			 size_t *crypto_list_entries);
 
 
 
 struct knet_compress_info {
 	const char *name; /* bzip2, lz4, etc.. */
 	uint8_t properties; /* currently unused */
 	char pad[256];      /* currently unused */
 };
 
 /**
  * knet_get_compress_list
  *
  * @brief Get a list of support compression types
  *
  * compress_list - array of struct knet_compress_info *
  *		   If NULL then only the number of structs is returned in compress_list_entries
  *		   to allow the caller to allocate sufficient space.
  *		   libknet does not allow more than 256 compress methods at the moment.
  *		   it is safe to allocate 256 structs to avoid calling
  *		   knet_get_compress_list twice.
  *
  * compress_list_entries - returns the number of structs in compress_list
  *
  * @return
  * knet_get_compress_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_get_compress_list(struct knet_compress_info *compress_list,
 			   size_t *compress_list_entries);
 
 /*
  * host structs/API calls
  */
 
 /**
  * knet_host_add
  *
  * @brief Add a new host ID to knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - each host in a knet is identified with a unique ID
  *            (see also knet_handle_new(3))
  *
  * @return
  * knet_host_add returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_add(knet_handle_t knet_h, knet_node_id_t host_id);
 
 /**
  * knet_host_remove
  *
  * @brief Remove a host ID from knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - each host in a knet is identified with a unique ID
  *            (see also knet_handle_new(3))
  *
  * @return
  * knet_host_remove returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_remove(knet_handle_t knet_h, knet_node_id_t host_id);
 
 /**
  * knet_host_set_name
  *
  * @brief Set the name of a knet host
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * name     - this name will be used for pretty logging and eventually
  *            search for hosts (see also knet_handle_host_get_name(2) and knet_handle_host_get_id(3)).
  *            Only up to KNET_MAX_HOST_LEN - 1 bytes will be accepted and
  *            name has to be unique for each host.
  *
  * @return
  * knet_host_set_name returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_set_name(knet_handle_t knet_h, knet_node_id_t host_id,
 		       const char *name);
 
 /**
  * knet_host_get_name_by_host_id
  *
  * @brief Get the name of a host given its ID
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * name     - pointer to a preallocated buffer of at least size KNET_MAX_HOST_LEN
  *            where the current host name will be stored
  *            (as set by knet_host_set_name or default by knet_host_add)
  *
  * @return
  * knet_host_get_name_by_host_id returns:
  * 0 on success
  * -1 on error and errno is set (name is left untouched)
  */
 
 int knet_host_get_name_by_host_id(knet_handle_t knet_h, knet_node_id_t host_id,
 				  char *name);
 
 /**
  * knet_host_get_id_by_host_name
  *
  * @brief Get the ID of a host given its name
  *
  * knet_h   - pointer to knet_handle_t
  *
  * name     - name to lookup, max len KNET_MAX_HOST_LEN
  *
  * host_id  - where to store the result
  *
  * @return
  * knet_host_get_id_by_host_name returns:
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_id_by_host_name(knet_handle_t knet_h, const char *name,
 				  knet_node_id_t *host_id);
 
 /**
  * knet_host_get_host_list
  *
  * @brief Get a list of hosts known to knet
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_ids - array of at lest KNET_MAX_HOST size
  *
  * host_ids_entries -
  *            number of entries writted in host_ids
  *
  * @return
  * knet_host_get_host_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_host_list(knet_handle_t knet_h,
 			    knet_node_id_t *host_ids, size_t *host_ids_entries);
 
 /*
  * define switching policies
  */
 
 #define KNET_LINK_POLICY_PASSIVE 0
 #define KNET_LINK_POLICY_ACTIVE  1
 #define KNET_LINK_POLICY_RR      2
 
 /**
  * knet_host_set_policy
  *
  * @brief Set the switching policy for a host's links
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * policy   - there are currently 3 kind of simple switching policies
  *            based on link configuration.
  *            KNET_LINK_POLICY_PASSIVE - the active link with the highest
  *                                       priority (highest number) will be used.
  *                                       if one or more active links share
  *                                       the same priority, the one with
  *                                       lowest link_id will be used.
  *
  *            KNET_LINK_POLICY_ACTIVE  - all active links will be used
  *                                       simultaneously to send traffic.
  *                                       link priority is ignored.
  *
  *            KNET_LINK_POLICY_RR      - round-robin policy, every packet
  *                                       will be send on a different active
  *                                       link.
  *
  * @return
  * knet_host_set_policy returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_set_policy(knet_handle_t knet_h, knet_node_id_t host_id,
 			 uint8_t policy);
 
 /**
  * knet_host_get_policy
  *
  * @brief Get the switching policy for a host's links
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * policy   - will contain the current configured switching policy.
  *            Default is passive when creating a new host.
  *
  * @return
  * knet_host_get_policy returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_policy(knet_handle_t knet_h, knet_node_id_t host_id,
 			 uint8_t *policy);
 
 /**
  * knet_host_enable_status_change_notify
  *
  * @brief Install a callback to get host status change events
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_status_change_notify_fn_private_data -
  *            void pointer to data that can be used to identify
  *            the callback
  *
  * host_status_change_notify_fn -
  *            is a callback function that is invoked every time
  *            there is a change in the host status.
  *            host status is identified by:
  *            - reachable, this host can send/receive data to/from host_id
  *            - remote, 0 if the host_id is connected locally or 1 if
  *                      the there is one or more knet host(s) in between.
  *                      NOTE: re-switching is NOT currently implemented,
  *                            but this is ready for future and can avoid
  *                            an API/ABI breakage later on.
  *            - external, 0 if the host_id is configured locally or 1 if
  *                        it has been added from remote nodes config.
  *                        NOTE: dynamic topology is NOT currently implemented,
  *                        but this is ready for future and can avoid
  *                        an API/ABI breakage later on.
  *            This function MUST NEVER block or add substantial delays.
  *
  * @return
  * knet_host_status_change_notify returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_enable_status_change_notify(knet_handle_t knet_h,
 					  void *host_status_change_notify_fn_private_data,
 					  void (*host_status_change_notify_fn) (
 						void *private_data,
 						knet_node_id_t host_id,
 						uint8_t reachable,
 						uint8_t remote,
 						uint8_t external));
 
 /*
  * define host status structure for quick lookup
  * struct is in flux as more stats will be added soon
  *
  * reachable             host_id can be seen either directly connected
  *                       or via another host_id
  *
  * remote                0 = node is connected locally, 1 is visible via
  *                       via another host_id
  *
  * external              0 = node is configured/known locally,
  *                       1 host_id has been received via another host_id
  */
 
 struct knet_host_status {
 	uint8_t reachable;
 	uint8_t remote;
 	uint8_t external;
 	/* add host statistics */
 };
 
 /**
  * knet_host_get_status
  *
  * @brief Get the status of a host
  *
  * knet_h   - pointer to knet_handle_t
  *
  * host_id  - see knet_host_add(3)
  *
  * status   - pointer to knet_host_status struct
  *
  * @return
  * knet_handle_pmtud_get returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_host_get_status(knet_handle_t knet_h, knet_node_id_t host_id,
 			 struct knet_host_status *status);
 
 /*
  * link structs/API calls
  *
  * every host allocated/managed by knet_host_* has
  * KNET_MAX_LINK structures to define the network
  * paths that connect 2 hosts.
  *
  * Each link is identified by a link_id that has a
  * values between 0 and KNET_MAX_LINK - 1.
  *
  * KNOWN LIMITATIONS:
  *
  * - let's assume the scenario where two hosts are connected
  *   with any number of links. link_id must match on both sides.
  *   If host_id 0 link_id 0 is configured to connect IP1 to IP2 and
  *   host_id 0 link_id 1 is configured to connect IP3 to IP4,
  *   host_id 1 link_id 0 _must_ connect IP2 to IP1 and likewise
  *   host_id 1 link_id 1 _must_ connect IP4 to IP3.
  *   We might be able to lift this restriction in future, by using
  *   other data to determine src/dst link_id, but for now, deal with it.
  */
 
 /*
  * commodity functions to convert strings to sockaddr and viceversa
  */
 
 /**
  * knet_strtoaddr
  *
  * @brief Convert a hostname string to an address
  *
  * host      - IPaddr/hostname to convert
  *             be aware only the first IP address will be returned
  *             in case a hostname resolves to multiple IP
  *
  * port      - port to connect to
  *
  * ss        - sockaddr_storage where to store the converted data
  *
  * sslen     - len of the sockaddr_storage
  *
  * @return
  * knet_strtoaddr returns same error codes as getaddrinfo
  *
  */
 
 int knet_strtoaddr(const char *host, const char *port,
 		   struct sockaddr_storage *ss, socklen_t sslen);
 
 /**
  * knet_addrtostr
  *
  * @brief Convert an address to a host name
  *
  * ss        - sockaddr_storage to convert
  *
  * sslen     - len of the sockaddr_storage
  *
  * host      - IPaddr/hostname where to store data
  *             (recommended size: KNET_MAX_HOST_LEN)
  *
  * port      - port buffer where to store data
  *             (recommended size: KNET_MAX_PORT_LEN)
  *
  * @return
  * knet_strtoaddr returns same error codes as getnameinfo
  */
 
 int knet_addrtostr(const struct sockaddr_storage *ss, socklen_t sslen,
 		   char *addr_buf, size_t addr_buf_size,
 		   char *port_buf, size_t port_buf_size);
 
 
 
 #define KNET_TRANSPORT_LOOPBACK 0
 #define KNET_TRANSPORT_UDP      1
 #define KNET_TRANSPORT_SCTP     2
 #define KNET_MAX_TRANSPORTS     UINT8_MAX
 
 /*
  * The Loopback transport is only valid for connections to localhost, the host
  * with the same node_id specified in knet_handle_new(). Only one link of this
  * type is allowed. Data sent down a LOOPBACK link will be copied directly from
  * the knet send datafd to the knet receive datafd so the application must be set
  * up to take data from that socket at least as often as it is sent or deadlocks
  * could occur. If used, a LOOPBACK link must be the only link configured to the
  * local host.
  */
 
 struct knet_transport_info {
 	const char *name;   /* UDP/SCTP/etc... */
 	uint8_t id;         /* value that can be used for link_set_config */
 	uint8_t properties; /* currently unused */
 	char pad[256];      /* currently unused */
 };
 
 /**
  * knet_get_transport_list
  *
  * @brief Get a list of the transports support by this build of knet
  *
  * transport_list         - an array of struct transport_info that must be
  *                          at least of size struct transport_info * KNET_MAX_TRANSPORTS
  *
  * transport_list_entries - pointer to a size_t where to store how many transports
  *                          are available in this build of libknet.
  *
  * @return
  * knet_get_transport_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_get_transport_list(struct knet_transport_info *transport_list,
 			    size_t *transport_list_entries);
 
 /**
  * knet_get_transport_name_by_id
  *
  * @brief Get a transport name from its ID number
  *
  * transport - one of the KNET_TRANSPORT_xxx constants
  *
  * @return
  * knet_get_transport_name_by_id returns:
  *
  * @retval pointer to the name on success or
  * @retval NULL on error and errno is set.
  */
 
 const char *knet_get_transport_name_by_id(uint8_t transport);
 
 /**
  * knet_get_transport_id_by_name
  *
  * @brief Get a transport ID from its name
  *
  * name      - transport name (UDP/SCTP/etc)
  *
  * @return
  * knet_get_transport_name_by_id returns:
  *
  * @retval KNET_MAX_TRANSPORTS on error and errno is set accordingly
  * @retval KNET_TRANSPORT_xxx on success.
  */
 
 uint8_t knet_get_transport_id_by_name(const char *name);
 
 
 
 #define KNET_TRANSPORT_DEFAULT_RECONNECT_INTERVAL 1000
 
 /**
  * knet_handle_set_transport_reconnect_interval
  *
  * @brief Set the interval between transport attempts to reconnect a failed link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * msecs     - milliseconds
  *
  * @return
  * knet_handle_set_transport_reconnect_interval returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_set_transport_reconnect_interval(knet_handle_t knet_h, uint32_t msecs);
 
 /**
  * knet_handle_get_transport_reconnect_interval
  *
  * @brief Get the interval between transport attempts to reconnect a failed link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * msecs     - milliseconds
  *
  * @return
  * knet_handle_get_transport_reconnect_interval returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_handle_get_transport_reconnect_interval(knet_handle_t knet_h, uint32_t *msecs);
 
 /**
  * knet_link_set_config
  *
  * @brief Configure the link to a host
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * transport - one of the KNET_TRANSPORT_xxx constants
  *
  * src_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *
  * dst_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *             this can be null if we don't know the incoming
  *             IP address/port and the link will remain quiet
  *             till the node on the other end will initiate a
  *             connection
  *
  * flags     - KNET_LINK_FLAG_*
  *
  * @return
  * knet_link_set_config returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 uint8_t transport,
 			 struct sockaddr_storage *src_addr,
 			 struct sockaddr_storage *dst_addr,
 			 uint64_t flags);
 
 /**
  * knet_link_get_config
  *
  * @brief Get the link configutation information
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * transport - see knet_link_set_config(3)
  *
  * src_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *
  * dst_addr  - sockaddr_storage that can be either IPv4 or IPv6
  *
  * dynamic   - 0 if dst_addr is static or 1 if dst_addr is dynamic.
  *             In case of 1, dst_addr can be NULL and it will be left
  *             untouched.
  *
  * flags     - KNET_LINK_FLAG_*
  *
  * @return
  * knet_link_get_config returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_get_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 uint8_t *transport,
 			 struct sockaddr_storage *src_addr,
 			 struct sockaddr_storage *dst_addr,
 			 uint8_t *dynamic,
 			 uint64_t *flags);
 
 /**
  * knet_link_clear_config
  *
  * @brief Clear link information and disconnect the link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * @return
  * knet_link_clear_config returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_clear_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
 
 /*
  * Access lists management for open links
  * see also knet_handle_enable_access_lists(3)
  */
 
 /**
  * check_type_t
  * @brief address type enum for knet access lists
  *
  * CHECK_TYPE_ADDRESS is the equivalent of a single entry / IP address.
  *                    for example: 10.1.9.3
  *                    and the entry is stored in ss1. ss2 can be NULL.
  *
  * CHECK_TYPE_MASK    is used to configure network/netmask.
  *                    for example: 192.168.0.0/24
  *                    the network is stored in ss1 and the netmask in ss2.
  *
  * CHECK_TYPE_RANGE   defines a value / range of ip addresses.
  *                    for example: 172.16.0.1-172.16.0.10
  *                    the start is stored in ss1 and the end in ss2.
  *
  * Please be aware that the above examples refer only to IP based protocols.
  * Other protocols might use ss1 and ss2 in slightly different ways.
  * At the moment knet only supports IP based protocol, though that might change
  * in the future.
  */
 
 typedef enum {
 	CHECK_TYPE_ADDRESS,
 	CHECK_TYPE_MASK,
 	CHECK_TYPE_RANGE
 } check_type_t;
 
 /**
  * check_acceptreject_t
  *
  * @brief enum for accept/reject in knet access lists
  *
  * accept or reject incoming packets defined in the access list entry
  */
 
 typedef enum {
 	CHECK_ACCEPT,
 	CHECK_REJECT
 } check_acceptreject_t;
 
 /**
  * knet_link_add_acl
  *
  * @brief Add access list entry to an open link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
  *
  * IMPORTANT: the order in which access lists are added is critical and it
  *            is left to the user to add them in the right order. knet
  *            will not attempt to logically sort them.
  *
  *            For example:
  *            1 - accept from 10.0.0.0/8
  *            2 - reject from 10.0.0.1/32
  *
  *            is not the same as:
  *
  *            1 - reject from 10.0.0.1/32
  *            2 - accept from 10.0.0.0/8
  *
  *            In the first example, rule number 2 will never match because
  *            packets from 10.0.0.1 will be accepted by rule number 1.
  *
  * @return
  * knet_link_add_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_add_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 		      struct sockaddr_storage *ss1,
 		      struct sockaddr_storage *ss2,
 		      check_type_t type, check_acceptreject_t acceptreject);
 
 /**
  * knet_link_insert_acl
  *
  * @brief Insert access list entry to an open link at given index
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * index     - insert at position "index" where 0 is the first entry and -1
  *             appends to the current list.
  *
  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
  *
  * @return
  * knet_link_insert_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_insert_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 int index,
 			 struct sockaddr_storage *ss1,
 			 struct sockaddr_storage *ss2,
 			 check_type_t type, check_acceptreject_t acceptreject);
 
 /**
  * knet_link_rm_acl
  *
  * @brief Remove access list entry from an open link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * ss1 / ss2 / type / acceptreject - see typedef definitions for details
  *
  * IMPORTANT: the data passed to this API call must match exactly that passed
  *            to knet_link_add_acl(3).
  *
  * @return
  * knet_link_rm_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_rm_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 		     struct sockaddr_storage *ss1,
 		     struct sockaddr_storage *ss2,
 		     check_type_t type, check_acceptreject_t acceptreject);
 
 /**
  * knet_link_clear_acl
  *
  * @brief Remove all access list entries from an open link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * @return
  * knet_link_clear_acl returns
  * 0 on success.
  * -1 on error and errno is set.
  */
 
 int knet_link_clear_acl(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id);
 
 /**
  * knet_link_set_enable
  *
  * @brief Enable traffic on a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * enabled   - 0 disable the link, 1 enable the link
  *
  * @return
  * knet_link_set_enable returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_enable(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 unsigned int enabled);
 
 /**
  * knet_link_get_enable
  *
  * @brief Find out whether a link is enabled or not
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * enabled   - 0 disable the link, 1 enable the link
  *
  * @return
  * knet_link_get_enable returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_enable(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 unsigned int *enabled);
 
 
 
 #define KNET_LINK_DEFAULT_PING_INTERVAL  1000 /* 1 second */
 #define KNET_LINK_DEFAULT_PING_TIMEOUT   2000 /* 2 seconds */
 #define KNET_LINK_DEFAULT_PING_PRECISION 2048 /* samples */
 
 /**
  * knet_link_set_ping_timers
  *
  * @brief Set the ping timers for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * interval  - specify the ping interval in milliseconds.
  *
  * timeout   - if no pong is received within this time,
  *             the link is declared dead, in milliseconds.
  *             NOTE: in future it will be possible to set timeout to 0
  *             for an autocalculated timeout based on interval, pong_count
  *             and latency. The API already accept 0 as value and it will
  *             return ENOSYS / -1. Once the automatic calculation feature
  *             will be implemented, this call will only return EINVAL
  *             for incorrect values.
  *
  * precision - how many values of latency are used to calculate
  *             the average link latency (see also knet_link_get_status(3))
  *
  * @return
  * knet_link_set_ping_timers returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_ping_timers(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			      time_t interval, time_t timeout, unsigned int precision);
 
 /**
  * knet_link_get_ping_timers
  *
  * @brief Get the ping timers for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * interval  - ping interval
  *
  * timeout   - if no pong is received within this time,
  *             the link is declared dead
  *
  * precision - how many values of latency are used to calculate
  *             the average link latency (see also knet_link_get_status(3))
  *
  * @return
  * knet_link_get_ping_timers returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_ping_timers(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			      time_t *interval, time_t *timeout, unsigned int *precision);
 
 
 
 #define KNET_LINK_DEFAULT_PONG_COUNT 5
 
 /**
  * knet_link_set_pong_count
  *
  * @brief Set the pong count for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * pong_count - how many valid ping/pongs before a link is marked UP.
  *              default: 5, value should be > 0
  *
  * @return
  * knet_link_set_pong_count returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_pong_count(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			     uint8_t pong_count);
 
 /**
  * knet_link_get_pong_count
  *
  * @brief Get the pong count for a link
  *
  * knet_h     - pointer to knet_handle_t
  *
  * host_id    - see knet_host_add(3)
  *
  * link_id    - see knet_link_set_config(3)
  *
  * pong_count - how many valid ping/pongs before a link is marked UP.
  *              default: 5, value should be > 0
  *
  * @return
  * knet_link_get_pong_count returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_pong_count(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			     uint8_t *pong_count);
 
 /**
  * knet_link_set_priority
  *
  * @brief Set the priority for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * priority  - specify the switching priority for this link
  *             see also knet_host_set_policy
  *
  * @return
  * knet_link_set_priority returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_set_priority(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			   uint8_t priority);
 
 /**
  * knet_link_get_priority
  *
  * @brief Get the priority for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * priority  - gather the switching priority for this link
  *             see also knet_host_set_policy
  *
  * @return
  * knet_link_get_priority returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_priority(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			   uint8_t *priority);
 
 /**
  * knet_link_get_link_list
  *
  * @brief Get a list of links connecting a host
  *
  * knet_h   - pointer to knet_handle_t
  *
  * link_ids - array of at lest KNET_MAX_LINK size
  *            with the list of configured links for a certain host.
  *
  * link_ids_entries -
  *            number of entries contained in link_ids
  *
  * @return
  * knet_link_get_link_list returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_link_list(knet_handle_t knet_h, knet_node_id_t host_id,
 			    uint8_t *link_ids, size_t *link_ids_entries);
 
 /*
  * define link status structure for quick lookup
  *
  * src/dst_{ipaddr,port} strings are filled by
  *                       getnameinfo(3) when configuring the link.
  *                       if the link is dynamic (see knet_link_set_config(3))
  *                       dst_ipaddr/port will contain ipaddr/port of the currently
  *                       connected peer or "Unknown" if it was not possible
  *                       to determine the ipaddr/port at runtime.
  *
  * enabled               see also knet_link_set/get_enable.
  *
  * connected             the link is connected to a peer and ping/pong traffic
  *                       is flowing.
  *
  * dynconnected          the link has dynamic ip on the other end, and
  *                       we can see the other host is sending pings to us.
  *
  * latency               average latency of this link
  *                       see also knet_link_set/get_timeout.
  *
  * pong_last             if the link is down, this value tells us how long
  *                       ago this link was active. A value of 0 means that the link
  *                       has never been active.
  *
  * knet_link_stats       structure that contains details statistics for the link
  */
 
 #define MAX_LINK_EVENTS 16
 
 struct knet_link_stats {
 	/* onwire values */
 	uint64_t tx_data_packets;
 	uint64_t rx_data_packets;
 	uint64_t tx_data_bytes;
 	uint64_t rx_data_bytes;
 	uint64_t rx_ping_packets;
 	uint64_t tx_ping_packets;
 	uint64_t rx_ping_bytes;
 	uint64_t tx_ping_bytes;
 	uint64_t rx_pong_packets;
 	uint64_t tx_pong_packets;
 	uint64_t rx_pong_bytes;
 	uint64_t tx_pong_bytes;
 	uint64_t rx_pmtu_packets;
 	uint64_t tx_pmtu_packets;
 	uint64_t rx_pmtu_bytes;
 	uint64_t tx_pmtu_bytes;
 
 	/* Only filled in when requested */
 	uint64_t tx_total_packets;
 	uint64_t rx_total_packets;
 	uint64_t tx_total_bytes;
 	uint64_t rx_total_bytes;
 	uint64_t tx_total_errors;
 	uint64_t tx_total_retries;
 
 	uint32_t tx_pmtu_errors;
 	uint32_t tx_pmtu_retries;
 	uint32_t tx_ping_errors;
 	uint32_t tx_ping_retries;
 	uint32_t tx_pong_errors;
 	uint32_t tx_pong_retries;
 	uint32_t tx_data_errors;
 	uint32_t tx_data_retries;
 
 	/* measured in usecs */
 	uint32_t latency_min;
 	uint32_t latency_max;
 	uint32_t latency_ave;
 	uint32_t latency_samples;
 
 	/* how many times the link has been going up/down */
 	uint32_t down_count;
 	uint32_t up_count;
 
 	/*
 	 * circular buffer of time_t structs collecting the history
 	 * of up/down events on this link.
 	 * the index indicates current/last event.
 	 * it is safe to walk back the history by decreasing the index
 	 */
 	time_t   last_up_times[MAX_LINK_EVENTS];
 	time_t   last_down_times[MAX_LINK_EVENTS];
 	int8_t   last_up_time_index;
 	int8_t   last_down_time_index;
 	/* Always add new stats at the end */
 };
 
 struct knet_link_status {
 	size_t size;                    /* For ABI checking */
 	char src_ipaddr[KNET_MAX_HOST_LEN];
 	char src_port[KNET_MAX_PORT_LEN];
 	char dst_ipaddr[KNET_MAX_HOST_LEN];
 	char dst_port[KNET_MAX_PORT_LEN];
 	uint8_t enabled;	        /* link is configured and admin enabled for traffic */
 	uint8_t connected;              /* link is connected for data (local view) */
 	uint8_t dynconnected;	        /* link has been activated by remote dynip */
 	unsigned long long latency;	/* average latency computed by fix/exp */
 	struct timespec pong_last;
 	unsigned int mtu;		/* current detected MTU on this link */
 	unsigned int proto_overhead;    /* contains the size of the IP protocol, knet headers and
 					 * crypto headers (if configured). This value is filled in
 					 * ONLY after the first PMTUd run on that given link,
 					 * and can change if link configuration or crypto configuration
 					 * changes at runtime.
 					 * WARNING: in general mtu + proto_overhead might or might
 					 * not match the output of ifconfig mtu due to crypto
 					 * requirements to pad packets to some specific boundaries. */
 	/* Link statistics */
 	struct knet_link_stats stats;
 };
 
 /**
  * knet_link_get_status
  *
  * @brief Get the status (and statistics) for a link
  *
  * knet_h    - pointer to knet_handle_t
  *
  * host_id   - see knet_host_add(3)
  *
  * link_id   - see knet_link_set_config(3)
  *
  * status    - pointer to knet_link_status struct
  *
  * struct_size - max size of knet_link_status - allows library to
  *               add fields without ABI change. Returned structure
  *               will be truncated to this length and .size member
  *               indicates the full size.
  *
  * @return
  * knet_link_get_status returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_link_get_status(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			 struct knet_link_status *status, size_t struct_size);
 
 /*
  * logging structs/API calls
  */
 
 /*
  * libknet is composed of several subsystems. In order
  * to easily distinguish log messages coming from different
  * places, each subsystem has its own ID.
  *
  *  0-19 config/management
  * 20-39 internal threads
  * 40-59 transports
  * 60-69 crypto implementations
  */
 
 #define KNET_SUB_COMMON         0 /* common.c */
 #define KNET_SUB_HANDLE         1 /* handle.c alloc/dealloc config changes */
 #define KNET_SUB_HOST           2 /* host add/del/modify */
 #define KNET_SUB_LISTENER       3 /* listeners add/del/modify... */
 #define KNET_SUB_LINK           4 /* link add/del/modify */
 #define KNET_SUB_TRANSPORT      5 /* Transport common */
 #define KNET_SUB_CRYPTO         6 /* crypto.c config generic layer */
 #define KNET_SUB_COMPRESS       7 /* compress.c config generic layer */
 
 #define KNET_SUB_FILTER        19 /* allocated for users to log from dst_filter */
 
 #define KNET_SUB_DSTCACHE      20 /* switching thread (destination cache handling) */
 #define KNET_SUB_HEARTBEAT     21 /* heartbeat thread */
 #define KNET_SUB_PMTUD         22 /* Path MTU Discovery thread */
 #define KNET_SUB_TX            23 /* send to link thread */
 #define KNET_SUB_RX            24 /* recv from link thread */
 
 #define KNET_SUB_TRANSP_BASE   40 /* Base log level for transports */
 #define KNET_SUB_TRANSP_LOOPBACK (KNET_SUB_TRANSP_BASE + KNET_TRANSPORT_LOOPBACK)
 #define KNET_SUB_TRANSP_UDP      (KNET_SUB_TRANSP_BASE + KNET_TRANSPORT_UDP)
 #define KNET_SUB_TRANSP_SCTP     (KNET_SUB_TRANSP_BASE + KNET_TRANSPORT_SCTP)
 
 #define KNET_SUB_NSSCRYPTO     60 /* nsscrypto.c */
 #define KNET_SUB_OPENSSLCRYPTO 61 /* opensslcrypto.c */
 
 #define KNET_SUB_ZLIBCOMP      70 /* compress_zlib.c */
 #define KNET_SUB_LZ4COMP       71 /* compress_lz4.c */
 #define KNET_SUB_LZ4HCCOMP     72 /* compress_lz4.c */
 #define KNET_SUB_LZO2COMP      73 /* compress_lzo.c */
 #define KNET_SUB_LZMACOMP      74 /* compress_lzma.c */
 #define KNET_SUB_BZIP2COMP     75 /* compress_bzip2.c */
 #define KNET_SUB_ZSTDCOMP      76 /* compress_zstd.c */
 
 #define KNET_SUB_UNKNOWN       UINT8_MAX - 1
 #define KNET_MAX_SUBSYSTEMS    UINT8_MAX
 
 /*
  * Convert between subsystem IDs and names
  */
 
 /**
  * knet_log_get_subsystem_name
  *
  * @brief Get a logging system name from its numeric ID
  *
  * @return
  * returns internal name of the subsystem or "common"
  */
 
 const char *knet_log_get_subsystem_name(uint8_t subsystem);
 
 /**
  * knet_log_get_subsystem_id
  *
  * @brief Get a logging system ID from its name
  *
  * @return
  * returns internal ID of the subsystem or KNET_SUB_COMMON
  */
 
 uint8_t knet_log_get_subsystem_id(const char *name);
 
 /*
  * 4 log levels are enough for everybody
  */
 
 #define KNET_LOG_ERR         0 /* unrecoverable errors/conditions */
 #define KNET_LOG_WARN        1 /* recoverable errors/conditions */
 #define KNET_LOG_INFO        2 /* info, link up/down, config changes.. */
 #define KNET_LOG_DEBUG       3
 
 /*
  * Convert between log level values and names
  */
 
 /**
  * knet_log_get_loglevel_name
  *
  * @brief Get a logging level name from its numeric ID
  *
  * @return
  * returns internal name of the log level or "ERROR" for unknown values
  */
 
 const char *knet_log_get_loglevel_name(uint8_t level);
 
 /**
  * knet_log_get_loglevel_id
  *
  * @brief Get a logging level ID from its name
  *
  * @return
  * returns internal log level ID or KNET_LOG_ERR for invalid names
  */
 
 uint8_t knet_log_get_loglevel_id(const char *name);
 
 /*
  * every log message is composed by a text message
  * and message level/subsystem IDs.
  * In order to make debugging easier it is possible to send those packets
  * straight to stdout/stderr (see knet_bench.c stdout option).
  */
 
 #define KNET_MAX_LOG_MSG_SIZE    254
 #if KNET_MAX_LOG_MSG_SIZE > PIPE_BUF
 #error KNET_MAX_LOG_MSG_SIZE cannot be bigger than PIPE_BUF for guaranteed system atomic writes
 #endif
 
 struct knet_log_msg {
 	char	msg[KNET_MAX_LOG_MSG_SIZE];
 	uint8_t	subsystem;	/* KNET_SUB_* */
 	uint8_t msglevel;	/* KNET_LOG_* */
 };
 
 /**
  * knet_log_set_loglevel
  *
  * @brief Set the logging level for a subsystem
  *
  * knet_h     - same as above
  *
  * subsystem  - same as above
  *
  * level      - same as above
  *
  * knet_log_set_loglevel allows fine control of log levels by subsystem.
  *                       See also knet_handle_new for defaults.
  *
  * @return
  * knet_log_set_loglevel returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_log_set_loglevel(knet_handle_t knet_h, uint8_t subsystem,
 			  uint8_t level);
 
 /**
  * knet_log_get_loglevel
  *
  * @brief Get the logging level for a subsystem
  *
  * knet_h     - same as above
  *
  * subsystem  - same as above
  *
  * level      - same as above
  *
  * @return
  * knet_log_get_loglevel returns
  * 0 on success
  * -1 on error and errno is set.
  */
 
 int knet_log_get_loglevel(knet_handle_t knet_h, uint8_t subsystem,
 			  uint8_t *level);
 
 #endif
diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
index 86312072..aa948218 100644
--- a/libknet/tests/Makefile.am
+++ b/libknet/tests/Makefile.am
@@ -1,104 +1,108 @@
 #
 # Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 MAINTAINERCLEANFILES	= Makefile.in
 
 include $(top_srcdir)/build-aux/check.mk
 include $(top_srcdir)/libknet/tests/api-check.mk
 
 EXTRA_DIST		= \
 			  api-test-coverage \
 			  api-check.mk
 
 AM_CPPFLAGS		= -I$(top_srcdir)/libknet
 AM_CFLAGS		+= $(PTHREAD_CFLAGS) $(libqb_CFLAGS)
 LIBS			= $(top_builddir)/libknet/libknet.la \
 			  $(PTHREAD_LIBS) $(dl_LIBS)
 
 noinst_HEADERS		= \
 			  test-common.h
 
 # the order of those tests is NOT random.
 # some functions can only be tested properly after some dependents
 # API have been validated upfront.
 
 check_PROGRAMS		= \
 			  $(api_checks) \
 			  $(int_checks) \
 			  $(fun_checks)
 
 int_checks		= \
 			  int_links_acl_ip_test \
 			  int_timediff_test
 
-fun_checks		=
+fun_checks		= \
+			  fun_config_crypto_test
 
 # checks below need to be executed manually
 # or with a specifi environment
 
 long_run_checks		= \
 			  fun_pmtud_crypto_test
 
 benchmarks		= \
 			  knet_bench_test
 
 noinst_PROGRAMS		= \
 			  api_knet_handle_new_limit_test \
 			  pckt_test \
 			  $(benchmarks) \
 			  $(long_run_checks) \
 			  $(check_PROGRAMS)
 
 noinst_SCRIPTS		= \
 			  api-test-coverage
 
 TESTS			= $(check_PROGRAMS)
 
 if INSTALL_TESTS
 testsuitedir		= $(TESTDIR)
 testsuite_PROGRAMS	= $(noinst_PROGRAMS)
 endif
 
 check-local: check-api-test-coverage
 
 check-api-test-coverage:
 	chmod u+x $(top_srcdir)/libknet/tests/api-test-coverage
 	$(top_srcdir)/libknet/tests/api-test-coverage $(top_srcdir) $(top_builddir)
 
 pckt_test_SOURCES	= pckt_test.c
 
 int_links_acl_ip_test_SOURCES = int_links_acl_ip.c \
 				../common.c \
 				../compat.c \
 				../logging.c \
 				../netutils.c \
 				../threads_common.c \
 				../onwire.c \
 				../transports.c \
 				../transport_common.c \
 				../transport_loopback.c \
 				../transport_sctp.c \
 				../transport_udp.c \
 				../links_acl.c \
 				../links_acl_ip.c \
 				../links_acl_loopback.c
 
 int_timediff_test_SOURCES = int_timediff.c
 
 knet_bench_test_SOURCES	= knet_bench.c \
 			  test-common.c \
 			  ../common.c \
 			  ../logging.c \
 			  ../compat.c \
 			  ../transport_common.c \
 			  ../threads_common.c \
 			  ../onwire.c
 
 fun_pmtud_crypto_test_SOURCES = fun_pmtud_crypto.c \
 				test-common.c \
 				../onwire.c
+
+fun_config_crypto_test_SOURCES = fun_config_crypto.c \
+				 test-common.c
diff --git a/libknet/tests/api-check.mk b/libknet/tests/api-check.mk
index 75a51507..97afcfbe 100644
--- a/libknet/tests/api-check.mk
+++ b/libknet/tests/api-check.mk
@@ -1,278 +1,290 @@
 #
 # Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 api_checks		= \
 			  api_knet_handle_new_test \
 			  api_knet_handle_free_test \
 			  api_knet_handle_compress_test \
 			  api_knet_handle_crypto_test \
 			  api_knet_handle_setfwd_test \
 			  api_knet_handle_enable_access_lists_test \
 			  api_knet_handle_enable_filter_test \
 			  api_knet_handle_enable_sock_notify_test \
 			  api_knet_handle_add_datafd_test \
 			  api_knet_handle_remove_datafd_test \
 			  api_knet_handle_get_channel_test \
 			  api_knet_handle_get_datafd_test \
 			  api_knet_handle_get_stats_test \
 			  api_knet_get_crypto_list_test \
 			  api_knet_get_compress_list_test \
 			  api_knet_handle_clear_stats_test \
 			  api_knet_get_transport_list_test \
 			  api_knet_get_transport_name_by_id_test \
 			  api_knet_get_transport_id_by_name_test \
 			  api_knet_handle_set_transport_reconnect_interval_test \
 			  api_knet_handle_get_transport_reconnect_interval_test \
 			  api_knet_recv_test \
 			  api_knet_send_test \
 			  api_knet_send_crypto_test \
 			  api_knet_send_compress_test \
 			  api_knet_send_sync_test \
 			  api_knet_send_loopback_test \
 			  api_knet_handle_pmtud_setfreq_test \
 			  api_knet_handle_pmtud_getfreq_test \
 			  api_knet_handle_enable_pmtud_notify_test \
 			  api_knet_handle_pmtud_get_test \
 			  api_knet_handle_pmtud_set_test \
 			  api_knet_host_add_test \
 			  api_knet_host_remove_test \
 			  api_knet_host_set_name_test \
 			  api_knet_host_get_name_by_host_id_test \
 			  api_knet_host_get_id_by_host_name_test \
 			  api_knet_host_get_host_list_test \
 			  api_knet_host_set_policy_test \
 			  api_knet_host_get_policy_test \
 			  api_knet_host_get_status_test \
 			  api_knet_host_enable_status_change_notify_test \
 			  api_knet_log_get_subsystem_name_test \
 			  api_knet_log_get_subsystem_id_test \
 			  api_knet_log_get_loglevel_name_test \
 			  api_knet_log_get_loglevel_id_test \
 			  api_knet_log_set_loglevel_test \
 			  api_knet_log_get_loglevel_test \
 			  api_knet_strtoaddr_test \
 			  api_knet_addrtostr_test \
 			  api_knet_link_set_config_test \
 			  api_knet_link_clear_config_test \
 			  api_knet_link_get_config_test \
 			  api_knet_link_set_ping_timers_test \
 			  api_knet_link_get_ping_timers_test \
 			  api_knet_link_set_pong_count_test \
 			  api_knet_link_get_pong_count_test \
 			  api_knet_link_set_priority_test \
 			  api_knet_link_get_priority_test \
 			  api_knet_link_set_enable_test \
 			  api_knet_link_get_enable_test \
 			  api_knet_link_get_link_list_test \
 			  api_knet_link_get_status_test \
 			  api_knet_link_add_acl_test \
 			  api_knet_link_insert_acl_test \
 			  api_knet_link_rm_acl_test \
-			  api_knet_link_clear_acl_test
+			  api_knet_link_clear_acl_test \
+			  api_knet_handle_crypto_set_config_test \
+			  api_knet_handle_crypto_use_config_test \
+			  api_knet_handle_crypto_rx_clear_traffic_test
 
 api_knet_handle_new_test_SOURCES = api_knet_handle_new.c \
 				   test-common.c
 
 api_knet_handle_free_test_SOURCES = api_knet_handle_free.c \
 				    test-common.c
 
 api_knet_handle_new_limit_test_SOURCES = api_knet_handle_new_limit.c \
 					 test-common.c
 
 api_knet_handle_compress_test_SOURCES = api_knet_handle_compress.c \
 					test-common.c
 
 api_knet_handle_crypto_test_SOURCES = api_knet_handle_crypto.c \
 				      test-common.c
 
 api_knet_handle_setfwd_test_SOURCES = api_knet_handle_setfwd.c \
 				      test-common.c
 
 api_knet_handle_enable_access_lists_test_SOURCES = api_knet_handle_enable_access_lists.c \
 						   test-common.c
 
 api_knet_handle_enable_filter_test_SOURCES = api_knet_handle_enable_filter.c \
 					     test-common.c
 
 api_knet_handle_enable_sock_notify_test_SOURCES = api_knet_handle_enable_sock_notify.c \
 						  test-common.c
 
 api_knet_handle_add_datafd_test_SOURCES = api_knet_handle_add_datafd.c \
 					  test-common.c
 
 api_knet_handle_remove_datafd_test_SOURCES = api_knet_handle_remove_datafd.c \
 					     test-common.c
 
 api_knet_handle_get_channel_test_SOURCES = api_knet_handle_get_channel.c \
 					   test-common.c
 
 api_knet_handle_get_datafd_test_SOURCES = api_knet_handle_get_datafd.c \
 					  test-common.c
 
 api_knet_handle_get_stats_test_SOURCES = api_knet_handle_get_stats.c \
 					 test-common.c
 
 api_knet_get_crypto_list_test_SOURCES = api_knet_get_crypto_list.c \
 					test-common.c
 
 api_knet_get_compress_list_test_SOURCES = api_knet_get_compress_list.c \
 					  test-common.c
 
 api_knet_handle_clear_stats_test_SOURCES = api_knet_handle_clear_stats.c \
 					  test-common.c
 
 api_knet_get_transport_list_test_SOURCES = api_knet_get_transport_list.c \
 					   test-common.c
 
 api_knet_get_transport_name_by_id_test_SOURCES = api_knet_get_transport_name_by_id.c \
 						 test-common.c
 
 api_knet_get_transport_id_by_name_test_SOURCES = api_knet_get_transport_id_by_name.c \
 						 test-common.c
 
 api_knet_handle_set_transport_reconnect_interval_test_SOURCES = api_knet_handle_set_transport_reconnect_interval.c \
 								test-common.c
 
 api_knet_handle_get_transport_reconnect_interval_test_SOURCES = api_knet_handle_get_transport_reconnect_interval.c \
 								test-common.c
 
 api_knet_recv_test_SOURCES = api_knet_recv.c \
 			     test-common.c
 
 api_knet_send_test_SOURCES = api_knet_send.c \
 			     test-common.c
 
 api_knet_send_compress_test_SOURCES = api_knet_send_compress.c \
 				      test-common.c
 
 api_knet_send_crypto_test_SOURCES = api_knet_send_crypto.c \
 				    test-common.c
 
 api_knet_send_loopback_test_SOURCES = api_knet_send_loopback.c \
 			     test-common.c
 
 api_knet_send_sync_test_SOURCES = api_knet_send_sync.c \
 				  test-common.c
 
 api_knet_handle_pmtud_setfreq_test_SOURCES = api_knet_handle_pmtud_setfreq.c \
 					     test-common.c
 
 api_knet_handle_pmtud_getfreq_test_SOURCES = api_knet_handle_pmtud_getfreq.c \
 					     test-common.c
 
 api_knet_handle_enable_pmtud_notify_test_SOURCES = api_knet_handle_enable_pmtud_notify.c \
 						   test-common.c
 
 api_knet_handle_pmtud_get_test_SOURCES = api_knet_handle_pmtud_get.c \
 					 test-common.c
 
 api_knet_handle_pmtud_set_test_SOURCES = api_knet_handle_pmtud_set.c \
 					 test-common.c
 
 api_knet_host_add_test_SOURCES = api_knet_host_add.c \
 				 test-common.c
 
 api_knet_host_remove_test_SOURCES = api_knet_host_remove.c \
 				    test-common.c
 
 api_knet_host_set_name_test_SOURCES = api_knet_host_set_name.c \
 				      test-common.c
 
 api_knet_host_get_name_by_host_id_test_SOURCES = api_knet_host_get_name_by_host_id.c \
 						 test-common.c
 
 api_knet_host_get_id_by_host_name_test_SOURCES = api_knet_host_get_id_by_host_name.c \
 						 test-common.c
 
 api_knet_host_get_host_list_test_SOURCES = api_knet_host_get_host_list.c \
 					   test-common.c
 
 api_knet_host_set_policy_test_SOURCES = api_knet_host_set_policy.c \
 					test-common.c
 
 api_knet_host_get_policy_test_SOURCES = api_knet_host_get_policy.c \
 					test-common.c
 
 api_knet_host_get_status_test_SOURCES = api_knet_host_get_status.c \
 					test-common.c
 
 api_knet_host_enable_status_change_notify_test_SOURCES = api_knet_host_enable_status_change_notify.c \
 							 test-common.c
 
 api_knet_log_get_subsystem_name_test_SOURCES = api_knet_log_get_subsystem_name.c \
 					       test-common.c
 
 api_knet_log_get_subsystem_id_test_SOURCES = api_knet_log_get_subsystem_id.c \
 					     test-common.c
 
 api_knet_log_get_loglevel_name_test_SOURCES = api_knet_log_get_loglevel_name.c \
 					      test-common.c
 
 api_knet_log_get_loglevel_id_test_SOURCES = api_knet_log_get_loglevel_id.c \
 					    test-common.c
 
 api_knet_log_set_loglevel_test_SOURCES = api_knet_log_set_loglevel.c \
 					 test-common.c
 
 api_knet_log_get_loglevel_test_SOURCES = api_knet_log_get_loglevel.c \
 					 test-common.c
 
 api_knet_strtoaddr_test_SOURCES = api_knet_strtoaddr.c
 
 api_knet_addrtostr_test_SOURCES = api_knet_addrtostr.c
 
 api_knet_link_set_config_test_SOURCES = api_knet_link_set_config.c \
 					test-common.c
 
 api_knet_link_clear_config_test_SOURCES = api_knet_link_clear_config.c \
 					  test-common.c
 
 api_knet_link_get_config_test_SOURCES = api_knet_link_get_config.c \
 					test-common.c
 
 api_knet_link_set_ping_timers_test_SOURCES = api_knet_link_set_ping_timers.c \
 					     test-common.c
 
 api_knet_link_get_ping_timers_test_SOURCES = api_knet_link_get_ping_timers.c \
 					     test-common.c
 
 api_knet_link_set_pong_count_test_SOURCES = api_knet_link_set_pong_count.c \
 					    test-common.c
 
 api_knet_link_get_pong_count_test_SOURCES = api_knet_link_get_pong_count.c \
 					    test-common.c
 
 api_knet_link_set_priority_test_SOURCES = api_knet_link_set_priority.c \
 					  test-common.c
 
 api_knet_link_get_priority_test_SOURCES = api_knet_link_get_priority.c \
 					  test-common.c
 
 api_knet_link_set_enable_test_SOURCES = api_knet_link_set_enable.c \
 					test-common.c
 
 api_knet_link_get_enable_test_SOURCES = api_knet_link_get_enable.c \
 					test-common.c
 
 api_knet_link_get_link_list_test_SOURCES = api_knet_link_get_link_list.c \
 					   test-common.c
 
 api_knet_link_get_status_test_SOURCES = api_knet_link_get_status.c \
 					test-common.c
 
 api_knet_link_add_acl_test_SOURCES = api_knet_link_add_acl.c \
 				     test-common.c
 
 api_knet_link_insert_acl_test_SOURCES = api_knet_link_insert_acl.c \
 					test-common.c
 
 api_knet_link_rm_acl_test_SOURCES = api_knet_link_rm_acl.c \
 				    test-common.c
 
 api_knet_link_clear_acl_test_SOURCES = api_knet_link_clear_acl.c \
 				       test-common.c
+
+api_knet_handle_crypto_set_config_test_SOURCES = api_knet_handle_crypto_set_config.c \
+						 test-common.c
+
+api_knet_handle_crypto_use_config_test_SOURCES = api_knet_handle_crypto_use_config.c \
+						 test-common.c
+
+api_knet_handle_crypto_rx_clear_traffic_test_SOURCES = api_knet_handle_crypto_rx_clear_traffic.c \
+						       test-common.c
diff --git a/libknet/tests/api-test-coverage b/libknet/tests/api-test-coverage
index 2fa0edbd..4b6e223a 100755
--- a/libknet/tests/api-test-coverage
+++ b/libknet/tests/api-test-coverage
@@ -1,90 +1,90 @@
 #!/bin/sh
 #
 # Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
 #
 # Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 srcdir="$1"/libknet/tests
 builddir="$2"/libknet/tests
 
 headerapicalls="$(grep knet_ "$srcdir"/../libknet.h | grep -v "^ \*" | grep -v ^struct | grep -v "^[[:space:]]" | grep -v typedef | sed -e 's/(.*//g' -e 's/^const //g' -e 's/\*//g' | awk '{print $2}')"
 
 # The PowerPC64 ELFv1 ABI defines the address of a function as that of a
 # function descriptor defined in .opd, a data (D) section.  Other ABIs
 # use the entry address of the function itself in the text (T) section.
-exportedapicalls="$(nm -B -D "$builddir"/../.libs/libknet.so | grep ' [DT] ' | awk '{print $3}')"
+exportedapicalls="$(nm -B -D "$builddir"/../.libs/libknet.so | grep ' [DT] ' | awk '{print $3}' | sed -e 's#@@LIBKNET##g')"
 
 echo "Checking for exported symbols NOT available in header file"
 
 for i in $exportedapicalls; do
 	found=0
 	for x in $headerapicalls; do
 		if [ "$x" = "$i" ]; then
 			found=1
 			break;
 		fi
 	done
 	if [ "$found" = 0 ]; then
 		echo "Symbol $i not found in header file"
 		exit 1
 	fi
 done
 
 echo "Checking for symbols in header file NOT exported by binary lib"
 
 for i in $headerapicalls; do
 	found=0
 	for x in $exportedapicalls; do
 		if [ "$x" = "$i" ]; then
 			found=1
 			break;
 		fi
 	done
 	if [ "$found" = 0 ]; then
 		echo "Symbol $i not found in binary lib"
 		exit 1
 	fi
 done
 
 echo "Checking for tests with memcheck exceptions"
 
 for i in $(grep -l is_memcheck "$srcdir"/*.c | grep -v test-common); do
 	echo "WARNING: $(basename $i) - has memcheck exception enabled"
 done
 
 echo "Checking for tests with helgrind exceptions"
 
 for i in $(grep -l is_helgrind "$srcdir"/*.c | grep -v test-common); do
 	echo "WARNING: $(basename $i) has helgrind exception enabled"
 done
 
 echo "Checking for api test coverage"
 
 numapicalls=0
 found=0
 missing=0
 
 for i in $headerapicalls; do
 	[ "$i" = knet_handle_new_ex ] && i=knet_handle_new # tested together
 	numapicalls=$((numapicalls + 1))
 	if [ -f $srcdir/api_${i}.c ]; then
 		found=$((found + 1))
 	else
 		missing=$((missing + 1))
 		echo "MISSING: $i"
 	fi
 done
 
 echo "Summary"
 echo "-------"
 echo "Found   : $found"
 echo "Missing : $missing"
 echo "Total   : $numapicalls"
 which bc > /dev/null 2>&1 && {
 	coverage=$(echo "scale=3; $found / $numapicalls * 100" | bc -l)
 	echo "Coverage: $coverage%"
 }
 exit 0
diff --git a/libknet/tests/api_knet_handle_crypto.c b/libknet/tests/api_knet_handle_crypto.c
index 1fa962df..e02e9041 100644
--- a/libknet/tests/api_knet_handle_crypto.c
+++ b/libknet/tests/api_knet_handle_crypto.c
@@ -1,332 +1,332 @@
 /*
  * Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "crypto_model.h"
 #include "test-common.h"
 
 static void test(const char *model, const char *model2)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	struct knet_handle_crypto_cfg knet_handle_crypto_cfg;
 	struct crypto_instance *current = NULL;
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 
 	printf("Test knet_handle_crypto incorrect knet_h\n");
 
 	if ((!knet_handle_crypto(NULL, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
 		printf("knet_handle_crypto accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with invalid cfg\n");
 
 	if ((!knet_handle_crypto(knet_h, NULL)) || (errno != EINVAL)) {
 		printf("knet_handle_crypto accepted invalid cfg or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with un-initialized cfg\n");
 
 	if ((!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
 		printf("knet_handle_crypto accepted invalid un-initialized cfg\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with none crypto model (disable crypto)\n");
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, "none", sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) != 0) {
 		printf("knet_handle_crypto did not accept none crypto mode cfg\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with none crypto cipher and hash (disable crypto)\n");
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "none", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) != 0) {
 		printf("knet_handle_crypto did not accept none crypto cipher and hash cfg\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with %s/aes128/sha1 and too short key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 10;
 
 	if ((!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
 		printf("knet_handle_crypto accepted too short private key\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with %s/aes128/sha1 and too long key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 10000;
 
 	if ((!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
 		printf("knet_handle_crypto accepted too long private key\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with %s/aes128/sha1 and normal key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
 		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model2);
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[1];
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
 		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	if (current == knet_h->crypto_instance) {
+	if (current == knet_h->crypto_instance[1]) {
 		printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model);
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[1];
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
 		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	if (current == knet_h->crypto_instance) {
+	if (current == knet_h->crypto_instance[1]) {
 		printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto reconfig with %s/aes129/sha1 and normal key\n", model);
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[1];
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes129", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
 	if (!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
 		printf("knet_handle_crypto failed to detect incorrect config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	if (current != knet_h->crypto_instance) {
+	if (current != knet_h->crypto_instance[1]) {
 		printf("knet_handle_crypto failed to restore correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with %s/aes128/none and normal key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
 	if (!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
 		printf("knet_handle_crypto accepted crypto without hashing\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Test knet_handle_crypto with %s/aes128/sha1 and key where (key_len %% wrap_key_block_size != 0)\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	/*
 	 * Prime number so chance that (private_key_len % wrap_key_block_size == 0) is minimalized
 	 */
 	knet_handle_crypto_cfg.private_key_len = 2003;
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) < 0) {
 		printf("knet_handle_crypto doesn't accept private_ley with len 2003: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Shutdown crypto\n");
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, "none", sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "none", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) < 0) {
 		printf("Unable to shutdown crypto: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	struct knet_crypto_info crypto_list[16];
 	size_t crypto_list_entries;
 	size_t i;
 
 	memset(crypto_list, 0, sizeof(crypto_list));
 
 	if (knet_get_crypto_list(crypto_list, &crypto_list_entries) < 0) {
 		printf("knet_get_crypto_list failed: %s\n", strerror(errno));
 		return FAIL;
 	}
 
 	if (crypto_list_entries == 0) {
 		printf("no crypto modules detected. Skipping\n");
 		return SKIP;
 	}
 
 	for (i=0; i < crypto_list_entries; i++) {
 		test(crypto_list[i].name, crypto_list[0].name);
 	}
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_handle_crypto_rx_clear_traffic.c b/libknet/tests/api_knet_handle_crypto_rx_clear_traffic.c
new file mode 100644
index 00000000..cbd87e22
--- /dev/null
+++ b/libknet/tests/api_knet_handle_crypto_rx_clear_traffic.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.  All rights reserved.
+ *
+ * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
+ *
+ * This software licensed under GPL-2.0+
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "libknet.h"
+
+#include "internals.h"
+#include "crypto_model.h"
+#include "test-common.h"
+
+static void test()
+{
+	knet_handle_t knet_h;
+	int logfds[2];
+
+	printf("Test knet_handle_crypto_rx_clear_traffic incorrect knet_h\n");
+
+	if ((!knet_handle_crypto_rx_clear_traffic(NULL, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_rx_clear_traffic accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+		exit(FAIL);
+	}
+
+	setup_logpipes(logfds);
+
+	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_rx_clear_traffic with invalid value\n");
+
+	if ((!knet_handle_crypto_rx_clear_traffic(knet_h, 2)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_rx_clear_traffic accepted invalid value (%u) or returned incorrect error: %s\n", 2, strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_rx_clear_traffic with valid value KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC\n");
+
+	if ((knet_handle_crypto_rx_clear_traffic(knet_h, KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC)) < 0) {
+		printf("knet_handle_crypto_rx_clear_traffic did not accept valid value\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_h->crypto_only != KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC) {
+		printf("knet_handle_crypto_rx_clear_traffic failed to set correct value\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_rx_clear_traffic with valid value KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC\n");
+
+	if ((knet_handle_crypto_rx_clear_traffic(knet_h, KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC)) < 0) {
+		printf("knet_handle_crypto_rx_clear_traffic did not accept valid value\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_h->crypto_only != KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC) {
+		printf("knet_handle_crypto_rx_clear_traffic failed to set correct value\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	knet_handle_free(knet_h);
+	flush_logs(logfds[0], stdout);
+	close_logpipes(logfds);
+}
+
+int main(int argc, char *argv[])
+{
+	test();
+
+	return PASS;
+}
diff --git a/libknet/tests/api_knet_handle_crypto.c b/libknet/tests/api_knet_handle_crypto_set_config.c
similarity index 53%
copy from libknet/tests/api_knet_handle_crypto.c
copy to libknet/tests/api_knet_handle_crypto_set_config.c
index 1fa962df..b4e398ba 100644
--- a/libknet/tests/api_knet_handle_crypto.c
+++ b/libknet/tests/api_knet_handle_crypto_set_config.c
@@ -1,332 +1,432 @@
 /*
  * Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #include "libknet.h"
 
 #include "internals.h"
 #include "crypto_model.h"
 #include "test-common.h"
 
 static void test(const char *model, const char *model2)
 {
 	knet_handle_t knet_h;
 	int logfds[2];
 	struct knet_handle_crypto_cfg knet_handle_crypto_cfg;
 	struct crypto_instance *current = NULL;
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 
-	printf("Test knet_handle_crypto incorrect knet_h\n");
+	printf("Test knet_handle_crypto_set_config incorrect knet_h\n");
 
-	if ((!knet_handle_crypto(NULL, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
-		printf("knet_handle_crypto accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+	if ((!knet_handle_crypto_set_config(NULL, &knet_handle_crypto_cfg, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_set_config accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
 		exit(FAIL);
 	}
 
 	setup_logpipes(logfds);
 
 	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with invalid cfg\n");
+	printf("Test knet_handle_crypto_set_config with invalid cfg\n");
 
-	if ((!knet_handle_crypto(knet_h, NULL)) || (errno != EINVAL)) {
-		printf("knet_handle_crypto accepted invalid cfg or returned incorrect error: %s\n", strerror(errno));
+	if ((!knet_handle_crypto_set_config(knet_h, NULL, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_set_config accepted invalid cfg or returned incorrect error: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with un-initialized cfg\n");
+	printf("Test knet_handle_crypto_set_config with invalid config num\n");
 
-	if ((!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
-		printf("knet_handle_crypto accepted invalid un-initialized cfg\n");
+	if ((!knet_handle_crypto_set_config(knet_h, NULL, KNET_MAX_CRYPTO_INSTANCES + 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_set_config accepted invalid config num (%u) or returned incorrect error: %s\n", KNET_MAX_CRYPTO_INSTANCES + 1, strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with none crypto model (disable crypto)\n");
+	printf("Test knet_handle_crypto_set_config with un-initialized cfg\n");
+
+	if ((!knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_set_config accepted invalid un-initialized cfg\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_set_config with none crypto model (disable crypto)\n");
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, "none", sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) != 0) {
-		printf("knet_handle_crypto did not accept none crypto mode cfg\n");
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1) != 0) {
+		printf("knet_handle_crypto_set_config did not accept none crypto mode cfg\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with none crypto cipher and hash (disable crypto)\n");
+	printf("Test knet_handle_crypto_set_config with none crypto cipher and hash (disable crypto)\n");
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "none", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) != 0) {
-		printf("knet_handle_crypto did not accept none crypto cipher and hash cfg\n");
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1) != 0) {
+		printf("knet_handle_crypto_set_config did not accept none crypto cipher and hash cfg\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with %s/aes128/sha1 and too short key\n", model);
+	printf("Test knet_handle_crypto_set_config with %s/aes128/sha1 and too short key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 10;
 
-	if ((!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
-		printf("knet_handle_crypto accepted too short private key\n");
+	if ((!knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_set_config accepted too short private key\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with %s/aes128/sha1 and too long key\n", model);
+	printf("Test knet_handle_crypto_set_config with %s/aes128/sha1 and too long key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 10000;
 
-	if ((!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) || (errno != EINVAL)) {
-		printf("knet_handle_crypto accepted too long private key\n");
+	if ((!knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_set_config accepted too long private key\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with %s/aes128/sha1 and normal key\n", model);
+	printf("Test knet_handle_crypto_set_config with %s/aes128/sha1 and normal key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
-		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) {
+		printf("knet_handle_crypto_set_config failed with correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model2);
+	printf("Test knet_handle_crypto_set_config reconfig with %s/aes128/sha1 and normal key\n", model2);
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[1];
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
-		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) {
+		printf("knet_handle_crypto_set_config failed with correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	if (current == knet_h->crypto_instance) {
-		printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
+	if (current == knet_h->crypto_instance[1]) {
+		printf("knet_handle_crypto_set_config failed to install new correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto reconfig with %s/aes128/sha1 and normal key\n", model);
+	printf("Test knet_handle_crypto_set_config reconfig with %s/aes128/sha1 and normal key\n", model);
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[1];
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
-		printf("knet_handle_crypto failed with correct config: %s\n", strerror(errno));
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) {
+		printf("knet_handle_crypto_set_config failed with correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	if (current == knet_h->crypto_instance) {
-		printf("knet_handle_crypto failed to install new correct config: %s\n", strerror(errno));
+	if (current == knet_h->crypto_instance[1]) {
+		printf("knet_handle_crypto_set_config failed to install new correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto reconfig with %s/aes129/sha1 and normal key\n", model);
+	printf("Test knet_handle_crypto_set_config reconfig with %s/aes129/sha1 and normal key\n", model);
 
-	current = knet_h->crypto_instance;
+	current = knet_h->crypto_instance[1];
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes129", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
-	if (!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
-		printf("knet_handle_crypto failed to detect incorrect config: %s\n", strerror(errno));
+	if (!knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) {
+		printf("knet_handle_crypto_set_config failed to detect incorrect config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	if (current != knet_h->crypto_instance) {
-		printf("knet_handle_crypto failed to restore correct config: %s\n", strerror(errno));
+	if (current != knet_h->crypto_instance[1]) {
+		printf("knet_handle_crypto_set_config failed to restore correct config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with %s/aes128/none and normal key\n", model);
+	printf("Test knet_handle_crypto_set_config with %s/aes128/none and normal key\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
-	if (!knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
-		printf("knet_handle_crypto accepted crypto without hashing\n");
+	if (!knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) {
+		printf("knet_handle_crypto_set_config accepted crypto without hashing\n");
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
-	printf("Test knet_handle_crypto with %s/aes128/sha1 and key where (key_len %% wrap_key_block_size != 0)\n", model);
+	printf("Test knet_handle_crypto_set_config with %s/aes128/sha1 and key where (key_len %% wrap_key_block_size != 0)\n", model);
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	/*
 	 * Prime number so chance that (private_key_len % wrap_key_block_size == 0) is minimalized
 	 */
 	knet_handle_crypto_cfg.private_key_len = 2003;
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) < 0) {
-		printf("knet_handle_crypto doesn't accept private_ley with len 2003: %s\n", strerror(errno));
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1) < 0) {
+		printf("knet_handle_crypto_set_config doesn't accept private_ley with len 2003: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_set_config second with %s/aes128/sha1 and normal key\n", model);
+
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	knet_handle_crypto_cfg.private_key_len = 2000;
+
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 2) < 0) {
+		printf("knet_handle_crypto_set_config failed to install second config: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if (!knet_h->crypto_instance[2]) {
+		printf("knet_handle_crypto_set_config failed to install second config but reported success\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_h->crypto_instance[1] == knet_h->crypto_instance[2]) {
+		printf("knet_handle_crypto_set_config failed to install second config and assigned to first\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	printf("Test knet_handle_crypto_set_config second config BUSY test\n");
+
+	if (knet_handle_crypto_use_config(knet_h, 2) < 0) {
+		printf("knet_handle_crypto_use_config failed to enable second config: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (!knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 2) && (errno != EBUSY)) {
+		printf("knet_handle_crypto_set_config failed to detect second config in use: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_handle_crypto_use_config(knet_h, 0) < 0) {
+		printf("knet_handle_crypto_use_config failed to enable second config: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
 	printf("Shutdown crypto\n");
 
 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
 	strncpy(knet_handle_crypto_cfg.crypto_model, "none", sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "none", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
 	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
 	knet_handle_crypto_cfg.private_key_len = 2000;
 
-	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg) < 0) {
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1) < 0) {
 		printf("Unable to shutdown crypto: %s\n", strerror(errno));
 		knet_handle_free(knet_h);
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 
 	flush_logs(logfds[0], stdout);
 
+	if (knet_h->crypto_instance[1]) {
+		printf("knet_handle_crypto_set_config failed to wipe first config but reported success\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 2) < 0) {
+		printf("Unable to shutdown crypto: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if (knet_h->crypto_instance[2]) {
+		printf("knet_handle_crypto_set_config failed to wipe first config but reported success\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
 	knet_handle_free(knet_h);
 	flush_logs(logfds[0], stdout);
 	close_logpipes(logfds);
 }
 
 int main(int argc, char *argv[])
 {
 	struct knet_crypto_info crypto_list[16];
 	size_t crypto_list_entries;
 	size_t i;
 
 	memset(crypto_list, 0, sizeof(crypto_list));
 
 	if (knet_get_crypto_list(crypto_list, &crypto_list_entries) < 0) {
 		printf("knet_get_crypto_list failed: %s\n", strerror(errno));
 		return FAIL;
 	}
 
 	if (crypto_list_entries == 0) {
 		printf("no crypto modules detected. Skipping\n");
 		return SKIP;
 	}
 
 	for (i=0; i < crypto_list_entries; i++) {
 		test(crypto_list[i].name, crypto_list[0].name);
 	}
 
 	return PASS;
 }
diff --git a/libknet/tests/api_knet_handle_crypto_use_config.c b/libknet/tests/api_knet_handle_crypto_use_config.c
new file mode 100644
index 00000000..d9dd0040
--- /dev/null
+++ b/libknet/tests/api_knet_handle_crypto_use_config.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.  All rights reserved.
+ *
+ * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
+ *
+ * This software licensed under GPL-2.0+
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "libknet.h"
+
+#include "internals.h"
+#include "crypto_model.h"
+#include "test-common.h"
+
+static void test(const char *model, const char *model2)
+{
+	knet_handle_t knet_h;
+	int logfds[2];
+	struct knet_handle_crypto_cfg knet_handle_crypto_cfg;
+
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+
+	printf("Test knet_handle_crypto_use_config incorrect knet_h\n");
+
+	if ((!knet_handle_crypto_use_config(NULL, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_use_config accepted invalid knet_h or returned incorrect error: %s\n", strerror(errno));
+		exit(FAIL);
+	}
+
+	setup_logpipes(logfds);
+
+	knet_h = knet_handle_start(logfds, KNET_LOG_DEBUG);
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_use_config with invalid config num\n");
+
+	if ((!knet_handle_crypto_use_config(knet_h, KNET_MAX_CRYPTO_INSTANCES + 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_use_config accepted invalid config num (%u) or returned incorrect error: %s\n", KNET_MAX_CRYPTO_INSTANCES + 1, strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_use_config with un-initialized cfg\n");
+
+	if ((!knet_handle_crypto_use_config(knet_h, 1)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_use_config accepted invalid un-initialized cfg (1): %d\n", errno);
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if ((!knet_handle_crypto_use_config(knet_h, 2)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_use_config accepted invalid un-initialized cfg (2)\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_set_config with %s/aes128/sha1 and normal key\n", model);
+
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	knet_handle_crypto_cfg.private_key_len = 2000;
+
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1)) {
+		printf("knet_handle_crypto_set_config failed with correct config: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_use_config with un-initialized cfg (part 2)\n");
+
+	if ((!knet_handle_crypto_use_config(knet_h, 2)) || (errno != EINVAL)) {
+		printf("knet_handle_crypto_use_config accepted invalid un-initialized cfg (2)\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if ((knet_handle_crypto_use_config(knet_h, 1)) < 0) {
+		printf("knet_handle_crypto_use_config did not accept valid config (1)\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_set_config for second config with %s/aes128/sha1 and normal key\n", model);
+
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	knet_handle_crypto_cfg.private_key_len = 2000;
+
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 2)) {
+		printf("knet_handle_crypto_set_config failed with correct config: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Test knet_handle_crypto_use_config with valid data\n");
+
+	if ((knet_handle_crypto_use_config(knet_h, 2)) < 0) {
+		printf("knet_handle_crypto_use_config did not accept valid config (1)\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if (knet_h->crypto_in_use_config != 2) {
+		printf("knet_handle_crypto_set_config failed to set crypto in-use config to 2\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	printf("Shutdown crypto\n");
+
+	printf("Test knet_handle_crypto_use_config with valid data\n");
+
+	if ((knet_handle_crypto_use_config(knet_h, 0)) < 0) {
+		printf("knet_handle_crypto_use_config did not accept valid config (1)\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if (knet_h->crypto_in_use_config != 0) {
+		printf("knet_handle_crypto_set_config failed to set crypto in-use config to 2\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, "none", sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "none", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	knet_handle_crypto_cfg.private_key_len = 2000;
+
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 1) < 0) {
+		printf("Unable to shutdown crypto: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if (knet_h->crypto_instance[1]) {
+		printf("knet_handle_crypto_set_config failed to wipe first config but reported success\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	if (knet_handle_crypto_set_config(knet_h, &knet_handle_crypto_cfg, 2) < 0) {
+		printf("Unable to shutdown crypto: %s\n", strerror(errno));
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	if (knet_h->crypto_instance[2]) {
+		printf("knet_handle_crypto_set_config failed to wipe first config but reported success\n");
+		knet_handle_free(knet_h);
+		flush_logs(logfds[0], stdout);
+		close_logpipes(logfds);
+		exit(FAIL);
+	}
+
+	knet_handle_free(knet_h);
+	flush_logs(logfds[0], stdout);
+	close_logpipes(logfds);
+}
+
+int main(int argc, char *argv[])
+{
+	struct knet_crypto_info crypto_list[16];
+	size_t crypto_list_entries;
+	size_t i;
+
+	memset(crypto_list, 0, sizeof(crypto_list));
+
+	if (knet_get_crypto_list(crypto_list, &crypto_list_entries) < 0) {
+		printf("knet_get_crypto_list failed: %s\n", strerror(errno));
+		return FAIL;
+	}
+
+	if (crypto_list_entries == 0) {
+		printf("no crypto modules detected. Skipping\n");
+		return SKIP;
+	}
+
+	for (i=0; i < crypto_list_entries; i++) {
+		test(crypto_list[i].name, crypto_list[0].name);
+	}
+
+	return PASS;
+}
diff --git a/libknet/tests/fun_config_crypto.c b/libknet/tests/fun_config_crypto.c
new file mode 100644
index 00000000..2a4b5df1
--- /dev/null
+++ b/libknet/tests/fun_config_crypto.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.  All rights reserved.
+ *
+ * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
+ *
+ * This software licensed under GPL-2.0+
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+
+#include "libknet.h"
+
+#include "compress.h"
+#include "internals.h"
+#include "netutils.h"
+#include "test-common.h"
+
+#define TESTNODES 2
+
+static void test(const char *model)
+{
+	knet_handle_t knet_h[TESTNODES + 1];
+	int logfds[2];
+	struct knet_handle_crypto_cfg knet_handle_crypto_cfg;
+	int i,x,j;
+	int seconds = 5;
+
+	if (is_memcheck() || is_helgrind()) {
+		printf("Test suite is running under valgrind, adjusting wait_for_host timeout\n");
+		seconds = seconds * 16;
+	}
+
+	setup_logpipes(logfds);
+
+	knet_handle_start_nodes(knet_h, TESTNODES, logfds, KNET_LOG_DEBUG);
+
+	flush_logs(logfds[0], stdout);
+
+	/*
+	 * config1: aes128/sha256 key1 is all 0s (2000 bytes)
+	 */
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha256", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	memset(knet_handle_crypto_cfg.private_key, 0, KNET_MAX_KEY_LEN);
+	knet_handle_crypto_cfg.private_key_len = 2000;
+
+	for (i = 1; i <= TESTNODES; i++) {
+		if (knet_handle_crypto_set_config(knet_h[i], &knet_handle_crypto_cfg, 1) < 0) {
+			printf("knet_handle_crypto_set_config (1) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+		if (knet_handle_crypto_use_config(knet_h[i], 1) < 0) {
+			printf("knet_handle_crypto_use_config (1) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+		if (knet_handle_crypto_rx_clear_traffic(knet_h[i], KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC)) {
+			printf("knet_handle_crypto_rx_clear_traffic failed: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	knet_handle_join_nodes(knet_h, TESTNODES, 1, AF_INET, KNET_TRANSPORT_UDP);
+
+	flush_logs(logfds[0], stdout);
+
+	/*
+	 * config2: aes256/sha512 key1 is all 1s (KNET_MAX_KEY_LEN bytes)
+	 */
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes256", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha512", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	memset(knet_handle_crypto_cfg.private_key, 1, KNET_MAX_KEY_LEN);
+	knet_handle_crypto_cfg.private_key_len = KNET_MAX_KEY_LEN;
+
+	for (i = 1; i <= TESTNODES; i++) {
+		if (knet_handle_crypto_set_config(knet_h[i], &knet_handle_crypto_cfg, 2) < 0) {
+			printf("knet_handle_crypto_set_config (2) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Testing crypto config switch from 1 to 2\n");
+
+	for (i = 1; i <= TESTNODES; i++) {
+		if (knet_handle_crypto_use_config(knet_h[i], 2) < 0) {
+			printf("knet_handle_crypto_use_config (2) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+		for (x = 0; x < seconds; x++){
+			flush_logs(logfds[0], stdout);
+			sleep(1);
+		}
+		for (x = 1; x <= TESTNODES; x++) {
+			for (j = 1; j <= TESTNODES; j++) {
+				if (j == x) {
+					continue;
+				}
+				if (knet_h[x]->host_index[j]->status.reachable != 1) {
+					printf("knet failed to switch config for host %d\n", x);
+					knet_handle_stop_nodes(knet_h, TESTNODES);
+					flush_logs(logfds[0], stdout);
+					close_logpipes(logfds);
+					exit(FAIL);
+				}
+			}
+		}
+	}
+
+	flush_logs(logfds[0], stdout);
+
+	printf("Testing crypto config switch from 2 to 1\n");
+
+	for (i = 1; i <= TESTNODES; i++) {
+		if (knet_handle_crypto_use_config(knet_h[i], 1) < 0) {
+			printf("knet_handle_crypto_use_config (1) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+		for (x = 0; x < seconds; x++){
+			flush_logs(logfds[0], stdout);
+			sleep(1);
+		}
+		for (x = 1; x <= TESTNODES; x++) {
+			for (j = 1; j <= TESTNODES; j++) {
+				if (j == x) {
+					continue;
+				}
+				if (knet_h[x]->host_index[j]->status.reachable != 1) {
+					printf("knet failed to switch config for host %d\n", x);
+					knet_handle_stop_nodes(knet_h, TESTNODES);
+					flush_logs(logfds[0], stdout);
+					close_logpipes(logfds);
+					exit(FAIL);
+				}
+			}
+		}
+	}
+
+	printf("Testing disable crypto config and allow clear traffic\n");
+
+	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));
+	strncpy(knet_handle_crypto_cfg.crypto_model, "none", sizeof(knet_handle_crypto_cfg.crypto_model) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "none", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);
+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "none", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);
+	memset(knet_handle_crypto_cfg.private_key, 0, KNET_MAX_KEY_LEN);
+	knet_handle_crypto_cfg.private_key_len = KNET_MAX_KEY_LEN;
+
+	for (i = 1; i <= TESTNODES; i++) {
+		/*
+		 * config2 is no longer in use
+		 */
+		if (knet_handle_crypto_set_config(knet_h[i], &knet_handle_crypto_cfg, 2) < 0) {
+			printf("knet_handle_crypto_set_config (2) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+		/*
+		 * allow clear traffic on RX on all nodes, before we change config to clear traffic
+		 */
+		if (knet_handle_crypto_rx_clear_traffic(knet_h[i], KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC)) {
+			printf("knet_handle_crypto_rx_clear_traffic failed: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+	}
+
+	for (i = 1; i <= TESTNODES; i++) {
+		/*
+		 * switch to clear traffic on RX on all nodes
+		 */
+		if (knet_handle_crypto_use_config(knet_h[i], 0) < 0) {
+			printf("knet_handle_crypto_use_config (0) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+	}
+
+
+	for (i = 1; i <= TESTNODES; i++) {
+		/*
+		 * config1 is no longer in use
+		 */
+		if (knet_handle_crypto_set_config(knet_h[i], &knet_handle_crypto_cfg, 1) < 0) {
+			printf("knet_handle_crypto_set_config (2) failed with correct config: %s\n", strerror(errno));
+			knet_handle_stop_nodes(knet_h, TESTNODES);
+			flush_logs(logfds[0], stdout);
+			close_logpipes(logfds);
+			exit(FAIL);
+		}
+	}
+
+	for (i = 1; i <= TESTNODES; i++) {
+		for (x = 0; x < seconds; x++){
+			flush_logs(logfds[0], stdout);
+			sleep(1);
+		}
+		for (x = 1; x <= TESTNODES; x++) {
+			for (j = 1; j <= TESTNODES; j++) {
+				if (j == x) {
+					continue;
+				}
+				if (knet_h[x]->host_index[j]->status.reachable != 1) {
+					printf("knet failed to switch config for host %d\n", x);
+					knet_handle_stop_nodes(knet_h, TESTNODES);
+					flush_logs(logfds[0], stdout);
+					close_logpipes(logfds);
+					exit(FAIL);
+				}
+			}
+		}
+	}
+
+	flush_logs(logfds[0], stdout);
+	close_logpipes(logfds);
+	knet_handle_stop_nodes(knet_h, TESTNODES);
+}
+
+int main(int argc, char *argv[])
+{
+	struct knet_crypto_info crypto_list[16];
+	size_t crypto_list_entries;
+	size_t i;
+
+	memset(crypto_list, 0, sizeof(crypto_list));
+
+	if (knet_get_crypto_list(crypto_list, &crypto_list_entries) < 0) {
+		printf("knet_get_crypto_list failed: %s\n", strerror(errno));
+		return FAIL;
+	}
+
+	if (crypto_list_entries == 0) {
+		printf("no crypto modules detected. Skipping\n");
+		return SKIP;
+	}
+
+	for (i=0; i < crypto_list_entries; i++) {
+		test(crypto_list[i].name);
+	}
+
+	return PASS;
+}
diff --git a/libknet/tests/test-common.c b/libknet/tests/test-common.c
index b3cf9638..0906bac5 100644
--- a/libknet/tests/test-common.c
+++ b/libknet/tests/test-common.c
@@ -1,586 +1,693 @@
 /*
  * Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sys/select.h>
 
 #include "libknet.h"
 #include "test-common.h"
 
 static pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
 static int log_init = 0;
 static pthread_mutex_t log_thread_mutex = PTHREAD_MUTEX_INITIALIZER;
 static pthread_t log_thread;
 static int log_thread_init = 0;
 static int log_fds[2];
 struct log_thread_data {
 	int logfd;
 	FILE *std;
 };
 static struct log_thread_data data;
-static pthread_mutex_t shutdown_mutex = PTHREAD_MUTEX_INITIALIZER;
-static int stop_in_progress = 0;
 
 static int _read_pipe(int fd, char **file, size_t *length)
 {
 	char buf[4096];
 	int n;
 	int done = 0;
 
 	*file = NULL;
 	*length = 0;
 
 	memset(buf, 0, sizeof(buf));
 
 	while (!done) {
 
 		n = read(fd, buf, sizeof(buf));
 
 		if (n < 0) {
 			if (errno == EINTR)
 				continue;
 
 			if (*file)
 				free(*file);
 
 			return n;
 		}
 
 		if (n == 0 && (!*length))
 			return 0;
 
 		if (n == 0)
 			done = 1;
 
 		if (*file)
 			*file = realloc(*file, (*length) + n + done);
 		else
 			*file = malloc(n + done);
 
 		if (!*file)
 			return -1;
 
 		memmove((*file) + (*length), buf, n);
 		*length += (done + n);
 	}
 
 	/* Null terminator */
 	(*file)[(*length) - 1] = 0;
 
 	return 0;
 }
 
 int execute_shell(const char *command, char **error_string)
 {
 	pid_t pid;
 	int status, err = 0;
 	int fd[2];
 	size_t size = 0;
 
 	if ((command == NULL) || (!error_string)) {
 		errno = EINVAL;
 		return FAIL;
 	}
 
 	*error_string = NULL;
 
 	err = pipe(fd);
 	if (err)
 		goto out_clean;
 
 	pid = fork();
 	if (pid < 0) {
 		err = pid;
 		goto out_clean;
 	}
 
 	if (pid) { /* parent */
 
 		close(fd[1]);
 		err = _read_pipe(fd[0], error_string, &size);
 		if (err)
 			goto out_clean0;
 
 		waitpid(pid, &status, 0);
 		if (!WIFEXITED(status)) {
 			err = -1;
 			goto out_clean0;
 		}
 		if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
 			err = WEXITSTATUS(status);
 			goto out_clean0;
 		}
 		goto out_clean0;
 	} else { /* child */
 		close(0);
 		close(1);
 		close(2);
 
 		close(fd[0]);
 		dup2(fd[1], 1);
 		dup2(fd[1], 2);
 		close(fd[1]);
 
 		execlp("/bin/sh", "/bin/sh", "-c", command, NULL);
 		exit(FAIL);
 	}
 
 out_clean:
 	close(fd[1]);
 out_clean0:
 	close(fd[0]);
 
 	return err;
 }
 
 int is_memcheck(void)
 {
 	char *val;
 
 	val = getenv("KNETMEMCHECK");
 
 	if (val) {
 		if (!strncmp(val, "yes", 3)) {
 			return 1;
 		}
 	}
 
 	return 0;
 }
 
 int is_helgrind(void)
 {
 	char *val;
 
 	val = getenv("KNETHELGRIND");
 
 	if (val) {
 		if (!strncmp(val, "yes", 3)) {
 			return 1;
 		}
 	}
 
 	return 0;
 }
 
 void set_scheduler(int policy)
 {
 	struct sched_param sched_param;
 	int err;
 
 	err = sched_get_priority_max(policy);
 	if (err < 0) {
 		printf("Could not get maximum scheduler priority\n");
 		exit(FAIL);
 	}
 	sched_param.sched_priority = err;
 	err = sched_setscheduler(0, policy, &sched_param);
 	if (err < 0) {
 		printf("Could not set priority\n");
 		exit(FAIL);
 	}
 	return;
 }
 
 int setup_logpipes(int *logfds)
 {
 	if (pipe2(logfds, O_CLOEXEC | O_NONBLOCK) < 0) {
 		printf("Unable to setup logging pipe\n");
 		exit(FAIL);
 	}
 
 	return PASS;
 }
 
 void close_logpipes(int *logfds)
 {
 	close(logfds[0]);
 	logfds[0] = 0;
 	close(logfds[1]);
 	logfds[1] = 0;
 }
 
 void flush_logs(int logfd, FILE *std)
 {
 	struct knet_log_msg msg;
 	int len;
 
 	while (1) {
 		len = read(logfd, &msg, sizeof(msg));
 		if (len != sizeof(msg)) {
 			/*
 			 * clear errno to avoid incorrect propagation
 			 */
 			errno = 0;
 			return;
 		}
 
 		msg.msg[sizeof(msg.msg) - 1] = 0;
 
 		fprintf(std, "[knet]: [%s] %s: %.*s\n",
 			knet_log_get_loglevel_name(msg.msglevel),
 			knet_log_get_subsystem_name(msg.subsystem),
 			KNET_MAX_LOG_MSG_SIZE, msg.msg);
 	}
 }
 
 static void *_logthread(void *args)
 {
 	while (1) {
 		int num;
 		struct timeval tv = { 60, 0 };
 		fd_set rfds;
 
 		FD_ZERO(&rfds);
 		FD_SET(data.logfd, &rfds);
 
 		num = select(FD_SETSIZE, &rfds, NULL, NULL, &tv);
 		if (num < 0) {
 			fprintf(data.std, "Unable select over logfd!\nHALTING LOGTHREAD!\n");
 			return NULL;
 		}
 		if (num == 0) {
 			fprintf(data.std, "[knet]: No logs in the last 60 seconds\n");
 			continue;
 		}
 		if (FD_ISSET(data.logfd, &rfds)) {
 			flush_logs(data.logfd, data.std);
 		}
 	}
 }
 
 int start_logthread(int logfd, FILE *std)
 {
 	int savederrno = 0;
 
 	savederrno = pthread_mutex_lock(&log_thread_mutex);
 	if (savederrno) {
 		printf("Unable to get log_thread mutex lock\n");
 		return -1;
 	}
 
 	if (!log_thread_init) {
 		data.logfd = logfd;
 		data.std = std;
 
 		savederrno = pthread_create(&log_thread, 0, _logthread, NULL);
 		if (savederrno) {
 			printf("Unable to start logging thread: %s\n", strerror(savederrno));
 			pthread_mutex_unlock(&log_thread_mutex);
 			return -1;
 		}
 		log_thread_init = 1;
 	}
 
 	pthread_mutex_unlock(&log_thread_mutex);
 	return 0;
 }
 
 int stop_logthread(void)
 {
 	int savederrno = 0;
 	void *retval;
 
 	savederrno = pthread_mutex_lock(&log_thread_mutex);
 	if (savederrno) {
 		printf("Unable to get log_thread mutex lock\n");
 		return -1;
 	}
 
 	if (log_thread_init) {
 		pthread_cancel(log_thread);
 		pthread_join(log_thread, &retval);
 		log_thread_init = 0;
 	}
 
 	pthread_mutex_unlock(&log_thread_mutex);
 	return 0;
 }
 
 static void stop_logging(void)
 {
 	stop_logthread();
 	flush_logs(log_fds[0], stdout);
 	close_logpipes(log_fds);
 }
 
 int start_logging(FILE *std)
 {
 	int savederrno = 0;
 
 	savederrno = pthread_mutex_lock(&log_mutex);
 	if (savederrno) {
 		printf("Unable to get log_mutex lock\n");
 		return -1;
 	}
 
 	if (!log_init) {
 		setup_logpipes(log_fds);
 
 		if (atexit(&stop_logging) != 0) {
 			printf("Unable to register atexit handler to stop logging: %s\n",
 			       strerror(errno));
 			exit(FAIL);
 		}
 
 		if (start_logthread(log_fds[0], std) < 0) {
 			exit(FAIL);
 		}
 
 		log_init = 1;
 	}
 
 	pthread_mutex_unlock(&log_mutex);
 
 	return log_fds[1];
 }
 
 knet_handle_t knet_handle_start(int logfds[2], uint8_t log_level)
 {
 	knet_handle_t knet_h = knet_handle_new_ex(1, logfds[1], log_level, 0);
 
 	if (knet_h) {
 		return knet_h;
 	} else {
 		printf("knet_handle_new failed: %s\n", strerror(errno));
 		flush_logs(logfds[0], stdout);
 		close_logpipes(logfds);
 		exit(FAIL);
 	}
 }
 
 int knet_handle_stop(knet_handle_t knet_h)
 {
-	int savederrno;
 	size_t i, j;
 	knet_node_id_t host_ids[KNET_MAX_HOST];
 	uint8_t link_ids[KNET_MAX_LINK];
 	size_t host_ids_entries = 0, link_ids_entries = 0;
-	struct knet_link_status status;
-
-	savederrno = pthread_mutex_lock(&shutdown_mutex);
-	if (savederrno) {
-		printf("Unable to get shutdown mutex lock\n");
-		return -1;
-	}
-
-	if (stop_in_progress) {
-		pthread_mutex_unlock(&shutdown_mutex);
-		errno = EINVAL;
-		return -1;
-	}
-
-	stop_in_progress = 1;
-
-	pthread_mutex_unlock(&shutdown_mutex);
+	unsigned int enabled;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (knet_handle_setfwd(knet_h, 0) < 0) {
 		printf("knet_handle_setfwd failed: %s\n", strerror(errno));
 		return -1;
 	}
 
 	if (knet_host_get_host_list(knet_h, host_ids, &host_ids_entries) < 0) {
 		printf("knet_host_get_host_list failed: %s\n", strerror(errno));
 		return -1;
 	}
 
 	for (i = 0; i < host_ids_entries; i++) {
 		if (knet_link_get_link_list(knet_h, host_ids[i], link_ids, &link_ids_entries)) {
 			printf("knet_link_get_link_list failed: %s\n", strerror(errno));
 			return -1;
 		}
 		for (j = 0; j < link_ids_entries; j++) {
-			if (knet_link_get_status(knet_h, host_ids[i], link_ids[j], &status, sizeof(struct knet_link_status))) {
-				printf("knet_link_get_status failed: %s\n", strerror(errno));
+			if (knet_link_get_enable(knet_h, host_ids[i], link_ids[j], &enabled)) {
+				printf("knet_link_get_enable failed: %s\n", strerror(errno));
 				return -1;
 			}
-			if (status.enabled) {
+			if (enabled) {
 				if (knet_link_set_enable(knet_h, host_ids[i], j, 0)) {
 					printf("knet_link_set_enable failed: %s\n", strerror(errno));
 					return -1;
 				}
 			}
+			printf("clearing config for: %p host: %u link: %zu\n", knet_h, host_ids[i], j);
 			knet_link_clear_config(knet_h, host_ids[i], j);
 		}
 		if (knet_host_remove(knet_h, host_ids[i]) < 0) {
 			printf("knet_host_remove failed: %s\n", strerror(errno));
 			return -1;
 		}
 	}
 
 	if (knet_handle_free(knet_h)) {
 		printf("knet_handle_free failed: %s\n", strerror(errno));
 		return -1;
 	}
+
 	return 0;
 }
 
 static int _make_local_sockaddr(struct sockaddr_storage *lo, int offset, int family)
 {
 	in_port_t port;
 	char portstr[32];
 
 	if (offset < 0) {
 		/*
 		 * api_knet_link_set_config needs to access the API directly, but
 		 * it does not send any traffic, so it´s safe to ask the kernel
 		 * for a random port.
 		 */
 		port = 0;
 	} else {
 		/* Use the pid if we can. but makes sure its in a sensible range */
 		port = (getpid() + offset) % (65536-1024) + 1024;
 	}
 	sprintf(portstr, "%u", port);
 	memset(lo, 0, sizeof(struct sockaddr_storage));
 	printf("Using port %u\n", port);
 
 	if (family == AF_INET6) {
 		return knet_strtoaddr("::1", portstr, lo, sizeof(struct sockaddr_storage));
 	}
 	return knet_strtoaddr("127.0.0.1", portstr, lo, sizeof(struct sockaddr_storage));
 }
 
 int make_local_sockaddr(struct sockaddr_storage *lo, int offset)
 {
 	return _make_local_sockaddr(lo, offset, AF_INET);
 }
 
 int make_local_sockaddr6(struct sockaddr_storage *lo, int offset)
 {
 	return _make_local_sockaddr(lo, offset, AF_INET6);
 }
 
 int _knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			  uint8_t transport, uint64_t flags, int family, int dynamic,
 			  struct sockaddr_storage *lo)
 {
 	int err = 0, savederrno = 0;
 	uint32_t port;
 	char portstr[32];
 
 	for (port = 1025; port < 65536; port++) {
 		sprintf(portstr, "%u", port);
 		memset(lo, 0, sizeof(struct sockaddr_storage));
 		if (family == AF_INET6) {
 			err = knet_strtoaddr("::1", portstr, lo, sizeof(struct sockaddr_storage));
 		} else {
 			err = knet_strtoaddr("127.0.0.1", portstr, lo, sizeof(struct sockaddr_storage));
 		}
 		if (err < 0) {
 			printf("Unable to convert loopback to sockaddr: %s\n", strerror(errno));
 			goto out;
 		}
 		errno = 0;
 		if (dynamic) {
 			err = knet_link_set_config(knet_h, host_id, link_id, transport, lo, NULL, flags);
 		} else {
 			err = knet_link_set_config(knet_h, host_id, link_id, transport, lo, lo, flags);
 		}
 		savederrno = errno;
 		if ((err < 0)  && (savederrno != EADDRINUSE)) {
 			printf("Unable to configure link: %s\n", strerror(savederrno));
 			goto out;
 		}
 		if (!err) {
 			printf("Using port %u\n", port);
 			goto out;
 		}
 	}
 
 	if (err) {
 		printf("No more ports available\n");
 	}
 out:
 	errno = savederrno;
 	return err;
 }
 
 void test_sleep(knet_handle_t knet_h, int seconds)
 {
 	if (is_memcheck() || is_helgrind()) {
 		printf("Test suite is running under valgrind, adjusting sleep timers\n");
 		seconds = seconds * 16;
 	}
 	sleep(seconds);
 }
 
 int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd, FILE *std)
 {
 	int i = 0;
 
 	if (is_memcheck() || is_helgrind()) {
 		printf("Test suite is running under valgrind, adjusting wait_for_host timeout\n");
 		seconds = seconds * 16;
 	}
 
 	while (i < seconds) {
 		flush_logs(logfd, std);
 		if (knet_h->host_index[host_id]->status.reachable == 1) {
 			printf("Waiting for host to settle\n");
 			test_sleep(knet_h, 1);
 			return 0;
 		}
 		printf("waiting host %u to be reachable for %d more seconds\n", host_id, seconds - i);
 		sleep(1);
 		i++;
 	}
 	return -1;
 }
 
 int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std)
 {
 	fd_set rfds;
 	struct timeval tv;
 	int err = 0, i = 0;
 
 	if (is_memcheck() || is_helgrind()) {
 		printf("Test suite is running under valgrind, adjusting wait_for_packet timeout\n");
 		seconds = seconds * 16;
 	}
 
 try_again:
 	FD_ZERO(&rfds);
 	FD_SET(datafd, &rfds);
 
 	tv.tv_sec = 1;
 	tv.tv_usec = 0;
 
 	err = select(datafd+1, &rfds, NULL, NULL, &tv);
 	/*
 	 * on slow arches the first call to select can return 0.
 	 * pick an arbitrary 10 times loop (multiplied by waiting seconds)
 	 * before failing.
 	 */
 	if ((!err) && (i < seconds)) {
 		flush_logs(logfd, std);
 		i++;
 		goto try_again;
 	}
 	if ((err > 0) && (FD_ISSET(datafd, &rfds))) {
 		return 0;
 	}
 
 	errno = ETIMEDOUT;
 	return -1;
 }
+
+/*
+ * functional tests helpers
+ */
+
+void knet_handle_start_nodes(knet_handle_t knet_h[], uint8_t numnodes, int logfds[2], uint8_t log_level)
+{
+	uint8_t i;
+
+	for (i = 1; i <= numnodes; i++) {
+		knet_h[i] = knet_handle_new_ex(i, logfds[1], log_level, 0);
+		if (!knet_h[i]) {
+			printf("failed to create handle: %s\n", strerror(errno));
+			break;
+		} else {
+			printf("knet_h[%u] at %p\n", i, knet_h[i]);
+		}
+	}
+
+	if (i < numnodes) {
+		knet_handle_stop_nodes(knet_h, i);
+		exit(FAIL);
+	}
+
+	return;
+}
+
+void knet_handle_stop_nodes(knet_handle_t knet_h[], uint8_t numnodes)
+{
+	uint8_t i;
+
+	for (i = 1; i <= numnodes; i++) {
+		printf("stopping handle %u at %p\n", i, knet_h[i]);
+		knet_handle_stop(knet_h[i]);
+	}
+
+	return;
+}
+
+void knet_handle_join_nodes(knet_handle_t knet_h[], uint8_t numnodes, uint8_t numlinks, int family, uint8_t transport)
+{
+	uint8_t i, x, j;
+	struct sockaddr_storage src, dst;
+
+	for (i = 1; i <= numnodes; i++) {
+		for (j = 1; j <= numnodes; j++) {
+			/*
+			 * don´t connect to itself
+			 */
+			if (j == i) {
+				continue;
+			}
+
+			printf("host %u adding host: %u\n", i, j);
+
+			if (knet_host_add(knet_h[i], j) < 0) {
+				printf("Unable to add host: %s\n", strerror(errno));
+				knet_handle_stop_nodes(knet_h, numnodes);
+				exit(FAIL);
+			}
+
+			for (x = 0; x < numlinks; x++) {
+				if (family == AF_INET6) {
+					if (make_local_sockaddr6(&src, i + x) < 0) {
+						printf("Unable to convert src to sockaddr: %s\n", strerror(errno));
+						knet_handle_stop_nodes(knet_h, numnodes);
+						exit(FAIL);
+					}
+
+					if (make_local_sockaddr6(&dst, j + x) < 0) {
+						printf("Unable to convert dst to sockaddr: %s\n", strerror(errno));
+						knet_handle_stop_nodes(knet_h, numnodes);
+						exit(FAIL);
+					}
+				} else {
+					if (make_local_sockaddr(&src, i + x) < 0) {
+						printf("Unable to convert src to sockaddr: %s\n", strerror(errno));
+						knet_handle_stop_nodes(knet_h, numnodes);
+						exit(FAIL);
+					}
+
+					if (make_local_sockaddr(&dst, j + x) < 0) {
+						printf("Unable to convert dst to sockaddr: %s\n", strerror(errno));
+						knet_handle_stop_nodes(knet_h, numnodes);
+						exit(FAIL);
+					}
+				}
+
+				printf("joining node %u with node %u via link %u src offset: %u dst offset: %u\n", i, j, x, i+x, j+x);
+
+				if (knet_link_set_config(knet_h[i], j, x, transport, &src, &dst, 0) < 0) {
+					printf("unable to configure link: %s\n", strerror(errno));
+					knet_handle_stop_nodes(knet_h, numnodes);
+					exit(FAIL);
+				}
+
+				if (knet_link_set_enable(knet_h[i], j, x, 1) < 0) {
+					printf("unable to enable link: %s\n", strerror(errno));
+					knet_handle_stop_nodes(knet_h, numnodes);
+					exit(FAIL);
+				}
+			}
+		}
+	}
+
+	for (i = 1; i <= numnodes; i++) {
+		for (j = 1; j <= numnodes; j++) {
+			/*
+			 * don´t wait for self
+			 */
+			if (j == i) {
+				continue;
+			}
+
+			if (wait_for_host(knet_h[i], j, (10 * numnodes) , knet_h[i]->logfd, stdout) < 0) {
+					printf("Cannot connect node %u to node %u: %s\n", i, j, strerror(errno));
+					knet_handle_stop_nodes(knet_h, numnodes);
+					exit(FAIL);
+			}
+		}
+	}
+
+	return;
+}
diff --git a/libknet/tests/test-common.h b/libknet/tests/test-common.h
index 0c40400f..cc31e62c 100644
--- a/libknet/tests/test-common.h
+++ b/libknet/tests/test-common.h
@@ -1,84 +1,91 @@
 /*
  * Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+
  */
 
 #ifndef __KNET_TEST_COMMON_H__
 #define __KNET_TEST_COMMON_H__
 
 #include "internals.h"
 #include <sched.h>
 
 /*
  * error codes from automake test-driver
  */
 
 #define PASS	0
 #define SKIP	77
 #define ERROR	99
 #define FAIL	-1
 
 /* For *BSD compatibility */
 #ifndef s6_addr16
 #define s6_addr8  __u6_addr.__u6_addr8
 #define s6_addr16 __u6_addr.__u6_addr16
 #define s6_addr32 __u6_addr.__u6_addr32
 #endif
 
 /*
  * common facilities
  */
 
 int execute_shell(const char *command, char **error_string);
 
 int is_memcheck(void);
 int is_helgrind(void);
 
 void set_scheduler(int policy);
 
 knet_handle_t knet_handle_start(int logfds[2], uint8_t log_level);
 
 /*
  * consider moving this one as official API
  */
 int knet_handle_stop(knet_handle_t knet_h);
 
 /*
  * knet_link_set_config wrapper required to find a free port
  */
 
 int _knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t link_id,
 			  uint8_t transport, uint64_t flags, int family, int dynamic,
 			  struct sockaddr_storage *lo);
 
+/*
+ * functional test helpers
+ */
+void knet_handle_start_nodes(knet_handle_t knet_h[], uint8_t numnodes, int logfds[2], uint8_t log_level);
+void knet_handle_stop_nodes(knet_handle_t knet_h[], uint8_t numnodes);
+void knet_handle_join_nodes(knet_handle_t knet_h[], uint8_t numnodes, uint8_t numlinks, int family, uint8_t transport);
+
 /*
  * high level logging function.
  * automatically setup logpipes and start/stop logging thread.
  *
  * start_logging exit(FAIL) on error or fd to pass to knet_handle_new
  * and it will install an atexit handle to close logging properly
  *
  * WARNING: DO NOT use start_logging for api_ or int_ testing.
  * while start_logging would work just fine, the output
  * of the logs is more complex to read because of the way
  * the thread would interleave the output of printf from api_/int_ testing
  * with knet logs. Functionally speaking you get the exact same logs,
  * but a lot harder to read due to the thread latency in printing logs.
  */
 int start_logging(FILE *std);
 
 int setup_logpipes(int *logfds);
 void close_logpipes(int *logfds);
 void flush_logs(int logfd, FILE *std);
 int start_logthread(int logfd, FILE *std);
 int stop_logthread(void);
 int make_local_sockaddr(struct sockaddr_storage *lo, int offset);
 int make_local_sockaddr6(struct sockaddr_storage *lo, int offset);
 int wait_for_host(knet_handle_t knet_h, uint16_t host_id, int seconds, int logfd, FILE *std);
 int wait_for_packet(knet_handle_t knet_h, int seconds, int datafd, int logfd, FILE *std);
 void test_sleep(knet_handle_t knet_h, int seconds);
 
 #endif
diff --git a/libknet/threads_heartbeat.c b/libknet/threads_heartbeat.c
index 3b6ca161..df3d5d17 100644
--- a/libknet/threads_heartbeat.c
+++ b/libknet/threads_heartbeat.c
@@ -1,238 +1,238 @@
 /*
  * Copyright (C) 2015-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <unistd.h>
 #include <errno.h>
 #include <string.h>
 #include <pthread.h>
 #include <time.h>
 
 #include "crypto.h"
 #include "links.h"
 #include "logging.h"
 #include "transports.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 
 static void _link_down(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link)
 {
 	memset(&dst_link->pmtud_last, 0, sizeof(struct timespec));
 	dst_link->received_pong = 0;
 	dst_link->status.pong_last.tv_nsec = 0;
 	dst_link->pong_timeout_backoff = KNET_LINK_PONG_TIMEOUT_BACKOFF;
 	if (dst_link->status.connected == 1) {
 		log_info(knet_h, KNET_SUB_LINK, "host: %u link: %u is down",
 			 dst_host->host_id, dst_link->link_id);
 		_link_updown(knet_h, dst_host->host_id, dst_link->link_id, dst_link->status.enabled, 0, 1);
 	}
 }
 
 static void _handle_check_each(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link, int timed)
 {
 	int err = 0, savederrno = 0, stats_err = 0;
 	int len;
 	ssize_t outlen = KNET_HEADER_PING_SIZE;
 	struct timespec clock_now, pong_last;
 	unsigned long long diff_ping;
 	unsigned char *outbuf = (unsigned char *)knet_h->pingbuf;
 
 	if (dst_link->transport_connected == 0) {
 		_link_down(knet_h, dst_host, dst_link);
 		return;
 	}
 
 	/* caching last pong to avoid race conditions */
 	pong_last = dst_link->status.pong_last;
 
 	if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
 		log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get monotonic clock");
 		return;
 	}
 
 	timespec_diff(dst_link->ping_last, clock_now, &diff_ping);
 
 	if ((diff_ping >= (dst_link->ping_interval * 1000llu)) || (!timed)) {
 		memmove(&knet_h->pingbuf->khp_ping_time[0], &clock_now, sizeof(struct timespec));
 		knet_h->pingbuf->khp_ping_link = dst_link->link_id;
 		if (pthread_mutex_lock(&knet_h->tx_seq_num_mutex)) {
 			log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get seq mutex lock");
 			return;
 		}
 		knet_h->pingbuf->khp_ping_seq_num = htons(knet_h->tx_seq_num);
 		pthread_mutex_unlock(&knet_h->tx_seq_num_mutex);
 		knet_h->pingbuf->khp_ping_timed = timed;
 
-		if (knet_h->crypto_instance) {
+		if (knet_h->crypto_in_use_config) {
 			if (crypto_encrypt_and_sign(knet_h,
 						    (const unsigned char *)knet_h->pingbuf,
 						    outlen,
 						    knet_h->pingbuf_crypt,
 						    &outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to crypto ping packet");
 				return;
 			}
 
 			outbuf = knet_h->pingbuf_crypt;
 			if (pthread_mutex_lock(&knet_h->handle_stats_mutex) < 0) {
 				log_err(knet_h, KNET_SUB_HEARTBEAT, "Unable to get mutex lock");
 				return;
 			}
 			knet_h->stats_extra.tx_crypt_ping_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		stats_err = pthread_mutex_lock(&dst_link->link_stats_mutex);
 		if (stats_err) {
 			log_err(knet_h, KNET_SUB_HEARTBEAT, "Unable to get stats mutex lock for host %u link %u: %s",
 				dst_host->host_id, dst_link->link_id, strerror(stats_err));
 			return;
 		}
 
 retry:
 		if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 			len = sendto(dst_link->outsock, outbuf, outlen,	MSG_DONTWAIT | MSG_NOSIGNAL,
 				     (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
 		} else {
 			len = sendto(dst_link->outsock, outbuf, outlen,	MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 		}
 		savederrno = errno;
 
 		dst_link->ping_last = clock_now;
 		dst_link->status.stats.tx_ping_packets++;
 		dst_link->status.stats.tx_ping_bytes += outlen;
 
 		if (len != outlen) {
 			err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
 			switch(err) {
 				case -1: /* unrecoverable error */
 					log_debug(knet_h, KNET_SUB_HEARTBEAT,
 						  "Unable to send ping (sock: %d) packet (sendto): %d %s. recorded src ip: %s src port: %s dst ip: %s dst port: %s",
 						  dst_link->outsock, savederrno, strerror(savederrno),
 						  dst_link->status.src_ipaddr, dst_link->status.src_port,
 						  dst_link->status.dst_ipaddr, dst_link->status.dst_port);
 					dst_link->status.stats.tx_ping_errors++;
 					break;
 				case 0:
 					break;
 				case 1:
 					dst_link->status.stats.tx_ping_retries++;
 					goto retry;
 					break;
 			}
 		} else {
 			dst_link->last_ping_size = outlen;
 		}
 		pthread_mutex_unlock(&dst_link->link_stats_mutex);
 	}
 
 	timespec_diff(pong_last, clock_now, &diff_ping);
 	if ((pong_last.tv_nsec) && 
 	    (diff_ping >= (dst_link->pong_timeout_adj * 1000llu))) {
 		_link_down(knet_h, dst_host, dst_link);
 	}
 }
 
 void _send_pings(knet_handle_t knet_h, int timed)
 {
 	struct knet_host *dst_host;
 	int link_idx;
 
 	if (pthread_mutex_lock(&knet_h->hb_mutex)) {
 		log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get hb mutex lock");
 		return;
 	}
 
 	for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if ((dst_host->link[link_idx].status.enabled != 1) ||
 			    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
 			    ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
 			     (dst_host->link[link_idx].status.dynconnected != 1)))
 				continue;
 
 			_handle_check_each(knet_h, dst_host, &dst_host->link[link_idx], timed);
 		}
 	}
 
 	pthread_mutex_unlock(&knet_h->hb_mutex);
 }
 
 static void _adjust_pong_timeouts(knet_handle_t knet_h)
 {
 	struct knet_host *dst_host;
 	struct knet_link *dst_link;
 	int link_idx;
 
 	if (pthread_mutex_lock(&knet_h->backoff_mutex)) {
 		log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get backoff_mutex");
 		return;
 	}
 
 	for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 		for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 			if ((dst_host->link[link_idx].status.enabled != 1) ||
 			    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK ) ||
 			    ((dst_host->link[link_idx].dynamic == KNET_LINK_DYNIP) &&
 			     (dst_host->link[link_idx].status.dynconnected != 1)))
 				continue;
 
 			dst_link = &dst_host->link[link_idx];
 
 			if (dst_link->pong_timeout_backoff > 1) {
 				dst_link->pong_timeout_backoff--;
 			}
 
 			dst_link->pong_timeout_adj = (dst_link->pong_timeout * dst_link->pong_timeout_backoff) + (dst_link->status.latency * KNET_LINK_PONG_TIMEOUT_LAT_MUL);
 		}
 	}
 
 	pthread_mutex_unlock(&knet_h->backoff_mutex);
 }
 
 void *_handle_heartbt_thread(void *data)
 {
 	knet_handle_t knet_h = (knet_handle_t) data;
 	int i = 1;
 
 	set_thread_status(knet_h, KNET_THREAD_HB, KNET_THREAD_STARTED);
 
 	/* preparing ping buffer */
 	knet_h->pingbuf->kh_version = KNET_HEADER_VERSION;
 	knet_h->pingbuf->kh_type = KNET_HEADER_TYPE_PING;
 	knet_h->pingbuf->kh_node = htons(knet_h->host_id);
 
 	while (!shutdown_in_progress(knet_h)) {
 		usleep(KNET_THREADS_TIMERES);
 
 		if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 			log_debug(knet_h, KNET_SUB_HEARTBEAT, "Unable to get read lock");
 			continue;
 		}
 
 		/*
 		 *  _adjust_pong_timeouts should execute approx once a second.
 		 */
 		if ((i % (1000000 / KNET_THREADS_TIMERES)) == 0) {
 			_adjust_pong_timeouts(knet_h);
 			i = 1;
 		} else {
 			i++;
 		}
 
 		_send_pings(knet_h, 1);
 
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_HB, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c
index 2c4a2630..b4432898 100644
--- a/libknet/threads_pmtud.c
+++ b/libknet/threads_pmtud.c
@@ -1,642 +1,642 @@
 /*
  * Copyright (C) 2015-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <unistd.h>
 #include <string.h>
 #include <errno.h>
 #include <pthread.h>
 
 #include "crypto.h"
 #include "links.h"
 #include "host.h"
 #include "logging.h"
 #include "transports.h"
 #include "threads_common.h"
 #include "threads_pmtud.h"
 
 static int _calculate_manual_mtu(knet_handle_t knet_h, struct knet_link *dst_link)
 {
 	size_t ipproto_overhead_len;	/* onwire packet overhead (protocol based) */
 
 	switch (dst_link->dst_addr.ss_family) {
 		case AF_INET6:
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V6 + dst_link->proto_overhead;
 			break;
 		case AF_INET:
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V4 + dst_link->proto_overhead;
 			break;
 		default:
 			log_debug(knet_h, KNET_SUB_PMTUD, "unknown protocol");
 			return 0;
 			break;
 	}
 
 	dst_link->status.mtu = calc_max_data_outlen(knet_h, knet_h->manual_mtu - ipproto_overhead_len);
 
 	return 1;
 }
 
 static int _handle_check_link_pmtud(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link)
 {
 	int err, ret, savederrno, mutex_retry_limit, failsafe, use_kernel_mtu, warn_once;
 	uint32_t kernel_mtu;		/* record kernel_mtu from EMSGSIZE */
 	size_t onwire_len;   		/* current packet onwire size */
 	size_t ipproto_overhead_len;	/* onwire packet overhead (protocol based) */
 	size_t max_mtu_len;		/* max mtu for protocol */
 	size_t data_len;		/* how much data we can send in the packet
 					 * generally would be onwire_len - ipproto_overhead_len
 					 * needs to be adjusted for crypto
 					 */
 	size_t app_mtu_len;		/* real data that we can send onwire */
 	ssize_t len;			/* len of what we were able to sendto onwire */
 
 	struct timespec ts, pmtud_crypto_start_ts, pmtud_crypto_stop_ts;
 	unsigned long long pong_timeout_adj_tmp, timediff;
 	int pmtud_crypto_reduce = 1;
 	unsigned char *outbuf = (unsigned char *)knet_h->pmtudbuf;
 
 	warn_once = 0;
 
 	mutex_retry_limit = 0;
 	failsafe = 0;
 
 	knet_h->pmtudbuf->khp_pmtud_link = dst_link->link_id;
 
 	switch (dst_link->dst_addr.ss_family) {
 		case AF_INET6:
 			max_mtu_len = KNET_PMTUD_SIZE_V6;
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V6 + dst_link->proto_overhead;
 			break;
 		case AF_INET:
 			max_mtu_len = KNET_PMTUD_SIZE_V4;
 			ipproto_overhead_len = KNET_PMTUD_OVERHEAD_V4 + dst_link->proto_overhead;
 			break;
 		default:
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD aborted, unknown protocol");
 			return -1;
 			break;
 	}
 
 	dst_link->last_bad_mtu = 0;
 	dst_link->last_good_mtu = dst_link->last_ping_size + ipproto_overhead_len;
 
 	/*
 	 * discovery starts from the top because kernel will
 	 * refuse to send packets > current iface mtu.
 	 * this saves us some time and network bw.
 	 */ 
 	onwire_len = max_mtu_len;
 
 restart:
 
 	/*
 	 * prevent a race when interface mtu is changed _exactly_ during
 	 * the discovery process and it's complex to detect. Easier
 	 * to wait the next loop.
 	 * 30 is not an arbitrary value. To bisect from 576 to 128000 doesn't
 	 * take more than 18/19 steps.
 	 */
 
 	if (failsafe == 30) {
 		log_err(knet_h, KNET_SUB_PMTUD,
 			"Aborting PMTUD process: Too many attempts. MTU might have changed during discovery.");
 		return -1;
 	} else {
 		failsafe++;
 	}
 
 	/*
 	 * common to all packets
 	 */
 
 	/*
 	 * calculate the application MTU based on current onwire_len minus ipproto_overhead_len
 	 */
 
 	app_mtu_len = calc_max_data_outlen(knet_h, onwire_len - ipproto_overhead_len);
 
 	/*
 	 * recalculate onwire len back that might be different based
 	 * on data padding from crypto layer.
 	 */
 
 	onwire_len = calc_data_outlen(knet_h, app_mtu_len + KNET_HEADER_ALL_SIZE) + ipproto_overhead_len;
 
 	/*
 	 * calculate the size of what we need to send to sendto(2).
 	 * see also onwire.c for packet format explanation.
 	 */
 	data_len = app_mtu_len + knet_h->sec_hash_size + knet_h->sec_salt_size + KNET_HEADER_ALL_SIZE;
 
-	if (knet_h->crypto_instance) {
+	if (knet_h->crypto_in_use_config) {
 		if (data_len < (knet_h->sec_hash_size + knet_h->sec_salt_size) + 1) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Aborting PMTUD process: link mtu smaller than crypto header detected (link might have been disconnected)");
 			return -1;
 		}
 
 		knet_h->pmtudbuf->khp_pmtud_size = onwire_len;
 
 		if (crypto_encrypt_and_sign(knet_h,
 					    (const unsigned char *)knet_h->pmtudbuf,
 					    data_len - (knet_h->sec_hash_size + knet_h->sec_salt_size),
 					    knet_h->pmtudbuf_crypt,
 					    (ssize_t *)&data_len) < 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to crypto pmtud packet");
 			return -1;
 		}
 
 		outbuf = knet_h->pmtudbuf_crypt;
 		if (pthread_mutex_lock(&knet_h->handle_stats_mutex) < 0) {
 			log_err(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 			return -1;
 		}
 		knet_h->stats_extra.tx_crypt_pmtu_packets++;
 		pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 	} else {
 		knet_h->pmtudbuf->khp_pmtud_size = onwire_len;
 	}
 
 	/* link has gone down, aborting pmtud */
 	if (dst_link->status.connected != 1) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD detected host (%u) link (%u) has been disconnected", dst_host->host_id, dst_link->link_id);
 		return -1;
 	}
 
 	if (dst_link->transport_connected != 1) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD detected host (%u) link (%u) has been disconnected", dst_host->host_id, dst_link->link_id);
 		return -1;
 	}
 
 	if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 		return -1;
 	}
 
 	if (knet_h->pmtud_abort) {
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		errno = EDEADLK;
 		return -1;
 	}
 
 	savederrno = pthread_mutex_lock(&knet_h->tx_mutex);
 	if (savederrno) {
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get TX mutex lock: %s", strerror(savederrno));
 		return -1;
 	}
 
 	savederrno = pthread_mutex_lock(&dst_link->link_stats_mutex);
 	if (savederrno) {
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		pthread_mutex_unlock(&knet_h->tx_mutex);
 		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get stats mutex lock for host %u link %u: %s",
 			dst_host->host_id, dst_link->link_id, strerror(savederrno));
 		return -1;
 	}
 
 retry:
 	if (transport_get_connection_oriented(knet_h, dst_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 		len = sendto(dst_link->outsock, outbuf, data_len, MSG_DONTWAIT | MSG_NOSIGNAL,
 			     (struct sockaddr *) &dst_link->dst_addr, sizeof(struct sockaddr_storage));
 	} else {
 		len = sendto(dst_link->outsock, outbuf, data_len, MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 	}
 	savederrno = errno;
 
 	/*
 	 * we cannot hold a lock on kmtu_mutex between resetting
 	 * knet_h->kernel_mtu here and below where it's used.
 	 * use_kernel_mtu tells us if the knet_h->kernel_mtu was
 	 * set to 0 and we can trust its value later.
 	 */
 	use_kernel_mtu = 0;
 
 	if (pthread_mutex_lock(&knet_h->kmtu_mutex) == 0) {
 		use_kernel_mtu = 1;
 		knet_h->kernel_mtu = 0;
 		pthread_mutex_unlock(&knet_h->kmtu_mutex);
 	}
 
 	kernel_mtu = 0;
 
 	err = transport_tx_sock_error(knet_h, dst_link->transport, dst_link->outsock, len, savederrno);
 	switch(err) {
 		case -1: /* unrecoverable error */
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to send pmtu packet (sendto): %d %s", savederrno, strerror(savederrno));
 			pthread_mutex_unlock(&knet_h->tx_mutex);
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			dst_link->status.stats.tx_pmtu_errors++;
 			pthread_mutex_unlock(&dst_link->link_stats_mutex);
 			return -1;
 		case 0: /* ignore error and continue */
 			break;
 		case 1: /* retry to send those same data */
 			dst_link->status.stats.tx_pmtu_retries++;
 			goto retry;
 			break;
 	}
 
 	pthread_mutex_unlock(&knet_h->tx_mutex);
 
 	if (len != (ssize_t )data_len) {
 		pthread_mutex_unlock(&dst_link->link_stats_mutex);
 		if (savederrno == EMSGSIZE) {
 			/*
 			 * we cannot hold a lock on kmtu_mutex between resetting
 			 * knet_h->kernel_mtu and here.
 			 * use_kernel_mtu tells us if the knet_h->kernel_mtu was
 			 * set to 0 previously and we can trust its value now.
 			 */
 			if (use_kernel_mtu) {
 				use_kernel_mtu = 0;
 				if (pthread_mutex_lock(&knet_h->kmtu_mutex) == 0) {
 					kernel_mtu = knet_h->kernel_mtu;
 					pthread_mutex_unlock(&knet_h->kmtu_mutex);
 				}
 			}
 			if (kernel_mtu > 0) {
 				dst_link->last_bad_mtu = kernel_mtu + 1;
 			} else {
 				dst_link->last_bad_mtu = onwire_len;
 			}
 		} else {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to send pmtu packet len: %zu err: %s", onwire_len, strerror(savederrno));
 		}
 
 	} else {
 		dst_link->last_sent_mtu = onwire_len;
 		dst_link->last_recv_mtu = 0;
 		dst_link->status.stats.tx_pmtu_packets++;
 		dst_link->status.stats.tx_pmtu_bytes += data_len;
 		pthread_mutex_unlock(&dst_link->link_stats_mutex);
 
 		if (clock_gettime(CLOCK_REALTIME, &ts) < 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get current time: %s", strerror(errno));
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			return -1;
 		}
 
 		/*
 		 * non fatal, we can wait the next round to reduce the
 		 * multiplier
 		 */
 		if (clock_gettime(CLOCK_MONOTONIC, &pmtud_crypto_start_ts) < 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get current time: %s", strerror(errno));
 			pmtud_crypto_reduce = 0;
 		}
 
 		/*
 		 * set PMTUd reply timeout to match pong_timeout on a given link
 		 *
 		 * math: internally pong_timeout is expressed in microseconds, while
 		 *       the public API exports milliseconds. So careful with the 0's here.
 		 * the loop is necessary because we are grabbing the current time just above
 		 * and add values to it that could overflow into seconds.
 		 */ 
 
 		if (pthread_mutex_lock(&knet_h->backoff_mutex)) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get backoff_mutex");
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			return -1;
 		}
 
-		if (knet_h->crypto_instance) {
+		if (knet_h->crypto_in_use_config) {
 			/*
 			 * crypto, under pressure, is a royal PITA
 			 */
 			pong_timeout_adj_tmp = dst_link->pong_timeout_adj * dst_link->pmtud_crypto_timeout_multiplier;
 		} else {
 			pong_timeout_adj_tmp = dst_link->pong_timeout_adj;
 		}
 
 		ts.tv_sec += pong_timeout_adj_tmp / 1000000;
 		ts.tv_nsec += (((pong_timeout_adj_tmp) % 1000000) * 1000);
 		while (ts.tv_nsec > 1000000000) {
 			ts.tv_sec += 1;
 			ts.tv_nsec -= 1000000000;
 		}
 
 		pthread_mutex_unlock(&knet_h->backoff_mutex);
 
 		knet_h->pmtud_waiting = 1;
 
 		ret = pthread_cond_timedwait(&knet_h->pmtud_cond, &knet_h->pmtud_mutex, &ts);
 
 		knet_h->pmtud_waiting = 0;
 
 		if (knet_h->pmtud_abort) {
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			errno = EDEADLK;
 			return -1;
 		}
 
 		/*
 		 * we cannot use shutdown_in_progress in here because
 		 * we already hold the read lock
 		 */
 		if (knet_h->fini_in_progress) {
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD aborted. shutdown in progress");
 			return -1;
 		}
 
 		if (ret) {
 			if (ret == ETIMEDOUT) {
-				if ((knet_h->crypto_instance) && (dst_link->pmtud_crypto_timeout_multiplier < KNET_LINK_PMTUD_CRYPTO_TIMEOUT_MULTIPLIER_MAX)) {
+				if ((knet_h->crypto_in_use_config) && (dst_link->pmtud_crypto_timeout_multiplier < KNET_LINK_PMTUD_CRYPTO_TIMEOUT_MULTIPLIER_MAX)) {
 					dst_link->pmtud_crypto_timeout_multiplier = dst_link->pmtud_crypto_timeout_multiplier * 2;
 					pmtud_crypto_reduce = 0;
 					log_debug(knet_h, KNET_SUB_PMTUD,
 							"Increasing PMTUd response timeout multiplier to (%u) for host %u link: %u",
 							dst_link->pmtud_crypto_timeout_multiplier,
 							dst_host->host_id,
 							dst_link->link_id);
 					pthread_mutex_unlock(&knet_h->pmtud_mutex);
 					goto restart;
 				}
 				if (!warn_once) {
 					log_warn(knet_h, KNET_SUB_PMTUD,
 							"possible MTU misconfiguration detected. "
 							"kernel is reporting MTU: %u bytes for "
 							"host %u link %u but the other node is "
 							"not acknowledging packets of this size. ",
 							dst_link->last_sent_mtu,
 							dst_host->host_id,
 							dst_link->link_id);
 					log_warn(knet_h, KNET_SUB_PMTUD,
 							"This can be caused by this node interface MTU "
 							"too big or a network device that does not "
 							"support or has been misconfigured to manage MTU "
 							"of this size, or packet loss. knet will continue "
 							"to run but performances might be affected.");
 					warn_once = 1;
 				}
 			} else {
 				pthread_mutex_unlock(&knet_h->pmtud_mutex);
 				if (mutex_retry_limit == 3) {
 					log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD aborted, unable to get mutex lock");
 					return -1;
 				}
 				mutex_retry_limit++;
 				goto restart;
 			}
 		}
 
-		if ((knet_h->crypto_instance) && (pmtud_crypto_reduce == 1) &&
+		if ((knet_h->crypto_in_use_config) && (pmtud_crypto_reduce == 1) &&
 		    (dst_link->pmtud_crypto_timeout_multiplier > KNET_LINK_PMTUD_CRYPTO_TIMEOUT_MULTIPLIER_MIN)) {
 			if (!clock_gettime(CLOCK_MONOTONIC, &pmtud_crypto_stop_ts)) {
 				timespec_diff(pmtud_crypto_start_ts, pmtud_crypto_stop_ts, &timediff);
 				if (((pong_timeout_adj_tmp * 1000) / 2) > timediff) {
 					dst_link->pmtud_crypto_timeout_multiplier = dst_link->pmtud_crypto_timeout_multiplier / 2;
 					log_debug(knet_h, KNET_SUB_PMTUD,
 							"Decreasing PMTUd response timeout multiplier to (%u) for host %u link: %u",
 							dst_link->pmtud_crypto_timeout_multiplier,
 							dst_host->host_id,
 							dst_link->link_id);
 				}
 			} else {
 				log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get current time: %s", strerror(errno));
 			}
 		}
 
 		if ((dst_link->last_recv_mtu != onwire_len) || (ret)) {
 			dst_link->last_bad_mtu = onwire_len;
 		} else {
 			int found_mtu = 0;
 
 			if (knet_h->sec_block_size) {
 				if ((onwire_len + knet_h->sec_block_size >= max_mtu_len) ||
 				   ((dst_link->last_bad_mtu) && (dst_link->last_bad_mtu <= (onwire_len + knet_h->sec_block_size)))) {
 					found_mtu = 1;
 				}
 			} else {
 				if ((onwire_len == max_mtu_len) ||
 				    ((dst_link->last_bad_mtu) && (dst_link->last_bad_mtu == (onwire_len + 1))) ||
 				     (dst_link->last_bad_mtu == dst_link->last_good_mtu)) {
 					found_mtu = 1;
 				}
 			}
 
 			if (found_mtu) {
 				/*
 				 * account for IP overhead, knet headers and crypto in PMTU calculation
 				 */
 				dst_link->status.mtu = calc_max_data_outlen(knet_h, onwire_len - ipproto_overhead_len);
 				pthread_mutex_unlock(&knet_h->pmtud_mutex);
 				return 0;
 			}
 
 			dst_link->last_good_mtu = onwire_len;
 		}
 	}
 
 	if (kernel_mtu) {
 		onwire_len = kernel_mtu;
 	} else {
 		onwire_len = (dst_link->last_good_mtu + dst_link->last_bad_mtu) / 2;
 	}
 
 	pthread_mutex_unlock(&knet_h->pmtud_mutex);
 
 	goto restart;
 }
 
 static int _handle_check_pmtud(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_link *dst_link, int force_run)
 {
 	uint8_t saved_valid_pmtud;
 	unsigned int saved_pmtud;
 	struct timespec clock_now;
 	unsigned long long diff_pmtud, interval;
 
 	if (clock_gettime(CLOCK_MONOTONIC, &clock_now) != 0) {
 		log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get monotonic clock");
 		return 0;
 	}
 
 	if (!force_run) {
 		interval = knet_h->pmtud_interval * 1000000000llu; /* nanoseconds */
 
 		timespec_diff(dst_link->pmtud_last, clock_now, &diff_pmtud);
 
 		if (diff_pmtud < interval) {
 			return dst_link->has_valid_mtu;
 		}
 	}
 
 	/*
 	 * status.proto_overhead should include all IP/(UDP|SCTP)/knet headers
 	 *
 	 * please note that it is not the same as link->proto_overhead that
 	 * includes only either UDP or SCTP (at the moment) overhead.
 	 */
 	switch (dst_link->dst_addr.ss_family) {
 		case AF_INET6:
 			dst_link->status.proto_overhead = KNET_PMTUD_OVERHEAD_V6 + dst_link->proto_overhead + KNET_HEADER_ALL_SIZE + knet_h->sec_hash_size + knet_h->sec_salt_size;
 			break;
 		case AF_INET:
 			dst_link->status.proto_overhead = KNET_PMTUD_OVERHEAD_V4 + dst_link->proto_overhead + KNET_HEADER_ALL_SIZE + knet_h->sec_hash_size + knet_h->sec_salt_size;
 			break;
 	}
 
 	saved_pmtud = dst_link->status.mtu;
 	saved_valid_pmtud = dst_link->has_valid_mtu;
 
 	log_debug(knet_h, KNET_SUB_PMTUD, "Starting PMTUD for host: %u link: %u", dst_host->host_id, dst_link->link_id);
 
 	errno = 0;
 	if (_handle_check_link_pmtud(knet_h, dst_host, dst_link) < 0) {
 		if (errno == EDEADLK) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD for host: %u link: %u has been rescheduled", dst_host->host_id, dst_link->link_id);
 			dst_link->status.mtu = saved_pmtud;
 			dst_link->has_valid_mtu = saved_valid_pmtud;
 			errno = EDEADLK;
 			return dst_link->has_valid_mtu;
 		}
 		dst_link->has_valid_mtu = 0;
 	} else {
 		if (dst_link->status.mtu < calc_min_mtu(knet_h)) {
 			log_info(knet_h, KNET_SUB_PMTUD,
 				 "Invalid MTU detected for host: %u link: %u mtu: %u",
 				 dst_host->host_id, dst_link->link_id, dst_link->status.mtu);
 			dst_link->has_valid_mtu = 0;
 		} else {
 			dst_link->has_valid_mtu = 1;
 		}
 		if (dst_link->has_valid_mtu) {
 			if ((saved_pmtud) && (saved_pmtud != dst_link->status.mtu)) {
 				log_info(knet_h, KNET_SUB_PMTUD, "PMTUD link change for host: %u link: %u from %u to %u",
 					 dst_host->host_id, dst_link->link_id, saved_pmtud, dst_link->status.mtu);
 			}
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUD completed for host: %u link: %u current link mtu: %u",
 				  dst_host->host_id, dst_link->link_id, dst_link->status.mtu);
 
 			/*
 			 * set pmtud_last, if we can, after we are done with the PMTUd process
 			 * because it can take a very long time.
 			 */
 			dst_link->pmtud_last = clock_now;
 			if (!clock_gettime(CLOCK_MONOTONIC, &clock_now)) {
 				dst_link->pmtud_last = clock_now;
 			}
 		}
 	}
 
 	if (saved_valid_pmtud != dst_link->has_valid_mtu) {
 		_host_dstcache_update_async(knet_h, dst_host);
 	}
 
 	return dst_link->has_valid_mtu;
 }
 
 void *_handle_pmtud_link_thread(void *data)
 {
 	knet_handle_t knet_h = (knet_handle_t) data;
 	struct knet_host *dst_host;
 	struct knet_link *dst_link;
 	int link_idx;
 	unsigned int have_mtu;
 	unsigned int lower_mtu;
 	int link_has_mtu;
 	int force_run = 0;
 
 	set_thread_status(knet_h, KNET_THREAD_PMTUD, KNET_THREAD_STARTED);
 
 	knet_h->data_mtu = calc_min_mtu(knet_h);
 
 	/* preparing pmtu buffer */
 	knet_h->pmtudbuf->kh_version = KNET_HEADER_VERSION;
 	knet_h->pmtudbuf->kh_type = KNET_HEADER_TYPE_PMTUD;
 	knet_h->pmtudbuf->kh_node = htons(knet_h->host_id);
 
 	while (!shutdown_in_progress(knet_h)) {
 		usleep(KNET_THREADS_TIMERES);
 
 		if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 			continue;
 		}
 		knet_h->pmtud_abort = 0;
 		knet_h->pmtud_running = 1;
 		force_run = knet_h->pmtud_forcerun;
 		knet_h->pmtud_forcerun = 0;
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 
 		if (force_run) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "PMTUd request to rerun has been received");
 		}
 
 		if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get read lock");
 			continue;
 		}
 
 		lower_mtu = KNET_PMTUD_SIZE_V4;
 		have_mtu = 0;
 
 		for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 			for (link_idx = 0; link_idx < KNET_MAX_LINK; link_idx++) {
 				dst_link = &dst_host->link[link_idx];
 
 				if ((dst_link->status.enabled != 1) ||
 				    (dst_link->status.connected != 1) ||
 				    (dst_host->link[link_idx].transport == KNET_TRANSPORT_LOOPBACK) ||
 				    (!dst_link->last_ping_size) ||
 				    ((dst_link->dynamic == KNET_LINK_DYNIP) &&
 				     (dst_link->status.dynconnected != 1)))
 					continue;
 
 				if (!knet_h->manual_mtu) {
 					link_has_mtu = _handle_check_pmtud(knet_h, dst_host, dst_link, force_run);
 					if (errno == EDEADLK) {
 						goto out_unlock;
 					}
 					if (link_has_mtu) {
 						have_mtu = 1;
 						if (dst_link->status.mtu < lower_mtu) {
 							lower_mtu = dst_link->status.mtu;
 						}
 					}
 				} else {
 					link_has_mtu = _calculate_manual_mtu(knet_h, dst_link);
 					if (link_has_mtu) {
 						have_mtu = 1;
 						if (dst_link->status.mtu < lower_mtu) {
 							lower_mtu = dst_link->status.mtu;
 						}
 					}
 				}
 			}
 		}
 
 		if (have_mtu) {
 			if (knet_h->data_mtu != lower_mtu) {
 				knet_h->data_mtu = lower_mtu;
 				log_info(knet_h, KNET_SUB_PMTUD, "Global data MTU changed to: %u", knet_h->data_mtu);
 
 				if (knet_h->pmtud_notify_fn) {
 					knet_h->pmtud_notify_fn(knet_h->pmtud_notify_fn_private_data,
 								knet_h->data_mtu);
 				}
 			}
 		}
 out_unlock:
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 		if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 			log_debug(knet_h, KNET_SUB_PMTUD, "Unable to get mutex lock");
 		} else {
 			knet_h->pmtud_running = 0;
 			pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		}
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_PMTUD, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
index 880174c1..bff7dbad 100644
--- a/libknet/threads_rx.c
+++ b/libknet/threads_rx.c
@@ -1,984 +1,1001 @@
 /*
  * Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
 #include <sys/uio.h>
 #include <pthread.h>
 
 #include "compat.h"
 #include "compress.h"
 #include "crypto.h"
 #include "host.h"
 #include "links.h"
 #include "links_acl.h"
 #include "logging.h"
 #include "transports.h"
 #include "transport_common.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 #include "threads_rx.h"
 #include "netutils.h"
 
 /*
  * RECV
  */
 
 /*
  *  return 1 if a > b
  *  return -1 if b > a
  *  return 0 if they are equal
  */
 static inline int timecmp(struct timespec a, struct timespec b)
 {
 	if (a.tv_sec != b.tv_sec) {
 		if (a.tv_sec > b.tv_sec) {
 			return 1;
 		} else {
 			return -1;
 		}
 	} else {
 		if (a.tv_nsec > b.tv_nsec) {
 			return 1;
 		} else if (a.tv_nsec < b.tv_nsec) {
 			return -1;
 		} else {
 			return 0;
 		}
 	}
 }
 
 /*
  * this functions needs to return an index (0 to 7)
  * to a knet_host_defrag_buf. (-1 on errors)
  */
 
 static int find_pckt_defrag_buf(knet_handle_t knet_h, struct knet_header *inbuf)
 {
 	struct knet_host *src_host = knet_h->host_index[inbuf->kh_node];
 	int i, oldest;
 
 	/*
 	 * check if there is a buffer already in use handling the same seq_num
 	 */
 	for (i = 0; i < KNET_MAX_LINK; i++) {
 		if (src_host->defrag_buf[i].in_use) {
 			if (src_host->defrag_buf[i].pckt_seq == inbuf->khp_data_seq_num) {
 				return i;
 			}
 		}
 	}
 
 	/*
 	 * If there is no buffer that's handling the current seq_num
 	 * either it's new or it's been reclaimed already.
 	 * check if it's been reclaimed/seen before using the defrag circular
 	 * buffer. If the pckt has been seen before, the buffer expired (ETIME)
 	 * and there is no point to try to defrag it again.
 	 */
 	if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 1, 0)) {
 		errno = ETIME;
 		return -1;
 	}
 
 	/*
 	 * register the pckt as seen
 	 */
 	_seq_num_set(src_host, inbuf->khp_data_seq_num, 1);
 
 	/*
 	 * see if there is a free buffer
 	 */
 	for (i = 0; i < KNET_MAX_LINK; i++) {
 		if (!src_host->defrag_buf[i].in_use) {
 			return i;
 		}
 	}
 
 	/*
 	 * at this point, there are no free buffers, the pckt is new
 	 * and we need to reclaim a buffer, and we will take the one
 	 * with the oldest timestamp. It's as good as any.
 	 */
 
 	oldest = 0;
 
 	for (i = 0; i < KNET_MAX_LINK; i++) {
 		if (timecmp(src_host->defrag_buf[i].last_update, src_host->defrag_buf[oldest].last_update) < 0) {
 			oldest = i;
 		}
 	}
 	src_host->defrag_buf[oldest].in_use = 0;
 	return oldest;
 }
 
 static int pckt_defrag(knet_handle_t knet_h, struct knet_header *inbuf, ssize_t *len)
 {
 	struct knet_host_defrag_buf *defrag_buf;
 	int defrag_buf_idx;
 
 	defrag_buf_idx = find_pckt_defrag_buf(knet_h, inbuf);
 	if (defrag_buf_idx < 0) {
 		return 1;
 	}
 
 	defrag_buf = &knet_h->host_index[inbuf->kh_node]->defrag_buf[defrag_buf_idx];
 
 	/*
 	 * if the buf is not is use, then make sure it's clean
 	 */
 	if (!defrag_buf->in_use) {
 		memset(defrag_buf, 0, sizeof(struct knet_host_defrag_buf));
 		defrag_buf->in_use = 1;
 		defrag_buf->pckt_seq = inbuf->khp_data_seq_num;
 	}
 
 	/*
 	 * update timestamp on the buffer
 	 */
 	clock_gettime(CLOCK_MONOTONIC, &defrag_buf->last_update);
 
 	/*
 	 * check if we already received this fragment
 	 */
 	if (defrag_buf->frag_map[inbuf->khp_data_frag_seq]) {
 		/*
 		 * if we have received this fragment and we didn't clear the buffer
 		 * it means that we don't have all fragments yet
 		 */
 		return 1;
 	}
 
 	/*
 	 *  we need to handle the last packet with gloves due to its different size
 	 */
 
 	if (inbuf->khp_data_frag_seq == inbuf->khp_data_frag_num) {
 		defrag_buf->last_frag_size = *len;
 
 		/*
 		 * in the event when the last packet arrives first,
 		 * we still don't know the offset vs the other fragments (based on MTU),
 		 * so we store the fragment at the end of the buffer where it's safe
 		 * and take a copy of the len so that we can restore its offset later.
 		 * remember we can't use the local MTU for this calculation because pMTU
 		 * can be asymettric between the same hosts.
 		 */
 		if (!defrag_buf->frag_size) {
 			defrag_buf->last_first = 1;
 			memmove(defrag_buf->buf + (KNET_MAX_PACKET_SIZE - *len),
 			       inbuf->khp_data_userdata,
 			       *len);
 		}
 	} else {
 		defrag_buf->frag_size = *len;
 	}
 
 	if (defrag_buf->frag_size) {
 		memmove(defrag_buf->buf + ((inbuf->khp_data_frag_seq - 1) * defrag_buf->frag_size),
 		       inbuf->khp_data_userdata, *len);
 	}
 
 	defrag_buf->frag_recv++;
 	defrag_buf->frag_map[inbuf->khp_data_frag_seq] = 1;
 
 	/*
 	 * check if we received all the fragments
 	 */
 	if (defrag_buf->frag_recv == inbuf->khp_data_frag_num) {
 		/*
 		 * special case the last pckt
 		 */
 
 		if (defrag_buf->last_first) {
 			memmove(defrag_buf->buf + ((inbuf->khp_data_frag_num - 1) * defrag_buf->frag_size),
 			        defrag_buf->buf + (KNET_MAX_PACKET_SIZE - defrag_buf->last_frag_size),
 				defrag_buf->last_frag_size);
 		}
 
 		/*
 		 * recalculate packet lenght
 		 */
 
 		*len = ((inbuf->khp_data_frag_num - 1) * defrag_buf->frag_size) + defrag_buf->last_frag_size;
 
 		/*
 		 * copy the pckt back in the user data
 		 */
 		memmove(inbuf->khp_data_userdata, defrag_buf->buf, *len);
 
 		/*
 		 * free this buffer
 		 */
 		defrag_buf->in_use = 0;
 		return 0;
 	}
 
 	return 1;
 }
 
 static void _parse_recv_from_links(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
 {
 	int err = 0, savederrno = 0, stats_err = 0;
 	ssize_t outlen;
 	struct knet_host *src_host;
 	struct knet_link *src_link;
 	unsigned long long latency_last;
 	knet_node_id_t dst_host_ids[KNET_MAX_HOST];
 	size_t dst_host_ids_entries = 0;
 	int bcast = 1;
 	uint64_t decrypt_time = 0;
 	struct timespec recvtime;
 	struct knet_header *inbuf = msg->msg_hdr.msg_iov->iov_base;
 	unsigned char *outbuf = (unsigned char *)msg->msg_hdr.msg_iov->iov_base;
 	ssize_t len = msg->msg_len;
 	struct knet_hostinfo *knet_hostinfo;
 	struct iovec iov_out[1];
 	int8_t channel;
 	struct sockaddr_storage pckt_src;
 	seq_num_t recv_seq_num;
 	int wipe_bufs = 0;
+	int try_decrypt = 0, decrypted = 0, i;
 
-	if (knet_h->crypto_instance) {
+	for (i = 1; i <= KNET_MAX_CRYPTO_INSTANCES; i++) {
+		if (knet_h->crypto_instance[i]) {
+			try_decrypt = 1;
+			break;
+		}
+	}
+
+	if ((!try_decrypt) && (knet_h->crypto_only == KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC)) {
+		log_debug(knet_h, KNET_SUB_RX, "RX thread configured to accept only crypto packets, but no crypto configs are configured!");
+		return;
+	}
+
+	if (try_decrypt) {
 		struct timespec start_time;
 		struct timespec end_time;
 
-
 		clock_gettime(CLOCK_MONOTONIC, &start_time);
 		if (crypto_authenticate_and_decrypt(knet_h,
 						    (unsigned char *)inbuf,
 						    len,
 						    knet_h->recv_from_links_buf_decrypt,
 						    &outlen) < 0) {
 			log_debug(knet_h, KNET_SUB_RX, "Unable to decrypt/auth packet");
-			return;
-		}
-		clock_gettime(CLOCK_MONOTONIC, &end_time);
-		timespec_diff(start_time, end_time, &decrypt_time);
+			if (knet_h->crypto_only == KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC) {
+				return;
+			}
+			log_debug(knet_h, KNET_SUB_RX, "Attempting to process packet as clear data");
+		} else {
+			clock_gettime(CLOCK_MONOTONIC, &end_time);
+			timespec_diff(start_time, end_time, &decrypt_time);
 
-		len = outlen;
-		inbuf = (struct knet_header *)knet_h->recv_from_links_buf_decrypt;
+			len = outlen;
+			inbuf = (struct knet_header *)knet_h->recv_from_links_buf_decrypt;
+			decrypted = 1;
+		}
 	}
 
 	if (len < (ssize_t)(KNET_HEADER_SIZE + 1)) {
 		log_debug(knet_h, KNET_SUB_RX, "Packet is too short: %ld", (long)len);
 		return;
 	}
 
 	if (inbuf->kh_version != KNET_HEADER_VERSION) {
 		log_debug(knet_h, KNET_SUB_RX, "Packet version does not match");
 		return;
 	}
 
 	inbuf->kh_node = ntohs(inbuf->kh_node);
 	src_host = knet_h->host_index[inbuf->kh_node];
 	if (src_host == NULL) {  /* host not found */
 		log_debug(knet_h, KNET_SUB_RX, "Unable to find source host for this packet");
 		return;
 	}
 
 	src_link = src_host->link +
 		(inbuf->khp_ping_link % KNET_MAX_LINK);
 	if ((inbuf->kh_type & KNET_HEADER_TYPE_PMSK) != 0) {
 		if (src_link->dynamic == KNET_LINK_DYNIP) {
 			/*
 			 * cpyaddrport will only copy address and port of the incoming
 			 * packet and strip extra bits such as flow and scopeid
 			 */
 			cpyaddrport(&pckt_src, msg->msg_hdr.msg_name);
 
 			if (cmpaddr(&src_link->dst_addr, sockaddr_len(&src_link->dst_addr),
 				    &pckt_src, sockaddr_len(&pckt_src)) != 0) {
 				log_debug(knet_h, KNET_SUB_RX, "host: %u link: %u appears to have changed ip address",
 					  src_host->host_id, src_link->link_id);
 				memmove(&src_link->dst_addr, &pckt_src, sizeof(struct sockaddr_storage));
 				if (knet_addrtostr(&src_link->dst_addr, sockaddr_len(msg->msg_hdr.msg_name),
 						src_link->status.dst_ipaddr, KNET_MAX_HOST_LEN,
 						src_link->status.dst_port, KNET_MAX_PORT_LEN) != 0) {
 					log_debug(knet_h, KNET_SUB_RX, "Unable to resolve ???");
 					snprintf(src_link->status.dst_ipaddr, KNET_MAX_HOST_LEN - 1, "Unknown!!!");
 					snprintf(src_link->status.dst_port, KNET_MAX_PORT_LEN - 1, "??");
 				} else {
 					log_info(knet_h, KNET_SUB_RX,
 						 "host: %u link: %u new connection established from: %s %s",
 						 src_host->host_id, src_link->link_id,
 						 src_link->status.dst_ipaddr, src_link->status.dst_port);
 				}
 			}
 			/*
 			 * transport has already accepted the connection here
 			 * otherwise we would not be receiving packets
 			 */
 			transport_link_dyn_connect(knet_h, sockfd, src_link);
 		}
 	}
 
 	stats_err = pthread_mutex_lock(&src_link->link_stats_mutex);
 	if (stats_err) {
 		log_err(knet_h, KNET_SUB_RX, "Unable to get stats mutex lock for host %u link %u: %s",
 			src_host->host_id, src_link->link_id, strerror(savederrno));
 		return;
 	}
 
 	switch (inbuf->kh_type) {
 	case KNET_HEADER_TYPE_HOST_INFO:
 	case KNET_HEADER_TYPE_DATA:
 		if (!src_host->status.reachable) {
 			pthread_mutex_unlock(&src_link->link_stats_mutex);
 			log_debug(knet_h, KNET_SUB_RX, "Source host %u not reachable yet. Discarding packet.", src_host->host_id);
 			return;
 		}
 		inbuf->khp_data_seq_num = ntohs(inbuf->khp_data_seq_num);
 		channel = inbuf->khp_data_channel;
 		src_host->got_data = 1;
 
 		src_link->status.stats.rx_data_packets++;
 		src_link->status.stats.rx_data_bytes += len;
 
 		if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 0, 0)) {
 			pthread_mutex_unlock(&src_link->link_stats_mutex);
 			if (src_host->link_handler_policy != KNET_LINK_POLICY_ACTIVE) {
 				log_debug(knet_h, KNET_SUB_RX, "Packet has already been delivered");
 			}
 			return;
 		}
 
 		if (inbuf->khp_data_frag_num > 1) {
 			/*
 			 * len as received from the socket also includes extra stuff
 			 * that the defrag code doesn't care about. So strip it
 			 * here and readd only for repadding once we are done
 			 * defragging
 			 */
 			len = len - KNET_HEADER_DATA_SIZE;
 			if (pckt_defrag(knet_h, inbuf, &len)) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				return;
 			}
 			len = len + KNET_HEADER_DATA_SIZE;
 		}
 
 		if (inbuf->khp_data_compress) {
 			ssize_t decmp_outlen = KNET_DATABUFSIZE_COMPRESS;
 			struct timespec start_time;
 			struct timespec end_time;
 			uint64_t compress_time;
 
 			clock_gettime(CLOCK_MONOTONIC, &start_time);
 			err = decompress(knet_h, inbuf->khp_data_compress,
 					 (const unsigned char *)inbuf->khp_data_userdata,
 					 len - KNET_HEADER_DATA_SIZE,
 					 knet_h->recv_from_links_buf_decompress,
 					 &decmp_outlen);
 
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				return;
 			}
 
 			clock_gettime(CLOCK_MONOTONIC, &end_time);
 			timespec_diff(start_time, end_time, &compress_time);
 
 			if (!err) {
 				/* Collect stats */
 				if (compress_time < knet_h->stats.rx_compress_time_min) {
 					knet_h->stats.rx_compress_time_min = compress_time;
 				}
 				if (compress_time > knet_h->stats.rx_compress_time_max) {
 					knet_h->stats.rx_compress_time_max = compress_time;
 				}
 				knet_h->stats.rx_compress_time_ave =
 					(knet_h->stats.rx_compress_time_ave * knet_h->stats.rx_compressed_packets +
 					 compress_time) / (knet_h->stats.rx_compressed_packets+1);
 
 				knet_h->stats.rx_compressed_packets++;
 				knet_h->stats.rx_compressed_original_bytes += decmp_outlen;
 				knet_h->stats.rx_compressed_size_bytes += len - KNET_HEADER_SIZE;
 
 				memmove(inbuf->khp_data_userdata, knet_h->recv_from_links_buf_decompress, decmp_outlen);
 				len = decmp_outlen + KNET_HEADER_DATA_SIZE;
 			} else {
 				pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_warn(knet_h, KNET_SUB_COMPRESS, "Unable to decompress packet (%d): %s",
 					 err, strerror(errno));
 				return;
 			}
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		if (inbuf->kh_type == KNET_HEADER_TYPE_DATA) {
-			if (knet_h->crypto_instance) {
+			if (decrypted) {
 				stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 				if (stats_err < 0) {
 					pthread_mutex_unlock(&src_link->link_stats_mutex);
 					log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 					return;
 				}
 				/* Only update the crypto overhead for data packets. Mainly to be
 				   consistent with TX */
 				if (decrypt_time < knet_h->stats.rx_crypt_time_min) {
 					knet_h->stats.rx_crypt_time_min = decrypt_time;
 				}
 				if (decrypt_time > knet_h->stats.rx_crypt_time_max) {
 					knet_h->stats.rx_crypt_time_max = decrypt_time;
 				}
 				knet_h->stats.rx_crypt_time_ave =
 					(knet_h->stats.rx_crypt_time_ave * knet_h->stats.rx_crypt_packets +
 					 decrypt_time) / (knet_h->stats.rx_crypt_packets+1);
 				knet_h->stats.rx_crypt_packets++;
 				pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 			}
 
 			if (knet_h->enabled != 1) /* data forward is disabled */
 				break;
 
 			if (knet_h->dst_host_filter_fn) {
 				size_t host_idx;
 				int found = 0;
 
 				bcast = knet_h->dst_host_filter_fn(
 						knet_h->dst_host_filter_fn_private_data,
 						(const unsigned char *)inbuf->khp_data_userdata,
 						len - KNET_HEADER_DATA_SIZE,
 						KNET_NOTIFY_RX,
 						knet_h->host_id,
 						inbuf->kh_node,
 						&channel,
 						dst_host_ids,
 						&dst_host_ids_entries);
 				if (bcast < 0) {
 					pthread_mutex_unlock(&src_link->link_stats_mutex);
 					log_debug(knet_h, KNET_SUB_RX, "Error from dst_host_filter_fn: %d", bcast);
 					return;
 				}
 
 				if ((!bcast) && (!dst_host_ids_entries)) {
 					pthread_mutex_unlock(&src_link->link_stats_mutex);
 					log_debug(knet_h, KNET_SUB_RX, "Message is unicast but no dst_host_ids_entries");
 					return;
 				}
 
 				/* check if we are dst for this packet */
 				if (!bcast) {
 					if (dst_host_ids_entries > KNET_MAX_HOST) {
 						pthread_mutex_unlock(&src_link->link_stats_mutex);
 						log_debug(knet_h, KNET_SUB_RX, "dst_host_filter_fn returned too many destinations");
 						return;
 					}
 					for (host_idx = 0; host_idx < dst_host_ids_entries; host_idx++) {
 						if (dst_host_ids[host_idx] == knet_h->host_id) {
 							found = 1;
 							break;
 						}
 					}
 					if (!found) {
 						pthread_mutex_unlock(&src_link->link_stats_mutex);
 						log_debug(knet_h, KNET_SUB_RX, "Packet is not for us");
 						return;
 					}
 				}
 			}
 		}
 
 		if (inbuf->kh_type == KNET_HEADER_TYPE_DATA) {
 			if (!knet_h->sockfd[channel].in_use) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				log_debug(knet_h, KNET_SUB_RX,
 					  "received packet for channel %d but there is no local sock connected",
 					  channel);
 				return;
 			}
 
 			outlen = 0;
 			memset(iov_out, 0, sizeof(iov_out));
 
 retry:
 			iov_out[0].iov_base = (void *) inbuf->khp_data_userdata + outlen;
 			iov_out[0].iov_len = len - (outlen + KNET_HEADER_DATA_SIZE);
 
 			outlen = writev(knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], iov_out, 1);
 			if ((outlen > 0) && (outlen < (ssize_t)iov_out[0].iov_len)) {
 				log_debug(knet_h, KNET_SUB_RX,
 					  "Unable to send all data to the application in one go. Expected: %zu Sent: %zd\n",
 					  iov_out[0].iov_len, outlen);
 				goto retry;
 			}
 
 			if (outlen <= 0) {
 				knet_h->sock_notify_fn(knet_h->sock_notify_fn_private_data,
 						       knet_h->sockfd[channel].sockfd[0],
 						       channel,
 						       KNET_NOTIFY_RX,
 						       outlen,
 						       errno);
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				return;
 			}
 			if ((size_t)outlen == iov_out[0].iov_len) {
 				_seq_num_set(src_host, inbuf->khp_data_seq_num, 0);
 			}
 		} else { /* HOSTINFO */
 			knet_hostinfo = (struct knet_hostinfo *)inbuf->khp_data_userdata;
 			if (knet_hostinfo->khi_bcast == KNET_HOSTINFO_UCAST) {
 				knet_hostinfo->khi_dst_node_id = ntohs(knet_hostinfo->khi_dst_node_id);
 			}
 			if (!_seq_num_lookup(src_host, inbuf->khp_data_seq_num, 0, 0)) {
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 				return;
 			}
 			_seq_num_set(src_host, inbuf->khp_data_seq_num, 0);
 			switch(knet_hostinfo->khi_type) {
 				case KNET_HOSTINFO_TYPE_LINK_UP_DOWN:
 					break;
 				case KNET_HOSTINFO_TYPE_LINK_TABLE:
 					break;
 				default:
 					log_warn(knet_h, KNET_SUB_RX, "Receiving unknown host info message from host %u", src_host->host_id);
 					break;
 			}
 		}
 		break;
 	case KNET_HEADER_TYPE_PING:
 		outlen = KNET_HEADER_PING_SIZE;
 		inbuf->kh_type = KNET_HEADER_TYPE_PONG;
 		inbuf->kh_node = htons(knet_h->host_id);
 		recv_seq_num = ntohs(inbuf->khp_ping_seq_num);
 		src_link->status.stats.rx_ping_packets++;
 		src_link->status.stats.rx_ping_bytes += len;
 
 		wipe_bufs = 0;
 
 		if (!inbuf->khp_ping_timed) {
 			/*
 			 * we might be receiving this message from all links, but we want
 			 * to process it only the first time
 			 */
 			if (recv_seq_num != src_host->untimed_rx_seq_num) {
 				/*
 				 * cache the untimed seq num
 				 */
 				src_host->untimed_rx_seq_num = recv_seq_num;
 				/*
 				 * if the host has received data in between
 				 * untimed ping, then we don't need to wipe the bufs
 				 */
 				if (src_host->got_data) {
 					src_host->got_data = 0;
 					wipe_bufs = 0;
 				} else {
 					wipe_bufs = 1;
 				}
 			}
 			_seq_num_lookup(src_host, recv_seq_num, 0, wipe_bufs);
 		} else {
 			/*
 			 * pings always arrives in bursts over all the link
 			 * catch the first of them to cache the seq num and
 			 * avoid duplicate processing
 			 */
 			if (recv_seq_num != src_host->timed_rx_seq_num) {
 				src_host->timed_rx_seq_num = recv_seq_num;
 
 				if (recv_seq_num == 0) {
 					_seq_num_lookup(src_host, recv_seq_num, 0, 1);
 				}
 			}
 		}
 
-		if (knet_h->crypto_instance) {
+		if (knet_h->crypto_in_use_config) {
 			if (crypto_encrypt_and_sign(knet_h,
 						    (const unsigned char *)inbuf,
 						    outlen,
 						    knet_h->recv_from_links_buf_crypt,
 						    &outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_RX, "Unable to encrypt pong packet");
 				break;
 			}
 			outbuf = knet_h->recv_from_links_buf_crypt;
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				break;
 			}
 			knet_h->stats_extra.tx_crypt_pong_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 retry_pong:
 		if (src_link->transport_connected) {
 			if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
 					     (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
 			} else {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 			}
 			savederrno = errno;
 			if (len != outlen) {
 				err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
 				switch(err) {
 					case -1: /* unrecoverable error */
 						log_debug(knet_h, KNET_SUB_RX,
 							  "Unable to send pong reply (sock: %d) packet (sendto): %d %s. recorded src ip: %s src port: %s dst ip: %s dst port: %s",
 							  src_link->outsock, errno, strerror(errno),
 							  src_link->status.src_ipaddr, src_link->status.src_port,
 							  src_link->status.dst_ipaddr, src_link->status.dst_port);
 						src_link->status.stats.tx_pong_errors++;
 						break;
 					case 0: /* ignore error and continue */
 						break;
 					case 1: /* retry to send those same data */
 						src_link->status.stats.tx_pong_retries++;
 						goto retry_pong;
 						break;
 				}
 			}
 			src_link->status.stats.tx_pong_packets++;
 			src_link->status.stats.tx_pong_bytes += outlen;
 		}
 		break;
 	case KNET_HEADER_TYPE_PONG:
 		src_link->status.stats.rx_pong_packets++;
 		src_link->status.stats.rx_pong_bytes += len;
 		clock_gettime(CLOCK_MONOTONIC, &src_link->status.pong_last);
 
 		memmove(&recvtime, &inbuf->khp_ping_time[0], sizeof(struct timespec));
 		timespec_diff(recvtime,
 				src_link->status.pong_last, &latency_last);
 
 		if ((latency_last / 1000llu) > src_link->pong_timeout) {
 			log_debug(knet_h, KNET_SUB_RX,
 				  "Incoming pong packet from host: %u link: %u has higher latency than pong_timeout. Discarding",
 				  src_host->host_id, src_link->link_id);
 		} else {
 
 			/*
 			 * in words : ('previous mean' * '(count -1)') + 'new value') / 'count'
 			 */
 
 			src_link->latency_cur_samples++;
 
 			/*
 			 * limit to max_samples (precision)
 			 */
 			if (src_link->latency_cur_samples >= src_link->latency_max_samples) {
 				src_link->latency_cur_samples = src_link->latency_max_samples;
 			}
 			src_link->status.latency =
 				(((src_link->status.latency * (src_link->latency_cur_samples - 1)) + (latency_last / 1000llu)) / src_link->latency_cur_samples);
 
 			if (src_link->status.latency < src_link->pong_timeout_adj) {
 				if (!src_link->status.connected) {
 					if (src_link->received_pong >= src_link->pong_count) {
 						log_info(knet_h, KNET_SUB_RX, "host: %u link: %u is up",
 							 src_host->host_id, src_link->link_id);
 						_link_updown(knet_h, src_host->host_id, src_link->link_id, src_link->status.enabled, 1, 0);
 					} else {
 						src_link->received_pong++;
 						log_debug(knet_h, KNET_SUB_RX, "host: %u link: %u received pong: %u",
 							  src_host->host_id, src_link->link_id, src_link->received_pong);
 					}
 				}
 			}
 			/* Calculate latency stats */
 			if (src_link->status.latency > src_link->status.stats.latency_max) {
 				src_link->status.stats.latency_max = src_link->status.latency;
 			}
 			if (src_link->status.latency < src_link->status.stats.latency_min) {
 				src_link->status.stats.latency_min = src_link->status.latency;
 			}
 
 			/*
 			 * those 2 lines below make all latency average calculations consistent and capped to
 			 * link precision. In future we will kill the one above to keep only this one in
 			 * the stats structure, but for now we leave it around to avoid API/ABI
 			 * breakage as we backport the fixes to stable
 			 */
 			src_link->status.stats.latency_ave = src_link->status.latency;
 			src_link->status.stats.latency_samples = src_link->latency_cur_samples;
 		}
 		break;
 	case KNET_HEADER_TYPE_PMTUD:
 		src_link->status.stats.rx_pmtu_packets++;
 		src_link->status.stats.rx_pmtu_bytes += len;
 		outlen = KNET_HEADER_PMTUD_SIZE;
 		inbuf->kh_type = KNET_HEADER_TYPE_PMTUD_REPLY;
 		inbuf->kh_node = htons(knet_h->host_id);
 
-		if (knet_h->crypto_instance) {
+		if (knet_h->crypto_in_use_config) {
 			if (crypto_encrypt_and_sign(knet_h,
 						    (const unsigned char *)inbuf,
 						    outlen,
 						    knet_h->recv_from_links_buf_crypt,
 						    &outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_RX, "Unable to encrypt PMTUd reply packet");
 				break;
 			}
 			outbuf = knet_h->recv_from_links_buf_crypt;
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 				break;
 			}
 			knet_h->stats_extra.tx_crypt_pmtu_reply_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 		}
 
 		/* Unlock so we don't deadlock with tx_mutex */
 		pthread_mutex_unlock(&src_link->link_stats_mutex);
 
 		savederrno = pthread_mutex_lock(&knet_h->tx_mutex);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_RX, "Unable to get TX mutex lock: %s", strerror(savederrno));
 			goto out_pmtud;
 		}
 retry_pmtud:
 		if (src_link->transport_connected) {
 			if (transport_get_connection_oriented(knet_h, src_link->transport) == TRANSPORT_PROTO_NOT_CONNECTION_ORIENTED) {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL,
 					     (struct sockaddr *) &src_link->dst_addr, sizeof(struct sockaddr_storage));
 			} else {
 				len = sendto(src_link->outsock, outbuf, outlen, MSG_DONTWAIT | MSG_NOSIGNAL, NULL, 0);
 			}
 			savederrno = errno;
 			if (len != outlen) {
 				err = transport_tx_sock_error(knet_h, src_link->transport, src_link->outsock, len, savederrno);
 				stats_err = pthread_mutex_lock(&src_link->link_stats_mutex);
 				if (stats_err < 0) {
 					log_err(knet_h, KNET_SUB_RX, "Unable to get mutex lock: %s", strerror(stats_err));
 					break;
 				}
 				switch(err) {
 					case -1: /* unrecoverable error */
 						log_debug(knet_h, KNET_SUB_RX,
 							  "Unable to send PMTUd reply (sock: %d) packet (sendto): %d %s. recorded src ip: %s src port: %s dst ip: %s dst port: %s",
 							  src_link->outsock, errno, strerror(errno),
 							  src_link->status.src_ipaddr, src_link->status.src_port,
 							  src_link->status.dst_ipaddr, src_link->status.dst_port);
 
 						src_link->status.stats.tx_pmtu_errors++;
 						break;
 					case 0: /* ignore error and continue */
 						src_link->status.stats.tx_pmtu_errors++;
 						break;
 					case 1: /* retry to send those same data */
 						src_link->status.stats.tx_pmtu_retries++;
 						pthread_mutex_unlock(&src_link->link_stats_mutex);
 						goto retry_pmtud;
 						break;
 				}
 				pthread_mutex_unlock(&src_link->link_stats_mutex);
 			}
 		}
 		pthread_mutex_unlock(&knet_h->tx_mutex);
 out_pmtud:
 		return; /* Don't need to unlock link_stats_mutex */
 	case KNET_HEADER_TYPE_PMTUD_REPLY:
 		src_link->status.stats.rx_pmtu_packets++;
 		src_link->status.stats.rx_pmtu_bytes += len;
 
 		/* pmtud_mutex can't be acquired while we hold a link_stats_mutex (ordering) */
 		pthread_mutex_unlock(&src_link->link_stats_mutex);
 
 		if (pthread_mutex_lock(&knet_h->pmtud_mutex) != 0) {
 			log_debug(knet_h, KNET_SUB_RX, "Unable to get mutex lock");
 			break;
 		}
 		src_link->last_recv_mtu = inbuf->khp_pmtud_size;
 		pthread_cond_signal(&knet_h->pmtud_cond);
 		pthread_mutex_unlock(&knet_h->pmtud_mutex);
 		return;
 	default:
 		pthread_mutex_unlock(&src_link->link_stats_mutex);
 		return;
 	}
 	pthread_mutex_unlock(&src_link->link_stats_mutex);
 }
 
 static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
 {
 	int err, savederrno;
 	int i, msg_recv, transport;
 
 	if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 		log_debug(knet_h, KNET_SUB_RX, "Unable to get global read lock");
 		return;
 	}
 
 	if (_is_valid_fd(knet_h, sockfd) < 1) {
 		/*
 		 * this is normal if a fd got an event and before we grab the read lock
 		 * and the link is removed by another thread
 		 */
 		goto exit_unlock;
 	}
 
 	transport = knet_h->knet_transport_fd_tracker[sockfd].transport;
 
 	/*
 	 * reset msg_namelen to buffer size because after recvmmsg
 	 * each msg_namelen will contain sizeof sockaddr_in or sockaddr_in6
 	 */
 
 	for (i = 0; i < PCKT_RX_BUFS; i++) {
 		msg[i].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage);
 	}
 
 	msg_recv = _recvmmsg(sockfd, &msg[0], PCKT_RX_BUFS, MSG_DONTWAIT | MSG_NOSIGNAL);
 	savederrno = errno;
 
 	/*
 	 * WARNING: man page for recvmmsg is wrong. Kernel implementation here:
 	 * recvmmsg can return:
 	 * -1 on error
 	 *  0 if the previous run of recvmmsg recorded an error on the socket
 	 *  N number of messages (see exception below).
 	 *
 	 * If there is an error from recvmsg after receiving a frame or more, the recvmmsg
 	 * loop is interrupted, error recorded in the socket (getsockopt(SO_ERROR) and
 	 * it will be visibile in the next run.
 	 *
 	 * Need to be careful how we handle errors at this stage.
 	 *
 	 * error messages need to be handled on a per transport/protocol base
 	 * at this point we have different layers of error handling
 	 * - msg_recv < 0 -> error from this run
 	 *   msg_recv = 0 -> error from previous run and error on socket needs to be cleared
 	 * - per-transport message data
 	 *   example: msg[i].msg_hdr.msg_flags & MSG_NOTIFICATION or msg_len for SCTP == EOF,
 	 *            but for UDP it is perfectly legal to receive a 0 bytes message.. go figure
 	 * - NOTE: on SCTP MSG_NOTIFICATION we get msg_recv == PCKT_FRAG_MAX messages and no
 	 *         errno set. That means the error api needs to be able to abort the loop below.
 	 */
 
 	if (msg_recv <= 0) {
 		transport_rx_sock_error(knet_h, transport, sockfd, msg_recv, savederrno);
 		goto exit_unlock;
 	}
 
 	for (i = 0; i < msg_recv; i++) {
 		err = transport_rx_is_data(knet_h, transport, sockfd, &msg[i]);
 
 		/*
 		 * TODO: make this section silent once we are confident
 		 *       all protocols packet handlers are good
 		 */
 
 		switch(err) {
 			case KNET_TRANSPORT_RX_ERROR: /* on error */
 				log_debug(knet_h, KNET_SUB_RX, "Transport reported error parsing packet");
 				goto exit_unlock;
 				break;
 			case KNET_TRANSPORT_RX_NOT_DATA_CONTINUE: /* packet is not data and we should continue the packet process loop */
 				log_debug(knet_h, KNET_SUB_RX, "Transport reported no data, continue");
 				break;
 			case KNET_TRANSPORT_RX_NOT_DATA_STOP: /* packet is not data and we should STOP the packet process loop */
 				log_debug(knet_h, KNET_SUB_RX, "Transport reported no data, stop");
 				goto exit_unlock;
 				break;
 			case KNET_TRANSPORT_RX_IS_DATA: /* packet is data and should be parsed as such */
 				/*
 				 * processing incoming packets vs access lists
 				 */
 				if ((knet_h->use_access_lists) &&
 				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
 					if (!check_validate(knet_h, sockfd, transport, msg[i].msg_hdr.msg_name)) {
 						char src_ipaddr[KNET_MAX_HOST_LEN];
 						char src_port[KNET_MAX_PORT_LEN];
 
 						memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
 						memset(src_port, 0, KNET_MAX_PORT_LEN);
 						if (knet_addrtostr(msg[i].msg_hdr.msg_name, sockaddr_len(msg[i].msg_hdr.msg_name),
 								   src_ipaddr, KNET_MAX_HOST_LEN,
 								   src_port, KNET_MAX_PORT_LEN) < 0) {
 
 							log_debug(knet_h, KNET_SUB_RX, "Packet rejected: unable to resolve host/port");
 						} else {
 							log_debug(knet_h, KNET_SUB_RX, "Packet rejected from %s/%s", src_ipaddr, src_port);
 						}
 						/*
 						 * continue processing the other packets
 						 */
 						continue;
 					}
 				}
 				_parse_recv_from_links(knet_h, sockfd, &msg[i]);
 				break;
 			case KNET_TRANSPORT_RX_OOB_DATA_CONTINUE:
 				log_debug(knet_h, KNET_SUB_RX, "Transport is processing sock OOB data, continue");
 				break;
 			case KNET_TRANSPORT_RX_OOB_DATA_STOP:
 				log_debug(knet_h, KNET_SUB_RX, "Transport has completed processing sock OOB data, stop");
 				goto exit_unlock;
 				break;
 		}
 	}
 
 exit_unlock:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 }
 
 void *_handle_recv_from_links_thread(void *data)
 {
 	int i, nev;
 	knet_handle_t knet_h = (knet_handle_t) data;
 	struct epoll_event events[KNET_EPOLL_MAX_EVENTS];
 	struct sockaddr_storage address[PCKT_RX_BUFS];
 	struct knet_mmsghdr msg[PCKT_RX_BUFS];
 	struct iovec iov_in[PCKT_RX_BUFS];
 
 	set_thread_status(knet_h, KNET_THREAD_RX, KNET_THREAD_STARTED);
 
 	memset(&msg, 0, sizeof(msg));
 
 	for (i = 0; i < PCKT_RX_BUFS; i++) {
 		iov_in[i].iov_base = (void *)knet_h->recv_from_links_buf[i];
 		iov_in[i].iov_len = KNET_DATABUFSIZE;
 
 		memset(&msg[i].msg_hdr, 0, sizeof(struct msghdr));
 
 		msg[i].msg_hdr.msg_name = &address[i];
 		msg[i].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage);
 		msg[i].msg_hdr.msg_iov = &iov_in[i];
 		msg[i].msg_hdr.msg_iovlen = 1;
 	}
 
 	while (!shutdown_in_progress(knet_h)) {
 		nev = epoll_wait(knet_h->recv_from_links_epollfd, events, KNET_EPOLL_MAX_EVENTS, KNET_THREADS_TIMERES / 1000);
 
 		/*
 		 * the RX threads only need to notify that there has been at least
 		 * one successful run after queue flush has been requested.
 		 * See setfwd in handle.c
 		 */
 		if (get_thread_flush_queue(knet_h, KNET_THREAD_RX) == KNET_THREAD_QUEUE_FLUSH) {
 			set_thread_flush_queue(knet_h, KNET_THREAD_RX, KNET_THREAD_QUEUE_FLUSHED);
 		}
 
 		/*
 		 * we use timeout to detect if thread is shutting down
 		 */
 		if (nev == 0) {
 			continue;
 		}
 
 		for (i = 0; i < nev; i++) {
 			_handle_recv_from_links(knet_h, events[i].data.fd, msg);
 		}
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_RX, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
diff --git a/libknet/threads_tx.c b/libknet/threads_tx.c
index d5539a1e..be5fb6b2 100644
--- a/libknet/threads_tx.c
+++ b/libknet/threads_tx.c
@@ -1,837 +1,837 @@
 /*
  * Copyright (C) 2012-2020 Red Hat, Inc.  All rights reserved.
  *
  * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *          Federico Simoncelli <fsimon@kronosnet.org>
  *
  * This software licensed under LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <math.h>
 #include <string.h>
 #include <pthread.h>
 #include <unistd.h>
 #include <sys/uio.h>
 #include <errno.h>
 
 #include "compat.h"
 #include "compress.h"
 #include "crypto.h"
 #include "host.h"
 #include "link.h"
 #include "logging.h"
 #include "transports.h"
 #include "transport_common.h"
 #include "threads_common.h"
 #include "threads_heartbeat.h"
 #include "threads_tx.h"
 #include "netutils.h"
 
 /*
  * SEND
  */
 
 static int _dispatch_to_links(knet_handle_t knet_h, struct knet_host *dst_host, struct knet_mmsghdr *msg, int msgs_to_send)
 {
 	int link_idx, msg_idx, sent_msgs, prev_sent, progress;
 	int err = 0, savederrno = 0, locked = 0;
 	unsigned int i;
 	struct knet_mmsghdr *cur;
 	struct knet_link *cur_link;
 
 	for (link_idx = 0; link_idx < dst_host->active_link_entries; link_idx++) {
 		prev_sent = 0;
 		progress = 1;
 		locked = 0;
 
 		cur_link = &dst_host->link[dst_host->active_links[link_idx]];
 
 		if (cur_link->transport == KNET_TRANSPORT_LOOPBACK) {
 			continue;
 		}
 
 		savederrno = pthread_mutex_lock(&cur_link->link_stats_mutex);
 		if (savederrno) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to get stats mutex lock for host %u link %u: %s",
 				dst_host->host_id, cur_link->link_id, strerror(savederrno));
 			continue;
 		}
 		locked = 1;
 
 		msg_idx = 0;
 		while (msg_idx < msgs_to_send) {
 			msg[msg_idx].msg_hdr.msg_name = &cur_link->dst_addr;
 
 			/* Cast for Linux/BSD compatibility */
 			for (i=0; i<(unsigned int)msg[msg_idx].msg_hdr.msg_iovlen; i++) {
 				cur_link->status.stats.tx_data_bytes += msg[msg_idx].msg_hdr.msg_iov[i].iov_len;
 			}
 			cur_link->status.stats.tx_data_packets++;
 			msg_idx++;
 		}
 
 retry:
 		cur = &msg[prev_sent];
 
 		sent_msgs = _sendmmsg(dst_host->link[dst_host->active_links[link_idx]].outsock,
 				      transport_get_connection_oriented(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport),
 				      &cur[0], msgs_to_send - prev_sent, MSG_DONTWAIT | MSG_NOSIGNAL);
 		savederrno = errno;
 
 		err = transport_tx_sock_error(knet_h, dst_host->link[dst_host->active_links[link_idx]].transport, dst_host->link[dst_host->active_links[link_idx]].outsock, sent_msgs, savederrno);
 		switch(err) {
 			case -1: /* unrecoverable error */
 				cur_link->status.stats.tx_data_errors++;
 				goto out_unlock;
 				break;
 			case 0: /* ignore error and continue */
 				break;
 			case 1: /* retry to send those same data */
 				cur_link->status.stats.tx_data_retries++;
 				goto retry;
 				break;
 		}
 
 		prev_sent = prev_sent + sent_msgs;
 
 		if ((sent_msgs >= 0) && (prev_sent < msgs_to_send)) {
 			if ((sent_msgs) || (progress)) {
 				if (sent_msgs) {
 					progress = 1;
 				} else {
 					progress = 0;
 				}
 #ifdef DEBUG
 				log_debug(knet_h, KNET_SUB_TX, "Unable to send all (%d/%d) data packets to host %s (%u) link %s:%s (%u)",
 					  sent_msgs, msg_idx,
 					  dst_host->name, dst_host->host_id,
 					  dst_host->link[dst_host->active_links[link_idx]].status.dst_ipaddr,
 					  dst_host->link[dst_host->active_links[link_idx]].status.dst_port,
 					  dst_host->link[dst_host->active_links[link_idx]].link_id);
 #endif
 				goto retry;
 			}
 			if (!progress) {
 				savederrno = EAGAIN;
 				err = -1;
 				goto out_unlock;
 			}
 		}
 
 		if ((dst_host->link_handler_policy == KNET_LINK_POLICY_RR) &&
 		    (dst_host->active_link_entries > 1)) {
 			uint8_t cur_link_id = dst_host->active_links[0];
 
 			memmove(&dst_host->active_links[0], &dst_host->active_links[1], KNET_MAX_LINK - 1);
 			dst_host->active_links[dst_host->active_link_entries - 1] = cur_link_id;
 
 			break;
 		}
 		pthread_mutex_unlock(&cur_link->link_stats_mutex);
 		locked = 0;
 	}
 
 out_unlock:
 	if (locked) {
 		pthread_mutex_unlock(&cur_link->link_stats_mutex);
 	}
 	errno = savederrno;
 	return err;
 }
 
 static int _parse_recv_from_sock(knet_handle_t knet_h, size_t inlen, int8_t channel, int is_sync)
 {
 	size_t outlen, frag_len;
 	struct knet_host *dst_host;
 	knet_node_id_t dst_host_ids_temp[KNET_MAX_HOST];
 	size_t dst_host_ids_entries_temp = 0;
 	knet_node_id_t dst_host_ids[KNET_MAX_HOST];
 	size_t dst_host_ids_entries = 0;
 	int bcast = 1;
 	struct knet_hostinfo *knet_hostinfo;
 	struct iovec iov_out[PCKT_FRAG_MAX][2];
 	int iovcnt_out = 2;
 	uint8_t frag_idx;
 	unsigned int temp_data_mtu;
 	size_t host_idx;
 	int send_mcast = 0;
 	struct knet_header *inbuf;
 	int savederrno = 0;
 	int err = 0;
 	seq_num_t tx_seq_num;
 	struct knet_mmsghdr msg[PCKT_FRAG_MAX];
 	int msgs_to_send, msg_idx;
 	unsigned int i;
 	int j;
 	int send_local = 0;
 	int data_compressed = 0;
 	size_t uncrypted_frag_size;
 	int stats_locked = 0, stats_err = 0;
 
 	inbuf = knet_h->recv_from_sock_buf;
 
 	if ((knet_h->enabled != 1) &&
 	    (inbuf->kh_type != KNET_HEADER_TYPE_HOST_INFO)) { /* data forward is disabled */
 		log_debug(knet_h, KNET_SUB_TX, "Received data packet but forwarding is disabled");
 		savederrno = ECANCELED;
 		err = -1;
 		goto out_unlock;
 	}
 
 	/*
 	 * move this into a separate function to expand on
 	 * extra switching rules
 	 */
 	switch(inbuf->kh_type) {
 		case KNET_HEADER_TYPE_DATA:
 			if (knet_h->dst_host_filter_fn) {
 				bcast = knet_h->dst_host_filter_fn(
 						knet_h->dst_host_filter_fn_private_data,
 						(const unsigned char *)inbuf->khp_data_userdata,
 						inlen,
 						KNET_NOTIFY_TX,
 						knet_h->host_id,
 						knet_h->host_id,
 						&channel,
 						dst_host_ids_temp,
 						&dst_host_ids_entries_temp);
 				if (bcast < 0) {
 					log_debug(knet_h, KNET_SUB_TX, "Error from dst_host_filter_fn: %d", bcast);
 					savederrno = EFAULT;
 					err = -1;
 					goto out_unlock;
 				}
 
 				if ((!bcast) && (!dst_host_ids_entries_temp)) {
 					log_debug(knet_h, KNET_SUB_TX, "Message is unicast but no dst_host_ids_entries");
 					savederrno = EINVAL;
 					err = -1;
 					goto out_unlock;
 				}
 
 				if ((!bcast) &&
 				    (dst_host_ids_entries_temp > KNET_MAX_HOST)) {
 					log_debug(knet_h, KNET_SUB_TX, "dst_host_filter_fn returned too many destinations");
 					savederrno = EINVAL;
 					err = -1;
 					goto out_unlock;
 				}
 			}
 
 			/* Send to localhost if appropriate and enabled */
 			if (knet_h->has_loop_link) {
 				send_local = 0;
 				if (bcast) {
 					send_local = 1;
 				} else {
 					for (i=0; i< dst_host_ids_entries_temp; i++) {
 						if (dst_host_ids_temp[i] == knet_h->host_id) {
 							send_local = 1;
 						}
 					}
 				}
 				if (send_local) {
 					const unsigned char *buf = inbuf->khp_data_userdata;
 					ssize_t buflen = inlen;
 					struct knet_link *local_link;
 
 					local_link = knet_h->host_index[knet_h->host_id]->link;
 
 				local_retry:
 					err = write(knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], buf, buflen);
 					if (err < 0) {
 						log_err(knet_h, KNET_SUB_TRANSP_LOOPBACK, "send local failed. error=%s\n", strerror(errno));
 						local_link->status.stats.tx_data_errors++;
 					}
 					if (err > 0 && err < buflen) {
 						log_debug(knet_h, KNET_SUB_TRANSP_LOOPBACK, "send local incomplete=%d bytes of %zu\n", err, inlen);
 						local_link->status.stats.tx_data_retries++;
 						buf += err;
 						buflen -= err;
 						goto local_retry;
 					}
 					if (err == buflen) {
 						local_link->status.stats.tx_data_packets++;
 						local_link->status.stats.tx_data_bytes += inlen;
 					}
 				}
 			}
 			break;
 		case KNET_HEADER_TYPE_HOST_INFO:
 			knet_hostinfo = (struct knet_hostinfo *)inbuf->khp_data_userdata;
 			if (knet_hostinfo->khi_bcast == KNET_HOSTINFO_UCAST) {
 				bcast = 0;
 				dst_host_ids_temp[0] = knet_hostinfo->khi_dst_node_id;
 				dst_host_ids_entries_temp = 1;
 				knet_hostinfo->khi_dst_node_id = htons(knet_hostinfo->khi_dst_node_id);
 			}
 			break;
 		default:
 			log_warn(knet_h, KNET_SUB_TX, "Receiving unknown messages from socket");
 			savederrno = ENOMSG;
 			err = -1;
 			goto out_unlock;
 			break;
 	}
 
 	if (is_sync) {
 		if ((bcast) ||
 		    ((!bcast) && (dst_host_ids_entries_temp > 1))) {
 			log_debug(knet_h, KNET_SUB_TX, "knet_send_sync is only supported with unicast packets for one destination");
 			savederrno = E2BIG;
 			err = -1;
 			goto out_unlock;
 		}
 	}
 
 	/*
 	 * check destinations hosts before spending time
 	 * in fragmenting/encrypting packets to save
 	 * time processing data for unreachable hosts.
 	 * for unicast, also remap the destination data
 	 * to skip unreachable hosts.
 	 */
 
 	if (!bcast) {
 		dst_host_ids_entries = 0;
 		for (host_idx = 0; host_idx < dst_host_ids_entries_temp; host_idx++) {
 			dst_host = knet_h->host_index[dst_host_ids_temp[host_idx]];
 			if (!dst_host) {
 				continue;
 			}
 			if (!(dst_host->host_id == knet_h->host_id &&
 			     knet_h->has_loop_link) &&
 			    dst_host->status.reachable) {
 				dst_host_ids[dst_host_ids_entries] = dst_host_ids_temp[host_idx];
 				dst_host_ids_entries++;
 			}
 		}
 		if (!dst_host_ids_entries) {
 			savederrno = EHOSTDOWN;
 			err = -1;
 			goto out_unlock;
 		}
 	} else {
 		send_mcast = 0;
 		for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 			if (!(dst_host->host_id == knet_h->host_id &&
 			      knet_h->has_loop_link) &&
 			    dst_host->status.reachable) {
 				send_mcast = 1;
 				break;
 			}
 		}
 		if (!send_mcast) {
 			savederrno = EHOSTDOWN;
 			err = -1;
 			goto out_unlock;
 		}
 	}
 
 	if (!knet_h->data_mtu) {
 		/*
 		 * using MIN_MTU_V4 for data mtu is not completely accurate but safe enough
 		 */
 		log_debug(knet_h, KNET_SUB_TX,
 			  "Received data packet but data MTU is still unknown."
 			  " Packet might not be delivered."
 			  " Assuming minimum IPv4 MTU (%d)",
 			  KNET_PMTUD_MIN_MTU_V4);
 		temp_data_mtu = KNET_PMTUD_MIN_MTU_V4;
 	} else {
 		/*
 		 * take a copy of the mtu to avoid value changing under
 		 * our feet while we are sending a fragmented pckt
 		 */
 		temp_data_mtu = knet_h->data_mtu;
 	}
 
 	/*
 	 * compress data
 	 */
 	if ((knet_h->compress_model > 0) && (inlen > knet_h->compress_threshold)) {
 		size_t cmp_outlen = KNET_DATABUFSIZE_COMPRESS;
 		struct timespec start_time;
 		struct timespec end_time;
 		uint64_t compress_time;
 
 		clock_gettime(CLOCK_MONOTONIC, &start_time);
 		err = compress(knet_h,
 			       (const unsigned char *)inbuf->khp_data_userdata, inlen,
 			       knet_h->send_to_links_buf_compress, (ssize_t *)&cmp_outlen);
 
 		savederrno = errno;
 
 		stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 		if (stats_err < 0) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to get mutex lock: %s", strerror(stats_err));
 			err = -1;
 			savederrno = stats_err;
 			goto out_unlock;
 		}
 		stats_locked = 1;
 		/* Collect stats */
 		clock_gettime(CLOCK_MONOTONIC, &end_time);
 		timespec_diff(start_time, end_time, &compress_time);
 
 		if (compress_time < knet_h->stats.tx_compress_time_min) {
 			knet_h->stats.tx_compress_time_min = compress_time;
 		}
 		if (compress_time > knet_h->stats.tx_compress_time_max) {
 			knet_h->stats.tx_compress_time_max = compress_time;
 		}
 		knet_h->stats.tx_compress_time_ave =
 			(unsigned long long)(knet_h->stats.tx_compress_time_ave * knet_h->stats.tx_compressed_packets +
 			 compress_time) / (knet_h->stats.tx_compressed_packets+1);
 		if (err < 0) {
 			log_warn(knet_h, KNET_SUB_COMPRESS, "Compression failed (%d): %s", err, strerror(savederrno));
 		} else {
 			knet_h->stats.tx_compressed_packets++;
 			knet_h->stats.tx_compressed_original_bytes += inlen;
 			knet_h->stats.tx_compressed_size_bytes += cmp_outlen;
 
 			if (cmp_outlen < inlen) {
 				memmove(inbuf->khp_data_userdata, knet_h->send_to_links_buf_compress, cmp_outlen);
 				inlen = cmp_outlen;
 				data_compressed = 1;
 			}
 		}
 	}
 	if (!stats_locked) {
 		stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 		if (stats_err < 0) {
 			log_err(knet_h, KNET_SUB_TX, "Unable to get mutex lock: %s", strerror(stats_err));
 			err = -1;
 			savederrno = stats_err;
 			goto out_unlock;
 		}
 	}
 	if (knet_h->compress_model > 0 && !data_compressed) {
 		knet_h->stats.tx_uncompressed_packets++;
 	}
 	pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 	stats_locked = 0;
 
 	/*
 	 * prepare the outgoing buffers
 	 */
 
 	frag_len = inlen;
 	frag_idx = 0;
 
 	inbuf->khp_data_bcast = bcast;
 	inbuf->khp_data_frag_num = ceil((float)inlen / temp_data_mtu);
 	inbuf->khp_data_channel = channel;
 	if (data_compressed) {
 		inbuf->khp_data_compress = knet_h->compress_model;
 	} else {
 		inbuf->khp_data_compress = 0;
 	}
 
 	if (pthread_mutex_lock(&knet_h->tx_seq_num_mutex)) {
 		log_debug(knet_h, KNET_SUB_TX, "Unable to get seq mutex lock");
 		goto out_unlock;
 	}
 	knet_h->tx_seq_num++;
 	/*
 	 * force seq_num 0 to detect a node that has crashed and rejoining
 	 * the knet instance. seq_num 0 will clear the buffers in the RX
 	 * thread
 	 */
 	if (knet_h->tx_seq_num == 0) {
 		knet_h->tx_seq_num++;
 	}
 	/*
 	 * cache the value in locked context
 	 */
 	tx_seq_num = knet_h->tx_seq_num;
 	inbuf->khp_data_seq_num = htons(knet_h->tx_seq_num);
 	pthread_mutex_unlock(&knet_h->tx_seq_num_mutex);
 
 	/*
 	 * forcefully broadcast a ping to all nodes every SEQ_MAX / 8
 	 * pckts.
 	 * this solves 2 problems:
 	 * 1) on TX socket overloads we generate extra pings to keep links alive
 	 * 2) in 3+ nodes setup, where all the traffic is flowing between node 1 and 2,
 	 *    node 3+ will be able to keep in sync on the TX seq_num even without
 	 *    receiving traffic or pings in betweens. This avoids issues with
 	 *    rollover of the circular buffer
 	 */
 
 	if (tx_seq_num % (SEQ_MAX / 8) == 0) {
 		_send_pings(knet_h, 0);
 	}
 
 	if (inbuf->khp_data_frag_num > 1) {
 		while (frag_idx < inbuf->khp_data_frag_num) {
 			/*
 			 * set the iov_base
 			 */
 			iov_out[frag_idx][0].iov_base = (void *)knet_h->send_to_links_buf[frag_idx];
 			iov_out[frag_idx][0].iov_len = KNET_HEADER_DATA_SIZE;
 			iov_out[frag_idx][1].iov_base = inbuf->khp_data_userdata + (temp_data_mtu * frag_idx);
 
 			/*
 			 * set the len
 			 */
 			if (frag_len > temp_data_mtu) {
 				iov_out[frag_idx][1].iov_len = temp_data_mtu;
 			} else {
 				iov_out[frag_idx][1].iov_len = frag_len;
 			}
 
 			/*
 			 * copy the frag info on all buffers
 			 */
 			knet_h->send_to_links_buf[frag_idx]->kh_type = inbuf->kh_type;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_seq_num = inbuf->khp_data_seq_num;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_frag_num = inbuf->khp_data_frag_num;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_bcast = inbuf->khp_data_bcast;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_channel = inbuf->khp_data_channel;
 			knet_h->send_to_links_buf[frag_idx]->khp_data_compress = inbuf->khp_data_compress;
 
 			frag_len = frag_len - temp_data_mtu;
 			frag_idx++;
 		}
 		iovcnt_out = 2;
 	} else {
 		iov_out[frag_idx][0].iov_base = (void *)inbuf;
 		iov_out[frag_idx][0].iov_len = frag_len + KNET_HEADER_DATA_SIZE;
 		iovcnt_out = 1;
 	}
 
-	if (knet_h->crypto_instance) {
+	if (knet_h->crypto_in_use_config) {
 		struct timespec start_time;
 		struct timespec end_time;
 		uint64_t crypt_time;
 
 		frag_idx = 0;
 		while (frag_idx < inbuf->khp_data_frag_num) {
 			clock_gettime(CLOCK_MONOTONIC, &start_time);
 			if (crypto_encrypt_and_signv(
 					knet_h,
 					iov_out[frag_idx], iovcnt_out,
 					knet_h->send_to_links_buf_crypt[frag_idx],
 					(ssize_t *)&outlen) < 0) {
 				log_debug(knet_h, KNET_SUB_TX, "Unable to encrypt packet");
 				savederrno = ECHILD;
 				err = -1;
 				goto out_unlock;
 			}
 			clock_gettime(CLOCK_MONOTONIC, &end_time);
 			timespec_diff(start_time, end_time, &crypt_time);
 
 			stats_err = pthread_mutex_lock(&knet_h->handle_stats_mutex);
 			if (stats_err < 0) {
 				log_err(knet_h, KNET_SUB_TX, "Unable to get mutex lock: %s", strerror(stats_err));
 				err = -1;
 				savederrno = stats_err;
 				goto out_unlock;
 			}
 
 			if (crypt_time < knet_h->stats.tx_crypt_time_min) {
 				knet_h->stats.tx_crypt_time_min = crypt_time;
 			}
 			if (crypt_time > knet_h->stats.tx_crypt_time_max) {
 				knet_h->stats.tx_crypt_time_max = crypt_time;
 			}
 			knet_h->stats.tx_crypt_time_ave =
 				(knet_h->stats.tx_crypt_time_ave * knet_h->stats.tx_crypt_packets +
 				 crypt_time) / (knet_h->stats.tx_crypt_packets+1);
 
 			uncrypted_frag_size = 0;
 			for (j=0; j < iovcnt_out; j++) {
 				uncrypted_frag_size += iov_out[frag_idx][j].iov_len;
 			}
 			knet_h->stats.tx_crypt_byte_overhead += (outlen - uncrypted_frag_size);
 			knet_h->stats.tx_crypt_packets++;
 			pthread_mutex_unlock(&knet_h->handle_stats_mutex);
 
 			iov_out[frag_idx][0].iov_base = knet_h->send_to_links_buf_crypt[frag_idx];
 			iov_out[frag_idx][0].iov_len = outlen;
 			frag_idx++;
 		}
 		iovcnt_out = 1;
 	}
 
 	memset(&msg, 0, sizeof(msg));
 
 	msgs_to_send = inbuf->khp_data_frag_num;
 
 	msg_idx = 0;
 
 	while (msg_idx < msgs_to_send) {
 		msg[msg_idx].msg_hdr.msg_namelen = sizeof(struct sockaddr_storage);
 		msg[msg_idx].msg_hdr.msg_iov = &iov_out[msg_idx][0];
 		msg[msg_idx].msg_hdr.msg_iovlen = iovcnt_out;
 		msg_idx++;
 	}
 
 	if (!bcast) {
 		for (host_idx = 0; host_idx < dst_host_ids_entries; host_idx++) {
 			dst_host = knet_h->host_index[dst_host_ids[host_idx]];
 
 			err = _dispatch_to_links(knet_h, dst_host, &msg[0], msgs_to_send);
 			savederrno = errno;
 			if (err) {
 				goto out_unlock;
 			}
 		}
 	} else {
 		for (dst_host = knet_h->host_head; dst_host != NULL; dst_host = dst_host->next) {
 			if (dst_host->status.reachable) {
 				err = _dispatch_to_links(knet_h, dst_host, &msg[0], msgs_to_send);
 				savederrno = errno;
 				if (err) {
 					goto out_unlock;
 				}
 			}
 		}
 	}
 
 out_unlock:
 	errno = savederrno;
 	return err;
 }
 
 int knet_send_sync(knet_handle_t knet_h, const char *buff, const size_t buff_len, const int8_t channel)
 {
 	int savederrno = 0, err = 0;
 
 	if (!knet_h) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff == NULL) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len <= 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (buff_len > KNET_MAX_PACKET_SIZE) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel < 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	if (channel >= KNET_DATAFD_MAX) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_TX, "Unable to get read lock: %s",
 			strerror(savederrno));
 		errno = savederrno;
 		return -1;
 	}
 
 	if (!knet_h->sockfd[channel].in_use) {
 		savederrno = EINVAL;
 		err = -1;
 		goto out;
 	}
 
 	savederrno = pthread_mutex_lock(&knet_h->tx_mutex);
 	if (savederrno) {
 		log_err(knet_h, KNET_SUB_TX, "Unable to get TX mutex lock: %s",
 			strerror(savederrno));
 		err = -1;
 		goto out;
 	}
 
 	knet_h->recv_from_sock_buf->kh_type = KNET_HEADER_TYPE_DATA;
 	memmove(knet_h->recv_from_sock_buf->khp_data_userdata, buff, buff_len);
 	err = _parse_recv_from_sock(knet_h, buff_len, channel, 1);
 	savederrno = errno;
 
 	pthread_mutex_unlock(&knet_h->tx_mutex);
 
 out:
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
 	errno = err ? savederrno : 0;
 	return err;
 }
 
 static void _handle_send_to_links(knet_handle_t knet_h, struct msghdr *msg, int sockfd, int8_t channel, int type)
 {
 	ssize_t inlen = 0;
 	int savederrno = 0, docallback = 0;
 
 	if ((channel >= 0) &&
 	    (channel < KNET_DATAFD_MAX) &&
 	    (!knet_h->sockfd[channel].is_socket)) {
 		inlen = readv(sockfd, msg->msg_iov, 1);
 	} else {
 		inlen = recvmsg(sockfd, msg, MSG_DONTWAIT | MSG_NOSIGNAL);
 		if (msg->msg_flags & MSG_TRUNC) {
 			log_warn(knet_h, KNET_SUB_TX, "Received truncated message from sock %d. Discarding", sockfd);
 			return;
 		}
 	}
 
 	if (inlen == 0) {
 		savederrno = 0;
 		docallback = 1;
 	} else if (inlen < 0) {
 		struct epoll_event ev;
 
 		savederrno = errno;
 		docallback = 1;
 		memset(&ev, 0, sizeof(struct epoll_event));
 
 		if (channel != KNET_INTERNAL_DATA_CHANNEL) {
 			if (epoll_ctl(knet_h->send_to_links_epollfd,
 				      EPOLL_CTL_DEL, knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created], &ev)) {
 				log_err(knet_h, KNET_SUB_TX, "Unable to del datafd %d from linkfd epoll pool: %s",
 					knet_h->sockfd[channel].sockfd[0], strerror(savederrno));
 			} else {
 				knet_h->sockfd[channel].has_error = 1;
 			}
 		}
 		/*
 		 * TODO: add error handling for KNET_INTERNAL_DATA_CHANNEL
 		 *       once we add support for internal knet communication
 		 */
 	} else {
 		knet_h->recv_from_sock_buf->kh_type = type;
 		_parse_recv_from_sock(knet_h, inlen, channel, 0);
 	}
 
 	if ((docallback) && (channel != KNET_INTERNAL_DATA_CHANNEL)) {
 		knet_h->sock_notify_fn(knet_h->sock_notify_fn_private_data,
 				       knet_h->sockfd[channel].sockfd[0],
 				       channel,
 				       KNET_NOTIFY_TX,
 				       inlen,
 				       savederrno);
 	}
 }
 
 void *_handle_send_to_links_thread(void *data)
 {
 	knet_handle_t knet_h = (knet_handle_t) data;
 	struct epoll_event events[KNET_EPOLL_MAX_EVENTS];
 	int i, nev, type;
 	int flush, flush_queue_limit;
 	int8_t channel;
 	struct iovec iov_in;
 	struct msghdr msg;
 	struct sockaddr_storage address;
 
 	set_thread_status(knet_h, KNET_THREAD_TX, KNET_THREAD_STARTED);
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (void *)knet_h->recv_from_sock_buf->khp_data_userdata;
 	iov_in.iov_len = KNET_MAX_PACKET_SIZE;
 
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = &address;
 	msg.msg_namelen = sizeof(struct sockaddr_storage);
 	msg.msg_iov = &iov_in;
 	msg.msg_iovlen = 1;
 
 	knet_h->recv_from_sock_buf->kh_version = KNET_HEADER_VERSION;
 	knet_h->recv_from_sock_buf->khp_data_frag_seq = 0;
 	knet_h->recv_from_sock_buf->kh_node = htons(knet_h->host_id);
 
 	for (i = 0; i < PCKT_FRAG_MAX; i++) {
 		knet_h->send_to_links_buf[i]->kh_version = KNET_HEADER_VERSION;
 		knet_h->send_to_links_buf[i]->khp_data_frag_seq = i + 1;
 		knet_h->send_to_links_buf[i]->kh_node = htons(knet_h->host_id);
 	}
 
 	flush_queue_limit = 0;
 
 	while (!shutdown_in_progress(knet_h)) {
 		nev = epoll_wait(knet_h->send_to_links_epollfd, events, KNET_EPOLL_MAX_EVENTS + 1, KNET_THREADS_TIMERES / 1000);
 
 		flush = get_thread_flush_queue(knet_h, KNET_THREAD_TX);
 
 		/*
 		 * we use timeout to detect if thread is shutting down
 		 */
 		if (nev == 0) {
 			/*
 			 * ideally we want to communicate that we are done flushing
 			 * the queue when we have an epoll timeout event
 			 */
 			if (flush == KNET_THREAD_QUEUE_FLUSH) {
 				set_thread_flush_queue(knet_h, KNET_THREAD_TX, KNET_THREAD_QUEUE_FLUSHED);
 				flush_queue_limit = 0;
 			}
 			continue;
 		}
 
 		/*
 		 * fall back in case the TX sockets will continue receive traffic
 		 * and we do not hit an epoll timeout.
 		 *
 		 * allow up to a 100 loops to flush queues, then we give up.
 		 * there might be more clean ways to do it by checking the buffer queue
 		 * on each socket, but we have tons of sockets and calculations can go wrong.
 		 * Also, why would you disable data forwarding and still send packets?
 		 */
 		if (flush == KNET_THREAD_QUEUE_FLUSH) {
 			if (flush_queue_limit >= 100) {
 				log_debug(knet_h, KNET_SUB_TX, "Timeout flushing the TX queue, expect packet loss");
 				set_thread_flush_queue(knet_h, KNET_THREAD_TX, KNET_THREAD_QUEUE_FLUSHED);
 				flush_queue_limit = 0;
 			} else {
 				flush_queue_limit++;
 			}
 		} else {
 			flush_queue_limit = 0;
 		}
 
 		if (pthread_rwlock_rdlock(&knet_h->global_rwlock) != 0) {
 			log_debug(knet_h, KNET_SUB_TX, "Unable to get read lock");
 			continue;
 		}
 
 		for (i = 0; i < nev; i++) {
 			if (events[i].data.fd == knet_h->hostsockfd[0]) {
 				type = KNET_HEADER_TYPE_HOST_INFO;
 				channel = KNET_INTERNAL_DATA_CHANNEL;
 			} else {
 				type = KNET_HEADER_TYPE_DATA;
 				for (channel = 0; channel < KNET_DATAFD_MAX; channel++) {
 					if ((knet_h->sockfd[channel].in_use) &&
 					    (knet_h->sockfd[channel].sockfd[knet_h->sockfd[channel].is_created] == events[i].data.fd)) {
 						break;
 					}
 				}
 				if (channel >= KNET_DATAFD_MAX) {
 					log_debug(knet_h, KNET_SUB_TX, "No available channels");
 					continue; /* channel not found */
 				}
 			}
 			if (pthread_mutex_lock(&knet_h->tx_mutex) != 0) {
 				log_debug(knet_h, KNET_SUB_TX, "Unable to get mutex lock");
 				continue;
 			}
 			_handle_send_to_links(knet_h, &msg, events[i].data.fd, channel, type);
 			pthread_mutex_unlock(&knet_h->tx_mutex);
 		}
 
 		pthread_rwlock_unlock(&knet_h->global_rwlock);
 	}
 
 	set_thread_status(knet_h, KNET_THREAD_TX, KNET_THREAD_STOPPED);
 
 	return NULL;
 }
diff --git a/libnozzle/tests/api-test-coverage b/libnozzle/tests/api-test-coverage
index eaea7090..e6d762d7 100755
--- a/libnozzle/tests/api-test-coverage
+++ b/libnozzle/tests/api-test-coverage
@@ -1,93 +1,93 @@
 #!/bin/sh
 #
 # Copyright (C) 2016-2020 Red Hat, Inc.  All rights reserved.
 #
 # Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 srcdir="$1"/libnozzle/tests
 builddir="$2"/libnozzle/tests
 
 headerapicalls="$(grep nozzle_ "$srcdir"/../libnozzle.h | grep -v "^ \*" | grep -v ^struct | grep -v "^[[:space:]]" | grep -v typedef | sed -e 's/(.*//g' -e 's/^const //g' -e 's/\*//g' | awk '{print $2}')"
 
 # The PowerPC64 ELFv1 ABI defines the address of a function as that of a
 # function descriptor defined in .opd, a data (D) section.  Other ABIs
 # use the entry address of the function itself in the text (T) section.
-exportedapicalls="$(nm -B -D "$builddir"/../.libs/libnozzle.so | grep ' [DT] ' | awk '{print $3}')"
+exportedapicalls="$(nm -B -D "$builddir"/../.libs/libnozzle.so | grep ' [DT] ' | awk '{print $3}' | sed -e 's#@@LIBNOZZLE##g')"
 
 echo "Checking for exported symbols NOT available in header file"
 
 for i in $exportedapicalls; do
 	found=0
 	for x in $headerapicalls; do
 		if [ "$x" = "$i" ]; then
 			found=1
 			break;
 		fi
 	done
 	if [ "$found" = 0 ]; then
 		echo "Symbol $i not found in header file"
 		exit 1
 	fi
 done
 
 echo "Checking for symbols in header file NOT exported by binary lib"
 
 for i in $headerapicalls; do
 	found=0
 	for x in $exportedapicalls; do
 		if [ "$x" = "$i" ]; then
 			found=1
 			break;
 		fi
 	done
 	if [ "$found" = 0 ]; then
 		echo "Symbol $i not found in binary lib"
 		exit 1
 	fi
 done
 
 echo "Checking for tests with memcheck exceptions"
 
 for i in $(grep -l is_memcheck "$srcdir"/*.c | grep -v test-common); do
 	echo "WARNING: $(basename $i) - has memcheck exception enabled"
 done
 
 echo "Checking for tests with helgrind exceptions"
 
 for i in $(grep -l is_helgrind "$srcdir"/*.c | grep -v test-common); do
 	echo "WARNING: $(basename $i) has helgrind exception enabled"
 done
 
 echo "Checking for api test coverage"
 
 numapicalls=0
 found=0
 missing=0
 
 for i in $headerapicalls; do
 	[ "$i" = nozzle_reset_mtu ] && i=nozzle_set_mtu # tested together
 	[ "$i" = nozzle_reset_mac ] && i=nozzle_set_mac # tested together
 	numapicalls=$((numapicalls + 1))
 	if [ -f $srcdir/api_${i}.c ]; then
 		found=$((found + 1))
 	else
 		missing=$((missing + 1))
 		echo "MISSING: $i"
 	fi
 done
 
 echo "Summary"
 echo "-------"
 echo "Found   : $found"
 echo "Missing : $missing"
 echo "Total   : $numapicalls"
 which bc > /dev/null 2>&1 && {
 	coverage=$(echo "scale=3; $found / $numapicalls * 100" | bc -l)
 	echo "Coverage: $coverage%"
 }
 exit 0
 
 exit 0
diff --git a/man/Makefile.am b/man/Makefile.am
index f813b97d..5223f595 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,162 +1,165 @@
 #
 # Copyright (C) 2017-2020 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #          Federico Simoncelli <fsimon@kronosnet.org>
 #
 # This software licensed under GPL-2.0+
 #
 
 MAINTAINERCLEANFILES	= Makefile.in
 
 include $(top_srcdir)/build-aux/check.mk
 
 EXTRA_DIST	= \
 		  kronosnetd.8 knet-keygen.8 \
 		  api-to-man-page-coverage
 
 # Avoid Automake warnings about overriding these user variables.
 # Programs in this directory are used during the build only.
 AUTOMAKE_OPTIONS = -Wno-gnu
 EXEEXT=$(BUILD_EXEEXT)
 CC=$(CC_FOR_BUILD)
 CFLAGS=$(CFLAGS_FOR_BUILD)
 CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
 LDFLAGS=$(LDFLAGS_FOR_BUILD)
 
 if BUILD_MAN
 
 if BUILD_KRONOSNETD
 man8_MANS	= kronosnetd.8 knet-keygen.8
 endif
 
 if BUILD_DOXYXML
 noinst_PROGRAMS	= doxyxml
 
 doxyxml_SOURCES = doxyxml.c
 doxyxml_CFLAGS = $(AM_CFLAGS) $(libqb_BUILD_CFLAGS) $(libxml_BUILD_CFLAGS)
 doxyxml_LDADD = $(libqb_BUILD_LIBS) $(libxml_BUILD_LIBS)
 endif
 
 knet_man3_MANS = \
 		knet_addrtostr.3 \
 		knet_handle_add_datafd.3 \
 		knet_handle_clear_stats.3 \
 		knet_handle_compress.3 \
 		knet_handle_crypto.3 \
 		knet_handle_enable_filter.3 \
 		knet_handle_enable_pmtud_notify.3 \
 		knet_handle_enable_sock_notify.3 \
 		knet_handle_free.3 \
 		knet_handle_get_channel.3 \
 		knet_get_compress_list.3 \
 		knet_get_crypto_list.3 \
 		knet_handle_get_datafd.3 \
 		knet_handle_get_stats.3 \
 		knet_get_transport_id_by_name.3 \
 		knet_get_transport_list.3 \
 		knet_get_transport_name_by_id.3 \
 		knet_handle_get_transport_reconnect_interval.3 \
 		knet_handle_new.3 \
 		knet_handle_new_ex.3 \
 		knet_handle_pmtud_get.3 \
 		knet_handle_pmtud_set.3 \
 		knet_handle_pmtud_getfreq.3 \
 		knet_handle_pmtud_setfreq.3 \
 		knet_handle_remove_datafd.3 \
 		knet_handle_setfwd.3 \
 		knet_handle_set_transport_reconnect_interval.3 \
 		knet_host_add.3 \
 		knet_host_enable_status_change_notify.3 \
 		knet_host_get_host_list.3 \
 		knet_host_get_id_by_host_name.3 \
 		knet_host_get_name_by_host_id.3 \
 		knet_host_get_policy.3 \
 		knet_host_get_status.3 \
 		knet_host_remove.3 \
 		knet_host_set_name.3 \
 		knet_host_set_policy.3 \
 		knet_link_clear_config.3 \
 		knet_link_get_config.3 \
 		knet_link_get_enable.3 \
 		knet_link_get_link_list.3 \
 		knet_link_get_ping_timers.3 \
 		knet_link_get_pong_count.3 \
 		knet_link_get_priority.3 \
 		knet_link_get_status.3 \
 		knet_link_set_config.3 \
 		knet_link_set_enable.3 \
 		knet_link_set_ping_timers.3 \
 		knet_link_set_pong_count.3 \
 		knet_link_set_priority.3 \
 		knet_log_get_loglevel.3 \
 		knet_log_get_loglevel_id.3 \
 		knet_log_get_loglevel_name.3 \
 		knet_log_get_subsystem_id.3 \
 		knet_log_get_subsystem_name.3 \
 		knet_log_set_loglevel.3 \
 		knet_recv.3 \
 		knet_send.3 \
 		knet_send_sync.3 \
 		knet_strtoaddr.3 \
 		knet_handle_enable_access_lists.3 \
 		knet_link_add_acl.3 \
 		knet_link_insert_acl.3 \
 		knet_link_rm_acl.3 \
-		knet_link_clear_acl.3
+		knet_link_clear_acl.3 \
+		knet_handle_crypto_set_config.3 \
+		knet_handle_crypto_use_config.3 \
+		knet_handle_crypto_rx_clear_traffic.3
 
 if BUILD_LIBNOZZLE
 nozzle_man3_MANS = \
 		nozzle_add_ip.3 \
 		nozzle_close.3 \
 		nozzle_del_ip.3 \
 		nozzle_get_fd.3 \
 		nozzle_get_handle_by_name.3 \
 		nozzle_get_ips.3 \
 		nozzle_get_mac.3 \
 		nozzle_get_mtu.3 \
 		nozzle_get_name_by_handle.3 \
 		nozzle_open.3 \
 		nozzle_reset_mac.3 \
 		nozzle_reset_mtu.3 \
 		nozzle_run_updown.3 \
 		nozzle_set_down.3 \
 		nozzle_set_mac.3 \
 		nozzle_set_mtu.3 \
 		nozzle_set_up.3
 endif
 
 man3_MANS = $(knet_man3_MANS) $(nozzle_man3_MANS)
 
 $(MANS): doxyfile-knet.stamp doxyfile-nozzle.stamp
 
 doxyfile-knet.stamp: $(noinst_PROGRAMS) Doxyfile-knet $(top_srcdir)/libknet/libknet.h
 	$(DOXYGEN) Doxyfile-knet
 	$(DOXYGEN2MAN) -m -P -o $(builddir) -s 3 -p @PACKAGE_NAME@ -H "Kronosnet Programmer's Manual" \
 		$$($(UTC_DATE_AT)$(SOURCE_EPOCH) +"-D %F -Y %Y") -d $(builddir)/xml-knet/ libknet_8h.xml
 	touch doxyfile-knet.stamp
 
 doxyfile-nozzle.stamp: $(noinst_PROGRAMS) Doxyfile-nozzle $(top_srcdir)/libnozzle/libnozzle.h
 if BUILD_LIBNOZZLE
 	$(DOXYGEN) Doxyfile-nozzle
 	$(DOXYGEN2MAN) -m -P -o $(builddir) -s 3 -p @PACKAGE_NAME@ -H "Kronosnet Programmer's Manual" \
 		$$($(UTC_DATE_AT)$(SOURCE_EPOCH) +"-D %F -Y %Y") -d $(builddir)/xml-nozzle/ libnozzle_8h.xml
 endif
 	touch doxyfile-nozzle.stamp
 
 noinst_SCRIPTS	= api-to-man-page-coverage
 
 check-local: check-api-to-man-page-coverage-libknet check-api-to-man-page-coverage-libnozzle
 
 check-api-to-man-page-coverage-libnozzle:
 if BUILD_LIBNOZZLE
 	$(srcdir)/api-to-man-page-coverage $(top_srcdir) nozzle
 endif
 
 check-api-to-man-page-coverage-libknet:
 	$(srcdir)/api-to-man-page-coverage $(top_srcdir) knet
 
 endif
 
 clean-local:
 	rm -rf doxyxml doxyfile*.stamp xml* *.3
diff --git a/man/doxyxml.c b/man/doxyxml.c
index 343449c4..278c1883 100644
--- a/man/doxyxml.c
+++ b/man/doxyxml.c
@@ -1,937 +1,1155 @@
 /*
- * Copyright (C) 2018-2019 Red Hat, Inc.  All rights reserved.
+ * Copyright (C) 2018-2020 Red Hat, Inc.  All rights reserved.
  *
  * Author: Christine Caulfield <ccaulfie@redhat.com>
  *
  * This software licensed under GPL-2.0+
  */
 
 
 /*
  * NOTE: this code is very rough, it does the bare minimum to parse the
  * XML out from doxygen and is probably very fragile to changes in that XML
  * schema. It probably leaks memory all over the place too.
  *
- * In its favour, it *does* generate man pages and should only be run very ocasionally
+ * In its favour, it *does* generate nice man pages and should only be run very ocasionally
  */
 
 #define _DEFAULT_SOURCE
 #define _BSD_SOURCE
 #define _XOPEN_SOURCE
 #define _XOPEN_SOURCE_EXTENDED
 #include <stdlib.h>
 #include <sys/time.h>
+#include <sys/stat.h>
 #include <time.h>
 #include <stdio.h>
 #include <limits.h>
 #include <string.h>
 #include <getopt.h>
 #include <errno.h>
+#include <ctype.h>
 #include <libxml/tree.h>
 #include <qb/qblist.h>
 #include <qb/qbmap.h>
 
-#define XML_DIR "../man/xml-knet"
-#define XML_FILE "libknet_8h.xml"
-
 /*
  * This isn't a maximum size, it just defines how long a parameter
- * type can get before we decide it's not worth lining everything up to.
- * it's mainly to stop function pointer types (which can get VERY long because
+ * type can get before we decide it's not worth lining everything up.
+ * It's mainly to stop function pointer types (which can get VERY long because
  * of all *their* parameters) making everything else 'line-up' over separate lines
  */
 #define LINE_LENGTH 80
 
 static int print_ascii = 1;
 static int print_man = 0;
 static int print_params = 0;
+static int print_general = 0;
 static int num_functions = 0;
+static int quiet=0;
 static const char *man_section="3";
-static const char *package_name="Kronosnet";
-static const char *header="Kronosnet Programmer's Manual";
+static const char *package_name="Package";
+static const char *header="Programmer's Manual";
+static const char *company="Red Hat";
 static const char *output_dir="./";
-static const char *xml_dir = XML_DIR;
-static const char *xml_file = XML_FILE;
+static const char *xml_dir = "./xml/";
+static const char *xml_file;
 static const char *manpage_date = NULL;
+static const char *headerfile = NULL;
+static const char *header_prefix = "";
 static long manpage_year = LONG_MIN;
+static long start_year = 2010;
 static struct qb_list_head params_list;
 static struct qb_list_head retval_list;
 static qb_map_t *function_map;
 static qb_map_t *structures_map;
 static qb_map_t *used_structures_map;
 
 struct param_info {
 	char *paramname;
 	char *paramtype;
 	char *paramdesc;
 	struct param_info *next;
 	struct qb_list_head list;
 };
 
 struct struct_info {
 	enum {STRUCTINFO_STRUCT, STRUCTINFO_ENUM} kind;
 	char *structname;
+	char *description;
+	char *brief_description;
 	struct qb_list_head params_list; /* our params */
 	struct qb_list_head list;
 };
 
-static char *get_texttree(int *type, xmlNode *cur_node, char **returntext);
+static char *get_texttree(int *type, xmlNode *cur_node, char **returntext, char **notetext);
 static void traverse_node(xmlNode *parentnode, const char *leafname, void (do_members(xmlNode*, void*)), void *arg);
 
 static void free_paraminfo(struct param_info *pi)
 {
 	free(pi->paramname);
 	free(pi->paramtype);
 	free(pi->paramdesc);
 	free(pi);
 }
 
 static char *get_attr(xmlNode *node, const char *tag)
 {
 	xmlAttr *this_attr;
 
 	for (this_attr = node->properties; this_attr; this_attr = this_attr->next) {
 		if (this_attr->type == XML_ATTRIBUTE_NODE && strcmp((char *)this_attr->name, tag) == 0) {
 			return strdup((char *)this_attr->children->content);
 		}
 	}
 	return NULL;
 }
 
 static char *get_child(xmlNode *node, const char *tag)
 {
 	xmlNode *this_node;
 	xmlNode *child;
 	char buffer[1024] = {'\0'};
 	char *refid = NULL;
 	char *declname = NULL;
 
 	for (this_node = node->children; this_node; this_node = this_node->next) {
 		if ((strcmp( (char*)this_node->name, "declname") == 0)) {
 			declname = strdup((char*)this_node->children->content);
 		}
 
 		if ((this_node->type == XML_ELEMENT_NODE && this_node->children) && ((strcmp((char *)this_node->name, tag) == 0))) {
 			refid = NULL;
 			for (child = this_node->children; child; child = child->next) {
 				if (child->content) {
 					strncat(buffer, (char *)child->content, sizeof(buffer)-1);
 				}
 
 				if ((strcmp( (char*)child->name, "ref") == 0)) {
 					if (child->children->content) {
-						strncat(buffer, (char *)child->children->content, sizeof(buffer)-1);
+						strncat(buffer,(char *)child->children->content, sizeof(buffer)-1);
 					}
 					refid = get_attr(child, "refid");
 				}
 			}
 		}
 		if (declname && refid) {
 			qb_map_put(used_structures_map, refid, declname);
 		}
 	}
 	return strdup(buffer);
 }
 
 static struct param_info *find_param_by_name(struct qb_list_head *list, const char *name)
 {
 	struct qb_list_head *iter;
 	struct param_info *pi;
 
 	qb_list_for_each(iter, list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		if (strcmp(pi->paramname, name) == 0) {
 			return pi;
 		}
 	}
 	return NULL;
 }
 
 static int not_all_whitespace(char *string)
 {
 	unsigned int i;
 
 	for (i=0; i<strlen(string); i++) {
 		if (string[i] != ' ' &&
 		    string[i] != '\n' &&
 		    string[i] != '\r' &&
 		    string[i] != '\t')
 			return 1;
 	}
 	return 0;
 }
 
 static void get_param_info(xmlNode *cur_node, struct qb_list_head *list)
 {
 	xmlNode *this_tag;
 	xmlNode *sub_tag;
 	char *paramname = NULL;
 	char *paramdesc = NULL;
 	struct param_info *pi;
 
 	/* This is not robust, and very inflexible */
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		for (sub_tag = this_tag->children; sub_tag; sub_tag = sub_tag->next) {
-			if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "parameternamelist") == 0) {
+			if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "parameternamelist") == 0 &&
+				sub_tag->children->next->children) {
 				paramname = (char*)sub_tag->children->next->children->content;
 			}
-			if (paramname && sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "parameterdescription") == 0) {
+			if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "parameterdescription") == 0 &&
+			    paramname && sub_tag->children->next->children) {
 				paramdesc = (char*)sub_tag->children->next->children->content;
 
 				/* Add text to the param_map */
 				pi = find_param_by_name(list, paramname);
 				if (pi) {
 					pi->paramdesc = paramdesc;
 				}
 				else {
 					pi = malloc(sizeof(struct param_info));
 					if (pi) {
 						pi->paramname = paramname;
 						pi->paramdesc = paramdesc;
 						pi->paramtype = NULL; /* retval */
 						qb_list_add_tail(&pi->list, list);
 					}
 				}
 			}
 		}
 	}
 }
 
-static char *get_text(xmlNode *cur_node, char **returntext)
+static char *get_text(xmlNode *cur_node, char **returntext, char **notetext)
 {
 	xmlNode *this_tag;
 	xmlNode *sub_tag;
 	char *kind;
 	char buffer[4096] = {'\0'};
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (this_tag->type == XML_TEXT_NODE && strcmp((char *)this_tag->name, "text") == 0) {
 			if (not_all_whitespace((char*)this_tag->content)) {
 				strncat(buffer, (char*)this_tag->content, sizeof(buffer)-1);
-				strncat(buffer, "\n", sizeof(buffer)-1);
 			}
 		}
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "emphasis") == 0) {
 			if (print_man) {
 				strncat(buffer, "\\fB", sizeof(buffer)-1);
 			}
 			strncat(buffer, (char*)this_tag->children->content, sizeof(buffer)-1);
 			if (print_man) {
 				strncat(buffer, "\\fR", sizeof(buffer)-1);
 			}
 		}
+
+		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "ref") == 0) {
+			if (print_man) {
+				strncat(buffer, "\\fI", sizeof(buffer)-1);
+			}
+			strncat(buffer, (char*)this_tag->children->content, sizeof(buffer)-1);
+			if (print_man) {
+				strncat(buffer, "\\fR", sizeof(buffer)-1);
+			}
+		}
+
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "itemizedlist") == 0) {
 			for (sub_tag = this_tag->children; sub_tag; sub_tag = sub_tag->next) {
 				if (sub_tag->type == XML_ELEMENT_NODE && strcmp((char *)sub_tag->name, "listitem") == 0) {
 					strncat(buffer, (char*)sub_tag->children->children->content, sizeof(buffer)-1);
 					strncat(buffer, "\n", sizeof(buffer)-1);
 				}
 			}
 		}
 
 		/* Look for subsections - return value & params */
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "simplesect") == 0) {
 			char *tmp;
 
 			kind = get_attr(this_tag, "kind");
-			tmp = get_text(this_tag->children, NULL);
+			tmp = get_text(this_tag->children, NULL, NULL);
 
 			if (returntext && strcmp(kind, "return") == 0) {
 				*returntext = tmp;
 			}
-			free(kind);
+			if (notetext && strcmp(kind, "note") == 0) {
+				*notetext = tmp;
+			}
 		}
 
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "parameterlist") == 0) {
 			kind = get_attr(this_tag, "kind");
 			if (strcmp(kind, "param") == 0) {
 				get_param_info(this_tag, &params_list);
 			}
 			if (strcmp(kind, "retval") == 0) {
 				get_param_info(this_tag, &retval_list);
 			}
-			free(kind);
 		}
 	}
 	return strdup(buffer);
 }
 
 static void read_structname(xmlNode *cur_node, void *arg)
 {
 	struct struct_info *si=arg;
 	xmlNode *this_tag;
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (strcmp((char*)this_tag->name, "compoundname") == 0) {
 			si->structname = strdup((char*)this_tag->children->content);
 		}
 	}
 }
 
+static void read_structdesc(xmlNode *cur_node, void *arg)
+{
+	struct struct_info *si=arg;
+	xmlNode *this_tag;
+
+	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
+		if (strcmp((char*)this_tag->name, "detaileddescription") == 0) {
+			char *desc = get_texttree(NULL, this_tag, NULL, NULL);
+			if (desc) {
+				si->description = strdup((char*)desc);
+			}
+		}
+		if (strcmp((char*)this_tag->name, "briefdescription") == 0) {
+			char *brief = get_texttree(NULL, this_tag, NULL, NULL);
+			if (brief) {
+				si->brief_description = brief;
+			}
+		}
+	}
+}
+
+
+static void read_headername(xmlNode *cur_node, void *arg)
+{
+	char **h_file = arg;
+	xmlNode *this_tag;
+
+	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
+		if (strcmp((char*)this_tag->name, "compoundname") == 0) {
+			*h_file = strdup((char*)this_tag->children->content);
+		}
+	}
+}
+
+
 /* Called from traverse_node() */
 static void read_struct(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 	struct struct_info *si=arg;
 	struct param_info *pi;
 	char fullname[1024];
 	char *type = NULL;
 	char *name = NULL;
 	const char *args="";
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 		if (strcmp((char*)this_tag->name, "type") == 0) {
-			type = (char*)this_tag->children->content ;
+			type = (char*)this_tag->children->content;
+			/* If type is NULL then look for a ref - it's probably an external struct or typedef */
+			if (type == NULL) {
+				type = get_child(this_tag, "ref");
+			}
 		}
 		if (strcmp((char*)this_tag->name, "name") == 0) {
-			name = (char*)this_tag->children->content ;
+			name = (char*)this_tag->children->content;
 		}
 		if (this_tag->children && strcmp((char*)this_tag->name, "argsstring") == 0) {
 			args = (char*)this_tag->children->content;
 		}
 	}
 
 	if (name) {
 		pi = malloc(sizeof(struct param_info));
 		if (pi) {
 			snprintf(fullname, sizeof(fullname), "%s%s", name, args);
 			pi->paramtype = type?strdup(type):strdup("");
 			pi->paramname = strdup(fullname);
 			pi->paramdesc = NULL;
 			qb_list_add_tail(&pi->list, &si->params_list);
 		}
 	}
 }
 
-static int read_structure_from_xml(char *refid, char *name)
+static int read_structure_from_xml(const char *refid, const char *name)
 {
 	char fname[PATH_MAX];
 	xmlNode *rootdoc;
 	xmlDocPtr doc;
 	struct struct_info *si;
+	struct stat st;
 	int ret = -1;
 
 	snprintf(fname, sizeof(fname),  "%s/%s.xml", xml_dir, refid);
 
+	/* Don't call into libxml if the file does not exist - saves unwanted error messages */
+	if (stat(fname, &st) == -1) {
+		return -1;
+	}
+
 	doc = xmlParseFile(fname);
 	if (doc == NULL) {
 		fprintf(stderr, "Error: unable to open xml file for %s\n", refid);
 		return -1;
 	}
 
 	rootdoc = xmlDocGetRootElement(doc);
 	if (!rootdoc) {
 		fprintf(stderr, "Can't find \"document root\"\n");
 		return -1;
 	}
 
 	si = malloc(sizeof(struct struct_info));
 	if (si) {
+		memset(si, 0, sizeof(*si));
 		si->kind = STRUCTINFO_STRUCT;
 		qb_list_init(&si->params_list);
 		traverse_node(rootdoc, "memberdef", read_struct, si);
+		traverse_node(rootdoc, "compounddef", read_structdesc, si);
 		traverse_node(rootdoc, "compounddef", read_structname, si);
 		ret = 0;
 		qb_map_put(structures_map, refid, si);
 	}
 	xmlFreeDoc(doc);
 
 	return ret;
 }
 
+static char *allcaps(const char *name)
+{
+	static char buffer[1024] = {'\0'};
+	int i;
+
+	for (i=0; i< strlen(name); i++) {
+		buffer[i] = toupper(name[i]);
+	}
+	buffer[strlen(name)] = '\0';
+	return buffer;
+}
 
 static void print_param(FILE *manfile, struct param_info *pi, int field_width, int bold, const char *delimiter)
 {
-	char *asterisks = "  ";
+	const char *asterisks = "  ";
 	char *type = pi->paramtype;
+	int typelength = strlen(type);
 
 	/* Reformat pointer params so they look nicer */
-	if (pi->paramtype[strlen(pi->paramtype)-1] == '*') {
+	if (typelength > 0 && pi->paramtype[typelength-1] == '*') {
 		asterisks=" *";
 		type = strdup(pi->paramtype);
-		type[strlen(type)-1] = '\0';
+		type[typelength-1] = '\0';
 
 		/* Cope with double pointers */
-		if (pi->paramtype[strlen(type)-1] == '*') {
+		if (typelength > 1 && pi->paramtype[typelength-2] == '*') {
 			asterisks="**";
-			type[strlen(type)-1] = '\0';
+			type[typelength-2] = '\0';
+		}
+
+		/* Tidy function pointers */
+		if (typelength > 1 && pi->paramtype[typelength-2] == '(') {
+			asterisks="(*";
+			type[typelength-2] = '\0';
 		}
 	}
 
 	fprintf(manfile, "    %s%-*s%s%s\\fI%s\\fP%s\n",
 		bold?"\\fB":"", field_width, type,
 		asterisks, bold?"\\fP":"", pi->paramname, delimiter);
 
 	if (type != pi->paramtype) {
 		free(type);
 	}
 }
 
-static void print_structure(FILE *manfile, char *refid, char *name)
+static void print_structure(FILE *manfile, struct struct_info *si)
 {
-	struct struct_info *si;
 	struct param_info *pi;
 	struct qb_list_head *iter;
 	unsigned int max_param_length=0;
 
-	/* If it's not been read in - go and look for it */
-	si = qb_map_get(structures_map, refid);
-	if (!si) {
-		if (!read_structure_from_xml(refid, name)) {
-			si = qb_map_get(structures_map, refid);
-		}
+	fprintf(manfile, ".nf\n");
+	fprintf(manfile, "\\fB\n");
+
+	if (si->brief_description) {
+		fprintf(manfile, "%s\n", si->brief_description);
+	}
+	if (si->description) {
+		fprintf(manfile, "%s\n", si->description);
 	}
 
-	if (si) {
-		qb_list_for_each(iter, &si->params_list) {
-			pi = qb_list_entry(iter, struct param_info, list);
-			if (strlen(pi->paramtype) > max_param_length) {
-				max_param_length = strlen(pi->paramtype);
-			}
+	qb_list_for_each(iter, &si->params_list) {
+		pi = qb_list_entry(iter, struct param_info, list);
+		if (strlen(pi->paramtype) > max_param_length) {
+			max_param_length = strlen(pi->paramtype);
 		}
+	}
 
-		if (si->kind == STRUCTINFO_STRUCT) {
-			fprintf(manfile, "struct %s {\n", si->structname);
-		} else if (si->kind == STRUCTINFO_ENUM) {
-			fprintf(manfile, "enum %s {\n", si->structname);
-		} else {
-			fprintf(manfile, "%s {\n", si->structname);
-		}
+	if (si->kind == STRUCTINFO_STRUCT) {
+		fprintf(manfile, "struct %s {\n", si->structname);
+	} else if (si->kind == STRUCTINFO_ENUM) {
+		fprintf(manfile, "enum %s {\n", si->structname);
+	} else {
+		fprintf(manfile, "%s {\n", si->structname);
+	}
 
-		qb_list_for_each(iter, &si->params_list) {
-			pi = qb_list_entry(iter, struct param_info, list);
-			print_param(manfile, pi, max_param_length, 0,";");
-		}
-		fprintf(manfile, "};\n");
+	qb_list_for_each(iter, &si->params_list) {
+		pi = qb_list_entry(iter, struct param_info, list);
+		print_param(manfile, pi, max_param_length, 0,";");
 	}
+	fprintf(manfile, "};\n");
+
+	fprintf(manfile, "\\fP\n");
+	fprintf(manfile, ".fi\n");
 }
 
-char *get_texttree(int *type, xmlNode *cur_node, char **returntext)
+char *get_texttree(int *type, xmlNode *cur_node, char **returntext, char **notetext)
 {
 	xmlNode *this_tag;
 	char *tmp = NULL;
 	char buffer[4096] = {'\0'};
 
 	for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 
 		if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "para") == 0) {
-			tmp = get_text(this_tag, returntext);
+			tmp = get_text(this_tag, returntext, notetext);
 			strncat(buffer, tmp, sizeof(buffer)-1);
 			strncat(buffer, "\n", sizeof(buffer)-1);
 			free(tmp);
 		}
 	}
 
 	if (buffer[0]) {
 		return strdup(buffer);
 	} else {
 		return NULL;
 	}
 }
 
 /* The text output is VERY basic and just a check that it's working really */
 static void print_text(char *name, char *def, char *brief, char *args, char *detailed,
-		       struct qb_list_head *param_list, char *returntext)
+		       struct qb_list_head *param_list, char *returntext, char *notetext)
 {
 	printf(" ------------------ %s --------------------\n", name);
 	printf("NAME\n");
-	printf("        %s - %s\n", name, brief);
+	if (brief) {
+		printf("        %s - %s\n", name, brief);
+	} else {
+		printf("        %s\n", name);
+	}
 
 	printf("SYNOPSIS\n");
-	printf("        %s %s\n\n", name, args);
+	printf("        #include <%s%s>\n", header_prefix, headerfile);
+	if (args) {
+		printf("        %s %s\n\n", name, args);
+	}
 
-	printf("DESCRIPTION\n");
-	printf("        %s\n", detailed);
+	if (detailed) {
+		printf("DESCRIPTION\n");
+		printf("        %s\n", detailed);
+	}
 
 	if (returntext) {
 		printf("RETURN VALUE\n");
 		printf("        %s\n", returntext);
 	}
+	if (notetext) {
+		printf("NOTE\n");
+		printf("        %s\n", notetext);
+	}
 }
 
 /* Print a long string with para marks in it. */
 static void man_print_long_string(FILE *manfile, char *text)
 {
 	char *next_nl;
 	char *current = text;
 
 	next_nl = strchr(text, '\n');
 	while (next_nl && *next_nl != '\0') {
 		*next_nl = '\0';
 		if (strlen(current)) {
 			fprintf(manfile, ".PP\n%s\n", current);
 		}
 
 		*next_nl = '\n';
 		current = next_nl+1;
 		next_nl = strchr(current, '\n');
 	}
+
+	/* The bit at the end */
+	if (strlen(current)) {
+		fprintf(manfile, ".PP\n%s\n", current);
+	}
 }
 
 static void print_manpage(char *name, char *def, char *brief, char *args, char *detailed,
-			  struct qb_list_head *param_map, char *returntext)
+			  struct qb_list_head *param_map, char *returntext, char *notetext)
 {
 	char manfilename[PATH_MAX];
 	char gendate[64];
 	const char *dateptr = gendate;
 	FILE *manfile;
 	time_t t;
 	struct tm *tm;
 	qb_map_iter_t *map_iter;
 	struct qb_list_head *iter;
 	struct qb_list_head *tmp;
 	const char *p;
 	void *data;
 	unsigned int max_param_type_len;
 	unsigned int max_param_name_len;
 	unsigned int num_param_descs;
 	int param_count = 0;
 	int param_num = 0;
 	struct param_info *pi;
 
 	t = time(NULL);
 	tm = localtime(&t);
 	if (!tm) {
 		perror("unable to get localtime");
 		exit(1);
 	}
 	strftime(gendate, sizeof(gendate), "%Y-%m-%d", tm);
 
 	if (manpage_date) {
 		dateptr = manpage_date;
 	}
 	if (manpage_year == LONG_MIN) {
 		manpage_year = tm->tm_year+1900;
 	}
 
 	snprintf(manfilename, sizeof(manfilename), "%s/%s.%s", output_dir, name, man_section);
 	manfile = fopen(manfilename, "w+");
 	if (!manfile) {
 		perror("unable to open output file");
 		printf("%s", manfilename);
 		exit(1);
 	}
 
 	/* Work out the length of the parameters, so we can line them up   */
 	max_param_type_len = 0;
 	max_param_name_len = 0;
 	num_param_descs = 0;
 
 	qb_list_for_each(iter, &params_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 
+		/* It's mainly macros that break this,
+		 * macros need more work
+		 */
+		if (!pi->paramtype) {
+			pi->paramtype = strdup("");
+		}
 		if ((strlen(pi->paramtype) < LINE_LENGTH) &&
 		    (strlen(pi->paramtype) > max_param_type_len)) {
 			max_param_type_len = strlen(pi->paramtype);
 		}
 		if (strlen(pi->paramname) > max_param_name_len) {
 			max_param_name_len = strlen(pi->paramname);
 		}
 		if (pi->paramdesc) {
 			num_param_descs++;
 		}
 		param_count++;
 	}
 
 	/* Off we go */
 
 	fprintf(manfile, ".\\\"  Automatically generated man page, do not edit\n");
-	fprintf(manfile, ".TH %s %s %s \"%s\" \"%s\"\n", name, man_section, dateptr, package_name, header);
+	fprintf(manfile, ".TH %s %s %s \"%s\" \"%s\"\n", allcaps(name), man_section, dateptr, package_name, header);
 
 	fprintf(manfile, ".SH NAME\n");
-	fprintf(manfile, "%s \\- %s\n", name, brief);
+	if (brief) {
+		fprintf(manfile, "%s \\- %s\n", name, brief);
+	} else {
+		fprintf(manfile, "%s\n", name);
+	}
 
 	fprintf(manfile, ".SH SYNOPSIS\n");
 	fprintf(manfile, ".nf\n");
-	fprintf(manfile, ".B #include <libknet.h>\n");
-	fprintf(manfile, ".sp\n");
-	fprintf(manfile, "\\fB%s\\fP(\n", def);
+	fprintf(manfile, ".B #include <%s%s>\n", header_prefix, headerfile);
+	if (def) {
+		fprintf(manfile, ".sp\n");
+		fprintf(manfile, "\\fB%s\\fP(\n", def);
 
+		qb_list_for_each(iter, &params_list) {
+			pi = qb_list_entry(iter, struct param_info, list);
 
-	qb_list_for_each(iter, &params_list) {
-		pi = qb_list_entry(iter, struct param_info, list);
+			print_param(manfile, pi, max_param_type_len, 1, ++param_num < param_count?",":"");
+		}
 
-		print_param(manfile, pi, max_param_type_len, 1, ++param_num < param_count?",":"");
+		fprintf(manfile, ");\n");
+		fprintf(manfile, ".fi\n");
 	}
 
-	fprintf(manfile, ");\n");
-	fprintf(manfile, ".fi\n");
-
 	if (print_params && num_param_descs) {
 		fprintf(manfile, ".SH PARAMS\n");
 
 		qb_list_for_each(iter, &params_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 			fprintf(manfile, "\\fB%-*s \\fP\\fI%s\\fP\n", (int)max_param_name_len, pi->paramname,
 				pi->paramdesc);
 			fprintf(manfile, ".PP\n");
 		}
 	}
 
-	fprintf(manfile, ".SH DESCRIPTION\n");
-	man_print_long_string(manfile, detailed);
+	if (detailed) {
+		fprintf(manfile, ".SH DESCRIPTION\n");
+		man_print_long_string(manfile, detailed);
+	}
 
 	if (qb_map_count_get(used_structures_map)) {
-		fprintf(manfile, ".SH STRUCTURES\n");
+		int first_struct = 1;
 
 		map_iter = qb_map_iter_create(used_structures_map);
 		for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
-			fprintf(manfile, ".nf\n");
-			fprintf(manfile, "\\fB\n");
+			struct struct_info *si;
+			const char *refid = p;
+			char *refname = data;
 
-			print_structure(manfile, (char*)p, (char *)data);
+			/* If it's not been read in - go and look for it */
+			si = qb_map_get(structures_map, refid);
+			if (!si) {
+				if (!read_structure_from_xml(refid, refname)) {
+					si = qb_map_get(structures_map, refid);
+				}
+			}
 
-			fprintf(manfile, "\\fP\n");
-			fprintf(manfile, ".fi\n");
+			/* Only print header if the struct files exist - sometimes they don't */
+			if (si && first_struct) {
+				fprintf(manfile, ".SH STRUCTURES\n");
+				first_struct = 0;
+			}
+			if (si) {
+				print_structure(manfile, si);
+				fprintf(manfile, ".PP\n");
+			}
 		}
 		qb_map_iter_free(map_iter);
 
 		fprintf(manfile, ".RE\n");
 	}
 
 	if (returntext) {
 		fprintf(manfile, ".SH RETURN VALUE\n");
 		man_print_long_string(manfile, returntext);
+		fprintf(manfile, ".PP\n");
 	}
 
 	qb_list_for_each(iter, &retval_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 
-		fprintf(manfile, "\\fB%-*s \\fP\\fI%s\\fP\n", 10, pi->paramname,
+		fprintf(manfile, "\\fB%-*s \\fP%s\n", 10, pi->paramname,
 			pi->paramdesc);
 		fprintf(manfile, ".PP\n");
 	}
 
+	if (notetext) {
+		fprintf(manfile, ".SH NOTE\n");
+		man_print_long_string(manfile, notetext);
+	}
+
 	fprintf(manfile, ".SH SEE ALSO\n");
 	fprintf(manfile, ".PP\n");
 	fprintf(manfile, ".nh\n");
 	fprintf(manfile, ".ad l\n");
 
 	param_num = 0;
 	map_iter = qb_map_iter_create(function_map);
 	for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
 
 		/* Exclude us! */
 		if (strcmp(data, name)) {
-			fprintf(manfile, "\\fI%s(%s)%s", (char *)data, man_section,
+			fprintf(manfile, "\\fI%s\\fR(%s)%s", (char *)data, man_section,
 				param_num < (num_functions - 1)?", ":"");
 		}
 		param_num++;
 	}
 	qb_map_iter_free(map_iter);
 
 	fprintf(manfile, "\n");
 	fprintf(manfile, ".ad\n");
 	fprintf(manfile, ".hy\n");
 	fprintf(manfile, ".SH \"COPYRIGHT\"\n");
 	fprintf(manfile, ".PP\n");
-	fprintf(manfile, "Copyright (C) 2010-%4ld Red Hat, Inc. All rights reserved.\n", manpage_year);
+	fprintf(manfile, "Copyright (C) %4ld-%4ld %s, Inc. All rights reserved.\n", start_year, manpage_year, company);
 	fclose(manfile);
 
 	/* Free the params & retval info */
 	qb_list_for_each_safe(iter, tmp, &params_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		qb_list_del(&pi->list);
 		free_paraminfo(pi);
 	}
 
 	qb_list_for_each_safe(iter, tmp, &retval_list) {
 		pi = qb_list_entry(iter, struct param_info, list);
 		qb_list_del(&pi->list);
 		free_paraminfo(pi);
 	}
 
 	/* Free used-structures map */
 	map_iter = qb_map_iter_create(used_structures_map);
 	for (p = qb_map_iter_next(map_iter, &data); p; p = qb_map_iter_next(map_iter, &data)) {
 		qb_map_rm(used_structures_map, p);
 		free(data);
 	}
 }
 
 /* Same as traverse_members, but to collect function names */
 static void collect_functions(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 	char *kind;
 	char *name = NULL;
 
 	if (cur_node->name && strcmp((char *)cur_node->name, "memberdef") == 0) {
 
 		kind = get_attr(cur_node, "kind");
 		if (kind && strcmp(kind, "function") == 0) {
 
 			for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 				if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0) {
 					name = strdup((char *)this_tag->children->content);
 				}
 			}
 
 			if (name) {
 				qb_map_put(function_map, name, name);
 				num_functions++;
 			}
 		}
-		free(kind);
 	}
 }
 
 /* Same as traverse_members, but to collect enums. The behave like structures for,
    but, for some reason, are in the main XML file rather than their own */
 static void collect_enums(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 	struct struct_info *si;
 	char *kind;
 	char *refid = NULL;
 	char *name = NULL;
 
 	if (cur_node->name && strcmp((char *)cur_node->name, "memberdef") == 0) {
 
 		kind = get_attr(cur_node, "kind");
 		if (kind && strcmp(kind, "enum") == 0) {
 			refid = get_attr(cur_node, "id");
 
 			for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next) {
 				if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0) {
 					name = strdup((char *)this_tag->children->content);
-					break;
 				}
 			}
 
 			if (name) {
 				si = malloc(sizeof(struct struct_info));
 				if (si) {
+					memset(si, 0, sizeof(*si));
 					si->kind = STRUCTINFO_ENUM;
 					qb_list_init(&si->params_list);
 					si->structname = strdup(name);
 					traverse_node(cur_node, "enumvalue", read_struct, si);
 					qb_map_put(structures_map, refid, si);
 				}
-				free(name);
 			}
 		}
-		free(kind);
 	}
 }
 
 static void traverse_members(xmlNode *cur_node, void *arg)
 {
 	xmlNode *this_tag;
 
-	if (cur_node->name && strcmp((char *)cur_node->name, "memberdef") == 0) {
+	/* if arg == NULL then we're generating a page for the whole header file */
+	if ((cur_node->name && (strcmp((char *)cur_node->name, "memberdef") == 0)) ||
+	    ((arg == NULL) && cur_node->name && strcmp((char *)cur_node->name, "compounddef")) == 0) {
 		char *kind = NULL;
 		char *def = NULL;
 		char *args = NULL;
 		char *name = NULL;
 		char *brief = NULL;
 		char *detailed = NULL;
 		char *returntext = NULL;
+		char *notetext = NULL;
 		int type;
 
 		kind=def=args=name=NULL;
 
 		kind = get_attr(cur_node, "kind");
 
 		for (this_tag = cur_node->children; this_tag; this_tag = this_tag->next)
 		{
 			if (!this_tag->children || !this_tag->children->content)
 				continue;
 
-			if (!def && this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "definition") == 0)
+			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "definition") == 0)
 				def = strdup((char *)this_tag->children->content);
-			if (!args && this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "argsstring") == 0)
+			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "argsstring") == 0)
 				args = strdup((char *)this_tag->children->content);
-			if (!name && this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0)
+			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "name") == 0)
 				name = strdup((char *)this_tag->children->content);
 
-			if (!brief && this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "briefdescription") == 0) {
-				brief = get_texttree(&type, this_tag, &returntext);
+			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "briefdescription") == 0) {
+				brief = get_texttree(&type, this_tag, &returntext, &notetext);
 				if (brief) {
 					/*
-					 * apparently brief text contains extra trailing space and 2 \n.
+					 * apparently brief text contains extra trailing space and a \n.
 					 * remove them.
 					 */
-					brief[strlen(brief) - 3] = '\0';
+					brief[strlen(brief) - 2] = '\0';
 				}
 			}
-			if (!detailed && this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "detaileddescription") == 0) {
-				detailed = get_texttree(&type, this_tag, &returntext);
+			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "detaileddescription") == 0) {
+				detailed = get_texttree(&type, this_tag, &returntext, &notetext);
 			}
 			/* Get all the params */
 			if (this_tag->type == XML_ELEMENT_NODE && strcmp((char *)this_tag->name, "param") == 0) {
 				char *param_type = get_child(this_tag, "type");
 				char *param_name = get_child(this_tag, "declname");
 				struct param_info *pi = malloc(sizeof(struct param_info));
 				if (pi) {
 					pi->paramname = param_name;
 					pi->paramtype = param_type;
 					pi->paramdesc = NULL;
 					qb_list_add_tail(&pi->list, &params_list);
 				}
 			}
 		}
 
+		if (arg == headerfile) {
+			/* Print header page */
+			name = (char*)headerfile;
+			if (print_man) {
+				if (!quiet) {
+					printf("Printing header manpage for %s\n", name);
+				}
+				print_manpage(name, def, brief, args, detailed, &params_list, returntext, notetext);
+			}
+			else {
+				print_text(name, def, brief, args, detailed, &params_list, returntext, notetext);
+			}
+		}
+
 		if (kind && strcmp(kind, "function") == 0) {
+
 			/* Make sure function has a doxygen description */
 			if (!detailed) {
-				fprintf(stderr, "No doxygen description for function '%s' - please fix this\n", name);
-				exit(1);
+				fprintf(stderr, "No detailed description for function '%s' - please fix this\n", name);
 			}
 
-			if (print_man) {
-				print_manpage(name, def, brief, args, detailed, &params_list, returntext);
-			}
-			else {
-				print_text(name, def, brief, args, detailed, &params_list, returntext);
+			if (!name) {
+				fprintf(stderr, "Internal error - no name found for function\n");
+			} else {
+				if (print_man) {
+					if (!quiet) {
+						printf("Printing manpage for %s\n", name);
+					}
+					print_manpage(name, def, brief, args, detailed, &params_list, returntext, notetext);
+				}
+				else {
+					print_text(name, def, brief, args, detailed, &params_list, returntext, notetext);
+				}
 			}
 
 		}
 
 		free(kind);
 		free(def);
 		free(args);
-		free(detailed);
-		free(brief);
 		free(name);
 	}
 }
 
 
 static void traverse_node(xmlNode *parentnode, const char *leafname, void (do_members(xmlNode*, void*)), void *arg)
 {
 	xmlNode *cur_node;
 
 	for (cur_node = parentnode->children; cur_node; cur_node = cur_node->next) {
-
 		if (cur_node->type == XML_ELEMENT_NODE && cur_node->name
 		    && strcmp((char*)cur_node->name, leafname)==0) {
 			do_members(cur_node, arg);
 			continue;
 		}
 		if (cur_node->type == XML_ELEMENT_NODE) {
 			traverse_node(cur_node, leafname, do_members, arg);
 		}
 	}
 }
 
 
 static void usage(char *name)
 {
 	printf("Usage:\n");
-	printf("      %s [OPTIONS] [<XML file>]\n", name);
+	printf("      %s [OPTIONS] <XML file>\n", name);
+	printf("\n");
+	printf(" This is a tool to generate API manpages from a doxygen-annotated header file.\n");
+	printf(" First run doxygen on the file and then run this program against the main XML file\n");
+	printf(" it created and the directory containing the ancilliary files. It will then\n");
+	printf(" output a lot of *.3 man page files which you can then ship with your library.\n");
 	printf("\n");
-	printf("      <XML file> defaults to %s\n", XML_FILE);
+	printf(" You will need to invoke this program once for each .h file in your library,\n");
+	printf(" using the name of the generated .xml file. This file will usually be called\n");
+	printf(" something like <include-file>_8h.xml, eg qbipcs_8h.xml\n");
+	printf("\n");
+	printf(" If you want HTML output then simpy use nroff on the generated files as you\n");
+	printf(" would do with any other man page.\n");
 	printf("\n");
 	printf("       -a            Print ASCII dump of man pages to stdout\n");
 	printf("       -m            Write man page files to <output dir>\n");
 	printf("       -P            Print PARAMS section\n");
+	printf("       -g            Print general man page for the whole header file\n");
 	printf("       -s <s>        Write man pages into section <s> <default 3)\n");
-	printf("       -p <package>  Use <package> name. default <Kronosnet>\n");
-	printf("       -H <header>   Set header (default \"Kronosnet Programmer's Manual\"\n");
+	printf("       -p <package>  Use <package> name. default <Package>\n");
+	printf("       -H <header>   Set header (default \"Programmer's Manual\"\n");
+	printf("       -I <include>  Set include filename (default taken from xml)\n");
+	printf("       -i <prefix>   Prefix for include files. eg qb/ (default \"\")\n");
+	printf("       -C <company>  Company name in copyright (defaults to Red Hat)\n");
 	printf("       -D <date>     Date to print at top of man pages (format not checked, default: today)\n");
+	printf("       -S <year>     Start year to print at end of copyright line (default: 2010)\n");
 	printf("       -Y <year>     Year to print at end of copyright line (default: today's year)\n");
 	printf("       -o <dir>      Write all man pages to <dir> (default .)\n");
-	printf("       -d <dir>      Directory for XML files (default %s)\n", XML_DIR);
+	printf("       -d <dir>      Directory for XML files (./xml/)\n");
 	printf("       -h            Print this usage text\n");
 }
 
+static long get_year(char *optionarg, char optionchar)
+{
+	long year = strtol(optionarg, NULL, 10);
+	/*
+	 * Don't make too many assumptions about the year. I was on call at the
+	 * 2000 rollover. #experience
+	 */
+	if (year == LONG_MIN || year == LONG_MAX ||
+	    year < 1900) {
+		fprintf(stderr, "Value passed to -%c is not a valid year number\n", optionchar);
+		return 0;
+	}
+	return year;
+}
+
 int main(int argc, char *argv[])
 {
 	xmlNode *rootdoc;
 	xmlDocPtr doc;
-	int quiet=0;
 	int opt;
 	char xml_filename[PATH_MAX];
 
-	while ( (opt = getopt_long(argc, argv, "H:amPD:Y:s:d:o:p:f:h?", NULL, NULL)) != EOF)
+	while ( (opt = getopt_long(argc, argv, "H:amqgPD:Y:s:S:d:o:p:f:I:i:C:h?", NULL, NULL)) != EOF)
 	{
 		switch(opt)
 		{
 			case 'a':
 				print_ascii = 1;
 				print_man = 0;
 				break;
 			case 'm':
 				print_man = 1;
 				print_ascii = 0;
 				break;
 			case 'P':
 				print_params = 1;
 				break;
+			case 'g':
+				print_general = 1;
+				break;
+			case 'q':
+				quiet = 1;
+				break;
+			case 'I':
+				headerfile = optarg;
+				break;
+			case 'i':
+				header_prefix = optarg;
+				break;
+			case 'C':
+				company = optarg;
+				break;
 			case 's':
 				man_section = optarg;
 				break;
+			case 'S':
+				start_year = get_year(optarg, 'S');
+				if (start_year == 0) {
+					return 1;
+				}
+				break;
 			case 'd':
 				xml_dir = optarg;
 				break;
 			case 'D':
 				manpage_date = optarg;
 				break;
 			case 'Y':
-				manpage_year = strtol(optarg, NULL, 10);
-				/*
-				 * Don't make too many assumptions about the year. I was on call at the
-				 * 2000 rollover. #experience
-				 */
-				if (manpage_year == LONG_MIN || manpage_year == LONG_MAX ||
-				    manpage_year < 1900) {
-					fprintf(stderr, "Value passed to -Y is not a valid year number\n");
+				manpage_year = get_year(optarg, 'Y');
+				if (manpage_year == 0) {
 					return 1;
 				}
 				break;
 			case 'p':
 				package_name = optarg;
 				break;
 			case 'H':
 				header = optarg;
 				break;
 			case 'o':
 				output_dir = optarg;
 				break;
 			case '?':
 			case 'h':
 				usage(argv[0]);
 				return 0;
 		}
 	}
 
 	if (argv[optind]) {
 		xml_file = argv[optind];
 	}
+	if (!xml_file) {
+		usage(argv[0]);
+		exit(1);
+	}
+
 	if (!quiet) {
-		fprintf(stderr, "reading xml ... ");
+		printf("reading %s ... ", xml_file);
 	}
 
 	snprintf(xml_filename, sizeof(xml_filename), "%s/%s", xml_dir, xml_file);
 	doc = xmlParseFile(xml_filename);
 	if (doc == NULL) {
 		fprintf(stderr, "Error: unable to read xml file %s\n", xml_filename);
 		exit(1);
 	}
 
 	rootdoc = xmlDocGetRootElement(doc);
 	if (!rootdoc) {
 		fprintf(stderr, "Can't find \"document root\"\n");
 		exit(1);
 	}
 	if (!quiet)
-		fprintf(stderr, "done.\n");
+		printf("done.\n");
+
+	/* Get our header file name */
+	if (!headerfile) {
+		traverse_node(rootdoc, "compounddef", read_headername, &headerfile);
+	}
+	/* Default to *something* if it all goes wrong */
+	if (!headerfile) {
+		headerfile = "unknown.h";
+	}
 
 	qb_list_init(&params_list);
 	qb_list_init(&retval_list);
 	structures_map = qb_hashtable_create(10);
 	function_map = qb_hashtable_create(10);
 	used_structures_map = qb_hashtable_create(10);
 
 	/* Collect functions */
 	traverse_node(rootdoc, "memberdef", collect_functions, NULL);
 
 	/* Collect enums */
 	traverse_node(rootdoc, "memberdef", collect_enums, NULL);
 
 	/* print pages */
 	traverse_node(rootdoc, "memberdef", traverse_members, NULL);
 
+	if (print_general) {
+		/* Generate and print a page for the headerfile itself */
+		traverse_node(rootdoc, "compounddef", traverse_members, (char *)headerfile);
+	}
 	return 0;
 }