Initial import

author: Sebastien Blot 2017-09-20 10:11:01 +0200
committer: Sebastien Blot 2017-09-20 10:11:01 +0200
commit: 868f96c759b6650d88ff9f4fbc5c048302134248 (patch)
tree: c0de0af318bf77a8959164ef11aeeeb2b7bab294
270 files changed, 8888 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..68dfa7a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,39 @@
+*.txt
+*.orig
+*.gdbhistory
+*.swp
+.deps
+.libs
+*.lo
+src/tests/*.diff
+src/tests/*.exp
+src/tests/*.log
+src/tests/*.out
+src/tests/*.sh
+src/tests/*.php
+# Files generated by phpize, configure and make
+src/autom4te.cache
+src/build
+src/modules
+src/acinclude.m4
+src/aclocal.m4
+src/config.guess
+src/config.h
+src/config.h.in
+src/config.log
+src/config.nice
+src/config.status
+src/config.sub
+src/configure
+src/configure.in
+src/install-sh
+src/*.la
+src/ltmain.sh
+src/libtool
+src/Makefile
+src/Makefile.fragments
+src/Makefile.global
+src/Makefile.objects
+src/missing
+src/mkinstalldirs
+src/run-tests.php
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..65c5ca8
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+  0. Additional Definitions.
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+  1. Exception to Section 3 of the GNU GPL.
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+  2. Conveying Modified Versions.
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+  3. Object Code Incorporating Material from Library Header Files.
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+  4. Combined Works.
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+   d) Do one of the following:
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+  5. Combined Libraries.
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+  6. Revised Versions of the GNU Lesser General Public License.
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..869f9fb
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,32 @@
+clean:
+        make -C src clean
+        cd src; phpize --clean
+debug:
+        cd src; phpize
+        export CFLAGS="-Wall -Wextra -g3 -ggdb -Wno-unused-function"; cd src; ./configure --enable-snuffleupagus --enable-debug
+        make -C src
+        TEST_PHP_ARGS='-q' REPORT_EXIT_STATUS=1 make -C src test
+coverage:
+        cd src; phpize
+        export CFLAGS="--coverage -fprofile-arcs -ftest-coverage -O0"; export LDFLAGS="--coverage"; cd src; ./configure --enable-snuffleupagus --enable-coverage
+        make -C src
+        lcov --base-directory src --directory ./src --zerocounters -q   --rc lcov_branch_coverage=1
+        rm -Rf src/COV.html
+        TEST_PHP_ARGS='-q' REPORT_EXIT_STATUS=1 make -C src test
+        lcov --base-directory ./src --directory src -c -o ./src/COV.info --rc lcov_branch_coverage=1 2>/dev/null 1>/dev/null
+        lcov --remove src/COV.info '/usr/*' --remove src/COV.info '*tweetnacl.c' -o src/COV.info --rc lcov_branch_coverage=1 2>/dev/null 1>/dev/null
+        genhtml -o src/COV.html ./src/COV.info  --branch-coverage
+tests: joomla
+joomla:
+        if [ -nd "joomla-cms" ]; then git clone --depth 1 git@github.com:joomla/joomla-cms.git; fi
+        cd joomla-cms; composer install
+        cd joomla-cms; libraries/vendor/phpunit/phpunit/phpunit -d extension=./src/modules/snuffleupagus.so
+packages: debian
+debian:
+        dpkg-buildpackage -i -us -uc -tc -I -rfakeroot
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..53b9003
--- /dev/null
+++ b/README.md
@@ -0,0 +1,15 @@
+[![build
+status](https://gitlab.nbs-system.com/secu/snuffleupagus/badges/master/build.svg)](https://gitlab.nbs-system.com/secu/snuffleupagus/commits/master)
+[![coverage
+report](https://gitlab.nbs-system.com/secu/snuffleupagus/badges/master/coverage.svg)](https://gitlab.nbs-system.com/secu/snuffleupagus/commits/master)
+[Documentation]( https://secu.gitlab-pages.nbs-system.com/snuffleupagus/ )
+# Code style
+We're using [clang-format](http://clang.llvm.org/docs/ClangFormat.html) to
+ensure a consistent code-style. Please run it with `clang-format -style=google`
+before committing, or even better, use a [pre-commit hook](https://github.com/andrewseidl/githook-clang-format)
+# Resources
+- The [writeup]( https://github.com/beberlei/whitewashing.de/blob/master/drafts/porting_extension_to_php7.rst) of [tideway profiler](https://github.com/tideways/php-profiler-extension)'s port to php7
+- [Upgrading to php-ng]( https://wiki.php.net/phpng-upgrading )
+- PHP7 [virtual machine](https://nikic.github.io/2017/04/14/PHP-7-Virtual-machine.html)
diff --git a/config/default.ini b/config/default.ini
new file mode 100644
index 0000000..0f67632
--- /dev/null
+++ b/config/default.ini
@@ -0,0 +1,54 @@
+# Harden the `chmod` function
+sp.disable_functions.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_functions.function("chmod").param("mode").value_r("o\\+w$").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_functions.function("mail").param("additional_parameters").value_r("\\-").drop();
+##Prevent various `include`-related vulnerabilities
+sp.disable_functions.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_functions.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_functions.function_r("^(?:require|include)_once$").drop();
+sp.disable_functions.function_r("^require|include$").drop();
+# Prevent `system`-related injections
+sp.disable_functions.function("system").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+# Prevent runtime modification of interesting things
+sp.disable_functions.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("open_basedir").drop();
+# Detect some backdoors via environnement recon
+sp.disable_functions.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_functions.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_functions.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+# Ghetto sqli hardening
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("--").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("#").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("sleep").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("/\\*").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("--").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("#").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r(";.*;").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("information_schema").drop();
+# Ghetto sqli detection
+sp.disable_functions.function_r("mysqli?_query").ret("FALSE").drop();
+sp.disable_functions.function_r("PDO::query").ret("FALSE").drop();
+#File upload
+sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
diff --git a/config/examples.ini b/config/examples.ini
new file mode 100644
index 0000000..d7599fb
--- /dev/null
+++ b/config/examples.ini
@@ -0,0 +1,47 @@
+# Restrict system calls to specific file
+sp.disable_functions.function("system").filename("update.php").allow();
+sp.disable_functions.function("system").drop();
+   
+# Restrict system calls to specific file with a specific hash
+sp.disable_functions.function("system").filename("update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
+sp.disable_functions.function("system").drop();
+# AbanteCart 1.2.8 - Multiple SQL Injections <https://blog.ripstech.com/2016/abantecart-multiple-sql-injections>
+sp.disable_functions.filename("static_pages/index.php").var("_SERVER[PHP_SELF").value_r("\"").drop().alias("XSS");
+sp.disable_functions.filename("core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
+sp.disable_functions.filename("admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
+# Redaxo 5.2.0: Remote Code Execution via CSRF <https://blog.ripstech.com/2016/redaxo-remote-code-execution-via-csrf>
+# See <http://code.vtiger.com/vtiger/vtigercrm/commit/9b5c5338f80237ae072a06e1ba4a5cfcbfe063b0> for details
+sp.disable_functions.filename("redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
+# Guest Post: Vtiger 6.5.0 - SQL Injection <https://blog.ripstech.com/2016/vtiger-sql-injection/>
+sp.disable_functions.filename("modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
+# The State of Wordpress Security <https://blog.ripstech.com/2016/the-state-of-wordpress-security>
+# All In One WP Security & Firewall
+sp.disable_functions.filename("admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]]").value_r("\"").drop();
+# PHPKit 1.6.6: Code Execution for Privileged Users <https://blog.ripstech.com/2016/phpkit-code-exection-for-privileged-users>
+sp.disable_functions.filename("pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
+# Coppermine 1.5.42: Second-Order Command Execution <https://blog.ripstech.com/2016/coppermine-second-order-command-execution>
+sp.disable_functions.filename("include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();
+sp.disable_functions.filename("forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
+# CVE-2014-1610 - Mediawiki RCE
+sp.disable_functions.filename("includes/media/DjVu.php")
+sp.disable_functions.filename("includes/media/ImageHandler.php").var("_GET[page]").value_r("[^0-9]").drop()
+# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
+sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
+sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
+\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..6d301b8
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+snuffleupagus (0.1) UNRELEASED; urgency=medium
+  * Initial release.
+ -- jvoisin <snuffleupagus@nbs-system.com>  Tue, 04 Jul 2017 17:51:31 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..c1cfb92
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,14 @@
+Source: snuffleupagus
+Priority: optional
+Maintainer: NBS System <snuffleupagus@nbs-system.com>
+Build-Depends: debhelper (>= 9), php7.0-dev
+Standards-Version: 3.9.2
+Homepage: https://snuffleupagus.fr
+Section: php
+Vcs-Git: https://github.com/nbs-system/snuffleupagus
+Package: snuffleupagus
+Architecture: any
+Depends: ${misc:Depends}
+Description: Hardening for your php7 stack
+        Snuffleupagus is cool
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..a792452
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Snuffleupagus
+Upstream-Contact: NBS System <snuffleupagus@nbs-system.com>
+Source: https://github.com/nbs-system/snuffleupagus
+Files: *
+Copyright: 2017 NBS System
+License: LGPL
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..b43bf86
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README.md
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..66bf44a
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+DH_VERBOSE = 1
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/default.mk
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+%:
+        dh $@ 
+override_dh_auto_clean:
+        cd ./src; phpize --clean
+override_dh_auto_configure:
+        cd ./src; phpize
+        cd ./src; ./configure --enable-snuffleupagus
+override_dh_auto_build:
+        make -C src
+override_dh_auto_install:
+        make -C src install
+override_dh_auto_test:
+        TEST_PHP_ARGS="-q" REPORT_EXIST_STATUS=1 make -C src test
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..86028c7
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+https://github.com/nbs-system/snuffleupagus/tags /nbs-system/snuffleupagus/archive/snuffleupagus-([0-9.]+)\.tar\.(gz|xz|bz2)
diff --git a/doc/Makefile b/doc/Makefile
new file mode 100644
index 0000000..7355011
--- /dev/null
+++ b/doc/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+# You can set these variables from the command line.
+SPHINXOPTS    =
+SPHINXBUILD   = sphinx-build
+SPHINXPROJ    = Snuffleupagus
+SOURCEDIR     = source
+BUILDDIR      = build
+# Put it first so that "make" without argument is like "make help".
+help:
+        @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+.PHONY: help Makefile
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+        @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+\ No newline at end of file
diff --git a/doc/source/_static/custom.css b/doc/source/_static/custom.css
new file mode 100644
index 0000000..1c47d04
--- /dev/null
+++ b/doc/source/_static/custom.css
@@ -0,0 +1,4 @@
+blockquote {
+    border-left: 2px solid #999;
+    padding-left: 20px;
+}
+\ No newline at end of file
diff --git a/doc/source/_static/sp.jpg b/doc/source/_static/sp.jpg
new file mode 100644
index 0000000..0575ca7
--- /dev/null
+++ b/doc/source/_static/sp.jpg
Binary files differ
diff --git a/doc/source/conf.py b/doc/source/conf.py
new file mode 100644
index 0000000..b2af5f2
--- /dev/null
+++ b/doc/source/conf.py
@@ -0,0 +1,178 @@
+# -*- coding: utf-8 -*-
+#
+# Snuffleupagus documentation build configuration file, created by
+# sphinx-quickstart on Tue Jun 27 14:15:46 2017.
+#
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+from datetime import datetime
+# -- General configuration ------------------------------------------------
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+#extensions = ['sphinx.ext.githubpages']
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = '.rst'
+# The master toctree document.
+master_doc = 'index'
+# General information about the project.
+project = u'Snuffleupagus'
+copyright = u'%d, NBS System' % datetime.now().year
+author = u'Sebastien Blot & Julien Voisin'
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = u'0.1'
+# The full version, including alpha/beta/rc tags.
+release = u'Public Alpha'
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This patterns also effect to html_static_path and html_extra_path
+exclude_patterns = []
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'manni'
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+# -- Options for HTML output ----------------------------------------------
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+html_theme = 'alabaster'
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+html_sidebars = {
+    '**': [
+        'about.html',
+        'navigation.html',
+        'relations.html',
+        'searchbox.html',
+        #'donate.html',
+    ]
+}
+html_theme_options = {
+        'logo': './sp.jpg',
+        #'description': '<br>Killing bug-classes in PHP 7, virtual-patching the rest.',
+        #'fixed_sidebar': True,
+        'page_width': '60%',
+        'show_powered_by': False,
+        }
+sidebar_collapse = True
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+#html_logo = './sp.png'
+html_show_sphinx = False
+# -- Options for HTMLHelp output ------------------------------------------
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'Snuffleupagusdoc'
+# -- Options for LaTeX output ---------------------------------------------
+latex_elements = {
+    # The paper size ('letterpaper' or 'a4paper').
+    #
+    # 'papersize': 'letterpaper',
+    # The font size ('10pt', '11pt' or '12pt').
+    #
+    # 'pointsize': '10pt',
+    # Additional stuff for the LaTeX preamble.
+    #
+    # 'preamble': '',
+    # Latex figure (float) alignment
+    #
+    # 'figure_align': 'htbp',
+}
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+#  author, documentclass [howto, manual, or own class]).
+latex_documents = [
+    (master_doc, 'Snuffleupagus.tex', u'Snuffleupagus Documentation',
+     u'Sebastien Blot \\& Julien Voisin', 'manual'),
+]
+# -- Options for manual page output ---------------------------------------
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    (master_doc, 'snuffleupagus', u'Snuffleupagus Documentation',
+     [author], 1)
+]
+# -- Options for Texinfo output -------------------------------------------
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+    (master_doc, 'Snuffleupagus', u'Snuffleupagus Documentation',
+     author, 'Snuffleupagus', 'One line description of project.',
+     'Miscellaneous'),
+]
diff --git a/doc/source/config.rst b/doc/source/config.rst
new file mode 100644
index 0000000..8318e7d
--- /dev/null
+++ b/doc/source/config.rst
@@ -0,0 +1,283 @@
+Configuration
+=============
+Since PHP *ini-like* configuration model isn't flexible enough,
+Snuffleupagus is using its own format.
+Options are chainable by using dots (``.``), and string parameters
+**must** be quoted, while booleans and integers aren't.
+Comments are prefixed either with ``#``, or ``;``.
+Some rules applies in a specific ``function`` (context), on a specific ``variable``
+(data), like ``disable_functions``, others can only be enabled/disabled, like
+``harden_random``.
+.. warning::
+  Careful, a wrongly configured Snuffleupagus might break your website.
+  It's up to you to understand its :doc:`features <features>`,
+  read the present documentation about how to configure them,
+  evaluate your threat model, and write your configuration file accordingly.
+The rules are evaluated in the order that they are written, and the **first** one
+to match will terminate the evaluation (except for rules in simulation mode).
+Bugclass-killer features
+------------------------
+global_strict
+^^^^^^^^^^^^^
+`default: disabled`
+``global_strict`` will enable the `strict <https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict>`_ mode globally, 
+forcing PHP to throw a `TypeError <https://secure.php.net/manual/en/class.typeerror.php>`_
+exception if an argument type being passed to a function does not match its corresponding declared parameter type.
+It can either be ``enabled`` or ``disabled``
+::
+  sp.global_strict.disable();
+  sp.global_strict.enable();
+harden_random
+^^^^^^^^^^^^^
+ * `default: enabled`
+ * `more <features.html#weak-prng-via-rand-mt-rand>`__
+ 
+``harden_random`` will silently replace the insecure `rand <https://secure.php.net/manual/en/function.rand.php>`_
+and `mt_rand <https://secure.php.net/manual/en/function.mt-rand.php>`_ functions with
+the secure PRNG `random_int <https://secure.php.net/manual/en/function.random-int.php>`_.
+It can either be ``enabled`` or ``disabled``.
+::
+  sp.harden_random.enable();
+  sp.harden_random.disable();
+.. _config_global:
+global
+^^^^^^
+This configuration variable contain parameters that are used by other ones:
+- ``secret_key``: A secret key used by various cryptographic features,
+  like `cookies protection <features.html#session-cookie-stealing-via-xss>`__ or `unserialize protection <features.html#unserialize-related-magic>`__,
+  so do make sure that it's random and long enough.
+  You can generate it with something like this: ``head -c 256 /dev/urandom | tr -dc 'a-zA-Z0-9'``.
+::
+  sp.global.secret_key("44239bd400aa82e125337c9d4eb8315767411ccd");
+unserialize_hmac
+^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ * `more <features.html#unserialize-related-magic>`__
+ 
+``unserialize_hmac`` will add integrity check to ``unserialize`` calls, preventing
+abritrary code execution in their context.
+::
+  sp.unserialize_hmac.enable();
+  sp.unserialize_hmac.disable();
+auto_cookie_secure
+^^^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ * `more <features.html#session-cookie-stealing-via-xss>`__
+ 
+``auto_cookie_secure`` will automatically mark cookies as `secure <https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie>`_
+when the web page is requested over HTTPS.
+It can either be ``enabled`` or ``disabled``.
+::
+  sp.auto_cookie_secure.enable();
+  sp.auto_cookie_secure.disable();
+cookie_encryption
+^^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ * `more <features.html#session-cookie-stealing-via-xss>`__
+   
+.. warning::
+  To use this feature, you **must** set the :ref:`global.secret_key <config_global>` variable.
+  This design decision prevents attacker from
+  `trivially bruteforcing <https://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/>`_
+  session cookies.
+``cookie_secure`` will activate transparent encryption of specific cookies.
+It can either be ``enabled`` or ``disabled``.
+::
+  sp.cookie_encryption.cookie("my_cookie_name");
+  sp.cookie_encryption.cookie("another_cookie_name");
+readonly_exec
+^^^^^^^^^^^^^
+ * `default: disabled`
+``readonly_exec`` will prevent the execution of writable PHP files.
+It can either be ``enabled`` or ``disabled``.
+::
+  sp.readonly_exec.enable();
+upload_validation
+^^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ * `more <features.html#remote-code-execution-via-file-upload>`__
+``upload_validation`` will call a given script upon a file upload, with the path 
+to the file being uploaded as argument, and various information about it in the environment:
+* ``SP_FILENAME``: the name of the uploaded file
+* ``SP_FILESIZE``: the size of the file being uploaded
+* ``SP_REMOTE_ADDR``: the ip address of the uploader
+* ``SP_CURRENT_FILE``: the current file being executed
+This feature can be used, for example, to check if an uploaded file contains php
+code, with something like `vld <https://derickrethans.nl/projects.html#vld>`_
+(``php -d vld.execute=0 -d vld.active=1 -d extension=vld.so yourfile.php``).
+The upload will be **allowed** if the script return the value ``0``. Every other
+value will prevent the file from being uploaded.
+::
+  sp.upload_validation.script("/var/www/is_valid_php.py").enable();
+disable_xxe
+^^^^^^^^^^^
+ * `default: enabled`
+ * `more <features.html#xxe>`__
+``disable_xxe`` will prevent XXE attacks by disabling the loading of external entities (``libxml_disable_entity_loader``) in the XML parser.
+::
+  sp.disable_xxe.enable();
+Virtual-patching
+----------------
+Snuffleupagus provides virtual-patching, via the ``disable_functions`` directive, allowing you to stop or control dangerous behaviours.
+Admitting you have a call to ``system()`` that lacks proper user-input validation, thus leading to an **RCE**, this might be the right tool.
+::
+   
+  # Allow `id.php` to restrict system() calls to `id`
+  sp.disable_functions.function("system").filename("id.php").param("cmd").value("id").allow();
+  sp.disable_functions.function("system").filename("id.php").drop()
+Of course, this is a trivial example, and a lot can be achieved with this feature, as you will see below.
+Filters
+^^^^^^^
+- ``alias(:str)``: human-readable description of the rule
+- ``cidr(ip/mask:str)``: match on the client's `cidr <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing>`_
+- ``filename(name:str)``: match in the file ``name``
+- ``filename_r(regexp:str)``: the file name matching the ``regexp``
+- ``function(name:str)``: match on function ``name``
+- ``function_r(regexp:str)``: the function matching the ``regexp``
+- ``hash(:str)``: match on the file's `sha256 <https://en.wikipedia.org/wiki/SHA-2>`_ sum
+- ``param(name:str)``: match on the function's parameter ``name``
+- ``param_r(regexp:str)``: match on the function's parameter ``regexp``
+- ``param_type(type:str)``: match on the function's parameter ``type``
+- ``ret(value:str)``: match on the function's return ``value``
+- ``ret_r(regexp:str)``: match with a ``regexp`` on the function's return
+- ``ret_type(type_name:str)``: match on the ``type_name`` of the function's return value
+- ``value(:str)``: match on a litteral value
+- ``value_r(:regexp)``: match on a value matching the ``regexp``
+- ``var(name:str)``: match on a **local variable** ``name``
+The ``type`` must be one of the following values:
+- ``FALSE``: for boolean false
+- ``TRUE``: for boolean true
+- ``NULL``: for the **null** value
+- ``LONG``: for a long (also know as ``integer``) value
+- ``DOUBLE``: for a **double** (also known as ``float``) value
+- ``STRING``: for a string
+- ``OBJECT``: for a object
+- ``ARRAY``: for an array
+- ``RESOURCE``: for a resource
+Actions
+^^^^^^^
+- ``allow()``: **allow** the request if the rule matches
+- ``drop()``: **drop** the request if the rule matches
+- ``dump(directory:str)``: dump the request in the ``directory`` if it matches the rule
+- ``simulation()``: enabled the simulation mode
+Details
+^^^^^^^
+The ``function`` filter is able to do various dereferencing:
+- ``function("AwesomeClass::my_method")`` will match in the method ``my_method`` in the class ``AwesomeClass``
+The ``param`` filter is also able to do some dereferencing:
+- ``param(foo[bar])`` will get match on the value corresponding to the ``bar`` key in the hashtable ``foo``.
+  Remember that in PHP, almost every data structure is a hashtable. You can of course nest this like
+  ``param(foo[bar][baz][batman])``.
+- The ``var`` filter will walk the calltrace until it finds the variable's name, or the end of it,
+  allowing to match on global variables: ``.var("_GET[param]")`` will match on the GET parameter ``param``.
+For clarity's sake, the presence of the ``allow`` or ``drop`` action is **mandatory**.
+.. warning::
+  When you're writing rules, please do keep in mind that the **order matters**.
+  For example, if you're denying a call to ``system()`` and then allowing it in a
+  more narrowed way later, the call will be denied,
+  because it'll match the deny first.
+If you're paranoid, we're providing a php script to automatically generate
+hash of files containing dangerous functions,
+and blacklisting them everywhere else.
+Examples
+^^^^^^^^
+Evaluation order of rules
+"""""""""""""""""""""""""
+The following rules will:
+1. Allow calls to ``system("id")``
+2. Issue a trace in the logs on calls to ``system`` with its parameters starting with ``ping``,
+   and pursuing evaluation of the remaining rules.
+3. Drop calls to ``system``.
+::
+  sp.disable_functions.function("system").param("cmd").value("id").allow();
+  sp.disable_functions.function("system").param("cmd").value_r("^ping").drop().simulation();
+  sp.disable_functions.function("system").param("cmd").drop();
+Miscellaneous examples
+""""""""""""""""""""""
+.. literalinclude:: ../../config/examples.ini
+   :language: python
+\ No newline at end of file
diff --git a/doc/source/download.rst b/doc/source/download.rst
new file mode 100644
index 0000000..161937f
--- /dev/null
+++ b/doc/source/download.rst
@@ -0,0 +1,16 @@
+Download
+========
+Debian
+------
+Ubuntu
+------
+Source code
+-----------
+::
+  git clone https://github.com/nbs-system.com/snuffleupagus
diff --git a/doc/source/faq.rst b/doc/source/faq.rst
new file mode 100644
index 0000000..07aba33
--- /dev/null
+++ b/doc/source/faq.rst
@@ -0,0 +1,196 @@
+FAQ
+===
+General
+-------
+What is Snuffleupagus?
+""""""""""""""""""""""
+Snuffleupagus is a `PHP7+ <http://php.net/manual/en/migration70.php>`_
+module designed to drastically raising the cost of attacks against website,
+by killing entire bug classes, and also providing a powerful virtual-patching system,
+allowing administrator to fix specific vulnerabilities without having to touch the PHP code.
+Where does the name *Snuffeupagus* comes from?
+""""""""""""""""""""""""""""""""""""""""""""""
+  Aloysius Snuffleupagus, more commonly known as Mr. Snuffleupagus, Snuffleupagus
+  or Snuffy for short, is one of the characters on Sesame Street,
+  the educational television program for young children.
+  He was created as a woolly mammoth, without tusks or (visible) ears,
+  and has a long thick pointed tail, similar in shape to that of a dinosaur
+  or other reptile. He has long thick brown hair and a trunk, or "snuffle",
+  that drags along the ground. He is Big Bird's best friend and
+  has a baby sister named Alice. He also attends "Snufflegarten".
+  --- `Wikipedia <https://en.wikipedia.org/wiki/Mr._Snuffleupagus>`_
+Why is Snuffleupagus called Snuffleupagus?
+""""""""""""""""""""""""""""""""""""""""""
+Like PHP's `ElePHPant <https://secure.php.net/elephpant.php>`_,
+we thought that using an elephant as a mascot would be a great idea.
+Why did you write Snuffleupagus?
+""""""""""""""""""""""""""""""""
+We're working for `NBS System <https://nbs-system.com/en/>`__,
+a web hosting company (meaning that we're dealing with PHP code all day long),
+with a strong focus on security. We do have hardening
+(kernel, `WAF <https://naxsi.org>`_, `IDS <https://en.wikipedia.org/wiki/Intrusion_detection_system>`_, …)
+below the web stack, but most of the time, when a website is compromised,
+it's either to send ads, spam, deface it, steal data, …
+This is why we need to harden the website itself too, but we can't touch its
+source code.
+Why not Suhosin?
+""""""""""""""""
+We're huge fans of `Suhosin <https://suhosin.org>`_, unfortunately:
+- it doesn't work very well on PHP 7
+- it has some oudated features and misses new ones
+- it doesn't cope very well with our various industrialization needs
+- it has some shortcomings by design
+We're using the `disable_function <https://secure.php.net/manual/en/ini.core.php#ini.disable-functions>`_
+directive, but unfortunately, it doesn't provide enough usable granularity (guess how many CMS are using
+``system`` to do various mandatory maintenance tasks…).
+This is why we decided to write our own hardening module, in the spirit of Suhosin,
+via virtual-patching support, and other cool new features.
+What license is Snuffleupagus under and why?
+""""""""""""""""""""""""""""""""""""""""""""
+Snuffleupagus is licensed under the `LGPL <https://www.gnu.org/copyleft/lesser.html>`_,
+and is developed by the fine people from `NBS System <https://nbs-system.com/>`__.
+We chose the LGPL because we don't care that much how you're using Snuffleupagus,
+but we'd like to force people to make their improvements/contributions
+available to everyone.
+Should I use Snuffleupagus?
+"""""""""""""""""""""""""""
+Yes.
+Even if you're not using the virtual-patching capabilities, Snuffleupagus comes
+with various passive features that won't break your website while killing numerous vulnerabilities.
+Please keep in mind that you are not only protecting yourself and your users/customers,
+but also other people on the internet that might be attacked by your server if
+it becomes compromised.
+How mature is this project?
+"""""""""""""""""""""""""""
+This project was floating around since early 2016, and we did the first commit
+the 28ᵗʰ of December of the same year. We're currently in a private alpha phase,
+finding and fixing as much bugs as possible with the help of friends.
+Are you saying that PHP isn't secure?
+"""""""""""""""""""""""""""""""""""""
+We don't like PHP's approach of security; namely (sometimes) adding warnings
+in the documentation and trusting the developer to not do any mistake,
+instead of focusing on the root cause, and killing the
+bug class one for all.
+Moreover, it seems that the current attitude toward security in the PHP world
+is to `blame the user <https://externals.io/message/100147>`_ instead of acknowledging
+issues, as stated in their `documentation <https://wiki.php.net/security#not_a_security_issue>`_.
+We do think that an security issue that "requires the use of code or settings known to be insecure"
+is still a security issue, and should be treated as such.
+Installation and configuration
+------------------------------
+Can snuffleupagus break my application?
+"""""""""""""""""""""""""""""""""""""""
+Yes.
+Some options won't break anything, like ``harden_rand``, but some like ``global_strict``
+or overly-restrictives virtual-patching rules might pretty well break your website.
+It's up to you to configure Snuffleupaggus accordingly to your needs.
+You can also enable the ``simulation`` mode on features that you're not sure about,
+to see what would snuffleupagus do to your application, before activating them for good.
+How can I find out the problem when my application breaks?
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+By checking the logs; Snuffleupagus systematically prefix them with ``[snuffleupagus]``.
+Does Snuffleupagus run on Windows?
+""""""""""""""""""""""""""""""""""
+No idea.
+Will Snuffleupagus run on my old PHP 5?
+"""""""""""""""""""""""""""""""""""""""
+No.
+Since PHP5 `will be deprecated at the end of 2018 <http://php.net/supported-versions.php>`_,
+you should think about moving to PHP7 anyway. You can (and should) use
+`Suhosin <https://suhosin.org>`_ in the meantime.
+Help and support
+----------------
+I found a security issue
+""""""""""""""""""""""""
+If you believe you have found a security issue affecting Snuffleupagus,
+then we would be more than happy to hear from you!
+We promise to treat any reported issue seriously and,
+if the investigation confirms it affects Snuffleupagus,
+to patch it within a reasonable time,
+release a public announcement that describes the issue,
+discuss potential impact of the vulnerability,
+reference applicable patches or workarounds,
+and credit the discoverer.
+Please send it us a mail to the ``snuffleupagus`` user,
+on ``nbs-system.com``.
+I found a bug. How can I report it?
+"""""""""""""""""""""""""""""""""""
+We do have an issue tracker on `Github <https://github.com/nbs-system/snuffleupagus/issues>`_.
+Please make sure to include as much information as possible when reporting your issue,
+such as your operating system, your version of PHP 7, your version of snuffleupagus,
+your logs, the problematic php code, the request, a brief description, … long story short,
+give us everything that you can.
+Where can I find even more help?
+""""""""""""""""""""""""""""""""
+The :doc:`configuration page <config>` might be what you're looking for.
+If you're adventurous, you can also check the `issue tracker <https://github.com/nbs-system/snuffleupagus/issues/?q=is%3Aissue>`_
+(make sure to check the closed issues too).
+I need professional support for my company.
+"""""""""""""""""""""""""""""""""""""""""""
+Contact `NBS System <https://nbs-system.com>`_.
+Unimplemented mitigations and abandoned ideas
+---------------------------------------------
+Contant time comparisons
+""""""""""""""""""""""""
+We didn't manage to perform time-based side-channel attacks on strings 
+against real world PHP application, and the results that we gathered on
+tailored test cases weren't concluding: for simplicity's sake, we chose
+to not implement a mitigation against this class of attacks.
+We would be happy to be proven wrong, and reconsider implementing this feature,
+if someone can manage to get better results than us.
+The possibility of having this natively in PHP has
+`been discussed <https://marc.info/?l=php-internals&m=141692988212413&w=2>`_,
+but as 2017, nothing has been merged yet.
diff --git a/doc/source/features.rst b/doc/source/features.rst
new file mode 100644
index 0000000..89cd756
--- /dev/null
+++ b/doc/source/features.rst
@@ -0,0 +1,352 @@
+Features
+========
+Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes
+killers and virtual-patching. The first category provides primitives to kill various
+bug families (like arbitrary code execution via ``unserialize`` for example) or rise the 
+cost of exploitation, the second one is a highly configurable system to patch functions in php itself.
+Bug classes killed
+------------------
+``system`` injections
+^^^^^^^^^^^^^^^^^^^^^
+The ``system`` function execute an external program and displays the output.
+It's used to interract with various external tools, like file-format converters for example.
+Unfortunately, passing user-controlled parameters to it often leads to an arbitrary command execution.
+  When allowing user-supplied data to be passed to this function,
+  use `escapeshellarg()` or `escapeshellcmd()` to ensure that users cannot trick
+  the system into executing arbitrary commands.
+  --- `The PHP documentation about system <https://secure.php.net/manual/en/function.system.php>`_
+We're kind of killing it by filtering the ``$``, ``|``, ``;``, ````` and ``&`` chars in our 
+default configuration, making it a lot harder for an attacker to inject arbitrary commands.
+This family of vulnerabilities lead to various CVE, like:
+- `CVE-2017-7981 <https://tuleap.net/plugins/tracker/?aid=10159>`_: Authenticated remote code execution on Tuleap
+- `CVE-2014-4688 <https://www.pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc>`_: Authenticated remote code execution on pfSense
+- `CVE-2014-1610 <https://www.rapid7.com/db/modules/exploit/multi/http/mediawiki_thumb>`_: Unauthenticated remote code execution on DokuWiki
+- `CVE-2013-3630 <https://www.rapid7.com/db/modules/exploit/multi/http/moodle_cmd_exec>`_: Authenticated remote code execution on Moodle
+- Every single shitty `modem/router/switch/IoT <https://twitter.com/internetofshit>`_.
+``mail``-related injections
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+This vulnerability is known `since 2011 <http://esec-pentest.sogeti.com/posts/2011/11/03/using-mail-for-remote-code-execution.html>`_,
+and was popularized by `RIPS <https://www.ripstech.com/blog/2016/roundcube-command-execution-via-email/>`_ in 2016.
+The last flag of the `mail` function can be used to pass various parameters to
+the underlying binary used to send emails: this can lead to an arbitrary file write,
+often meaning an arbitrary code execution.
+  The ``additional_parameters`` parameter can be used to pass additional flags
+  as command line options to the program configured to be used when sending mail
+  --- `The PHP documentation about mail <https://secure.php.net/manual/en/function.mail.php>`_
+We're killing it by preventing any extra options in additional_parameters.
+This family of vulnerabilities lead to various CVE, like:
+- `CVE-2017-7692 <https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html>`_: Authenticated remote code execution in SquirrelMail
+- `CVE-2016-10074 <https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>`_: remote code execution in SwiftMailer
+- `CVE-2016-10033 <https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html>`_: remote code execution in PHPMailer
+- `CVE-2016-9920 <https://www.ripstech.com/blog/2016/roundcube-command-execution-via-email/>`_: Unauthenticated remote code execution in Roundcube
+Session-cookie stealing via XSS
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+The goto payload for XSS is often to steal cookies.
+Like *Suhosin*, we are encrypting the cookies with a secret key, the IP of the user
+and its user-agent. This means that an attacker with an XSS won't be able to use
+the stolen cookie, since he (often) can't spoof the IP address of the user.
+This feature is roughly the same than the `Suhosin one <https://suhosin.org/stories/configuration.html#transparent-encryption-options>`_.
+Users behind the same IP address but with different browsers won't be able to use each other stolen cookies,
+except if they can manage to guess the user agent. This isn't especially difficult,
+but an invalid decryption will leave a trace in the logs.
+Finally, having a secret server-side key will prevent anyone (even the user himself)
+from reading the content of the cookie, reducing the impact of an application storing sensitive data client-side.
+The encryption is done via the [tweetnacl library](https://tweetnacl.cr.yp.to/),
+thus using curve25519, xsalsa20 and poly1305 for the encryption. We chose this
+library because of its portability, simplicity and reduced size (a single `.h` and
+`.c` file.).
+Remote code execution via file-upload
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Some PHP applications allows users to upload contents, like avatars for a forum.
+Unfortunately, sometimes, content validation isn't implemented properly (if at all),
+meaning arbitrary file upload, often leading, contrary to what the documentation is saying,
+to an arbitrary code execution.
+  Not validating which file you operate on may mean that users can *access sensitive information* in other directories.
+  --- `The PHP documentation about file uploads <https://secure.php.net/manual/en/features.file-upload.common-pitfalls.php>`_
+We're killing it, like Suhosin, by automatically calling a script upon file upload,
+if it returns something else than ``0``, the file will be removed (or stored in a quarantine,
+for further analysis).
+We're recommending to use the `vld <https://derickrethans.nl/projects.html#vld>`_ project
+inside the script to ensure the file doesn't contain any valid PHP code, with something like this:
+::
+  $ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file
+Unserialize-related magic
+^^^^^^^^^^^^^^^^^^^^^^^^^
+PHP is able to *serialize* arbitrary objects, to easily store them.
+Unfortunately, it's often possible to gain arbitrary code execution upon deserialization
+of user-supplied serialized objects.
+  Do not pass untrusted user input to ``unserialize()`` regardless of the options value of allowed_classes.
+  Unserialization can result in code being loaded and executed due to object instantiation and autoloading,
+  and a malicious user may be able to exploit this.
+  --- `The PHP documentation about serialize <https://secure.php.net/manual/en/function.serialize.php>`_
+We're killing it by exploiting the fact that PHP will discard any garbage found at the end of a serialized object,
+allowing us to simply append a `HMAC <https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_
+at the end of strings generated by the ``serialize``,
+hence guaranteeing that any object deserialized came from the application,
+and wasn't tampered with,
+We're not encrypting it, like we do with the cookies,
+allowing this feature to be disabled (or switch into leaning mode)
+without the need to invalidate any data.
+.. warning::
+    This feature can't be deployed on websites that already stored serialized
+    objects (ie. in database), since they are missing the HMAC, and thus will be detected as
+    an attack. If you're in this situation, you should use this feature with the
+    ``simulation`` mode, and switch it off once you don't have any messages in your
+    logs.
+A nice side-effect of this feature is that it'll defeat various memory corruption
+issues related to the complexity of ``unserialize``'s implementation,
+and the amount of control if provides to an attacker, like `CVE-2016-9137, CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_,
+`2016-7124 <https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773 <https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_, …
+This family of vulnerabilities lead to various CVE, like:
+- `CVE-2016-???? <https://www.computest.nl/advisories/CT-2016-1110_Observium.txt>`_: Unauthenticated remote code execution in Observium (leading to remote root)
+- `CVE-2016-5726 <http://seclists.org/oss-sec/2016/q2/521>`_: Unauthenticated remote code execution in Simple Machines Forums
+- `CVE-2016-4010 <http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/>`_: Unauthenticated remote code execution in Magento
+- `CVE-2017-2641 <http://netanelrub.in/2017/03/20/moodle-remote-code-execution/>`_: Unauthenticated remote code execution in Moodle
+- `CVE-2015-8562 <https://www.rapid7.com/db/modules/exploit/multi/http/joomla_http_header_rce>`_: Unauthenticated remote code execution in Joomla
+- `CVE-2015-7808 <https://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize>`_: Unauthenticated remote code execution in vBulletin
+- `CVE-2014-1691 <http://seclists.org/oss-sec/2014/q1/153>`_: Unauthenticated remote code execution in Horde
+- `CVE-2012-5692 <https://www.rapid7.com/db/modules/exploit/unix/webapp/invision_pboard_unserialize_exec>`_: Unauthenticated remote code execution in IP.Board
+Weak-PRNG via rand/mt_rand
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+The functions ``rand`` and ``mt_rand`` are often used to generate random numbers used
+in sensitive context, like password generation, token creation, …
+Unfortunately, as said in the documentation, the quality of their entropy is low,
+leading to the generation of guessable values.
+  This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.
+  --- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_
+We're addressing this issue by replacing every call to ``rand`` and ``mt_rand`` with
+a call to the ``random_int``, a `CSPRNG <https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator>`_.
+It's worth noting that the PHP documentation contains the following warning:
+  ``min`` ``max`` range must be within the range ``getrandmax()``. i.e. ``(max - min) <= getrandmax()``.
+  Otherwise, ``rand()`` may return poor-quality random numbers.
+  
+  --- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_
+This is of course addressed as well by the ``harden_rand`` feature.
+.. warning::
+  Activating this feature will raise an `Error <https://secure.php.net/manual/en/class.error.php>`_
+  exception if ``min`` is superior to ``max``, while the default dehaviour is simply to swap them.
+This family of vulnerabilities lead to various CVE, like:
+- `CVE-2015-5267 <https://moodle.org/mod/forum/discuss.php?d=320291>`_: Unauthenticated accounts takeover in in Moodle
+- `CVE-2014-9624 <https://www.mantisbt.org/bugs/view.php?id=17984>`_: Captcha bypass in MantisBT
+- `CVE-2014-6412 <https://core.trac.wordpress.org/ticket/28633>`_: Unauthenticated account takeover in Wordpress
+- `CVE-2015-???? <https://hackerone.com/reports/31171>`_: Unauthenticated accounts takeover in Concrete5
+- `CVE-2013-6386 <https://www.drupal.org/SA-CORE-2013-003>`_: Unauthenticated accounts takeover in Drupal
+- `CVE-2010-???? <http://www.sektioneins.com/advisories/advisory-022010-mybb-password-reset-weak-random-numbers-vulnerability.html>`_: Unauthenticated accounts takeover in MyBB
+- `CVE-2008-4102 <https://sektioneins.de/en/advisories/advisory-042008-joomla-weak-random-password-reset-token-vulnerability.html>`_: Unauthenticated accounts takeover in Joomla
+- `CVE-2006-0632 <https://www.cvedetails.com/cve/CVE-2006-0632/>`_: Unauthenticated account takeover in phpBB
+XXE
+^^^
+Despite the documentation saying nothing about this class of vulnerabilities,
+`XML eXternal Entitiy <https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing>`_  (XXE) are often leading to arbitrary file reading, SSRF, and sometimes even arbitrary
+code execution.
+XML documents can contain a `Document Type Definition <https://www.w3.org/TR/REC-xml/#sec-prolog-dtd>`_ (DTD),
+enabling definition of XML entities. It's possible to define an (external) entity by an
+URI, that the parser will access, and embed its content back into the document
+for further processing.
+For example, providing an url like ``file:///etc/passwd`` will read
+this file's content, and since it's not valid XML, the application
+will spit it out in an error message, thus leaking its content.
+We're killing this class of vulnerabilities by calling
+the `libxml_disable_entity_loader <https://secure.php.net/manual/en/function.libxml-disable-entity-loader.php>`_
+function with its parameter set to ``true`` at startup,
+and then *nop'ing* it, so it won't do anything if ever called again.
+This family of vulnerabilities lead to various CVE, like:
+- `CVE-2015-5161 <https://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.html>`_: Unauthenticated arbitrary file disclosure on Magento
+- `CVE-2014-8790 <https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944>`_: Unauthenticated remote code execution in GetSimple CMS
+- `CVE-2011-4107 <https://www.phpmyadmin.net/security/PMASA-2011-17/>`_: Authenticated local file disclosure in PHPMyAdmin
+Cookie stealing via HTTP MITM
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+While it's possible to set the ``secure`` flag on cookies to prevent them from being
+transmitted over HTTP, and only allow its transmission over HTTPS.
+Snuffleupagus can automatically set this flag if the client is accessing the
+website over a secure connection.
+This behaviour is suggested in the documentation:
+   On the server-side, it's on the programmer to send this kind of cookie only
+   on secure connection (e.g. with respect to ``$_SERVER["HTTPS"]``).
+   --- `The PHP documentation about setcookie <https://secure.php.net/manual/en/function.setcookie.php>`_
+Exploitation, post-exploitation and general hardening
+-----------------------------------------------------
+Virtual-patching
+^^^^^^^^^^^^^^^^
+PHP itself exposes a number of functions that might be considered **dangerous** and that have limited legitimate use cases.
+``system()``, ``exec()``, ``dlopen()`` - for example - fall into this category. By default, PHP only allows to globally disable some functions.
+However, (ie. ``system()``) they might have legitimate use cases in processes such as self upgrade etc., making it impossible to effectively
+disable them - at the risk of breaking critical features.
+SnuffleuPagus allows the user to restrict usage of specific functions per files, or per
+files with a matching (sha256) hash, thus allowing the use of such functions **only** in the intended places.
+Furthermore, running the `following script <FIXME>`_  will generate an hash and line-based whitelist
+of dangerous functions, droping them everywhere else:
+.. literalinclude:: ../../scripts/generate_rules.php
+   :language: php
+The intent is to make post-exploitation process (such as backdooring of legitimate code, or RAT usage) a lot harder for the attacker.
+Global strict mode
+^^^^^^^^^^^^^^^^^^
+By default, PHP will coerce values of the wrong type into the expected one
+if possible. For example, if a function expecting an integer is given a string,
+it will be coerced in an integer.
+PHP7 introduced a **strict mode**, in which variables won't be coerced anymore,
+and a `TypeError <https://php.net/manual/en/class.typeerror.php>`_ exception will
+be raised if the types aren't matching.
+`Scalar type declarations <https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations>`_
+are optional, but you don't have to used them in your code to benefit from them,
+since every internal function from php has them.
+This option provide a switch to globally activate this strict mode,
+helping to uncover vulnerabilities like the classical
+`strcmp bypass <https://danuxx.blogspot.fr/2013/03/unauthorized-access-bypassing-php-strcmp.html>`_,
+and various other types mismatch.
+This feature is largely inspired from the
+`autostrict <https://github.com/krakjoe/autostrict>`_ module from `krakjoe <krakjoe.ninja>`_.
+Preventing execution of writable PHP files
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+If an attacker manages to upload an arbitrary file or to modify an existing one,
+odds are that (thanks to the default `umask <https://en.wikipedia.org/wiki/Umask>`_)
+this file is writable by the PHP process.
+Snuffleupagus can prevent the execution of this kind of files. A good practise
+would be to use a different user to run PHP than for administrating the website,
+and using this feature to lock this up.
+Dumping capabilities
+^^^^^^^^^^^^^^^^^^^^
+It's possible to apply the ``dump(:str)`` filter to any virtual-patching rule,
+to dump the complete web request, along with the filename and the corresponding 
+line number. By using the *right* set of restrictive rules (or by using the
+*overly* restrictives ones in ``simulation`` mode), you might be able
+to gather interesting vulnerabilities used against your website.
+Misc low-hanging fruits in the default configuration file
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Snuffleupagus is shipping with a default configuration file, containing
+various examples and ideas of things that you might want to enable (or not).
+Available functions recon
+"""""""""""""""""""""""""
+After compromising a website, most of the time, the attacker does some recon
+within its webshell, to check which functions are available to execute arbitrary code,
+since it's not uncommon for some web-hoster to disable things like ``system`` or ``passthru``,
+or to check if mitigations are enabled, like ``open_basedir``.
+This behaviour can be detected by preventing the execution of functions like ``ini_get``
+or ``is_callable`` with *suspicious* parameters.
+``chmod`` hardening
+"""""""""""""""""""
+Some PHP applications are using broad rights when using the ``chmod`` function, 
+like the infamous ``chmod(777)`` command, effectively making the file writable by everyone.
+Snuffleupagus is preventing this kind of behaviour by restricting the parameters
+than can be passer to ``chmod``.
+Arbitrary file inclusion hardening
+""""""""""""""""""""""""""""""""""
+Arbitrary file inclusion is a common vulnerability, that might be detected
+by preventing the use of anything else than a whitelist of extensions in calls
+to ``include`` or ``require``.
+*Cheap* SQL injections detection
+""""""""""""""""""""""""""""""""
+In some SQL injections, attackers might need to use comments, a feature that is
+often not used in production system, so it might be a good idea to filter
+queries that contains some. The same filtering idea can be used against
+SQL functions that are frequently used in SQL injections, like ``sleep``, ``benchmark``
+or strings like ``version_info``.
+Still about SQL injections, if a function performing a query returns ``FALSE``
+(indicating an error), it might be useful to dump the request for further analysis.
diff --git a/doc/source/index.rst b/doc/source/index.rst
new file mode 100644
index 0000000..8a9c340
--- /dev/null
+++ b/doc/source/index.rst
@@ -0,0 +1,30 @@
+Snuffleupagus
+=============
+Snuffleupagus is a `PHP 7+ <https://secure.php.net/>`_ module designed to drastically raising the cost of
+attacks against website, by killing entire bug classes, and also providing a
+powerful virtual-patching system, allowing administrator to fix specific
+vulnerabilities and audit suspicious behaviours without having to touch the PHP code.
+Documentation
+-------------
+.. toctree::
+   :maxdepth: 2
+   features
+   installation
+   config
+   download
+   faq
+   papers
+Greetings
+---------
+We would like to thank the following people:
+- `Suhosin <http://suhosin.org>`_, for paving the way.
+- The people behind the `RIPS <https://www.ripstech.com/>`_ scanner for their ground breaking work
+- `NBS System <https://nbs-system.com>`_, for creating and open-sourcing this piece of software
+- `Websec.fr <https://websec.fr>`_, for keeping our interesting vulnerabilities alive
+- Web developers around the world, for being so imaginative
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
new file mode 100644
index 0000000..779008d
--- /dev/null
+++ b/doc/source/installation.rst
@@ -0,0 +1,33 @@
+Installation
+============
+Snuffleupagus is tested against various PHP 7+ versions: XXX
+Manual installation
+-------------------
+Depending on the system, we might already offer binary packages.
+You can check our :doc:`download`. In that case you only need to activate
+the extension inside your ``php.ini`` and to configure it.
+Quickstart
+^^^^^^^^^^
+::
+    git clone https://github.com/nbs-system/snuffleupagus
+    cd snuffleupagus
+    phpize
+    ./configure
+    make
+    make install
+This should install ``snuffleupagus.so`` file in your extension directory. The final step is adding a load directive to ``php.ini``::
+    extension=snuffleupagus.so
+Upgrading
+---------
+Upgrading the Snuffleupagus is as simple as recompiling it (or using a binary), replacing the file and restarting your webserver.
diff --git a/doc/source/papers.rst b/doc/source/papers.rst
new file mode 100644
index 0000000..d028b14
--- /dev/null
+++ b/doc/source/papers.rst
@@ -0,0 +1,16 @@
+Propaganda
+==========
+This pages lists various mentions, articles and presentations about Snuffleupagus.
+Talks
+-----
+- `BerlinSide0x08 <https://berlinsides.org/?page_id=2168>`_ - `Php7 Nightmares <slides.pdf>`_ - 2017-05-28
+- `Hack.lu <https://2017.hack.lu/talks/>`_ - soon™ - 2017-10-18
+- `BlackAlps <https://blackalps.ch/2017program.php>`_ - soon™ - 2017-11-16
+Articles
+--------
+- `Killing php bug classes at berlinsides <https://dustri.org/b/killing-php-bug-classes-at-berlinsides.html>`_ - 2017-06-05
+\ No newline at end of file
diff --git a/scripts/generate_rules.php b/scripts/generate_rules.php
new file mode 100644
index 0000000..e286ef1
--- /dev/null
+++ b/scripts/generate_rules.php
@@ -0,0 +1,43 @@
+<?php
+if ($argc != 2) {
+        echo 'Please provide a folder as argument.';
+        die();
+}
+$functions_blacklist = ['shell_exec', 'exec', 'passthru', 'php_uname', 'popen',
+        'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setsid', 'posix_setuid',
+        'posix_setgid', 'posix_uname', 'proc_close', 'proc_nice', 'proc_open',
+        'proc_terminate', 'proc_open', 'proc_get_status', 'dl', 'pnctl_exec',
+    'pnctl_fork', 'assert', 'system'];
+$extensions = ['php', 'php7', 'php5'];
+$path = realpath($argv[1]);
+$objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));
+foreach($objects as $name => $object){
+        if (FALSE === in_array (pathinfo($name, PATHINFO_EXTENSION), $extensions, true)) {
+                continue;
+        }
+        $hash = '';
+        $file_content = file_get_contents($name);
+        foreach(token_get_all($file_content) as $token) {
+                if ($token[0] != 319) {
+                        continue;
+                }
+                if (in_array($token[1], $functions_blacklist, true)) {
+                        if ('' === $hash) {
+                                $hash = hash('sha256', $file_content);
+                        }
+                        echo 'sp.disable_function.function("' . $token[1] . '").filename("' . $name . '").hash("' . $hash . '").allow();' . "\n";
+                }
+        }
+}
+foreach($functions_blacklist as $fun) {
+        echo 'sp.disable_function.function("' . $fun . '").drop();' . "\n";
+}
diff --git a/src/bench/bench.php b/src/bench/bench.php
new file mode 100644
index 0000000..5f77180
--- /dev/null
+++ b/src/bench/bench.php
@@ -0,0 +1,422 @@
+<?php
+if (function_exists("date_default_timezone_set")) {
+        date_default_timezone_set("UTC");
+}
+function simple() {
+  $a = 0;
+  for ($i = 0; $i < 1000000; $i++) 
+    $a++;
+  $thisisanotherlongname = 0;
+  for ($thisisalongname = 0; $thisisalongname < 1000000; $thisisalongname++) 
+    $thisisanotherlongname++;
+}
+/****/
+function simplecall() {
+  for ($i = 0; $i < 1000000; $i++) 
+    strlen("hallo");
+}
+/****/
+function hallo($a) {
+}
+function simpleucall() {
+  for ($i = 0; $i < 1000000; $i++) 
+    hallo("hallo");
+}
+/****/
+function simpleudcall() {
+  for ($i = 0; $i < 1000000; $i++) 
+    hallo2("hallo");
+}
+function hallo2($a) {
+}
+/****/
+function mandel() {
+  $w1=50;
+  $h1=150;
+  $recen=-.45;
+  $imcen=0.0;
+  $r=0.7;
+  $s=0;  $rec=0;  $imc=0;  $re=0;  $im=0;  $re2=0;  $im2=0;
+  $x=0;  $y=0;  $w2=0;  $h2=0;  $color=0;
+  $s=2*$r/$w1;
+  $w2=40;
+  $h2=12;
+  for ($y=0 ; $y<=$w1; $y=$y+1) {
+    $imc=$s*($y-$h2)+$imcen;
+    for ($x=0 ; $x<=$h1; $x=$x+1) {
+      $rec=$s*($x-$w2)+$recen;
+      $re=$rec;
+      $im=$imc;
+      $color=1000;
+      $re2=$re*$re;
+      $im2=$im*$im;
+      while( ((($re2+$im2)<1000000) && $color>0)) {
+        $im=$re*$im*2+$imc;
+        $re=$re2-$im2+$rec;
+        $re2=$re*$re;
+        $im2=$im*$im;
+        $color=$color-1;
+      }
+      if ( $color==0 ) {
+        print "_";
+      } else {
+        print "#";
+      }
+    }
+    print "<br>";
+    flush();
+  }
+}
+/****/
+function mandel2() {
+  $b = " .:,;!/>)|&IH%*#";
+  //float r, i, z, Z, t, c, C;
+  for ($y=30; printf("\n"), $C = $y*0.1 - 1.5, $y--;){
+    for ($x=0; $c = $x*0.04 - 2, $z=0, $Z=0, $x++ < 75;){
+      for ($r=$c, $i=$C, $k=0; $t = $z*$z - $Z*$Z + $r, $Z = 2*$z*$Z + $i, $z=$t, $k<5000; $k++)
+        if ($z*$z + $Z*$Z > 500000) break;
+      echo $b[$k%16];
+    }
+  }
+}
+/****/
+function Ack($m, $n){
+  if($m == 0) return $n+1;
+  if($n == 0) return Ack($m-1, 1);
+  return Ack($m - 1, Ack($m, ($n - 1)));
+}
+function ackermann($n) {
+  $r = Ack(3,$n);
+  print "Ack(3,$n): $r\n";
+}
+/****/
+function ary($n) {
+  for ($i=0; $i<$n; $i++) {
+    $X[$i] = $i;
+  }
+  for ($i=$n-1; $i>=0; $i--) {
+    $Y[$i] = $X[$i];
+  }
+  $last = $n-1;
+  print "$Y[$last]\n";
+}
+/****/
+function ary2($n) {
+  for ($i=0; $i<$n;) {
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+    $X[$i] = $i; ++$i;
+  }
+  for ($i=$n-1; $i>=0;) {
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+    $Y[$i] = $X[$i]; --$i;
+  }
+  $last = $n-1;
+  print "$Y[$last]\n";
+}
+/****/
+function ary3($n) {
+  for ($i=0; $i<$n; $i++) {
+    $X[$i] = $i + 1;
+    $Y[$i] = 0;
+  }
+  for ($k=0; $k<1000; $k++) {
+    for ($i=$n-1; $i>=0; $i--) {
+      $Y[$i] += $X[$i];
+    }
+  }
+  $last = $n-1;
+  print "$Y[0] $Y[$last]\n";
+}
+/****/
+function fibo_r($n){
+    return(($n < 2) ? 1 : fibo_r($n - 2) + fibo_r($n - 1));
+}
+function fibo($n) {
+  $r = fibo_r($n);
+  print "$r\n";
+}
+/****/
+function hash1($n) {
+  for ($i = 1; $i <= $n; $i++) {
+    $X[dechex($i)] = $i;
+  }
+  $c = 0;
+  for ($i = $n; $i > 0; $i--) {
+    if ($X[dechex($i)]) { $c++; }
+  }
+  print "$c\n";
+}
+/****/
+function hash2($n) {
+  for ($i = 0; $i < $n; $i++) {
+    $hash1["foo_$i"] = $i;
+    $hash2["foo_$i"] = 0;
+  }
+  for ($i = $n; $i > 0; $i--) {
+    foreach($hash1 as $key => $value) $hash2[$key] += $value;
+  }
+  $first = "foo_0";
+  $last  = "foo_".($n-1);
+  print "$hash1[$first] $hash1[$last] $hash2[$first] $hash2[$last]\n";
+}
+/****/
+function gen_random ($n) {
+    global $LAST;
+    return( ($n * ($LAST = ($LAST * IA + IC) % IM)) / IM );
+}
+function heapsort_r($n, &$ra) {
+    $l = ($n >> 1) + 1;
+    $ir = $n;
+    while (1) {
+        if ($l > 1) {
+            $rra = $ra[--$l];
+        } else {
+            $rra = $ra[$ir];
+            $ra[$ir] = $ra[1];
+            if (--$ir == 1) {
+                $ra[1] = $rra;
+                return;
+            }
+        }
+        $i = $l;
+        $j = $l << 1;
+        while ($j <= $ir) {
+            if (($j < $ir) && ($ra[$j] < $ra[$j+1])) {
+                $j++;
+            }
+            if ($rra < $ra[$j]) {
+                $ra[$i] = $ra[$j];
+                $j += ($i = $j);
+            } else {
+                $j = $ir + 1;
+            }
+        }
+        $ra[$i] = $rra;
+    }
+}
+function heapsort($N) {
+  global $LAST;
+  define("IM", 139968);
+  define("IA", 3877);
+  define("IC", 29573);
+  $LAST = 42;
+  for ($i=1; $i<=$N; $i++) {
+    $ary[$i] = gen_random(1);
+  }
+  heapsort_r($N, $ary);
+  printf("%.10f\n", $ary[$N]);
+}
+/****/
+function mkmatrix ($rows, $cols) {
+    $count = 1;
+    $mx = array();
+    for ($i=0; $i<$rows; $i++) {
+        for ($j=0; $j<$cols; $j++) {
+            $mx[$i][$j] = $count++;
+        }
+    }
+    return($mx);
+}
+function mmult ($rows, $cols, $m1, $m2) {
+    $m3 = array();
+    for ($i=0; $i<$rows; $i++) {
+        for ($j=0; $j<$cols; $j++) {
+            $x = 0;
+            for ($k=0; $k<$cols; $k++) {
+                $x += $m1[$i][$k] * $m2[$k][$j];
+            }
+            $m3[$i][$j] = $x;
+        }
+    }
+    return($m3);
+}
+function matrix($n) {
+  $SIZE = 30;
+  $m1 = mkmatrix($SIZE, $SIZE);
+  $m2 = mkmatrix($SIZE, $SIZE);
+  while ($n--) {
+    $mm = mmult($SIZE, $SIZE, $m1, $m2);
+  }
+  print "{$mm[0][0]} {$mm[2][3]} {$mm[3][2]} {$mm[4][4]}\n";
+}
+/****/
+function nestedloop($n) {
+  $x = 0;
+  for ($a=0; $a<$n; $a++)
+    for ($b=0; $b<$n; $b++)
+      for ($c=0; $c<$n; $c++)
+        for ($d=0; $d<$n; $d++)
+          for ($e=0; $e<$n; $e++)
+            for ($f=0; $f<$n; $f++)
+             $x++;
+  print "$x\n";
+}
+/****/
+function sieve($n) {
+  $count = 0;
+  while ($n-- > 0) {
+    $count = 0;
+    $flags = range (0,8192);
+    for ($i=2; $i<8193; $i++) {
+      if ($flags[$i] > 0) {
+        for ($k=$i+$i; $k <= 8192; $k+=$i) {
+          $flags[$k] = 0;
+        }
+        $count++;
+      }
+    }
+  }
+  print "Count: $count\n";
+}
+/****/
+function strcat($n) {
+  $str = "";
+  while ($n-- > 0) {
+    $str .= "hello\n";
+  }
+  $len = strlen($str);
+  print "$len\n";
+}
+/*****/
+function getmicrotime()
+{
+  $t = gettimeofday();
+  return ($t['sec'] + $t['usec'] / 1000000);
+}
+function start_test()
+{
+        ob_start();
+  return getmicrotime();
+}
+function end_test($start, $name)
+{
+  global $total;
+  $end = getmicrotime();
+  ob_end_clean();
+  $total += $end-$start;
+  $num = number_format($end-$start,3);
+  $pad = str_repeat(" ", 24-strlen($name)-strlen($num));
+  echo $name.$pad.$num."\n";
+        ob_start();
+  return getmicrotime();
+}
+function total()
+{
+  global $total;
+  $pad = str_repeat("-", 24);
+  echo $pad."\n";
+  $num = number_format($total,3);
+  $pad = str_repeat(" ", 24-strlen("Total")-strlen($num));
+  echo "Total".$pad.$num."\n";
+}
+$t0 = $t = start_test();
+simple();
+$t = end_test($t, "simple");
+simplecall();
+$t = end_test($t, "simplecall");
+simpleucall();
+$t = end_test($t, "simpleucall");
+simpleudcall();
+$t = end_test($t, "simpleudcall");
+mandel();
+$t = end_test($t, "mandel");
+mandel2();
+$t = end_test($t, "mandel2");
+ackermann(7);
+$t = end_test($t, "ackermann(7)");
+ary(50000);
+$t = end_test($t, "ary(50000)");
+ary2(50000);
+$t = end_test($t, "ary2(50000)");
+ary3(2000);
+$t = end_test($t, "ary3(2000)");
+fibo(30);
+$t = end_test($t, "fibo(30)");
+hash1(50000);
+$t = end_test($t, "hash1(50000)");
+hash2(500);
+$t = end_test($t, "hash2(500)");
+heapsort(20000);
+$t = end_test($t, "heapsort(20000)");
+matrix(20);
+$t = end_test($t, "matrix(20)");
+nestedloop(12);
+$t = end_test($t, "nestedloop(12)");
+sieve(30);
+$t = end_test($t, "sieve(30)");
+strcat(200000);
+$t = end_test($t, "strcat(200000)");
+total($t0, "Total");
+?>
diff --git a/src/bench/micro_bench.php b/src/bench/micro_bench.php
new file mode 100644
index 0000000..7052588
--- /dev/null
+++ b/src/bench/micro_bench.php
@@ -0,0 +1,358 @@
+<?php
+function hallo() {
+}
+function simpleucall($n) {
+  for ($i = 0; $i < $n; $i++) 
+    hallo();
+}
+function simpleudcall($n) {
+  for ($i = 0; $i < $n; $i++) 
+    hallo2();
+}
+function hallo2() {
+}
+function simpleicall($n) {
+  for ($i = 0; $i < $n; $i++) 
+    func_num_args();
+}
+class Foo {
+        static $a = 0;
+        public $b = 0;
+        const TEST = 0;
+        static function read_static($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = self::$a;
+                }
+        }
+        static function write_static($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        self::$a = 0;
+                }
+        }
+        static function isset_static($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = isset(self::$a);
+                }
+        }
+        static function empty_static($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = empty(self::$a);
+                }
+        }
+        static function f() {
+        }
+        static function call_static($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        self::f();
+                }
+        }
+        function read_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = $this->b;
+                }
+        }
+        function write_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $this->b = 0;
+                }
+        }
+        function assign_add_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $this->b += 2;
+                }
+        }
+        function pre_inc_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        ++$this->b;
+                }
+        }
+        function pre_dec_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        --$this->b;
+                }
+        }
+        function post_inc_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $this->b++;
+                }
+        }
+        function post_dec_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $this->b--;
+                }
+        }
+        function isset_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = isset($this->b);
+                }
+        }
+        function empty_prop($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = empty($this->b);
+                }
+        }
+        function g() {
+        }
+        function call($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $this->g();
+                }
+        }
+        function read_const($n) {
+                for ($i = 0; $i < $n; ++$i) {
+                        $x = $this::TEST;
+                }
+        }
+}
+function read_static($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = Foo::$a;
+        }
+}
+function write_static($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                Foo::$a = 0;
+        }
+}
+function isset_static($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = isset(Foo::$a);
+        }
+}
+function empty_static($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = empty(Foo::$a);
+        }
+}
+function call_static($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                Foo::f();
+        }
+}
+function create_object($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = new Foo();
+        }
+}
+define('TEST', null);
+function read_const($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = TEST;
+        }
+}
+function read_auto_global($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $_GET;
+        }
+}
+$g_var = 0;
+function read_global_var($n) {
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $GLOBALS['g_var'];
+        }
+}
+function read_hash($n) {
+        $hash = array('test' => 0);
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $hash['test'];
+        }
+}
+function read_str_offset($n) {
+        $str = "test";
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $str[1];
+        }
+}
+function issetor($n) {
+        $val = array(0,1,2,3,4,5,6,7,8,9);
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $val ?: null;
+        }
+}
+function issetor2($n) {
+        $f = false; $j = 0;
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $f ?: $j + 1;
+        }
+}
+function ternary($n) {
+        $val = array(0,1,2,3,4,5,6,7,8,9);
+        $f = false;
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $f ? null : $val;
+        }
+}
+function ternary2($n) {
+        $f = false; $j = 0;
+        for ($i = 0; $i < $n; ++$i) {
+                $x = $f ? $f : $j + 1;
+        }
+}
+/*****/
+function empty_loop($n) {
+        for ($i = 0; $i < $n; ++$i) {
+        }
+}
+function getmicrotime()
+{
+  $t = gettimeofday();
+  return ($t['sec'] + $t['usec'] / 1000000);
+}
+function start_test()
+{
+  ob_start();
+  return getmicrotime();
+}
+function end_test($start, $name, $overhead = null)
+{
+  global $total;
+  global $last_time;
+  $end = getmicrotime();
+  ob_end_clean();
+  $last_time = $end-$start;
+  $total += $last_time;
+  $num = number_format($last_time,3);
+  $pad = str_repeat(" ", 24-strlen($name)-strlen($num));
+  if (is_null($overhead)) {
+    echo $name.$pad.$num."\n";
+  } else {
+    $num2 = number_format($last_time - $overhead,3);
+    echo $name.$pad.$num."    ".$num2."\n";
+  }
+  ob_start();
+  return getmicrotime();
+}
+function total()
+{
+  global $total;
+  $pad = str_repeat("-", 24);
+  echo $pad."\n";
+  $num = number_format($total,3);
+  $pad = str_repeat(" ", 24-strlen("Total")-strlen($num));
+  echo "Total".$pad.$num."\n";
+}
+const N = 5000000;
+$t0 = $t = start_test();
+empty_loop(N);
+$t = end_test($t, 'empty_loop');
+$overhead = $last_time;
+simpleucall(N);
+$t = end_test($t, 'func()', $overhead);
+simpleudcall(N);
+$t = end_test($t, 'undef_func()', $overhead);
+simpleicall(N);
+$t = end_test($t, 'int_func()', $overhead);
+Foo::read_static(N);
+$t = end_test($t, '$x = self::$x', $overhead);
+Foo::write_static(N);
+$t = end_test($t, 'self::$x = 0', $overhead);
+Foo::isset_static(N);
+$t = end_test($t, 'isset(self::$x)', $overhead);
+Foo::empty_static(N);
+$t = end_test($t, 'empty(self::$x)', $overhead);
+read_static(N);
+$t = end_test($t, '$x = Foo::$x', $overhead);
+write_static(N);
+$t = end_test($t, 'Foo::$x = 0', $overhead);
+isset_static(N);
+$t = end_test($t, 'isset(Foo::$x)', $overhead);
+empty_static(N);
+$t = end_test($t, 'empty(Foo::$x)', $overhead);
+Foo::call_static(N);
+$t = end_test($t, 'self::f()', $overhead);
+call_static(N);
+$t = end_test($t, 'Foo::f()', $overhead);
+$x = new Foo();
+$x->read_prop(N);
+$t = end_test($t, '$x = $this->x', $overhead);
+$x->write_prop(N);
+$t = end_test($t, '$this->x = 0', $overhead);
+$x->assign_add_prop(N);
+$t = end_test($t, '$this->x += 2', $overhead);
+$x->pre_inc_prop(N);
+$t = end_test($t, '++$this->x', $overhead);
+$x->pre_dec_prop(N);
+$t = end_test($t, '--$this->x', $overhead);
+$x->post_inc_prop(N);
+$t = end_test($t, '$this->x++', $overhead);
+$x->post_dec_prop(N);
+$t = end_test($t, '$this->x--', $overhead);
+$x->isset_prop(N);
+$t = end_test($t, 'isset($this->x)', $overhead);
+$x->empty_prop(N);
+$t = end_test($t, 'empty($this->x)', $overhead);
+$x->call(N);
+$t = end_test($t, '$this->f()', $overhead);
+$x->read_const(N);
+$t = end_test($t, '$x = Foo::TEST', $overhead);
+create_object(N);
+$t = end_test($t, 'new Foo()', $overhead);
+read_const(N);
+$t = end_test($t, '$x = TEST', $overhead);
+read_auto_global(N);
+$t = end_test($t, '$x = $_GET', $overhead);
+read_global_var(N);
+$t = end_test($t, '$x = $GLOBALS[\'v\']', $overhead);
+read_hash(N);
+$t = end_test($t, '$x = $hash[\'v\']', $overhead);
+read_str_offset(N);
+$t = end_test($t, '$x = $str[0]', $overhead);
+issetor(N);
+$t = end_test($t, '$x = $a ?: null', $overhead);
+issetor2(N);
+$t = end_test($t, '$x = $f ?: tmp', $overhead);
+ternary(N);
+$t = end_test($t, '$x = $f ? $f : $a', $overhead);
+ternary2(N);
+$t = end_test($t, '$x = $f ? $f : tmp', $overhead);
+total($t0, "Total");
diff --git a/src/config.m4 b/src/config.m4
new file mode 100644
index 0000000..aba355c
--- /dev/null
+++ b/src/config.m4
@@ -0,0 +1,35 @@
+dnl $Id$
+dnl config.m4 for extension snuffleupagus
+sources="snuffleupagus.c sp_config.c sp_config_utils.c sp_harden_rand.c"
+sources="$sources sp_unserialize.c sp_utils.c sp_disable_xxe.c sp_list.c"
+sources="$sources sp_disabled_functions.c sp_execute.c sp_upload_validation.c"
+sources="$sources sp_cookie_encryption.c sp_network_utils.c tweetnacl.c"
+sources="$sources sp_config_keywords.c sp_compile.c"
+PHP_ARG_ENABLE(snuffleupagus, whether to enable snuffleupagus support,
+[  --enable-snuffleupagus           Enable snuffleupagus support])
+PHP_ARG_ENABLE(coverage, whether to enable coverage support,
+[  --enable-coverage           Enable coverage support])
+PHP_ARG_ENABLE(debug, whether to enable debug messages,
+[  --enable-debug           Enable debug messages])
+CFLAGS="$CFLAGS -lpcre"
+CFLAGS="$CFLAGS -D_DEFAULT_SOURCE=1 -std=c99"
+CFLAGS="$CFLAGS -Wall -Wextra -Wno-unused-parameter"
+if test "$PHP_DEBUG" = "yes"; then
+        AC_DEFINE(SP_DEBUG, 1, [Wether you want to enable debug messages])
+fi
+if test "$PHP_SNUFFLEUPAGUS" != "no"; then
+   if test "$PHP_COVERAGE" != "no"; then
+      CFLAGS="$CFLAGS --coverage -fprofile-arcs -ftest-coverage"
+      LDFLAGS="$LDFLAGS --coverage"
+      PHP_NEW_EXTENSION(snuffleupagus, $sources, $ext_shared,-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -g -fprofile-arcs -ftest-coverage -lgcov)
+   else
+      PHP_NEW_EXTENSION(snuffleupagus, $sources, $ext_shared,-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1)
+   fi
+fi
diff --git a/src/config.w32 b/src/config.w32
new file mode 100644
index 0000000..a0197c1
--- /dev/null
+++ b/src/config.w32
@@ -0,0 +1,13 @@
+// $Id$
+// vim:ft=javascript
+// If your extension references something external, use ARG_WITH
+// ARG_WITH("snuffleupagus", "for snuffleupagus support", "no");
+// Otherwise, use ARG_ENABLE
+// ARG_ENABLE("snuffleupagus", "enable snuffleupagus support", "no");
+if (PHP_SNUFFLEUPAGUS != "no") {
+        EXTENSION("snuffleupagus", "snuffleupagus.c", PHP_EXTNAME_SHARED, "/DZEND_ENABLE_STATIC_TSRMLS_CACHE=1");
+}
diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h
new file mode 100644
index 0000000..e7a3d59
--- /dev/null
+++ b/src/php_snuffleupagus.h
@@ -0,0 +1,71 @@
+#ifndef PHP_SNUFFLEUPAGUS_H
+#define PHP_SNUFFLEUPAGUS_H
+#define PHP_SNUFFLEUPAGUS_VERSION "0.1"
+#define PHP_SNUFFLEUPAGUS_EXTNAME "snuffleupagus"
+#define PHP_SNUFFLEUPAGUS_AUTHOR "NBS System"
+#define PHP_SNUFFLEUPAGUS_URL "https://github.com/nbs-system/snuffleupagus"
+#define PHP_SNUFFLEUPAGUS_COPYRIGHT "LGPLv2"
+#include <stdbool.h>
+#include <stdio.h>
+#include <pcre.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "SAPI.h"
+#include "ext/standard/info.h"
+#include "php.h"
+#include "php_ini.h"
+#include "zend_hash.h"
+#include "zend_string.h"
+#include "zend_extensions.h"
+#include "sp_list.h"
+#include "sp_compile.h"
+#include "sp_config.h"
+#include "sp_config_utils.h"
+#include "sp_config_keywords.h"
+#include "sp_cookie_encryption.h"
+#include "sp_disable_xxe.h"
+#include "sp_disabled_functions.h"
+#include "sp_execute.h"
+#include "sp_harden_rand.h"
+#include "sp_network_utils.h"
+#include "sp_unserialize.h"
+#include "sp_upload_validation.h"
+#include "sp_utils.h"
+extern zend_module_entry snuffleupagus_module_entry;
+#define phpext_snuffleupagus_ptr &snuffleupagus_module_entry
+#ifdef PHP_WIN32
+#define PHP_SNUFFLEUPAGUS_API __declspec(dllexport)
+#elif defined(__GNUC__) && __GNUC__ >= 4
+#define PHP_SNUFFLEUPAGUS_API __attribute__((visibility("default")))
+#else
+#define PHP_SNUFFLEUPAGUS_API
+#endif
+#ifdef ZTS
+#include "TSRM.h"
+#endif
+ZEND_BEGIN_MODULE_GLOBALS(snuffleupagus)
+sp_config config;
+HashTable *disabled_functions_hook;
+HashTable *sp_internal_functions_hook;
+ZEND_END_MODULE_GLOBALS(snuffleupagus)
+#define SNUFFLEUPAGUS_G(v) ZEND_MODULE_GLOBALS_ACCESSOR(snuffleupagus, v)
+#if defined(ZTS) && defined(COMPILE_DL_SNUFFLEUPAGUS)
+ZEND_TSRMLS_CACHE_EXTERN()
+#endif
+PHP_FUNCTION(check_disabled_function);
+static inline void sp_terminate() { zend_bailout(); }
+#endif /* PHP_SNUFFLEUPAGUS_H */
diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c
new file mode 100644
index 0000000..52b975e
--- /dev/null
+++ b/src/snuffleupagus.c
@@ -0,0 +1,222 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "php_snuffleupagus.h"
+#ifndef ZEND_EXT_API
+#define ZEND_EXT_API ZEND_DLEXPORT
+#endif
+static PHP_INI_MH(OnUpdateConfiguration);
+static inline int zend_auto_start(zend_extension *extension);
+static inline void sp_op_array_handler(zend_op_array *op);
+ZEND_EXTENSION();
+ZEND_DLEXPORT int sp_zend_startup(zend_extension *extension) {
+  return zend_startup_module(&snuffleupagus_module_entry);
+}
+static inline void sp_op_array_handler(zend_op_array *op) {
+  if (NULL == op->filename) {
+    return;
+  } else {
+    op->fn_flags |= ZEND_ACC_STRICT_TYPES;
+  }
+}
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+PHP_INI_BEGIN()
+PHP_INI_ENTRY("sp.configuration_file", "", PHP_INI_SYSTEM,
+  OnUpdateConfiguration)
+PHP_INI_END()
+ZEND_DLEXPORT zend_extension zend_extension_entry = {
+    PHP_SNUFFLEUPAGUS_EXTNAME,
+    PHP_SNUFFLEUPAGUS_VERSION,
+    PHP_SNUFFLEUPAGUS_AUTHOR,
+    PHP_SNUFFLEUPAGUS_URL,
+    PHP_SNUFFLEUPAGUS_COPYRIGHT,
+    sp_zend_startup,
+    NULL,
+    NULL,               /* activate_func_t */
+    NULL,               /* deactivate_func_t */
+    NULL,               /* message_handler_func_t */
+    sp_op_array_handler,//zend_global_strict, /* op_array_handler_func_t */
+    NULL,               /* statement_handler_func_t */
+    NULL,               /* fcall_begin_handler_func_t */
+    NULL,               /* fcall_end_handler_func_t */
+    NULL,               /* op_array_ctor_func_t */
+    NULL,               /* op_array_dtor_func_t */
+    STANDARD_ZEND_EXTENSION_PROPERTIES};
+/* Uncomment this function if you have INI entries
+static void php_snuffleupagus_init_globals(zend_snuffleupagus_globals
+*snuffleupagus_globals)
+{
+        snuffleupagus_globals->global_value = 0;
+        snuffleupagus_globals->global_string = NULL;
+}
+*/
+PHP_GINIT_FUNCTION(snuffleupagus) {
+#define SP_INIT(F) F = pecalloc(sizeof(*F), 1, 1);
+#define SP_INIT_HT(F) \
+        F = pemalloc(sizeof(*F), 1); \
+        zend_hash_init(F, 10, NULL, NULL, 1);
+  SP_INIT_HT(snuffleupagus_globals->disabled_functions_hook);
+  SP_INIT_HT(snuffleupagus_globals->sp_internal_functions_hook);
+  SP_INIT(snuffleupagus_globals->config.config_unserialize);
+  SP_INIT(snuffleupagus_globals->config.config_random);
+  SP_INIT(snuffleupagus_globals->config.config_readonly_exec);
+  SP_INIT(snuffleupagus_globals->config.config_global_strict);
+  SP_INIT(snuffleupagus_globals->config.config_auto_cookie_secure);
+  SP_INIT(snuffleupagus_globals->config.config_snuffleupagus);
+  SP_INIT(snuffleupagus_globals->config.config_disable_xxe);
+  SP_INIT(snuffleupagus_globals->config.config_upload_validation);
+  SP_INIT(snuffleupagus_globals->config.config_disabled_functions);
+  SP_INIT(snuffleupagus_globals->config.config_disabled_functions_ret);
+  SP_INIT(snuffleupagus_globals->config.config_cookie_encryption);
+  SP_INIT(snuffleupagus_globals->config.config_regexp_inclusion);
+  snuffleupagus_globals->config.config_regexp_inclusion->regexp_inclusion = sp_new_list();
+  snuffleupagus_globals->config.config_disabled_functions->disabled_functions = sp_new_list();
+  snuffleupagus_globals->config.config_disabled_functions_ret->disabled_functions = sp_new_list();
+  SP_INIT_HT(snuffleupagus_globals->config.config_cookie_encryption->names);
+#undef SP_INIT
+#undef SP_INIT_HT
+}
+PHP_MINIT_FUNCTION(snuffleupagus) {
+  REGISTER_INI_ENTRIES();
+  return SUCCESS;
+}
+PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
+#define FREE_HT(F) \
+  zend_hash_destroy(SNUFFLEUPAGUS_G(F)); \
+  pefree(SNUFFLEUPAGUS_G(F), 1);
+  FREE_HT(disabled_functions_hook);
+  FREE_HT(config.config_cookie_encryption->names);
+#undef FREE_HT
+  pefree(SNUFFLEUPAGUS_G(config.config_unserialize), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_random), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_readonly_exec), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_global_strict), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_auto_cookie_secure), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_upload_validation), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_cookie_encryption), 1);
+  sp_list_free(SNUFFLEUPAGUS_G(config.config_disabled_functions->disabled_functions));
+  pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions), 1);
+  sp_list_free(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret->disabled_functions));
+  pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret), 1);
+  UNREGISTER_INI_ENTRIES();
+  return SUCCESS;
+}
+PHP_RINIT_FUNCTION(snuffleupagus) {
+#if defined(COMPILE_DL_SNUFFLEUPAGUS) && defined(ZTS)
+  ZEND_TSRMLS_CACHE_UPDATE();
+#endif
+  if (NULL != SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key) {
+    if (NULL != SNUFFLEUPAGUS_G(config).config_cookie_encryption->names) {
+      zend_hash_apply_with_arguments(
+          Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0);
+    }
+  }
+  return SUCCESS;
+}
+PHP_RSHUTDOWN_FUNCTION(snuffleupagus) { return SUCCESS; }
+PHP_MINFO_FUNCTION(snuffleupagus) {
+  php_info_print_table_start();
+  php_info_print_table_header(2, "snuffleupagus support", "enabled");
+  php_info_print_table_end();
+  /* Remove comments if you have entries in php.ini
+  DISPLAY_INI_ENTRIES();
+  */
+}
+static PHP_INI_MH(OnUpdateConfiguration) {
+  TSRMLS_FETCH();
+  if (!new_value || !new_value->len) {
+    return FAILURE;
+  }
+  if (sp_parse_config(new_value->val) != SUCCESS) {
+    return FAILURE;
+  }
+  if (SNUFFLEUPAGUS_G(config).config_random->enable) {
+    hook_rand();
+  }
+  if (SNUFFLEUPAGUS_G(config).config_upload_validation->enable) {
+    hook_upload();
+  }
+  if (SNUFFLEUPAGUS_G(config).config_disable_xxe->enable == 0) {
+    hook_libxml_disable_entity_loader();
+  }
+  hook_disabled_functions();
+  hook_execute();
+  if (NULL != SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key) {
+    if (SNUFFLEUPAGUS_G(config).config_unserialize->enable) {
+      hook_serialize();
+    }
+    hook_cookies();
+  }
+  if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) {
+    if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) {
+      zend_extension_entry.startup = NULL;
+      zend_register_extension(&zend_extension_entry, NULL);
+    }
+    // This is needed to implement the global strict mode
+    CG(compiler_options) |= ZEND_COMPILE_HANDLE_OP_ARRAY;
+  }
+  return SUCCESS;
+}
+const zend_function_entry snuffleupagus_functions[] = {PHP_FE_END};
+zend_module_entry snuffleupagus_module_entry =
+    {STANDARD_MODULE_HEADER,
+     PHP_SNUFFLEUPAGUS_EXTNAME,
+     snuffleupagus_functions,
+     PHP_MINIT(snuffleupagus),
+     PHP_MSHUTDOWN(snuffleupagus),
+     PHP_RINIT(snuffleupagus),
+     PHP_RSHUTDOWN(snuffleupagus),
+     PHP_MINFO(snuffleupagus),
+     PHP_SNUFFLEUPAGUS_VERSION,
+     PHP_MODULE_GLOBALS(snuffleupagus),
+     PHP_GINIT(snuffleupagus),
+     NULL,
+     NULL,
+     STANDARD_MODULE_PROPERTIES_EX};
+#ifdef COMPILE_DL_SNUFFLEUPAGUS
+#ifdef ZTS
+ZEND_TSRMLS_CACHE_DEFINE()
+#endif
+ZEND_GET_MODULE(snuffleupagus)
+#endif
diff --git a/src/snuffleupagus.php b/src/snuffleupagus.php
new file mode 100644
index 0000000..b373a53
--- /dev/null
+++ b/src/snuffleupagus.php
@@ -0,0 +1,21 @@
+<?php
+$br = (php_sapi_name() == "cli")? "":"<br>";
+if(!extension_loaded('snuffleupagus')) {
+        dl('snuffleupagus.' . PHP_SHLIB_SUFFIX);
+}
+$module = 'snuffleupagus';
+$functions = get_extension_funcs($module);
+echo "Functions available in the test extension:$br\n";
+foreach($functions as $func) {
+    echo $func."$br\n";
+}
+echo "$br\n";
+$function = 'confirm_' . $module . '_compiled';
+if (extension_loaded($module)) {
+        $str = $function($module);
+} else {
+        $str = "Module $module is not compiled into PHP";
+}
+echo "$str\n";
+?>
diff --git a/src/sp_compile.c b/src/sp_compile.c
new file mode 100644
index 0000000..2902377
--- /dev/null
+++ b/src/sp_compile.c
@@ -0,0 +1,53 @@
+#include "php_snuffleupagus.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus);
+static zend_op_array *(*orig_compile_file)(zend_file_handle *, int);
+static zend_op_array *(*orig_compile_string)(zval *, char *);
+zend_op_array *sp_compile_file(zend_file_handle *file_handle, int type) {
+  zend_op_array *ret = orig_compile_file(file_handle, type);
+  
+  const sp_node_t* config = SNUFFLEUPAGUS_G(config).config_disabled_functions->disabled_functions;
+  while (config && config->data) {
+    const char* function_name = ((sp_disabled_function*)config->data)->function;
+    const pcre* function_name_regexp = ((sp_disabled_function*)config->data)->r_function;
+    sp_log_err("checking for %s", function_name);
+    //  EG(function_table)->arData[count - 1].val.value.func->internal_function.handler = PHP_FN(check_disabled_function);
+    
+    if (function_name) {
+      if (HOOK_FUNCTION(function_name, disabled_functions_hook, PHP_FN(check_disabled_function), true) == SUCCESS) {
+          sp_log_err("Successfully hooked %s", function_name);
+      }
+      break;
+    } else if (function_name_regexp) {
+      sp_log_err("error", "We'll hook regard later.");
+    }
+    config = config->next;
+  }
+  
+  return ret;
+}
+zend_op_array *sp_compile_string(zval *source_string, char *filename) {
+  zend_op_array *ret = orig_compile_string(source_string, filename);
+  sp_log_err("in compile_string : filename is :%s", filename);
+  return ret;
+}
+int hook_compile(void) {
+  TSRMLS_FETCH();
+  /* zend_compile_file is used to compile php file */
+  orig_compile_file = zend_compile_file;
+  zend_compile_file = sp_compile_file;
+  /* zend_compile_string is used to compile php string */
+  orig_compile_string = zend_compile_string;
+  zend_compile_string = sp_compile_string;
+  return SUCCESS;
+}
+\ No newline at end of file
diff --git a/src/sp_compile.h b/src/sp_compile.h
new file mode 100644
index 0000000..538ff52
--- /dev/null
+++ b/src/sp_compile.h
@@ -0,0 +1,6 @@
+#ifndef SP_COMPILE_H
+#define SP_COMPILE_H
+int hook_compile(void);
+#endif /* SP_COMPILE_H */
+\ No newline at end of file
diff --git a/src/sp_config.c b/src/sp_config.c
new file mode 100644
index 0000000..f73347d
--- /dev/null
+++ b/src/sp_config.c
@@ -0,0 +1,193 @@
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include "php_snuffleupagus.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+sp_config_tokens const sp_func[] = {
+    {.func = parse_unserialize, .token = SP_TOKEN_UNSERIALIZE_HMAC},
+    {.func = parse_random, .token = SP_TOKEN_HARDEN_RANDOM},
+    {.func = parse_disabled_functions, .token = SP_TOKEN_DISABLE_FUNC},
+    {.func = parse_readonly_exec, .token = SP_TOKEN_READONLY_EXEC},
+    {.func = parse_global_strict, .token = SP_TOKEN_GLOBAL_STRICT},
+    {.func = parse_upload_validation, .token = SP_TOKEN_UPLOAD_VALIDATION},
+    {.func = parse_cookie_encryption, .token = SP_TOKEN_COOKIE_ENCRYPTION},
+    {.func = parse_global, .token = SP_TOKEN_GLOBAL},
+    {.func = parse_auto_cookie_secure, .token = SP_TOKEN_AUTO_COOKIE_SECURE},
+    {.func = parse_disable_xxe, .token = SP_TOKEN_DISABLE_XXE},
+    {NULL, NULL}};
+/* Top level keyword parsing */
+static int parse_line(char *line) {
+  char *ptr = line;
+  while (*ptr == ' ' || *ptr == '\t') {
+    ++ptr;
+  }
+  if (!*ptr || *ptr == '#' || *ptr == ';') {
+    return 0;
+  }
+  if (strncmp(ptr, SP_TOKEN_BASE, strlen(SP_TOKEN_BASE))) {
+    sp_log_err("config", "Invalid configuration prefix for '%s'.", line);
+    return -1;
+  }
+  ptr += strlen(SP_TOKEN_BASE);
+  for (size_t i = 0; sp_func[i].func; i++) {
+    if (!strncmp(sp_func[i].token, ptr, strlen(sp_func[i].token))) {
+      return sp_func[i].func(ptr + strlen(sp_func[i].token));
+    }
+  }
+  sp_log_err("config", "Invalid configuration section '%s'.", line);
+  return -1;
+}
+/* keyword parsing */
+int parse_empty(char *restrict line, char *restrict keyword, void *retval) {
+  *(bool *)retval = true;
+  return 0;
+}
+int parse_int(char *restrict line, char *restrict keyword, void *retval) {
+  size_t consumed = 0;
+  char *value = get_param(&consumed, line, SP_TYPE_INT, keyword);
+  if (value) {
+    sscanf(value, "%ud", (uint32_t *)retval);
+    pefree(value, 1);
+    return consumed;
+  } else {
+    sp_log_err("error", "%s) is expecting a valid integer.", keyword);
+    return -1;
+  }
+}
+int parse_php_type(char *restrict line, char *restrict keyword, void *retval) {
+  size_t consumed = 0;
+  char *value = get_param(&consumed, line, SP_TYPE_STR, keyword);
+  if (value) {
+    if (0 == strcasecmp("undef", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_UNDEF;
+    } else if (0 == strcasecmp("null", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_NULL;
+    } else if (0 == strcasecmp("true", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_TRUE;
+    } else if (0 == strcasecmp("false", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_FALSE;
+    } else if (0 == strcasecmp("long", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_LONG;
+    } else if (0 == strcasecmp("double", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_DOUBLE;
+    } else if (0 == strcasecmp("string", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_STRING;
+    } else if (0 == strcasecmp("array", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_ARRAY;
+    } else  if (0 == strcasecmp("object", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_OBJECT;
+    } else if (0 == strcasecmp("resource", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_RESOURCE;
+    } else if (0 == strcasecmp("reference", value)) {
+      *(sp_php_type*)retval = SP_PHP_TYPE_REFERENCE;
+    } else {
+      pefree(value, 1);
+      sp_log_err("error", "%s) is expecting a valid php type ('false', 'true',"
+        " 'array'. 'object', 'long', 'double', 'null', 'resource', 'reference',"
+        " 'undef').", keyword);
+      return -1;
+    }
+    pefree(value, 1);
+    return consumed;
+  } else {
+    return -1;
+  }
+}
+int parse_str(char *restrict line, char *restrict keyword, void *retval) {
+  char *value = NULL;
+  size_t consumed = 0;
+  value = get_param(&consumed, line, SP_TYPE_STR, keyword);
+  if (value) {
+    *(char **)retval = value;
+    return consumed;
+  }
+  return -1;
+}
+int parse_cidr(char *restrict line, char *restrict keyword, void *retval) {
+  size_t consumed = 0;
+  char *value = get_param(&consumed, line, SP_TYPE_STR, keyword);
+  sp_cidr *cidr = pecalloc(sizeof(sp_cidr), 1, 1);
+  if (value) {
+    if (-1 == get_ip_and_cidr(value, cidr)) {
+      return -1;
+    }
+    *(sp_cidr **)retval = cidr;
+    return consumed;
+  } else {
+    sp_log_err("config", "%s doesn't contain a valid cidr.", line);
+    return -1;
+  }
+}
+int parse_regexp(char *restrict line, char *restrict keyword, void *retval) {
+  /* TODO: Do we want to use pcre_study?
+   * (http://www.pcre.org/original/doc/html/pcre_study.html)
+   * maybe not: http://sljit.sourceforge.net/pcre.html*/
+  size_t consumed = 0;
+  char *value = get_param(&consumed, line, SP_TYPE_STR, keyword);
+  if (value) {
+    const char *pcre_error;
+    int pcre_error_offset;
+    pcre *compiled_re = pcre_compile(value, PCRE_CASELESS, &pcre_error,
+                                     &pcre_error_offset, NULL);
+    if (NULL == compiled_re) {
+      sp_log_err("config", "Failed to compile '%s': %s.", value, pcre_error);
+    } else {
+      *(pcre **)retval = compiled_re;
+      return consumed;
+    }
+  }
+  char *closing_paren = strchr(line, ')');
+  if (NULL != closing_paren) {
+    closing_paren[0] = '\0';
+  }
+  sp_log_err("config", "'%s)' is expecting a valid regexp, and not '%s'.",
+             keyword, line);
+  return -1;
+}
+int sp_parse_config(const char *conf_file) {
+  FILE *fd = fopen(conf_file, "r");
+  char *lineptr = NULL;
+  size_t n = 0;
+  if (fd == NULL) {
+    sp_log_err("config", "Could not open configuration file %s : %s", conf_file,
+               strerror(errno));
+    return FAILURE;
+  }
+  while (getline(&lineptr, &n, fd) > 0) {
+    /* We trash the terminal `\n`. This simplify the display of logs. */
+    if (lineptr[strlen(lineptr) - 1] == '\n') {
+      lineptr[strlen(lineptr) - 1] = '\0';
+    }
+    if (parse_line(lineptr) == -1) {
+      fclose(fd);
+      free(lineptr);
+      return FAILURE;
+    }
+    free(lineptr);
+    lineptr = NULL;
+    n = 0;
+  }
+  fclose(fd);
+  return SUCCESS;
+}
diff --git a/src/sp_config.h b/src/sp_config.h
new file mode 100644
index 0000000..54ec2cc
--- /dev/null
+++ b/src/sp_config.h
@@ -0,0 +1,206 @@
+#ifndef SP_CONFIG_H
+#define SP_CONFIG_H
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+typedef enum {
+  SP_TYPE_STR = 0,
+  SP_TYPE_REGEXP,
+  SP_TYPE_INT,
+  SP_TYPE_EMPTY
+} sp_type;
+typedef enum {
+  SP_PHP_TYPE_UNDEF = IS_UNDEF, 
+  SP_PHP_TYPE_NULL = IS_NULL, 
+  SP_PHP_TYPE_FALSE = IS_FALSE, 
+  SP_PHP_TYPE_TRUE = IS_TRUE, 
+  SP_PHP_TYPE_LONG = IS_LONG, 
+  SP_PHP_TYPE_DOUBLE = IS_DOUBLE, 
+  SP_PHP_TYPE_STRING = IS_STRING, 
+  SP_PHP_TYPE_ARRAY = IS_ARRAY, 
+  SP_PHP_TYPE_OBJECT = IS_OBJECT, 
+  SP_PHP_TYPE_RESOURCE = IS_RESOURCE, 
+  SP_PHP_TYPE_REFERENCE = IS_REFERENCE
+} sp_php_type;
+typedef struct {
+  int ip_version;
+  union {
+    struct in_addr ipv4;
+    struct in6_addr ipv6;
+  } ip;
+  uint8_t mask;
+} sp_cidr;
+typedef struct { char *encryption_key; } sp_config_encryption_key;
+typedef struct {
+        bool enable;
+        bool simulation;
+} sp_config_readonly_exec;
+typedef struct { bool enable; } sp_config_global_strict;
+typedef struct { bool enable; } sp_config_random;
+typedef struct { bool enable; } sp_config_auto_cookie_secure;
+typedef struct { bool enable; } sp_config_disable_xxe;
+typedef struct {
+  HashTable *names;
+  uint32_t mask_ipv4;
+  uint32_t mask_ipv6;
+} sp_config_cookie_encryption;
+typedef struct {
+  bool enable;
+  bool simulation;
+} sp_config_unserialize;
+typedef struct {
+  char *filename;
+  pcre *r_filename;
+  char *function;
+  pcre *r_function;
+  char *hash;
+  int simulation;
+  bool enable;
+  char *param;
+  pcre *r_param;
+  sp_php_type param_type;
+  char *ret;
+  pcre *r_ret;
+  sp_php_type ret_type;
+  
+  pcre *regexp;
+  char *value;
+  char *dump;
+  char *alias;
+  bool param_is_array;
+  bool var_is_array;
+  sp_node_t *param_array_keys;
+  sp_node_t *var_array_keys;
+  bool allow;
+  bool drop;
+  char *var;
+  sp_cidr *cidr;
+} sp_disabled_function;
+typedef struct {
+  sp_node_t *disabled_functions;  // list of sp_disabled_function
+} sp_config_disabled_functions;
+typedef struct {
+  sp_node_t *regexp_inclusion;  // list of regexp for inclusion
+} sp_config_regexp_inclusion;
+typedef struct {
+  char *script;
+  bool simulation;
+  bool enable;
+} sp_config_upload_validation;
+typedef struct {
+  sp_config_random *config_random;
+  sp_config_unserialize *config_unserialize;
+  sp_config_disabled_functions *config_disabled_functions;
+  sp_config_disabled_functions *config_disabled_functions_ret;
+  sp_config_readonly_exec *config_readonly_exec;
+  sp_config_upload_validation *config_upload_validation;
+  sp_config_cookie_encryption *config_cookie_encryption;
+  sp_config_encryption_key *config_snuffleupagus;
+  sp_config_auto_cookie_secure *config_auto_cookie_secure;
+  sp_config_global_strict *config_global_strict;
+  sp_config_disable_xxe *config_disable_xxe;
+  sp_config_regexp_inclusion *config_regexp_inclusion;
+} sp_config;
+typedef struct {
+  int (*func)(char *, char *, void *);
+  char *token;
+  void *retval;
+} sp_config_functions;
+typedef struct {
+  int (*func)(char *);
+  char *token;
+} sp_config_tokens;
+#define SP_TOKEN_BASE "sp"
+#define SP_TOKEN_AUTO_COOKIE_SECURE ".auto_cookie_secure"
+#define SP_TOKEN_COOKIE_ENCRYPTION ".cookie_encryption"
+#define SP_TOKEN_DISABLE_FUNC ".disable_functions"
+#define SP_TOKEN_GLOBAL ".global"
+#define SP_TOKEN_GLOBAL_STRICT ".global_strict"
+#define SP_TOKEN_HARDEN_RANDOM ".harden_random"
+#define SP_TOKEN_READONLY_EXEC ".readonly_exec"
+#define SP_TOKEN_UNSERIALIZE_HMAC ".unserialize_hmac"
+#define SP_TOKEN_UPLOAD_VALIDATION ".upload_validation"
+#define SP_TOKEN_DISABLE_XXE ".disable_xxe"
+// common tokens
+#define SP_TOKEN_ENABLE ".enable("
+#define SP_TOKEN_DISABLE ".disable("
+#define SP_TOKEN_SIMULATION ".simulation("
+#define SP_TOKEN_TRUE "1"
+#define SP_TOKEN_FALSE "0"
+#define SP_TOKEN_DUMP ".dump("
+#define SP_TOKEN_ALIAS ".alias("
+#define SP_TOKEN_ALLOW ".allow("
+#define SP_TOKEN_DROP ".drop("
+#define SP_TOKEN_END_PARAM ')'
+// disable_function
+#define SP_TOKEN_CIDR ".cidr("
+#define SP_TOKEN_FILENAME ".filename("
+#define SP_TOKEN_FILENAME_REGEXP ".filename_r("
+#define SP_TOKEN_FUNCTION ".function("
+#define SP_TOKEN_FUNCTION_REGEXP ".function_r("
+#define SP_TOKEN_HASH ".hash("
+#define SP_TOKEN_LOCAL_VAR ".var("
+#define SP_TOKEN_PARAM ".param("
+#define SP_TOKEN_PARAM_REGEXP ".param_r("
+#define SP_TOKEN_PARAM_TYPE ".param_type("
+#define SP_TOKEN_RET ".ret("
+#define SP_TOKEN_RET_REGEXP ".ret_r("
+#define SP_TOKEN_RET_TYPE ".ret_type("
+#define SP_TOKEN_VALUE ".value("
+#define SP_TOKEN_VALUE_REGEXP ".value_r("
+// cookies encryption
+#define SP_TOKEN_NAME ".cookie("
+#define SP_TOKEN_MASK_IPV4 ".mask_ipv4("
+#define SP_TOKEN_MASK_IPV6 ".mask_ipv6("
+// Global configuration options
+#define SP_TOKEN_ENCRYPTION_KEY ".secret_key("
+// upload_validator
+#define SP_TOKEN_UPLOAD_SCRIPT ".script("
+int sp_parse_config(const char *);
+int parse_array(sp_disabled_function *);
+int parse_str(char *restrict, char *restrict, void *);
+int parse_regexp(char *restrict, char *restrict, void *);
+int parse_empty(char *restrict, char *restrict, void *);
+int parse_int(char *restrict, char *restrict, void *);
+int parse_cidr(char *restrict, char *restrict, void *);
+int parse_php_type(char *restrict, char *restrict, void *);
+#endif /* SP_CONFIG_H */
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
new file mode 100644
index 0000000..4a6dd3a
--- /dev/null
+++ b/src/sp_config_keywords.c
@@ -0,0 +1,268 @@
+#include "php_snuffleupagus.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+static int parse_enable(char *line, bool * restrict retval, bool * restrict simulation) {
+  bool enable = false, disable = false;
+  sp_config_functions sp_config_funcs[] = {
+    {parse_empty, SP_TOKEN_ENABLE, &(enable)},
+    {parse_empty, SP_TOKEN_DISABLE, &(disable)},
+    {parse_empty, SP_TOKEN_SIMULATION, simulation},
+    {0}};
+  int ret = parse_keywords(sp_config_funcs, line);
+  if (0 != ret) {
+    return ret;
+  }
+  if (!(enable ^ disable)) {
+    sp_log_err("config", "A rule can't be enabled and disabled.");
+    return -1;
+  } 
+  *retval = enable;
+  
+  return ret;
+}
+int parse_random(char *line) {
+  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_random->enable), NULL);
+}
+int parse_disable_xxe(char *line) {
+  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_disable_xxe->enable), NULL);
+}
+int parse_auto_cookie_secure(char *line) {
+  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_auto_cookie_secure->enable), NULL);
+}
+int parse_global_strict(char *line) {
+  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_global_strict->enable), NULL);
+}
+int parse_unserialize(char *line) {
+  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_unserialize->enable), &(SNUFFLEUPAGUS_G(config).config_unserialize->simulation));
+}
+int parse_readonly_exec(char *line) {
+  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_readonly_exec->enable), &(SNUFFLEUPAGUS_G(config).config_readonly_exec->simulation));
+}
+int parse_global(char *line) {
+  sp_config_functions sp_config_funcs_encryption_key[] = {
+      {parse_str, SP_TOKEN_ENCRYPTION_KEY,
+       &(SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)},
+      {0}};
+  return parse_keywords(sp_config_funcs_encryption_key, line);
+}
+int parse_cookie_encryption(char *line) {
+  int ret = 0;
+  char *name = NULL;
+  sp_config_functions sp_config_funcs_cookie_encryption[] = {
+      {parse_str, SP_TOKEN_NAME, &name},
+      {parse_int, SP_TOKEN_MASK_IPV4,
+       &(SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv4)},
+      {parse_int, SP_TOKEN_MASK_IPV6,
+       &(SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv6)},
+      {0}};
+  ret = parse_keywords(sp_config_funcs_cookie_encryption, line);
+  if (0 != ret) {
+    return ret;
+  }
+  if (32 < SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv4) {
+    SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv4 = 32;
+  }
+  if (128 < SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv6) {
+    SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv6 = 128;
+  }
+  if (name) {
+    zend_hash_str_add_empty_element(
+        SNUFFLEUPAGUS_G(config).config_cookie_encryption->names, name,
+        strlen(name));
+  }
+  return SUCCESS;
+}
+int parse_disabled_functions(char *line) {
+  int ret = 0;
+  bool enable = true, disable = false;
+  sp_disabled_function *df = pecalloc(sizeof(*df), 1, 1);
+  sp_config_functions sp_config_funcs_disabled_functions[] = {
+      {parse_empty, SP_TOKEN_ENABLE, &(enable)},
+      {parse_empty, SP_TOKEN_DISABLE, &(disable)},
+      {parse_str, SP_TOKEN_ALIAS, &(df->alias)},
+      {parse_empty, SP_TOKEN_SIMULATION, &(df->simulation)},
+      {parse_str, SP_TOKEN_FILENAME, &(df->filename)},
+      {parse_regexp, SP_TOKEN_FILENAME_REGEXP, &(df->r_filename)},
+      {parse_str, SP_TOKEN_FUNCTION, &(df->function)},
+      {parse_regexp, SP_TOKEN_FUNCTION_REGEXP, &(df->r_function)},
+      {parse_str, SP_TOKEN_DUMP, &(df->dump)},
+      {parse_empty, SP_TOKEN_ALLOW, &(df->allow)},
+      {parse_empty, SP_TOKEN_DROP, &(df->drop)},
+      {parse_str, SP_TOKEN_HASH, &(df->hash)},
+      {parse_str, SP_TOKEN_PARAM, &(df->param)},
+      {parse_regexp, SP_TOKEN_VALUE_REGEXP, &(df->regexp)},
+      {parse_str, SP_TOKEN_VALUE, &(df->value)},
+      {parse_regexp, SP_TOKEN_PARAM_REGEXP, &(df->r_param)},
+      {parse_php_type, SP_TOKEN_PARAM_TYPE, &(df->param_type)},
+      {parse_str, SP_TOKEN_RET, &(df->ret)},
+      {parse_cidr, SP_TOKEN_CIDR, &(df->cidr)},
+      {parse_regexp, SP_TOKEN_RET_REGEXP, &(df->r_ret)},
+      {parse_php_type, SP_TOKEN_RET_TYPE, &(df->ret_type)},
+      {parse_str, SP_TOKEN_LOCAL_VAR, &(df->var)},
+      {0}};
+  ret = parse_keywords(sp_config_funcs_disabled_functions, line);
+  if (0 != ret) {
+    return ret;
+  }
+  if (true == disable){
+    df->enable = false;
+  } else {
+    df->enable = true;
+  }
+  if (df->value && df->regexp) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s':"
+               "'.value' and '.regexp' are mutually exclusives.",
+               line);
+    return -1;
+  } else if (df->r_function && df->function) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s': "
+               "'.r_function' and '.function' are mutually exclusive.",
+               line);
+    return -1;
+  } else if (df->r_filename && df->filename) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s':"
+               "'.r_filename' and '.filename' are mutually exclusive.",
+               line);
+    return -1;
+  } else if (df->r_param && df->param) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s':"
+               "'.r_param' and '.param' are mutually exclusive.",
+               line);
+    return -1;
+  } else if (df->r_ret && df->ret) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s':"
+               "'.r_ret' and '.ret' are mutually exclusive.",
+               line);
+    return -1;
+  } else if ((df->r_ret || df->ret) && (df->r_param || df->param)) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s':"
+               "`ret` and `param` are mutually exclusives.",
+               line);
+    return -1;
+  } else if (!(df->r_function || df->function)) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s':"
+               " must take a function name.",
+               line);
+    return -1;
+  } else if (!(df->allow ^ df->drop)) {
+    sp_log_err("config",
+               "Invalid configuration line: 'sp.disabled_functions%s': The "
+               "rule must either be a `drop` or and `allow` one.",
+               line);
+    return -1;
+  }
+  if (df->param && strchr(df->param, '[')) {  // assume that this is an array
+    df->param_array_keys = sp_new_list();
+    if (0 != array_to_list(&df->param, &df->param_array_keys)) {
+      pefree(df->param_array_keys, 1);
+      return -1;
+    }
+    df->param_is_array = 1;
+  }
+  
+  if (df->var && strchr(df->var, '[')) {  // assume that this is an array
+    df->var_array_keys = sp_new_list();
+    if (0 != array_to_list(&df->var, &df->var_array_keys)) {
+      pefree(df->var_array_keys, 1);
+      return -1;
+    }
+    df->var_is_array = 1;
+  }
+  bool match = false;
+  const char *key[4] = {"include", "include_once", "require", "require_once"};
+  for (size_t i = 0; i < 4; i++) {
+    if (df->r_function && true == is_regexp_matching(df->r_function, key[i])) {
+      match = true;
+      break;
+    } else if (df->function && 0 == strcmp(df->function, key[i])) {
+      match = true;
+      break;
+    }
+  }
+  if (true == match && df->regexp) {
+    sp_list_insert(
+        SNUFFLEUPAGUS_G(config).config_regexp_inclusion->regexp_inclusion,
+        df->regexp);
+  } else if (df->ret || df->r_ret || df->ret_type) {
+    sp_list_insert(
+        SNUFFLEUPAGUS_G(config).config_disabled_functions_ret->disabled_functions,
+        df);
+  } else {
+    sp_list_insert(
+        SNUFFLEUPAGUS_G(config).config_disabled_functions->disabled_functions,
+        df);
+  }
+  return ret;
+}
+int parse_upload_validation(char *line) {
+  bool disable = false, enable = false;
+  sp_config_functions sp_config_funcs_upload_validation[] = {
+      {parse_str, SP_TOKEN_UPLOAD_SCRIPT,
+       &(SNUFFLEUPAGUS_G(config).config_upload_validation->script)},
+      {parse_empty, SP_TOKEN_SIMULATION,
+       &(SNUFFLEUPAGUS_G(config).config_upload_validation->simulation)},
+      {parse_empty, SP_TOKEN_ENABLE, &(enable)},
+      {parse_empty, SP_TOKEN_DISABLE, &(disable)},
+      {0}};
+  int ret = parse_keywords(sp_config_funcs_upload_validation, line);
+  if (0 != ret) {
+    return ret;
+  }
+  if (!(enable ^ disable)) {
+    sp_log_err("config", "A rule can't be enabled and disabled.");
+    return -1;
+  } 
+  SNUFFLEUPAGUS_G(config).config_upload_validation->enable = enable;
+  char const *script = SNUFFLEUPAGUS_G(config).config_upload_validation->script;
+  if (!script) {
+    sp_log_err("config", "The `script` directive is mandatory in %s",
+      line);
+    return -1;
+  } else if (-1 == access(script, F_OK)) {
+    sp_log_err("config", "The `script` (%s) doesn't exist.", script);
+    return -1;
+  } else if (-1 == access(script, X_OK)) {
+    sp_log_err("config", "The `script` (%s) isn't executable.", script);
+    return -1;
+  }
+  
+  return ret;
+}
diff --git a/src/sp_config_keywords.h b/src/sp_config_keywords.h
new file mode 100644
index 0000000..40fac47
--- /dev/null
+++ b/src/sp_config_keywords.h
@@ -0,0 +1,16 @@
+#ifndef SP_CONFIG_KEYWORDS_H
+#define SP_CONFIG_KEYWORDS_H
+#include "php_snuffleupagus.h"
+int parse_random(char *line);
+int parse_disable_xxe(char *line);
+int parse_auto_cookie_secure(char *line);
+int parse_global_strict(char *line);
+int parse_global(char *line) ;
+int parse_cookie_encryption(char *line);
+int parse_unserialize(char *line) ;
+int parse_readonly_exec(char *line);
+int parse_disabled_functions(char *line) ;
+int parse_upload_validation(char *line);
+#endif // __SP_CONFIG_KEYWORDS_H
+\ No newline at end of file
diff --git a/src/sp_config_utils.c b/src/sp_config_utils.c
new file mode 100644
index 0000000..e05e95e
--- /dev/null
+++ b/src/sp_config_utils.c
@@ -0,0 +1,211 @@
+#include "php_snuffleupagus.h"
+static int validate_int(const char *value);
+static int validate_str(const char *value);
+static sp_pure int validate_int(const char *value) {
+  for (size_t i = 0; i < strlen(value); i++) {
+    if (!isdigit(value[i])) {
+      return -1;
+    }
+  }
+  return 0;
+}
+static sp_pure int validate_str(const char *value) {
+  int balance = 0;  // ghetto [] validation
+  if (!strchr(value, '[')) {
+    return 0;
+  }
+  for (size_t i = 0; i < strlen(value); i++) {
+    if (value[i] == '[') {
+      balance++;
+    } else if (value[i] == ']') {
+      balance--;
+    }
+    if (balance < 0) {
+      return -1;
+    }
+  }
+  return balance != 0;
+}
+int parse_keywords(sp_config_functions *funcs, char *line) {
+  int value_len = 0;
+  const char *original_line = line;
+  for (size_t i = 0; funcs[i].func; i++) {
+    if (!strncmp(funcs[i].token, line, strlen(funcs[i].token))) {
+      line += strlen(funcs[i].token);
+      value_len = funcs[i].func(line, funcs[i].token, funcs[i].retval) + 1;
+      if (value_len == 0) {  // bad parameter
+        return -1;
+      }
+      line += value_len;
+      i = -1;  // we start the loop again
+    }
+  }
+  while (*line == ';' || *line == '\t' || *line == ' ') {
+    line++;
+  }
+  if (*line == '#') {
+    return 0;
+  }
+  if (*line) {
+    sp_log_err("config", "Trailing chars '%s' at the end of '%s'.", line,
+               original_line);
+    return -1;
+  }
+  return 0;
+}
+static char *get_string(size_t *consumed, char *restrict line,
+                        const char *restrict keyword) {
+  enum { IN_ESCAPE, NONE } state = NONE;
+  char *original_line = line;
+  size_t j = 0;
+  char *ret = NULL;
+  if (NULL == line) {
+    goto err;
+  }
+  ret = pecalloc(sizeof(char), strlen(original_line) + 1, 1);
+  /* The first char of a string is always '"', since they MUST be quoted. */
+  if ('"' == *line) {
+    line++;
+  } else {
+    goto err;
+  }
+  for (size_t i = 0; line[i] && j < strlen(original_line) - 2; i++) {
+    switch (line[i]) {
+      case '"':
+        /* A double quote at this point is either:
+          - at the very end of the string.
+          - escaped
+          */
+        if ((state == NONE) && (line[i + 1] == SP_TOKEN_END_PARAM)) {
+          /* The `+2` if for
+           1. the terminal double-quote
+           2. the SP_TOKEN_END_PARAM
+           */
+          *consumed = i + 2;
+          return ret;
+        } else if (state == IN_ESCAPE) {
+          break;  // we're on an escped double quote
+        } else {
+          goto err;
+        }
+      case '\\':
+        if (state == NONE) {
+          state = IN_ESCAPE;
+          continue;
+        }
+      default:
+        break;
+    }
+    if (state == IN_ESCAPE) {
+      state = NONE;
+    }
+    ret[j++] = line[i];
+  }
+err:
+  sp_log_err("error",
+             "There is an issue with the parsing of '%s': it doesn't look like a valid string.",
+             original_line ? original_line : "NULL");
+  line = NULL;
+  return NULL;
+}
+static char *get_misc(char *restrict line, const char *restrict keyword) {
+  size_t i = 0;
+  char *ret = pecalloc(sizeof(char), 1024, 1);
+  while (i < 1024 - 1 && line[i] && line[i] != SP_TOKEN_END_PARAM) {
+    ret[i] = line[i];
+    i++;
+  }
+  if (line[i] != SP_TOKEN_END_PARAM) {
+    if (i >= 1024 - 1) {
+      sp_log_err("config", "The following line is too long: %s.", line);
+                } else {
+      sp_log_err("config", "Missing closing %c in line %s.", SP_TOKEN_END_PARAM,
+                 line);
+                }
+    return NULL;
+  } else if (i == 0) {
+    sp_log_err("config", "The keyword %s%c is expecting a parameter.",
+     keyword, SP_TOKEN_END_PARAM);
+    return NULL;
+  }
+  return ret;
+}
+char *get_param(size_t *consumed, char *restrict line, sp_type type,
+                const char *restrict keyword) {
+  char *retval = NULL;
+  if (type == SP_TYPE_STR) {
+    retval = get_string(consumed, line, keyword);
+  } else {
+    retval = get_misc(line, keyword);
+    *consumed = retval ? strlen(retval) : 0;
+  }
+  if (retval) {
+    if (type == SP_TYPE_STR && 0 == validate_str(retval)) {
+      return retval;
+    } else if (type == SP_TYPE_INT && 0 == validate_int(retval)) {
+      return retval;
+    }
+  }
+  return NULL;
+}
+// FIXME this is leaking like hell @blotus
+int array_to_list(char **name_ptr, sp_node_t **keys) {
+  int in_key = 0;
+  size_t i = 0;
+  char *name = *name_ptr;
+  char *key_name = ecalloc(strlen(name) + 1, 1);  // im way too lazy for
+                                                       // now
+  char *tmp = ecalloc(strlen(name) + 1, 1);
+  for (i = 0; name[i] != '['; i++) {
+    tmp[i] = name[i];
+  }
+  tmp[i] = 0;
+  for (size_t j = 0; name[i]; i++) {
+    const char c = name[i];
+    if (c == '[') {
+      if (in_key == 0) {
+        in_key = 1;
+      } else {
+        efree(key_name);
+        return -1;
+      }
+    } else if (c == ']') {
+      if (in_key == 0) {
+        efree(key_name);
+        return -1;
+      } else {
+        in_key = 0;
+        j = 0;
+        sp_list_insert(*keys, pestrdup(key_name, 1));
+        memset(key_name, 0, strlen(name) + 1);
+      }
+    } else if (in_key == 1) {
+      key_name[j] = c;
+      j++;
+    }
+  }
+  efree(key_name);
+  *name_ptr = pestrdup(tmp, 1);
+  return in_key;
+}
diff --git a/src/sp_config_utils.h b/src/sp_config_utils.h
new file mode 100644
index 0000000..f2f8fce
--- /dev/null
+++ b/src/sp_config_utils.h
@@ -0,0 +1,8 @@
+#ifndef SP_CONFIG_UTILS
+#define SP_CONFIG_UTILS
+int parse_keywords(sp_config_functions *, char *);
+char *get_param(size_t *, char *restrict, sp_type, const char *restrict);
+int array_to_list(char **, sp_node_t **);
+#endif /* SP_CONFIG_UTILS */
diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c
new file mode 100644
index 0000000..5248486
--- /dev/null
+++ b/src/sp_cookie_encryption.c
@@ -0,0 +1,216 @@
+#include "php_snuffleupagus.h"
+#include "ext/standard/url.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+static unsigned int nonce_d = 0;
+static inline void generate_key(unsigned char *key) {
+  PHP_SHA256_CTX ctx;
+  const char *user_agent = sp_getenv("HTTP_USER_AGENT");
+  const char *remote_addr = sp_getenv("REMOTE_ADDR");
+  const char *encryption_key =
+      SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key;
+  /* 32 is the size of a SHA256. */
+  assert(32 == crypto_secretbox_KEYBYTES);
+  PHP_SHA256Init(&ctx);
+  if (user_agent) {
+    PHP_SHA256Update(&ctx, (unsigned char *)user_agent, strlen(user_agent));
+  }
+  if (remote_addr) {
+    char out[128];
+          apply_mask_on_ip(out, remote_addr);
+    PHP_SHA256Update(&ctx, (unsigned char*)out, sizeof(out));
+  }
+  if (encryption_key) {
+    PHP_SHA256Update(&ctx, (const unsigned char *)encryption_key,
+                     strlen(encryption_key));
+  }
+  PHP_SHA256Final((unsigned char *)key, &ctx);
+}
+int decrypt_cookie(zval *pDest, int num_args, va_list args,
+                   zend_hash_key *hash_key) {
+  unsigned char key[crypto_secretbox_KEYBYTES] = {0};
+  size_t value_len;
+  zend_string *debase64;
+  unsigned char *decrypted;
+  int ret = 0;
+  /* If the cookie isn't in the conf, it shouldn't be encrypted. */
+  if (0 ==
+      zend_hash_exists(SNUFFLEUPAGUS_G(config).config_cookie_encryption->names,
+                       hash_key->key)) {
+    return ZEND_HASH_APPLY_KEEP;
+  }
+  generate_key(key);
+  value_len = php_url_decode(Z_STRVAL_P(pDest), Z_STRLEN_P(pDest));
+  if (value_len == 0) {
+    return ZEND_HASH_APPLY_KEEP;
+  }
+  debase64 = php_base64_decode((unsigned char *)(Z_STRVAL_P(pDest)), value_len);
+  if (value_len <
+      crypto_secretbox_NONCEBYTES + crypto_secretbox_ZEROBYTES) {
+    sp_log_msg("cookie_encryption", LOG_DROP,
+        "Buffer underflow tentative detected in cookie encryption handling.");
+    return ZEND_HASH_APPLY_REMOVE;
+  }
+  decrypted = pecalloc(value_len, 1, 0);
+  ret = crypto_secretbox_open(
+      decrypted,
+      (unsigned char *)(ZSTR_VAL(debase64) + crypto_secretbox_NONCEBYTES),
+      ZSTR_LEN(debase64) - crypto_secretbox_NONCEBYTES,
+      (unsigned char *)ZSTR_VAL(debase64), key);
+  if (ret == -1) {
+    sp_log_msg("cookie_encryption", LOG_DROP,
+      "Something went wrong with the decryption of %s.",
+               ZSTR_VAL(hash_key->key));
+    return ZEND_HASH_APPLY_REMOVE;
+  }
+  ZVAL_STRINGL(pDest, (char *)(decrypted + crypto_secretbox_ZEROBYTES),
+               ZSTR_LEN(debase64) - crypto_secretbox_NONCEBYTES - 1 -
+                   crypto_secretbox_ZEROBYTES);
+  return ZEND_HASH_APPLY_KEEP;
+}
+/**
+  This function will return the `data` of length `data_len` encrypted in the
+  form
+  base64(nonce | encrypted_data) (with `|` being the concatenation
+  operation).
+  The `nonce` is time-based.
+*/
+static zend_string *encrypt_data(char *data, unsigned long long data_len) {
+  const size_t encrypted_msg_len = crypto_secretbox_ZEROBYTES + data_len + 1;
+  const size_t emsg_and_nonce_len = encrypted_msg_len + crypto_secretbox_NONCEBYTES;
+  unsigned char key[crypto_secretbox_KEYBYTES] = {0};
+  unsigned char nonce[crypto_secretbox_NONCEBYTES] = {0};
+  unsigned char *data_to_encrypt = pecalloc(encrypted_msg_len, 1, 0);
+  unsigned char *encrypted_data = pecalloc(emsg_and_nonce_len, 1, 1);
+  generate_key(key);
+  /* tweetnacl's API requires the message to be padded with
+  crypto_secretbox_ZEROBYTES zeroes. */
+  memcpy(data_to_encrypt + crypto_secretbox_ZEROBYTES, data, data_len);
+  assert(sizeof(size_t) <= crypto_secretbox_NONCEBYTES);
+  nonce_d++;
+  sscanf((char*)nonce, "%ud", &nonce_d); 
+  memcpy(encrypted_data, nonce, crypto_secretbox_NONCEBYTES);
+  crypto_secretbox(encrypted_data + crypto_secretbox_NONCEBYTES,
+                   data_to_encrypt, encrypted_msg_len, nonce, key);
+  zend_string *z = php_base64_encode(encrypted_data, emsg_and_nonce_len);
+  sp_log_debug("cookie_encryption", "Cookie value:%s:", z->val);
+  return z;
+}
+PHP_FUNCTION(sp_setcookie) {
+  zval params[7] = { 0 };
+  zend_string *name = NULL, *value = NULL, *path = NULL, *domain = NULL;
+  zend_long expires = 0;
+  zend_bool secure = 0, httponly = 0;
+  zval ret_val;
+  zval func_name;
+  ZEND_PARSE_PARAMETERS_START(1, 7)
+  Z_PARAM_STR(name)
+  Z_PARAM_OPTIONAL
+  Z_PARAM_STR(value)
+  Z_PARAM_LONG(expires)
+  Z_PARAM_STR(path)
+  Z_PARAM_STR(domain)
+  Z_PARAM_BOOL(secure)
+  Z_PARAM_BOOL(httponly)
+  ZEND_PARSE_PARAMETERS_END();
+  /* If the request was issued over HTTPS, the cookie should be "secure" */
+  if (SNUFFLEUPAGUS_G(config).config_auto_cookie_secure) {
+    const zval server_vars = PG(http_globals)[TRACK_VARS_SERVER];
+    if (Z_TYPE(server_vars) == IS_ARRAY) {
+      const zval *is_https =
+          zend_hash_str_find(Z_ARRVAL(server_vars), "HTTPS", strlen("HTTPS"));
+      if (NULL != is_https) {
+        secure = 1;
+      }
+    }
+  }
+  /* If the cookie's value is encrypted, it won't be usable by
+   * javascript anyway.
+   */
+  if (zend_hash_exists(SNUFFLEUPAGUS_G(config).config_cookie_encryption->names,
+                       name) > 0) {
+    httponly = 1;
+  }
+  /* Shall we encrypt the cookie's value? */
+  if (zend_hash_exists(SNUFFLEUPAGUS_G(config).config_cookie_encryption->names,
+                       name) > 0 && value) {
+    zend_string *encrypted_data = encrypt_data(value->val, value->len);
+    ZVAL_STR_COPY(&params[1], encrypted_data);
+    zend_string_release(encrypted_data);
+  } else if (value) {
+    ZVAL_STR_COPY(&params[1], value);
+  }
+  ZVAL_STRING(&func_name, "setcookie");
+  ZVAL_STR_COPY(&params[0], name);
+  ZVAL_LONG(&params[2], expires);
+  if (path) {
+    ZVAL_STR_COPY(&params[3], path);
+  }
+  if (domain) {
+    ZVAL_STR_COPY(&params[4], domain);
+  }
+  if (secure) {
+    ZVAL_LONG(&params[5], secure);
+  }
+  if (httponly) {
+    ZVAL_LONG(&params[6], httponly);
+  }
+  /* This is the _fun_ part: because PHP is utterly idiotic and nonsensical,
+  the `call_user_function` macro will __discard__ (yes) its first argument
+  (the hashtable), effectively calling functions from `CG(function_table)`.
+  This is why were replacing our hook with the original function, calling
+  the function, and then re-hooking it. */
+  void (*handler)(INTERNAL_FUNCTION_PARAMETERS);
+  handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook), "setcookie",
+                                   strlen("setcookie"));
+  zend_internal_function *func = zend_hash_str_find_ptr(
+      CG(function_table), "setcookie", strlen("setcookie"));
+  func->handler = handler;
+  call_user_function(CG(function_table), NULL, &func_name, &ret_val, 7, params);
+  func->handler = PHP_FN(sp_setcookie);
+}
+int hook_cookies() {
+  HOOK_FUNCTION("setcookie", sp_internal_functions_hook, PHP_FN(sp_setcookie), false);
+  return SUCCESS;
+}
diff --git a/src/sp_cookie_encryption.h b/src/sp_cookie_encryption.h
new file mode 100644
index 0000000..9904738
--- /dev/null
+++ b/src/sp_cookie_encryption.h
@@ -0,0 +1,17 @@
+#ifndef __SP_COOKIE_ENCRYPTION
+#define __SP_COOKIE_ENCRYPTION
+#include "SAPI.h"
+#include "tweetnacl.h"
+#include "sp_utils.h"
+#include "ext/hash/php_hash.h"
+#include "ext/hash/php_hash_sha.h"
+#include "ext/standard/base64.h"
+int hook_cookies();
+int decrypt_cookie(zval *pDest, int num_args, va_list args, zend_hash_key *hash_key);
+#endif /* __SP_COOKIE_ENCRYPTION */
diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
new file mode 100644
index 0000000..d11b3d0
--- /dev/null
+++ b/src/sp_disable_xxe.c
@@ -0,0 +1,25 @@
+#include "php_snuffleupagus.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+PHP_FUNCTION(sp_libxml_disable_entity_loader) { RETURN_TRUE; }
+int hook_libxml_disable_entity_loader() {
+  zval func_name;
+  zval hmac;
+  zval params[1];
+  TSRMLS_FETCH();
+  /* Call the php function here instead of re-implementing it is a bit
+   * ugly, but we do not want to introduce compile-time dependencies against
+   * libxml. */
+  ZVAL_STRING(&func_name, "libxml_disable_entity_loader");
+  ZVAL_STRING(&params[0], "true");
+  call_user_function(CG(function_table), NULL, &func_name, &hmac, 1, params);
+  HOOK_FUNCTION("libxml_disable_entity_loader", sp_internal_functions_hook,
+                PHP_FN(sp_libxml_disable_entity_loader), false);
+  return SUCCESS;
+}
diff --git a/src/sp_disable_xxe.h b/src/sp_disable_xxe.h
new file mode 100644
index 0000000..274c169
--- /dev/null
+++ b/src/sp_disable_xxe.h
@@ -0,0 +1,6 @@
+#ifndef __SP_DISABLE_XXE_H
+#define __SP_DISABLE_XXE_H
+int hook_libxml_disable_entity_loader();
+#endif /* __SP_DISABLE_XXE_H */
diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c
new file mode 100644
index 0000000..55d782b
--- /dev/null
+++ b/src/sp_disabled_functions.c
@@ -0,0 +1,356 @@
+#include "php_snuffleupagus.h"
+#include "zend_execute.h"
+#include "zend_hash.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus);
+ZEND_COLD static zend_always_inline bool is_hash_matching(
+    const char* current_filename,
+    sp_disabled_function const* const config_node) {
+  char current_file_hash[SHA256_SIZE * 2];
+  compute_hash(current_filename, current_file_hash);
+  return (0 == strncmp(current_file_hash, config_node->hash, SHA256_SIZE));
+}
+static zend_always_inline char* get_complete_function_path(
+    zend_execute_data const* const execute_data) {
+  char const* class_name;
+  char const* const function_name =
+      ZSTR_VAL(execute_data->func->common.function_name);
+  char* complete_path_function = NULL;
+  class_name = get_active_class_name(NULL);
+  if (*class_name) {
+    const size_t len = strlen(class_name) + 2 + strlen(function_name) + 1;
+    complete_path_function = emalloc(len);
+    snprintf(complete_path_function, len, "%s::%s", class_name, function_name);
+  } else {
+    complete_path_function = estrdup(function_name);
+  }
+  return complete_path_function;
+}
+static bool is_local_var_matching(zend_execute_data *execute_data, const sp_disabled_function *const config_node) {
+  zend_execute_data *orig_execute_data = execute_data;
+  
+  /*because execute_data points to hooked function data,
+   which we dont care about */
+  zend_execute_data *current = execute_data->prev_execute_data;
+  zval *value = NULL;
+  
+  while (current) {
+    zend_string *key = NULL;
+    EG(current_execute_data) = current;
+    zend_array *symtable = zend_rebuild_symbol_table();
+    ZEND_HASH_FOREACH_STR_KEY_VAL(symtable, key, value) {
+      if (0 == strcmp(config_node->var, key->val)) { // is the var name right?
+        if (Z_TYPE_P(value) == IS_INDIRECT) {
+          value = Z_INDIRECT_P(value);
+        }
+        if (Z_TYPE_P(value) != IS_ARRAY) {
+          char *var_value_str = sp_convert_to_string(value);
+          if (true == sp_match_value(var_value_str, config_node->value, config_node->regexp)) {
+            efree(var_value_str);
+            EG(current_execute_data) = orig_execute_data;
+            return true;
+          }
+          efree(var_value_str);
+        }
+        else {
+          EG(current_execute_data) = orig_execute_data;
+          return sp_match_array_key_recurse(value, config_node->var_array_keys, config_node->value, NULL);
+        }
+      }
+    }
+    ZEND_HASH_FOREACH_END();
+    current = current->prev_execute_data;
+  }
+  EG(current_execute_data) = orig_execute_data;
+  return false;
+}
+bool should_disable(zend_execute_data* execute_data) {
+  const char* current_filename = zend_get_executed_filename(TSRMLS_C);
+  const sp_node_t* config =
+      SNUFFLEUPAGUS_G(config).config_disabled_functions->disabled_functions;
+  const char* function_name =
+      ZSTR_VAL(execute_data->func->common.function_name);
+  char* complete_path_function;
+  char const* client_ip = sp_getenv("REMOTE_ADDR");
+  if (!function_name) {
+    return false;
+  }
+  if (!config || !config->data) {
+    return false;
+  }
+  complete_path_function = get_complete_function_path(execute_data);
+  while (config) {
+    sp_disabled_function const* const config_node =
+        (sp_disabled_function*)(config->data);
+    const char* arg_name = NULL;
+    const char* arg_value_str = NULL;
+    if (false == config_node->enable) {
+      goto next;
+    }
+    if (config_node->function) { /* Litteral match against the function name. */
+      if (0 != strcmp(config_node->function, complete_path_function)) {
+        goto next;
+      }
+    } else if (config_node->r_function) {
+      if (false ==
+          is_regexp_matching(config_node->r_function, complete_path_function)) {
+        goto next;
+      }
+    }
+    if (config_node->var) {
+      if (false == is_local_var_matching(execute_data, config_node)) {
+        goto next;
+      }
+    }
+    if (config_node->filename) { /* Check the current file name. */
+      if (0 != strcmp(current_filename, config_node->filename)) {
+        goto next;
+      }
+    } else if (config_node->r_filename) {
+      if (false ==
+          is_regexp_matching(config_node->r_filename, current_filename)) {
+        goto next;
+      }
+    }
+    if (config_node->hash) {
+      if (false == is_hash_matching(current_filename, config_node)) {
+        goto next;
+      }
+    }
+    if (client_ip && config_node->cidr &&
+        (false == cidr_match(client_ip, config_node->cidr))) {
+      goto next;
+    }
+    /* Check if we filter on parameter value*/
+    if (config_node->param || config_node->r_param) {
+      const unsigned int nb_param = execute_data->func->common.num_args;
+      bool arg_matched = false;
+      for (unsigned int i = 0; i < nb_param; i++) {
+        arg_matched = false;
+        if (ZEND_USER_CODE(execute_data->func->type)) {  // yay consistency
+          arg_name = ZSTR_VAL(execute_data->func->common.arg_info[i].name);
+        } else {
+          arg_name = execute_data->func->internal_function.arg_info[i].name;
+        }
+        const bool arg_matching =
+            config_node->param && (0 == strcmp(arg_name, config_node->param));
+        const bool pcre_matching =
+            config_node->r_param &&
+            (true == is_regexp_matching(config_node->r_param, arg_name));
+        /* This is the parameter name we're looking for. */
+        if (true == arg_matching || true == pcre_matching) {
+          zval* arg_value = ZEND_CALL_VAR_NUM(execute_data, i);
+          if (config_node->param_type) {  // Are we matching on the `type`?
+            if (config_node->param_type == Z_TYPE_P(arg_value)) {
+              arg_matched = true;
+              break;
+            }
+          } else if (Z_TYPE_P(arg_value) == IS_ARRAY) {
+            arg_value_str = estrdup("Array");
+            // match on arr -> match on all key content, if a key is an array,
+            // ignore it
+            // match on arr[foo] -> match only on key foo, if the key is an
+            // array, match on all keys content
+            if (config_node->param_is_array == true) {
+              if (true == sp_match_array_key_recurse(
+                              arg_value, config_node->param_array_keys,
+                              config_node->value, config_node->regexp)) {
+                arg_matched = true;
+                break;
+              }
+            } else {  // match on all keys, but don't go into subarray
+              if (true == sp_match_array_key(arg_value, config_node->value,
+                                             config_node->regexp)) {
+                arg_matched = true;
+                break;
+              }
+            }
+          } else {
+            arg_value_str = sp_convert_to_string(arg_value);
+            if (true == sp_match_value(arg_value_str, config_node->value,
+                                       config_node->regexp)) {
+              arg_matched = true;
+              break;
+            }
+          }
+        }
+      }
+      if (false == arg_matched) {
+        goto next;
+      }
+    }
+    /* Everything matched.*/
+    if (true == config_node->allow) {
+      goto allow;
+    }
+    sp_log_disable(complete_path_function, arg_name, arg_value_str,
+                   config_node);
+    if (true == config_node->simulation) {
+      goto next;
+    } else {  // We've got a match, the function won't be executed
+      efree(complete_path_function);
+      return true;
+    }
+next:
+config = config->next;
+  }
+allow:
+  efree(complete_path_function);
+  return false;
+}
+static bool should_drop_on_ret(zval* return_value,
+                               const zend_execute_data* const execute_data) {
+  const sp_node_t* config =
+      SNUFFLEUPAGUS_G(config).config_disabled_functions_ret->disabled_functions;
+  char* complete_path_function = get_complete_function_path(execute_data);
+  const char* current_filename = zend_get_executed_filename(TSRMLS_C);
+  if (!config || !config->data) {
+    return false;
+  }
+  while (config) {
+    char* ret_value_str = NULL;
+    sp_disabled_function const* const config_node =
+        (sp_disabled_function*)(config->data);
+    if (false == config_node->enable) {
+      goto next;
+    }
+    if (config_node->function) {
+      if (0 != strcmp(config_node->function, complete_path_function)) {
+        goto next;
+      }
+    } else if (config_node->r_function) {
+      if (false ==
+          is_regexp_matching(config_node->r_function, complete_path_function)) {
+        goto next;
+      }
+    }
+    if (config_node->filename) { /* Check the current file name. */
+      if (0 != strcmp(current_filename, config_node->filename)) {
+        goto next;
+      }
+    } else if (config_node->r_filename) {
+      if (false ==
+          is_regexp_matching(config_node->r_filename, current_filename)) {
+        goto next;
+      }
+    }
+    if (config_node->hash) {
+      if (false == is_hash_matching(current_filename, config_node)) {
+        goto next;
+      }
+    }
+    ret_value_str = sp_convert_to_string(return_value);  // FIXME memleak
+    bool match_type = (config_node->ret_type) &&
+                      (config_node->ret_type == Z_TYPE_P(return_value));
+    bool match_value = (config_node->ret || config_node->r_ret) &&
+                       (true == sp_match_value(ret_value_str, config_node->ret,
+                                               config_node->r_ret));
+    if (true == match_type || match_value) {
+      if (true == config_node->allow) {
+        efree(complete_path_function);
+        return false;
+      }
+      sp_log_disable_ret(complete_path_function, ret_value_str, config_node);
+      if (false == config_node->simulation) {
+        efree(complete_path_function);
+        return true;
+      }
+    }
+  next:
+    config = config->next;
+  }
+  efree(complete_path_function);
+  return false;
+}
+ZEND_FUNCTION(check_disabled_function) {
+  void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
+  const char* current_function_name = get_active_function_name(TSRMLS_C);
+  if (true == should_disable(execute_data)) {
+    return;
+  }
+  if ((orig_handler = zend_hash_str_find_ptr(
+           SNUFFLEUPAGUS_G(disabled_functions_hook), current_function_name,
+           strlen(current_function_name)))) {
+    orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+    if (true == should_drop_on_ret(return_value, execute_data)) {
+      zend_bailout();
+    }
+  } else {
+    sp_log_err(
+        "disabled_functions",
+        "Unable to find the pointer to the original function '%s' in the "
+        "hashtable.\n",
+        current_function_name);
+  }
+}
+static int hook_functions(const sp_node_t* config) {
+  while (config && config->data) {
+    const char* function_name = ((sp_disabled_function*)config->data)->function;
+    const pcre* function_name_regexp =
+        ((sp_disabled_function*)config->data)->r_function;
+    if (NULL != function_name) {  // hook function by name
+      HOOK_FUNCTION(function_name, disabled_functions_hook,
+                    PHP_FN(check_disabled_function), false);
+    } else if (NULL != function_name_regexp) {  // hook function by regexp
+      HOOK_FUNCTION_BY_REGEXP(function_name_regexp, disabled_functions_hook,
+                              PHP_FN(check_disabled_function), false);
+    } else {
+      return FAILURE;
+    }
+    config = config->next;
+  }
+  return SUCCESS;
+}
+int hook_disabled_functions(void) {
+  TSRMLS_FETCH();
+  int ret = SUCCESS;
+  ret |= hook_functions(
+      SNUFFLEUPAGUS_G(config).config_disabled_functions->disabled_functions);
+  ret |= hook_functions(SNUFFLEUPAGUS_G(config)
+                            .config_disabled_functions_ret->disabled_functions);
+  return ret;
+}
diff --git a/src/sp_disabled_functions.h b/src/sp_disabled_functions.h
new file mode 100644
index 0000000..680eabb
--- /dev/null
+++ b/src/sp_disabled_functions.h
@@ -0,0 +1,11 @@
+#ifndef __SP_DISABLE_FUNCTIONS_H
+#define __SP_DISABLE_FUNCTIONS_H
+#include "ext/hash/php_hash.h"
+#include "ext/hash/php_hash_sha.h"
+#include "ext/standard/md5.h"
+int hook_disabled_functions();
+bool should_disable(zend_execute_data* function_name);
+#endif /* __SP_DISABLE_FUNCTIONS_H */
diff --git a/src/sp_execute.c b/src/sp_execute.c
new file mode 100644
index 0000000..faf126c
--- /dev/null
+++ b/src/sp_execute.c
@@ -0,0 +1,100 @@
+#include "php_snuffleupagus.h"
+#include <errno.h>
+#include <string.h>
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus);
+static void (*orig_execute_ex)(zend_execute_data *execute_data);
+static int (*orig_zend_stream_open)(const char *filename,
+                                             zend_file_handle *handle);
+// FIXME handle symlink
+ZEND_COLD static inline void terminate_if_writable(const char *filename) {
+  if (0 == access(filename, W_OK)) {
+    if (true == SNUFFLEUPAGUS_G(config).config_readonly_exec->simulation) {
+      sp_log_msg("readonly_exec", LOG_NOTICE,
+        "Attempted execution of a writable file (%s).", filename);
+    } else {
+      sp_log_msg("readonly_exec", LOG_DROP,
+        "Attempted execution of a writable file (%s).", filename);
+      sp_terminate();
+    }
+  } else {
+    if (EACCES != errno) {
+      sp_log_err("Writable execution", "Error while accessing %s: %s", filename,
+        strerror(errno));
+    }
+  }
+}
+static void check_inclusion_regexp(const char * const filename) {
+  if (SNUFFLEUPAGUS_G(config).config_regexp_inclusion->regexp_inclusion) {
+    const sp_node_t* config = SNUFFLEUPAGUS_G(config).config_regexp_inclusion->regexp_inclusion;
+    if (!config || !config->data) {
+      return;
+    }
+    while (config) {
+      pcre *config_node = (pcre*)(config->data);
+      if (false == is_regexp_matching(config_node, filename)) {
+        sp_log_msg("include", LOG_DROP, "Inclusion of a forbidden file (%s).", filename);
+        sp_terminate();
+      }
+      config = config->next;
+    }
+  }
+}
+static void sp_execute_ex(zend_execute_data *execute_data) {
+  if (NULL == execute_data->func->common.function_name) {
+    goto execute;
+  }
+  if (true == should_disable(execute_data)) {
+    return;
+  }
+  if (execute_data->func->op_array.type == ZEND_EVAL_CODE) {
+    sp_log_debug("Currently in an eval\n");
+  }
+  if (NULL != execute_data->func->op_array.filename) {
+    if (true == SNUFFLEUPAGUS_G(config).config_readonly_exec->enable) {
+      terminate_if_writable(ZSTR_VAL(execute_data->func->op_array.filename));
+    }
+}
+execute:
+  orig_execute_ex(execute_data);
+}
+static int sp_stream_open(const char *filename,
+                                   zend_file_handle *handle) {
+  const zend_execute_data *data = EG(current_execute_data);
+  if ((NULL != data) && (NULL != data->opline) && 
+      (ZEND_INCLUDE_OR_EVAL == data->opline->opcode)) {
+    if (true == SNUFFLEUPAGUS_G(config).config_readonly_exec->enable) {
+      terminate_if_writable(filename);
+    }
+    check_inclusion_regexp(filename);
+  }
+  return orig_zend_stream_open(filename, handle);
+}
+int hook_execute(void) {
+  TSRMLS_FETCH();
+  /* zend_execute_ex is used for "classic" function calls */
+  orig_execute_ex = zend_execute_ex;
+  zend_execute_ex = sp_execute_ex;
+  /* zend_stream_open_function is used FIXME */
+  orig_zend_stream_open = zend_stream_open_function;
+  zend_stream_open_function = sp_stream_open;
+  /* zend_execute_internal is used for "indirect" functions call,
+   * like array_map or call_user_func. */
+  return SUCCESS;
+}
diff --git a/src/sp_execute.h b/src/sp_execute.h
new file mode 100644
index 0000000..8345736
--- /dev/null
+++ b/src/sp_execute.h
@@ -0,0 +1,6 @@
+#ifndef SP_EXECUTE_H
+#define SP_EXECUTE_H
+int hook_execute(void);
+#endif /* SP_EXECUTE_H */
diff --git a/src/sp_harden_rand.c b/src/sp_harden_rand.c
new file mode 100644
index 0000000..e0e35ff
--- /dev/null
+++ b/src/sp_harden_rand.c
@@ -0,0 +1,77 @@
+#include "php_snuffleupagus.h"
+extern ZEND_API zend_class_entry *zend_ce_error;
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+/* This function is needed because `rand` and `mt_rand` parameters
+ * are optional, while the ones from `random_int` aren't. */
+static void random_int_wrapper(INTERNAL_FUNCTION_PARAMETERS) {
+  zend_long min, max, result;
+  switch (EX_NUM_ARGS()) {
+  case 0:
+    min = 0;
+    max = PHP_MT_RAND_MAX;
+    break;
+  case 1:
+    ZEND_PARSE_PARAMETERS_START_EX(ZEND_PARSE_PARAMS_QUIET, 1, 1);
+    Z_PARAM_LONG(min);
+    ZEND_PARSE_PARAMETERS_END();
+    max = PHP_MT_RAND_MAX;
+    break;
+  case 2:
+  default:
+    ZEND_PARSE_PARAMETERS_START_EX(ZEND_PARSE_PARAMS_QUIET, 0, 2);
+    Z_PARAM_LONG(min);
+    Z_PARAM_LONG(max);
+    ZEND_PARSE_PARAMETERS_END();
+  }
+  if (min > max) {
+    if (php_random_int_throw(max, min, &result) == FAILURE) {
+      return;
+    }
+  } else {
+    if (php_random_int_throw(min, max, &result) == FAILURE) {
+      return;
+    }
+  }
+  RETURN_LONG(result);
+}
+PHP_FUNCTION(sp_rand) {
+  void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
+  if ((orig_handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook), "rand",
+                                             strlen("rand")))) {
+    /* call the original `rand` function,
+     * since we might no be the only ones to hook it*/
+    orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+  }
+  random_int_wrapper(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+}
+PHP_FUNCTION(sp_mt_rand) {
+  void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
+  if ((orig_handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook),
+                                             "mt_rand", strlen("mt_rand")))) {
+    /* call the original `mt_rand` function,
+     * since we might no be the only ones to hook it*/
+    orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+  }
+  random_int_wrapper(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+}
+int hook_rand() {
+  TSRMLS_FETCH();
+  HOOK_FUNCTION("rand", sp_internal_functions_hook, PHP_FN(sp_rand), false);
+  HOOK_FUNCTION("mt_rand", sp_internal_functions_hook, PHP_FN(sp_mt_rand), false);
+  return SUCCESS;
+}
diff --git a/src/sp_harden_rand.h b/src/sp_harden_rand.h
new file mode 100644
index 0000000..53ebdd0
--- /dev/null
+++ b/src/sp_harden_rand.h
@@ -0,0 +1,10 @@
+#ifndef __SP_HARDEN_RAND_H
+#define __SP_HARDEN_RAND_H
+#include "ext/standard/php_rand.h"
+#include "ext/standard/php_random.h"
+#include "zend_exceptions.h"
+int hook_rand();
+#endif /* __SP_HARDEN_RAND_H */
diff --git a/src/sp_list.c b/src/sp_list.c
new file mode 100644
index 0000000..04154b7
--- /dev/null
+++ b/src/sp_list.c
@@ -0,0 +1,37 @@
+#include "sp_list.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "php_snuffleupagus.h"
+void sp_list_free(sp_node_t *node) {
+  while(node) {
+    sp_node_t *tmp = node->next;
+    pefree(node, 1);
+    node = tmp;
+  }
+}
+sp_node_t *sp_new_list() {
+  sp_node_t *new = pecalloc(sizeof(*new), 1, 1);
+  new->next = new->data = new->head = NULL;
+  return new;
+}
+void sp_list_insert(sp_node_t *list, void *data) {
+  if (list->head == NULL) {
+    list->data = data;
+    list->next = NULL;
+    list->head = list;
+  } else {
+    sp_node_t *new = pecalloc(sizeof(*new), 1, 1);
+    new->data = data;
+    new->next = NULL;
+    new->head = list;
+    while (list->next) {
+      list = list->next;
+    }
+    list->next = new;
+  }
+}
diff --git a/src/sp_list.h b/src/sp_list.h
new file mode 100644
index 0000000..48b11f6
--- /dev/null
+++ b/src/sp_list.h
@@ -0,0 +1,15 @@
+#ifndef SP_LIST_H
+#define SP_LIST_H
+typedef struct sp_node_s {
+  struct sp_node_s *next;
+  struct sp_node_s *head;
+  void *data;
+} sp_node_t;
+sp_node_t *sp_new_list();
+void sp_list_insert(sp_node_t *, void *);
+void sp_list_free(sp_node_t *);
+#endif
diff --git a/src/sp_network_utils.c b/src/sp_network_utils.c
new file mode 100644
index 0000000..28bc324
--- /dev/null
+++ b/src/sp_network_utils.c
@@ -0,0 +1,159 @@
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include "php_snuffleupagus.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+static inline bool cidr4_match(const struct in_addr addr,
+                               const struct in_addr net, uint8_t bits);
+static inline bool cidr6_match(const struct in6_addr address,
+                               const struct in6_addr network, uint8_t bits);
+static inline int get_ip_version(const char *ip);
+void apply_mask_on_ip(char *out, const char *const remote_addr) {
+  uint8_t mask4 = SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv4;
+  uint8_t mask6 = SNUFFLEUPAGUS_G(config).config_cookie_encryption->mask_ipv6;
+  const int ip_version = get_ip_version(remote_addr);
+  memset(out, 0, 128);
+  if (ip_version == AF_INET) {
+    struct in_addr out4;
+    inet_pton(AF_INET, remote_addr, &out4);
+    const long n = out4.s_addr & htonl(0xFFFFFFFFu << (32 - mask4));
+    out[0] = (n >> 24) & 0xFF;
+    out[1] = (n >> 16) & 0xFF;
+    out[2] = (n >> 8) & 0xFF;
+    out[3] = (n >> 0) & 0xFF;
+  } else if (ip_version == AF_INET6) {
+    inet_pton(AF_INET6, remote_addr, out);
+    uint32_t *p_ip = (uint32_t *)out;
+    while (32 < mask6) {
+      *p_ip = 0xFFFFFFFFu;
+      p_ip++;
+      mask6 -= 32;
+    }
+    if (0 != mask6) {
+      *p_ip = htonl(0xFFFFFFFFu << (32 - mask6));
+    }
+  } else {
+    sp_log_err("ip_mask", "It seems that %s isn't a valid ip.", remote_addr);
+  }
+}
+/* http://fxr.watson.org/fxr/source/include/net/xfrm.h?v=linux-2.6#L840 */
+static inline bool cidr4_match(const struct in_addr addr,
+                               const struct in_addr net, uint8_t bits) {
+  if (bits == 0) {  // C99 6.5.7 (3): u32 << 32 is undefined behaviour
+    return true;
+  }
+  return !((addr.s_addr ^ net.s_addr) & htonl(0xFFFFFFFFu << (32 - bits)));
+}
+static inline bool cidr6_match(const struct in6_addr address,
+                               const struct in6_addr network, uint8_t bits) {
+  //#ifdef LINUX
+  const uint32_t *a = address.s6_addr32;
+  const uint32_t *n = network.s6_addr32;
+  /*
+#else
+  const uint32_t *a = address.__u6_addr.__u6_addr32;
+  const uint32_t *n = network.__u6_addr.__u6_addr32;
+#endif
+*/
+  int bits_whole, bits_incomplete;
+  bits_whole = bits >> 5;         // number of whole u32
+  bits_incomplete = bits & 0x1F;  // number of bits in incomplete u32
+  if (bits_whole) {
+    if (memcmp(a, n, bits_whole << 2)) {
+      return false;
+    }
+  }
+  if (bits_incomplete) {
+    uint32_t mask = htonl((0xFFFFFFFFu) << (32 - bits_incomplete));
+    if ((a[bits_whole] ^ n[bits_whole]) & mask) {
+      return false;
+    }
+  }
+  return true;
+}
+static inline int get_ip_version(const char *ip) {
+  struct in_addr out4;
+  struct in6_addr out6;
+  int res = inet_pton(AF_INET, ip, &out4);
+  if (0 == res) {
+    if (1 == inet_pton(AF_INET6, ip, &out6)) {
+      return AF_INET6;
+    } else {
+      return -1;
+    }
+  } else if (1 == res) {
+    return AF_INET;
+  } else {
+    return -1;
+  }
+}
+// TODO factorise a bit this function
+bool cidr_match(const char *ip, const sp_cidr *cidr) {
+  struct in_addr out4;
+  struct in6_addr out6;
+  switch (get_ip_version(ip)) {
+    case AF_INET:
+      if (AF_INET != cidr->ip_version) {
+        return false;
+      }
+      inet_pton(AF_INET, ip, &out4);
+      return cidr4_match(out4, cidr->ip.ipv4, cidr->mask);
+    case AF_INET6:
+      if (AF_INET6 != cidr->ip_version) {
+        return false;
+      }
+      inet_pton(AF_INET6, ip, &out6);
+      return cidr6_match(out6, cidr->ip.ipv6, cidr->mask);
+    default:
+      sp_log_err("cidr_match", "Weird ip (%s) family", ip);
+      break;
+  }
+  return false;
+}
+int get_ip_and_cidr(char *ip, sp_cidr *cidr) {
+  errno = 0;
+  char *mask = strchr(ip, '/');
+  if (NULL == mask) {
+    sp_log_err("config",
+                        "'%s' isn't a valid network mask, it seems that you forgot a '/'.",
+            ip);
+    return -1;
+  }
+  if (sscanf(mask + 1, "%hhu", &(cidr->mask)) != 1) {
+    sp_log_err("config", "'%s' isn't a valid network mask.", mask + 1);
+    return -1;
+  }
+  ip[mask - ip] = '\0';  // NULL the '/' char
+  cidr->ip_version = get_ip_version(ip);
+  if (AF_INET == cidr->ip_version) {
+    if (cidr->mask > 32) {
+      sp_log_err("config", "'%d' isn't a valid ipv4 mask.", cidr->mask);
+      return -1;
+    }
+    inet_pton(AF_INET, ip, &(cidr->ip.ipv4));
+  } else if (AF_INET6 == cidr->ip_version) {
+    inet_pton(AF_INET6, ip, &(cidr->ip.ipv6));
+  } else {
+    return -1;
+  }
+  ip[mask - ip] = '/';
+  return 0;
+}
diff --git a/src/sp_network_utils.h b/src/sp_network_utils.h
new file mode 100644
index 0000000..6b6ce92
--- /dev/null
+++ b/src/sp_network_utils.h
@@ -0,0 +1,8 @@
+#ifndef SP_NETWORK_UTILS_H
+#define SP_NETWORK_UTILS_H
+int get_ip_and_cidr(char *, sp_cidr *);
+bool cidr_match(const char *, const sp_cidr *);
+void apply_mask_on_ip(char *, const char * const);
+#endif /*SP_NETWORK_UTILS_H*/
diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c
new file mode 100644
index 0000000..b5b67b4
--- /dev/null
+++ b/src/sp_unserialize.c
@@ -0,0 +1,111 @@
+#include "php_snuffleupagus.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
+PHP_FUNCTION(sp_serialize) {
+  void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
+  /* Call the original `serialize` function. */
+  if ((orig_handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook),
+                                             "serialize", 9))) {
+    orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+  } else {
+    sp_log_err("disabled_functions",
+        "Unable to find the pointer to the original function 'serialize' in "
+        "the hashtable.\n");
+  }
+  /* Compute the HMAC of the textual representation of the serialized data*/
+  zval func_name;
+  zval hmac;
+  zval params[3];
+  ZVAL_STRING(&func_name, "hash_hmac");
+  ZVAL_STRING(&params[0], "sha256");
+  params[1] = *return_value;
+  ZVAL_STRING(&params[2],
+              SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key);
+  call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params);
+  size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac);
+  zend_string *res = zend_string_alloc(len, 0);
+  memcpy(ZSTR_VAL(res), Z_STRVAL_P(return_value), Z_STRLEN_P(return_value));
+  memcpy(ZSTR_VAL(res) + Z_STRLEN_P(return_value), Z_STRVAL(hmac),
+         Z_STRLEN(hmac));
+  ZSTR_VAL(res)[len] = '\0';
+  /* Append the computed HMAC to the serialized data. */
+  return_value->value.str = res;
+  return;
+}
+PHP_FUNCTION(sp_unserialize) {
+  void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
+  char *buf = NULL;
+  char *serialized_str = NULL;
+  char *hmac = NULL;
+  zval expected_hmac;
+  size_t buf_len = 0;
+  zval *opts = NULL;
+  if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|a", &buf, &buf_len, &opts) ==
+      FAILURE) {
+    RETURN_FALSE;
+  }
+  /* 64 is the length of HMAC-256 */
+  if (buf_len < 64) {
+    sp_log_msg("unserialize", LOG_DROP, "The serialized object is too small.");
+    RETURN_FALSE;
+  }
+  hmac = buf + buf_len - 64;
+  serialized_str = ecalloc(sizeof(*serialized_str) * (buf_len - 64 + 1), 1);
+  memcpy(serialized_str, buf, buf_len - 64);
+  zval func_name;
+  ZVAL_STRING(&func_name, "hash_hmac");
+  zval params[3];
+  ZVAL_STRING(&params[0], "sha256");
+  ZVAL_STRING(&params[1], serialized_str);
+  ZVAL_STRING(&params[2],
+              SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key);
+  call_user_function(CG(function_table), NULL, &func_name, &expected_hmac, 3,
+                     params);
+  unsigned int status = 0;
+  for (uint8_t i = 0; i < 64; i++) {
+    status |= (hmac[i] ^ (Z_STRVAL(expected_hmac))[i]);
+  }
+  if (0 == status) {
+    if ((orig_handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook),
+                                               "unserialize", 11))) {
+      orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+    }
+  } else {
+    if ( true == SNUFFLEUPAGUS_G(config).config_unserialize->simulation) {
+      sp_log_msg("unserialize", LOG_NOTICE, "Invalid HMAC for %s", serialized_str);
+      if ((orig_handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook),
+                                               "unserialize", 11))) {
+        orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+      }
+    } else {
+      sp_log_msg("unserialize", LOG_DROP, "Invalid HMAC for %s", serialized_str);
+    }
+  }
+  efree(serialized_str);
+  return;
+}
+int hook_serialize(void) {
+  TSRMLS_FETCH();
+  HOOK_FUNCTION("serialize", sp_internal_functions_hook, PHP_FN(sp_serialize), false);
+  HOOK_FUNCTION("unserialize", sp_internal_functions_hook, PHP_FN(sp_unserialize), false);
+  return SUCCESS;
+}
diff --git a/src/sp_unserialize.h b/src/sp_unserialize.h
new file mode 100644
index 0000000..557c60c
--- /dev/null
+++ b/src/sp_unserialize.h
@@ -0,0 +1,9 @@
+#ifndef SP_UNSERIALIZE_H
+#define SP_UNSERIALIZE_H
+int hook_serialize(void);
+PHP_FUNCTION(sp_serialize);
+PHP_FUNCTION(sp_unserialize);
+#endif /* SP_UNSERIALIZE_H */
diff --git a/src/sp_upload_validation.c b/src/sp_upload_validation.c
new file mode 100644
index 0000000..bbd7eae
--- /dev/null
+++ b/src/sp_upload_validation.c
@@ -0,0 +1,92 @@
+#include "php_snuffleupagus.h"
+#include "rfc1867.h"
+ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus);
+#define EFREE_3(env)               \
+  for (size_t i = 0; i < 4; i++) { \
+    efree(env[i]);                 \
+  }
+void hook_upload() {
+  sp_rfc1867_orig_callback = php_rfc1867_callback;
+  php_rfc1867_callback = sp_rfc1867_callback;
+}
+int sp_rfc1867_callback(unsigned int event, void *event_data, void **extra) {
+  int retval = SUCCESS;
+  if (sp_rfc1867_orig_callback) {
+    retval = sp_rfc1867_orig_callback(event, event_data, extra);
+  }
+  if (event == MULTIPART_EVENT_END) {
+    zend_string *file_key __attribute__((unused)) = NULL;
+    zval *file;
+    pid_t pid;
+    sp_log_debug(
+        "Got %d files",
+        zend_hash_num_elements(Z_ARRVAL(PG(http_globals)[TRACK_VARS_FILES])));
+    ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL(PG(http_globals)[TRACK_VARS_FILES]),
+                                  file_key, file) {  // for each uploaded file
+      char *filename =
+          Z_STRVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "name", 4));
+      char *tmp_name =
+          Z_STRVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "tmp_name", 8));
+      size_t filesize =
+          Z_LVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "size", 4));
+      char *cmd[3] = {0};
+      char *env[5] = {0};
+      sp_log_debug("Filename: %s\nTmpname: %s\nSize: %d\nError: %d\nScript: %s",
+                   filename, tmp_name, filesize,
+                   Z_LVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "error", 5)),
+                   SNUFFLEUPAGUS_G(config).config_upload_validation->script);
+      cmd[0] = SNUFFLEUPAGUS_G(config).config_upload_validation->script;
+      cmd[1] = tmp_name;
+      cmd[2] = NULL;
+      spprintf(&env[0], 0, "SP_FILENAME=%s", filename);
+      spprintf(&env[1], 0, "SP_REMOTE_ADDR=%s", sp_getenv("REMOTE_ADDR"));
+      spprintf(&env[2], 0, "SP_CURRENT_FILE=%s",
+               zend_get_executed_filename(TSRMLS_C));
+      spprintf(&env[3], 0, "SP_FILESIZE=%zu", filesize);
+      env[4] = NULL;
+      if ((pid = fork()) == 0) {
+        if (execve(SNUFFLEUPAGUS_G(config).config_upload_validation->script,
+                   cmd, env) == -1) {
+          sp_log_err("upload_validation", "Could not call '%s' : %s",
+                     SNUFFLEUPAGUS_G(config).config_upload_validation->script,
+                     strerror(errno));
+          EFREE_3(env);
+          exit(1);
+        }
+      } else if (pid == -1) {
+        sp_log_err("upload_validation", "Could not fork process : %s\n",
+                   strerror(errno));
+        EFREE_3(env);
+        continue;
+      }
+      EFREE_3(env);
+      int waitstatus;
+      wait(&waitstatus);
+      if (WEXITSTATUS(waitstatus) != 0) {  // Nope
+        char *uri = sp_getenv("REQUEST_URI");
+        int sim = SNUFFLEUPAGUS_G(config).config_upload_validation->simulation;
+        sp_log_msg("upload_valiation", sim?LOG_NOTICE:LOG_DROP,
+          "The upload of %s on %s was rejected.", filename, uri?uri:"?");
+        if (!SNUFFLEUPAGUS_G(config).config_upload_validation->simulation) {
+          zend_bailout();
+        }
+      }
+    }
+    ZEND_HASH_FOREACH_END();
+  }
+  return retval;
+}
diff --git a/src/sp_upload_validation.h b/src/sp_upload_validation.h
new file mode 100644
index 0000000..3d59527
--- /dev/null
+++ b/src/sp_upload_validation.h
@@ -0,0 +1,9 @@
+#ifndef __SP_UPLOAD_VALIDATION_H__
+#define __SP_UPLOAD_VALIDATION_H__
+void hook_upload();
+int (*sp_rfc1867_orig_callback)(unsigned int event, void *event_data, void **extra);
+int sp_rfc1867_callback(unsigned int event, void *event_data, void **extra);
+#endif
diff --git a/src/sp_utils.c b/src/sp_utils.c
new file mode 100644
index 0000000..087f431
--- /dev/null
+++ b/src/sp_utils.c
@@ -0,0 +1,425 @@
+#include "php_snuffleupagus.h"
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+static inline void _sp_log_err(const char* fmt, ...) {
+  char* msg;
+  va_list args;
+  va_start(args, fmt);
+  vspprintf(&msg, 0, fmt, args);
+  va_end(args);
+  php_log_err(msg);
+}
+void sp_log_msg(char const *feature, char const *level, const char* fmt, ...) {
+  char* msg;
+  va_list args;
+  va_start(args, fmt);
+  vspprintf(&msg, 0, fmt, args);
+  va_end(args);
+  char const * const client_ip = sp_getenv("REMOTE_ADDR");
+  _sp_log_err("[snuffleupagus][%s][%s][%s] %s", client_ip?client_ip:"0.0.0.0",
+    feature, level, msg);
+}
+int compute_hash(const char* const filename, char* file_hash) {
+  unsigned char buf[1024];
+  unsigned char digest[SHA256_SIZE];
+  PHP_SHA256_CTX context;
+  size_t n;
+  php_stream* stream =
+      php_stream_open_wrapper(filename, "rb", REPORT_ERRORS, NULL);
+  if (!stream) {
+    sp_log_err("hash_computation", "Can not open the file %s to compute its hash.\n", filename);
+    return -1;
+  }
+  PHP_SHA256Init(&context);
+  while ((n = php_stream_read(stream, (char*)buf, sizeof(buf))) > 0) {
+    PHP_SHA256Update(&context, buf, n);
+  }
+  PHP_SHA256Final(digest, &context);
+  php_stream_close(stream);
+  make_digest_ex(file_hash, digest, SHA256_SIZE);
+  return 0;
+}
+static void construct_filename(char* filename, const char* folder) {
+  time_t t = time(NULL);
+  struct tm* tm = localtime(&t);  // FIXME use `localtime_r` instead
+  struct timeval tval;
+  struct stat st = {0};
+  if (-1 == stat(folder, &st)) {
+    mkdir(folder, 0700);
+  }
+  memcpy(filename, folder, strlen(folder));
+  strcat(filename, "sp_dump_");
+  strftime(filename + strlen(filename), 27, "%F_%T:", tm);
+  gettimeofday(&tval, NULL);
+  sprintf(filename + strlen(filename), "%04ld", tval.tv_usec);
+  strcat(filename, "_");
+  char* remote_addr = getenv("REMOTE_ADDR");
+  if (remote_addr) {
+    strcat(filename, remote_addr);
+  } else {
+    strcat(filename, "0.0.0.0");
+  }
+  strcat(filename, ".dump");
+}
+int sp_log_request(const char* folder) {
+  FILE* file;
+  const char* current_filename = zend_get_executed_filename(TSRMLS_C);
+  const int current_line = zend_get_executed_lineno(TSRMLS_C);
+  char filename[MAX_FOLDER_LEN] = {0};
+  const struct {
+    const char* str;
+    const int key;
+  } zones[] = {{"GET", TRACK_VARS_GET},       {"POST", TRACK_VARS_POST},
+               {"COOKIE", TRACK_VARS_COOKIE}, {"SERVER", TRACK_VARS_SERVER},
+               {"ENV", TRACK_VARS_ENV},       {NULL, 0}};
+  construct_filename(filename, folder);
+  if (NULL == (file = fopen(filename, "a"))) {
+    sp_log_err("request_logging", "Unable to open %s", filename);
+    return -1;
+  }
+  fprintf(file, "%s:%d\n", current_filename, current_line);
+  for (size_t i = 0; i < (sizeof(zones) / sizeof(zones[0])) - 1; i++) {
+    zval* variable_value;
+    zend_string* variable_key;
+    size_t params_len = strlen(zones[i].str) + 1;
+    char* param;
+    size_t size_max = 2048;
+    if (Z_TYPE(PG(http_globals)[zones[i].key]) == IS_UNDEF) {
+      continue;
+    }
+    const HashTable* ht = Z_ARRVAL(PG(http_globals)[zones[i].key]);
+    // Compute the size of the allocation
+    ZEND_HASH_FOREACH_STR_KEY_VAL(ht, variable_key, variable_value) {
+      params_len += snprintf(NULL, 0, "%s=%s&", ZSTR_VAL(variable_key),
+                             Z_STRVAL_P(variable_value));
+    }
+    ZEND_HASH_FOREACH_END();
+    params_len = params_len>size_max?size_max:params_len;
+#define NCAT_AND_DEC(a, b, c) strncat(a, b, c); c -= strlen(b);
+    // Allocate and copy the data
+    // FIXME Why are we even allocating?
+    param = pecalloc(params_len, 1, 0);
+    NCAT_AND_DEC(param, zones[i].str, params_len);
+    NCAT_AND_DEC(param, ":", params_len);
+    ZEND_HASH_FOREACH_STR_KEY_VAL(ht, variable_key, variable_value) {
+      NCAT_AND_DEC(param, ZSTR_VAL(variable_key), params_len);
+      NCAT_AND_DEC(param, "=", params_len);
+      NCAT_AND_DEC(param, Z_STRVAL_P(variable_value), params_len);
+      NCAT_AND_DEC(param, "&", params_len);
+    }
+    ZEND_HASH_FOREACH_END();
+    param[strlen(param) - 1] = '\0';
+    fputs(param, file);
+    fputs("\n", file);
+  }
+  fclose(file);
+#undef CAT_AND_DEC
+  return 0;
+}
+static char *zv_str_to_char(zval *zv) {
+  zval copy;
+  char *ret;
+  ZVAL_ZVAL(&copy, zv, 1, 0);
+  //  str = zend_string_dup(Z_STR_P(zv), 0);
+  for (size_t i = 0; i < Z_STRLEN(copy); i++) {
+    if (Z_STRVAL(copy)[i] == '\0') {
+      Z_STRVAL(copy)[i] = '0';
+    }
+  }
+  ret = estrdup(Z_STRVAL(copy));
+  //  zend_string_release(str);
+  return ret;  
+}
+char* sp_convert_to_string(zval* zv) {
+  switch (Z_TYPE_P(zv)) {
+    case IS_FALSE:
+      return estrdup("FALSE");
+    case IS_TRUE:
+      return estrdup("TRUE");
+    case IS_NULL:
+      return estrdup("NULL");
+    case IS_LONG: {
+        char *msg;
+        spprintf(&msg, 0, ZEND_LONG_FMT, Z_LVAL_P(zv));
+        return msg;
+      }
+    case IS_DOUBLE: {
+        char *msg;
+        spprintf(&msg, 0, "%f", Z_DVAL_P(zv));
+        return msg;
+      }
+    case IS_STRING:{
+      return zv_str_to_char(zv);
+      }
+    case IS_OBJECT:
+      return estrdup("OBJECT");
+    case IS_ARRAY:
+      return estrdup("ARRAY");
+    case IS_RESOURCE:
+      return estrdup("RESOURCE");
+  }
+  return estrdup("");
+}
+bool sp_match_value(const char* value, const char* to_match, const pcre* rx) {
+  if (to_match) {
+    if (0 == strcmp(value, to_match)) {
+      return true;
+    }
+  } else if (rx) {
+    int substrvec[30];
+    int ret = pcre_exec(rx, NULL, value, strlen(value), 0, 0, substrvec, 30);
+    if (ret < 0) {
+      if (ret != PCRE_ERROR_NOMATCH) {
+        sp_log_err("regexp", "Something went wrong with a regexp.");
+        return false;
+      }
+      return false;
+    }
+    return true;
+  }
+  return false;
+}
+void sp_log_disable(const char* restrict path, const char* restrict arg_name,
+                    const char* restrict arg_value,
+                    const sp_disabled_function* config_node) {
+  const char* dump = config_node->dump;
+  const char* alias = config_node->alias;
+  const int sim = config_node->simulation;
+  if (arg_name) {
+    if (alias) {
+      sp_log_msg("disabled_function", sim?LOG_NOTICE:LOG_DROP,
+          "The call to the function '%s' in %s:%d has been disabled, "
+          "because its argument '%s' content (%s) matched the rule '%s'.",
+          path, zend_get_executed_filename(TSRMLS_C),
+          zend_get_executed_lineno(TSRMLS_C), arg_name, arg_value?arg_value:"?",
+           alias);
+    } else {
+      sp_log_msg("disabled_function", sim?LOG_NOTICE:LOG_DROP,
+          "The call to the function '%s' in %s:%d has been disabled, "
+          "because its argument '%s' content (%s) matched a rule.",
+          path, zend_get_executed_filename(TSRMLS_C),
+          zend_get_executed_lineno(TSRMLS_C), arg_name,
+           arg_value?arg_value:"?");
+    }
+  } else {
+    if (alias) {
+      sp_log_msg("disabled_function", sim?LOG_NOTICE:LOG_DROP,
+          "The call to the function '%s' in %s:%d has been disabled, "
+          "because of the the rule '%s'.",path,
+          zend_get_executed_filename(TSRMLS_C),
+          zend_get_executed_lineno(TSRMLS_C), alias);
+    } else {
+      sp_log_msg("disabled_function", sim?LOG_NOTICE:LOG_DROP,
+                 "The call to the function '%s' in %s:%d has been disabled.",
+                                 path, zend_get_executed_filename(TSRMLS_C),
+                 zend_get_executed_lineno(TSRMLS_C));
+    }
+  }
+  if (dump) {
+    sp_log_request(config_node->dump);
+  }
+}
+void sp_log_disable_ret(const char* restrict path,
+                        const char* restrict ret_value,
+                        const sp_disabled_function* config_node) {
+  const char* dump = config_node->dump;
+  const char* alias = config_node->alias;
+  const int sim = config_node->simulation;
+  if (alias) {
+    sp_log_msg("disabled_function", sim?LOG_NOTICE:LOG_DROP,
+        "The execution has been aborted in %s:%d, "
+        "because the function '%s' returned '%s', which matched the rule '%s'.",
+        zend_get_executed_filename(TSRMLS_C),
+        zend_get_executed_lineno(TSRMLS_C), path, ret_value?ret_value:"?", alias);
+  } else {
+    sp_log_msg("disabled_function", sim?LOG_NOTICE:LOG_DROP,
+        "The execution has been aborted in %s:%d, "
+        "because the return value (%s) of the function '%s' matched a rule.",
+        zend_get_executed_filename(TSRMLS_C),
+        zend_get_executed_lineno(TSRMLS_C), ret_value?ret_value:"?", path);
+  }
+  if (dump) {
+    sp_log_request(dump);
+  }
+}
+int sp_match_array_key(const zval* zv, const char* to_match, const pcre* rx) {
+  zend_string* key;
+  zval* value;
+  char* arg_value_str;
+  ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zv), key, value) {
+    if (Z_TYPE_P(value) == IS_ARRAY) {
+      continue;
+    }
+    arg_value_str = sp_convert_to_string(value);
+    if (!sp_match_value(arg_value_str, to_match, rx)) {
+      efree(arg_value_str);
+      continue;
+    } else {
+      efree(arg_value_str);
+      return 1;
+    }
+  }
+  ZEND_HASH_FOREACH_END();
+  (void)key;  // silence a compiler warning
+  return 0;
+}
+int sp_match_array_key_recurse(const zval* arr, sp_node_t* keys,
+                               const char* to_match, const pcre* rx) {
+  zend_string* key;
+  zval* value;
+  sp_node_t* current = keys;
+  if (current == NULL) {
+    return 0;
+  }
+  ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(arr), key, value) {
+    if (Z_TYPE_P(value) == IS_ARRAY && !strcmp(ZSTR_VAL(key), current->data)) {
+      return sp_match_array_key_recurse(value, current->next, to_match, rx);
+    }
+    if (!strcmp(ZSTR_VAL(key), current->data) && current->next == NULL) {
+      if (!to_match && !rx) {
+        return 1;
+      }
+      if (Z_TYPE_P(value) == IS_ARRAY) {
+        return sp_match_array_key(value, to_match, rx);
+      } else {
+        char *value_str = sp_convert_to_string(value);
+        if (sp_match_value(value_str, to_match, rx)) {
+          efree(value_str);
+          return 1;
+        } else {
+          efree (value_str);
+          return 0;
+        }
+      }
+    }
+  }
+  ZEND_HASH_FOREACH_END();
+  return 0;
+}
+zend_always_inline char* sp_getenv(char* var) {
+  if (sapi_module.getenv) {
+    return sapi_module.getenv(ZEND_STRL(var));
+  } else {
+    return getenv(var);
+  }
+}
+zend_always_inline int is_regexp_matching(const pcre* regexp, const char* str) {
+  int vec[30];
+  int ret = pcre_exec(regexp, NULL, str, strlen(str), 0, 0, vec, sizeof(vec));
+  if (ret < 0) {
+    if (ret != PCRE_ERROR_NOMATCH) {
+      sp_log_err("regexp", "Something went wrong with a regexp.");
+    }
+    return false;
+  }
+  return true;
+}
+int hook_function(const char* original_name, HashTable* hook_table,
+                  void (*new_function)(INTERNAL_FUNCTION_PARAMETERS),
+                  bool hook_execution_table) {
+  zend_internal_function* func;
+  HashTable *ht = hook_execution_table==true?EG(function_table):CG(function_table);
+  /* The `mb` module likes to hook functions, like strlen->mb_strlen,
+   * so we have to hook both of them. */
+  if (0 == strncmp(original_name, "mb_", 3)) {
+    CG(compiler_options) |= ZEND_COMPILE_NO_BUILTIN_STRLEN;
+    if (zend_hash_str_find(ht,
+                           VAR_AND_LEN(original_name + 3))) {
+      hook_function(original_name + 3, hook_table, new_function, hook_execution_table);
+    }
+  } else {  // TODO this can be moved somewhere else to gain some marginal perfs
+    CG(compiler_options) |= ZEND_COMPILE_NO_BUILTIN_STRLEN;
+    char* mb_name = pecalloc(strlen(original_name) + 3 + 1, 1, 0);
+    memcpy(mb_name, "mb_", 3);
+    memcpy(mb_name + 3, VAR_AND_LEN(original_name));
+    if (zend_hash_str_find(CG(function_table), VAR_AND_LEN(mb_name))) {
+      hook_function(mb_name, hook_table, new_function, hook_execution_table);
+    }
+  }
+  if ((func = zend_hash_str_find_ptr(CG(function_table),
+                                     VAR_AND_LEN(original_name)))) {
+    if (func->handler == new_function) {
+      /* Success !*/
+    } else if (zend_hash_str_add_new_ptr((hook_table),
+                                         VAR_AND_LEN(original_name),
+                                         func->handler) == NULL) {
+      sp_log_err("function_pointer_saving",
+                          "Could not save function pointer for %s", original_name);
+      return FAILURE;
+    } else {
+      func->handler = new_function;
+    }
+  }
+  return SUCCESS;
+}
+int hook_regexp(const pcre* regexp, HashTable* hook_table,
+                void (*new_function)(INTERNAL_FUNCTION_PARAMETERS),
+                bool hook_execution_table) {
+  zend_string* key;
+  HashTable *ht = hook_execution_table==true?EG(function_table):CG(function_table);
+  ZEND_HASH_FOREACH_STR_KEY(ht, key) {
+    if (key) {
+      int vec[30];
+      int ret = pcre_exec(regexp, NULL, key->val, key->len, 0, 0, vec, 30);
+      if (ret < 0) { /* Error or no match*/
+        if (PCRE_ERROR_NOMATCH != ret) {
+          sp_log_err("pcre", "Runtime error with pcre, error code: %d", ret);
+          return FAILURE;
+        }
+        continue;
+      }
+      hook_function(key->val, hook_table, new_function, hook_execution_table);
+    }
+  }
+  ZEND_HASH_FOREACH_END();
+  return SUCCESS;
+}
diff --git a/src/sp_utils.h b/src/sp_utils.h
new file mode 100644
index 0000000..37dd2c0
--- /dev/null
+++ b/src/sp_utils.h
@@ -0,0 +1,68 @@
+#ifndef SP_UTILS_H
+#define SP_UTILS_H
+#include "sp_config.h"
+#include "sp_list.h"
+#if defined(__GNUC__)
+# if __GNUC__ >= 3
+#  define sp_pure __attribute__((pure))
+#  define sp_const __attribute__((const))
+# else
+#  define sp_pure
+#  define sp_const
+# endif
+#endif
+/* The dump filename are of the form
+ * `sp_dump_DATE_IPADDR.dump`, with:
+ * - DATE being the output of asctime, 26 chars long
+ * - IP_ADDR being an IP adress, with a maximum size of 15
+ *
+ *   We keep one char for the terminal \0, and one for the leading slash.
+ */
+#define MAX_FOLDER_LEN                                        \
+  PATH_MAX - 1 - sizeof("sp_dump_") - 26 - sizeof("_") - 15 - \
+      sizeof(".dump") - 1
+#define VAR_AND_LEN(var) var, strlen(var)
+#define SHA256_SIZE 32
+#define HOOK_FUNCTION(original_name, hook_table, new_function, execution) \
+  hook_function(original_name, SNUFFLEUPAGUS_G(hook_table), new_function, execution)
+#define HOOK_FUNCTION_BY_REGEXP(regexp, hook_table, new_function, execution) \
+  hook_regexp(regexp, SNUFFLEUPAGUS_G(hook_table), new_function, execution)
+#define LOG_NOTICE "notice"
+#define LOG_DROP "drop"
+#define LOG_DEBUG "debug"
+#define LOG_ERROR "error"
+#define sp_log_err(feature, ...) sp_log_msg(feature, LOG_ERROR, __VA_ARGS__)
+#ifdef SP_DEBUG
+    #define sp_log_debug(...) sp_log_msg("DEBUG", LOG_DEBUG, __VA_ARGS__)
+#else
+    #define sp_log_debug(...)
+#endif
+void sp_log_msg(char const *feature, char const *level, const char* fmt, ...);
+int compute_hash(const char *const filename, char *file_hash);
+char *sp_convert_to_string(zval *);
+bool sp_match_value(const char *, const char *, const pcre *);
+int sp_match_array_key(const zval *, const char *, const pcre *);
+int sp_match_array_key_recurse(const zval *, sp_node_t *, const char *,
+                               const pcre *);
+void sp_log_disable(const char *restrict, const char *restrict,
+                    const char *restrict, const sp_disabled_function *);
+void sp_log_disable_ret(const char *restrict, const char *restrict,
+                        const sp_disabled_function *);
+char *sp_getenv(char *);
+int is_regexp_matching(const pcre *, const char *);
+int hook_function(const char *, HashTable *,
+                  void (*)(INTERNAL_FUNCTION_PARAMETERS), bool);
+int hook_regexp(const pcre *, HashTable *,
+                void (*)(INTERNAL_FUNCTION_PARAMETERS), bool);
+#endif /* SP_UTILS_H */
diff --git a/src/tests/broken_conf.phpt b/src/tests/broken_conf.phpt
new file mode 100644
index 0000000..ae0ef6e
--- /dev/null
+++ b/src/tests/broken_conf.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration prefix for 'this is a broken line'.
diff --git a/src/tests/broken_conf2.phpt b/src/tests/broken_conf2.phpt
new file mode 100644
index 0000000..88a2232
--- /dev/null
+++ b/src/tests/broken_conf2.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf2.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration section 'sp.wrong'.
diff --git a/src/tests/broken_conf_config_regexp.phpt b/src/tests/broken_conf_config_regexp.phpt
new file mode 100644
index 0000000..75bc603
--- /dev/null
+++ b/src/tests/broken_conf_config_regexp.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_config_regexp.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Failed to compile '*.': nothing to repeat.
+[snuffleupagus][0.0.0.0][config][error] '.filename_r()' is expecting a valid regexp, and not '"*."'.
diff --git a/src/tests/broken_conf_enable_disable.phpt b/src/tests/broken_conf_enable_disable.phpt
new file mode 100644
index 0000000..2f3fe19
--- /dev/null
+++ b/src/tests/broken_conf_enable_disable.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Global strict mode
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/borken_conf_enable_disable.ini
+--FILE--
+--EXPECTF--
+[snuffleupagus][0.0.0.0][config][error] A rule can't be enabled and disabled.
diff --git a/src/tests/broken_conf_expecting_bool.phpt b/src/tests/broken_conf_expecting_bool.phpt
new file mode 100644
index 0000000..80e1b61
--- /dev/null
+++ b/src/tests/broken_conf_expecting_bool.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bad boolean value in configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_expecting_bool.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Trailing chars '337);' at the end of '.enable(1337);'.
diff --git a/src/tests/broken_conf_expecting_int.phpt b/src/tests/broken_conf_expecting_int.phpt
new file mode 100644
index 0000000..e806337
--- /dev/null
+++ b/src/tests/broken_conf_expecting_int.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bad integer value in configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_expecting_int.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][error][error] .mask_ipv4() is expecting a valid integer.
diff --git a/src/tests/broken_conf_invalid_cidr.phpt b/src/tests/broken_conf_invalid_cidr.phpt
new file mode 100644
index 0000000..515091b
--- /dev/null
+++ b/src/tests/broken_conf_invalid_cidr.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_cidr.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] '42' isn't a valid ipv4 mask.
diff --git a/src/tests/broken_conf_invalid_cidr6.phpt b/src/tests/broken_conf_invalid_cidr6.phpt
new file mode 100644
index 0000000..d20cfcd
--- /dev/null
+++ b/src/tests/broken_conf_invalid_cidr6.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_cidr6.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] 'ZZZ' isn't a valid network mask.
diff --git a/src/tests/broken_conf_invalid_cidr6_no_slash.phpt b/src/tests/broken_conf_invalid_cidr6_no_slash.phpt
new file mode 100644
index 0000000..de70a05
--- /dev/null
+++ b/src/tests/broken_conf_invalid_cidr6_no_slash.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration, invalid cidr for ipv6 because there is no `/` in it
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_cidr6_no_slash.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] '2001:0db8:0000:0000:0000:ff00:0042:8329' isn't a valid network mask, it seems that you forgot a '/'.
diff --git a/src/tests/broken_conf_invalid_cidr6_too_big.phpt b/src/tests/broken_conf_invalid_cidr6_too_big.phpt
new file mode 100644
index 0000000..47d4a5d
--- /dev/null
+++ b/src/tests/broken_conf_invalid_cidr6_too_big.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration, cidr for ipv6 is too big, that will `mod` to 25.
+(13337%128 = 25)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_cidr6_too_big.ini
+--FILE--
+--EXPECT--
diff --git a/src/tests/broken_conf_invalid_cidr_value.phpt b/src/tests/broken_conf_invalid_cidr_value.phpt
new file mode 100644
index 0000000..712f123
--- /dev/null
+++ b/src/tests/broken_conf_invalid_cidr_value.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Broken configuration, invalid cidr value
+(13337%128 = 25)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_cidr_value.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][error][error] There is an issue with the parsing of '"': it doesn't look like a valid string.
+[snuffleupagus][0.0.0.0][config][error] " doesn't contain a valid cidr.
diff --git a/src/tests/broken_conf_invalid_type.phpt b/src/tests/broken_conf_invalid_type.phpt
new file mode 100644
index 0000000..29d2ff5
--- /dev/null
+++ b/src/tests/broken_conf_invalid_type.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken conf with wrong type
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_type.ini
+--FILE--
+--EXPECTF--
+[snuffleupagus][0.0.0.0][error][error] There is an issue with the parsing of '"totally_wrong"_type")': it doesn't look like a valid string.
diff --git a/src/tests/broken_conf_line_empty_string.phpt b/src/tests/broken_conf_line_empty_string.phpt
new file mode 100644
index 0000000..c4334b9
--- /dev/null
+++ b/src/tests/broken_conf_line_empty_string.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Configuration line with an empty string
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_line_empty_string.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][error][error] There is an issue with the parsing of '': it doesn't look like a valid string.
diff --git a/src/tests/broken_conf_line_no_closing.phpt b/src/tests/broken_conf_line_no_closing.phpt
new file mode 100644
index 0000000..07c94e4
--- /dev/null
+++ b/src/tests/broken_conf_line_no_closing.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Configuration line without closing parenthese
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_line_no_closing.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][error][error] There is an issue with the parsing of '"123"': it doesn't look like a valid string.
diff --git a/src/tests/broken_conf_line_too_long.phpt b/src/tests/broken_conf_line_too_long.phpt
new file mode 100644
index 0000000..8e82708
--- /dev/null
+++ b/src/tests/broken_conf_line_too_long.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Line too long in configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_line_too_long.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] The following line is too long: 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111);.
+[snuffleupagus][0.0.0.0][error][error] .mask_ipv4() is expecting a valid integer.
diff --git a/src/tests/broken_conf_lots_of_quotes.phpt b/src/tests/broken_conf_lots_of_quotes.phpt
new file mode 100644
index 0000000..e877cfa
--- /dev/null
+++ b/src/tests/broken_conf_lots_of_quotes.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Configuration line with too many quotes
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_lots_of_quotes.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][error][error] There is an issue with the parsing of '"this\"is a weird\"\"\"cookie\"name"");': it doesn't look like a valid string.
diff --git a/src/tests/broken_conf_mutually_exclusive.phpt b/src/tests/broken_conf_mutually_exclusive.phpt
new file mode 100644
index 0000000..9de7e5a
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").param("id").value("42").value_r("^id$").drop();':'.value' and '.regexp' are mutually exclusives.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive2.phpt b/src/tests/broken_conf_mutually_exclusive2.phpt
new file mode 100644
index 0000000..9d3ea36
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive2.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive2.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").function_r("system").param("id").value("42").drop();': '.r_function' and '.function' are mutually exclusive.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive3.phpt b/src/tests/broken_conf_mutually_exclusive3.phpt
new file mode 100644
index 0000000..58686a3
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive3.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive3.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").param("id").value("42").filename_r("^id$").filename("pouet.txt").drop();':'.r_filename' and '.filename' are mutually exclusive.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive4.phpt b/src/tests/broken_conf_mutually_exclusive4.phpt
new file mode 100644
index 0000000..d854380
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive4.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive4.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").param("id").value("42").param_r("^id$").drop();':'.r_param' and '.param' are mutually exclusive.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive5.phpt b/src/tests/broken_conf_mutually_exclusive5.phpt
new file mode 100644
index 0000000..a265c30
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive5.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive5.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").ret("0").drop().ret_r("^0$");':'.r_ret' and '.ret' are mutually exclusive.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive6.phpt b/src/tests/broken_conf_mutually_exclusive6.phpt
new file mode 100644
index 0000000..d0cdb85
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive6.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive6.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").param("id").value("42").ret_r("^0$").drop();':`ret` and `param` are mutually exclusives.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive7.phpt b/src/tests/broken_conf_mutually_exclusive7.phpt
new file mode 100644
index 0000000..c9a3513
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive7.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive7.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("system").ret("0").drop().allow();': The rule must either be a `drop` or and `allow` one.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_mutually_exclusive8.phpt b/src/tests/broken_conf_mutually_exclusive8.phpt
new file mode 100644
index 0000000..7c5baee
--- /dev/null
+++ b/src/tests/broken_conf_mutually_exclusive8.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_mutually_exclusive8.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.ret("0").drop();': must take a function name.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_no_closing_misc.phpt b/src/tests/broken_conf_no_closing_misc.phpt
new file mode 100644
index 0000000..1d1e112
--- /dev/null
+++ b/src/tests/broken_conf_no_closing_misc.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Configuration line without closing parenthese, misc
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_no_closing_misc.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Missing closing ) in line 123.
+[snuffleupagus][0.0.0.0][error][error] .mask_ipv4() is expecting a valid integer.
diff --git a/src/tests/broken_conf_weird_keyword.phpt b/src/tests/broken_conf_weird_keyword.phpt
new file mode 100644
index 0000000..5293791
--- /dev/null
+++ b/src/tests/broken_conf_weird_keyword.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bad config, unknown keyword
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_weird_keyword.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");'.
+\ No newline at end of file
diff --git a/src/tests/broken_conf_wrong_quotes.phpt b/src/tests/broken_conf_wrong_quotes.phpt
new file mode 100644
index 0000000..b6324fe
--- /dev/null
+++ b/src/tests/broken_conf_wrong_quotes.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Configuration line with too many quotes
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_wrong_quotes.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][error][error] There is an issue with the parsing of '"\)': it doesn't look like a valid string.
diff --git a/src/tests/broken_conf_wrong_type.phpt b/src/tests/broken_conf_wrong_type.phpt
new file mode 100644
index 0000000..338ca3a
--- /dev/null
+++ b/src/tests/broken_conf_wrong_type.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken conf with wrong type
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_wrong_type.ini
+--FILE--
+--EXPECTF--
+[snuffleupagus][0.0.0.0][error][error] .ret_type() is expecting a valid php type ('false', 'true', 'array'. 'object', 'long', 'double', 'null', 'resource', 'reference', 'undef').
diff --git a/src/tests/broken_regexp.phpt b/src/tests/broken_regexp.phpt
new file mode 100644
index 0000000..cbfef7d
--- /dev/null
+++ b/src/tests/broken_regexp.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken regexp
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_regexp.ini
+--FILE--
+--EXPECTF--
+[snuffleupagus][0.0.0.0][config][error] '.value_r()' is expecting a valid regexp, and not '"^$["'.
diff --git a/src/tests/config/borken_conf_enable_disable.ini b/src/tests/config/borken_conf_enable_disable.ini
new file mode 100644
index 0000000..4e95294
--- /dev/null
+++ b/src/tests/config/borken_conf_enable_disable.ini
@@ -0,0 +1 @@
+sp.global_strict.disable().enable();
diff --git a/src/tests/config/broken_conf.ini b/src/tests/config/broken_conf.ini
new file mode 100644
index 0000000..0595320
--- /dev/null
+++ b/src/tests/config/broken_conf.ini
@@ -0,0 +1 @@
+this is a broken line
diff --git a/src/tests/config/broken_conf2.ini b/src/tests/config/broken_conf2.ini
new file mode 100644
index 0000000..fdb6b8f
--- /dev/null
+++ b/src/tests/config/broken_conf2.ini
@@ -0,0 +1 @@
+sp.wrong
diff --git a/src/tests/config/broken_conf_expecting_bool.ini b/src/tests/config/broken_conf_expecting_bool.ini
new file mode 100644
index 0000000..51c28b2
--- /dev/null
+++ b/src/tests/config/broken_conf_expecting_bool.ini
@@ -0,0 +1,5 @@
+    # this is an example of broken conf
+     ; this is another comment
+sp.harden_random.enable(1337);
diff --git a/src/tests/config/broken_conf_expecting_int.ini b/src/tests/config/broken_conf_expecting_int.ini
new file mode 100644
index 0000000..8e2efea
--- /dev/null
+++ b/src/tests/config/broken_conf_expecting_int.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef");
+sp.cookie_encryption.cookie("super_cookie").mask_ipv4(abc);
diff --git a/src/tests/config/broken_conf_invalid_cidr.ini b/src/tests/config/broken_conf_invalid_cidr.ini
new file mode 100644
index 0000000..0cdc695
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_cidr.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().cidr("127.0.0.1/42");
diff --git a/src/tests/config/broken_conf_invalid_cidr6.ini b/src/tests/config/broken_conf_invalid_cidr6.ini
new file mode 100644
index 0000000..e5a120c
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_cidr6.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().cidr("2001:0db8:0000:0000:0000:ff00:0042:8329/ZZZ");
diff --git a/src/tests/config/broken_conf_invalid_cidr6_no_slash.ini b/src/tests/config/broken_conf_invalid_cidr6_no_slash.ini
new file mode 100644
index 0000000..e4cf835
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_cidr6_no_slash.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().cidr("2001:0db8:0000:0000:0000:ff00:0042:8329");
diff --git a/src/tests/config/broken_conf_invalid_cidr6_too_big.ini b/src/tests/config/broken_conf_invalid_cidr6_too_big.ini
new file mode 100644
index 0000000..417dee7
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_cidr6_too_big.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().cidr("2001:0db8:0000:0000:0000:ff00:0042:8329/13337");
diff --git a/src/tests/config/broken_conf_invalid_cidr_value.ini b/src/tests/config/broken_conf_invalid_cidr_value.ini
new file mode 100644
index 0000000..733e889
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_cidr_value.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().cidr("
diff --git a/src/tests/config/broken_conf_invalid_type.ini b/src/tests/config/broken_conf_invalid_type.ini
new file mode 100644
index 0000000..b2cd8cd
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_type.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("strpos").ret_type("totally_wrong"_type")
diff --git a/src/tests/config/broken_conf_line_empty_string.ini b/src/tests/config/broken_conf_line_empty_string.ini
new file mode 100644
index 0000000..74d0e5a
--- /dev/null
+++ b/src/tests/config/broken_conf_line_empty_string.ini
@@ -0,0 +1 @@
+sp.cookie_encryption.mask_ipv4(123).cookie(
diff --git a/src/tests/config/broken_conf_line_no_closing.ini b/src/tests/config/broken_conf_line_no_closing.ini
new file mode 100644
index 0000000..bcac291
--- /dev/null
+++ b/src/tests/config/broken_conf_line_no_closing.ini
@@ -0,0 +1 @@
+sp.cookie_encryption.mask_ipv4(123).cookie("123"
diff --git a/src/tests/config/broken_conf_line_too_long.ini b/src/tests/config/broken_conf_line_too_long.ini
new file mode 100644
index 0000000..ed057a5
--- /dev/null
+++ b/src/tests/config/broken_conf_line_too_long.ini
@@ -0,0 +1 @@
+sp.cookie_encryption.cookie("super_cookie").mask_ipv4(1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111);
diff --git a/src/tests/config/broken_conf_lots_of_quotes.ini b/src/tests/config/broken_conf_lots_of_quotes.ini
new file mode 100644
index 0000000..dfd48e7
--- /dev/null
+++ b/src/tests/config/broken_conf_lots_of_quotes.ini
@@ -0,0 +1 @@
+sp.cookie_encryption.mask_ipv4(123).cookie("this\"is a weird\"\"\"cookie\"name"");
diff --git a/src/tests/config/broken_conf_mutually_exclusive.ini b/src/tests/config/broken_conf_mutually_exclusive.ini
new file mode 100644
index 0000000..af1d505
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").param("id").value("42").value_r("^id$").drop();
diff --git a/src/tests/config/broken_conf_mutually_exclusive2.ini b/src/tests/config/broken_conf_mutually_exclusive2.ini
new file mode 100644
index 0000000..29b21d4
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive2.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").function_r("system").param("id").value("42").drop();
diff --git a/src/tests/config/broken_conf_mutually_exclusive3.ini b/src/tests/config/broken_conf_mutually_exclusive3.ini
new file mode 100644
index 0000000..556de08
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive3.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").param("id").value("42").filename_r("^id$").filename("pouet.txt").drop();
diff --git a/src/tests/config/broken_conf_mutually_exclusive4.ini b/src/tests/config/broken_conf_mutually_exclusive4.ini
new file mode 100644
index 0000000..d212ad4
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive4.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").param("id").value("42").param_r("^id$").drop();
diff --git a/src/tests/config/broken_conf_mutually_exclusive5.ini b/src/tests/config/broken_conf_mutually_exclusive5.ini
new file mode 100644
index 0000000..5b64079
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive5.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").ret("0").drop().ret_r("^0$");
diff --git a/src/tests/config/broken_conf_mutually_exclusive6.ini b/src/tests/config/broken_conf_mutually_exclusive6.ini
new file mode 100644
index 0000000..d08ee58
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive6.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").param("id").value("42").ret_r("^0$").drop();
diff --git a/src/tests/config/broken_conf_mutually_exclusive7.ini b/src/tests/config/broken_conf_mutually_exclusive7.ini
new file mode 100644
index 0000000..645c26c
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive7.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").ret("0").drop().allow();
diff --git a/src/tests/config/broken_conf_mutually_exclusive8.ini b/src/tests/config/broken_conf_mutually_exclusive8.ini
new file mode 100644
index 0000000..b08ef57
--- /dev/null
+++ b/src/tests/config/broken_conf_mutually_exclusive8.ini
@@ -0,0 +1 @@
+sp.disable_functions.ret("0").drop();
diff --git a/src/tests/config/broken_conf_no_closing_misc.ini b/src/tests/config/broken_conf_no_closing_misc.ini
new file mode 100644
index 0000000..2cb79a8
--- /dev/null
+++ b/src/tests/config/broken_conf_no_closing_misc.ini
@@ -0,0 +1 @@
+sp.cookie_encryption.cookie("123").mask_ipv4(123
diff --git a/src/tests/config/broken_conf_to_few_args.ini b/src/tests/config/broken_conf_to_few_args.ini
new file mode 100644
index 0000000..89e19be
--- /dev/null
+++ b/src/tests/config/broken_conf_to_few_args.ini
@@ -0,0 +1 @@
+sp.harden_random.enable();
diff --git a/src/tests/config/broken_conf_weird_keyword.ini b/src/tests/config/broken_conf_weird_keyword.ini
new file mode 100644
index 0000000..bf5e7f5
--- /dev/null
+++ b/src/tests/config/broken_conf_weird_keyword.ini
@@ -0,0 +1 @@
+sp.harden_random.enable().not_a_valid_keyword("test");
diff --git a/src/tests/config/broken_conf_wrong_quotes.ini b/src/tests/config/broken_conf_wrong_quotes.ini
new file mode 100644
index 0000000..c8cc949
--- /dev/null
+++ b/src/tests/config/broken_conf_wrong_quotes.ini
@@ -0,0 +1 @@
+sp.cookie_encryption.mask_ipv4(123).cookie("\)
diff --git a/src/tests/config/broken_conf_wrong_type.ini b/src/tests/config/broken_conf_wrong_type.ini
new file mode 100644
index 0000000..6ecca6a
--- /dev/null
+++ b/src/tests/config/broken_conf_wrong_type.ini
@@ -0,0 +1,5 @@
+sp.disable_functions.function("strpos").ret_type("undef").drop().alias("Return value is undef");
+sp.disable_functions.function("strpos").ret_type("null").drop().alias("Return value is null");
+sp.disable_functions.function("strpos").ret_type("object").drop().alias("Return value is object");
+sp.disable_functions.function("strpos").ret_type("reference").drop().alias("Return value is reference");
+sp.disable_functions.function("strpos").ret_type("totally_wrong_type").drop().alias("Return value is FALSE");
diff --git a/src/tests/config/broken_config_regexp.ini b/src/tests/config/broken_config_regexp.ini
new file mode 100644
index 0000000..efad83e
--- /dev/null
+++ b/src/tests/config/broken_config_regexp.ini
@@ -0,0 +1 @@
+sp.disable_functions.function_r("^system$").filename_r("*.").drop();
diff --git a/src/tests/config/broken_regexp.ini b/src/tests/config/broken_regexp.ini
new file mode 100644
index 0000000..8e1f69a
--- /dev/null
+++ b/src/tests/config/broken_regexp.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("AwesomeClass::method3").param("a").drop().value_r("^$[");
diff --git a/src/tests/config/config_disable_writable.ini b/src/tests/config/config_disable_writable.ini
new file mode 100644
index 0000000..9f90601
--- /dev/null
+++ b/src/tests/config/config_disable_writable.ini
@@ -0,0 +1 @@
+  sp.readonly_exec.enable();
diff --git a/src/tests/config/config_disable_writable_disabled.ini b/src/tests/config/config_disable_writable_disabled.ini
new file mode 100644
index 0000000..6a33437
--- /dev/null
+++ b/src/tests/config/config_disable_writable_disabled.ini
@@ -0,0 +1 @@
+  sp.readonly_exec.disable();
diff --git a/src/tests/config/config_disable_writable_simulation.ini b/src/tests/config/config_disable_writable_simulation.ini
new file mode 100644
index 0000000..52a43ba
--- /dev/null
+++ b/src/tests/config/config_disable_writable_simulation.ini
@@ -0,0 +1 @@
+  sp.readonly_exec.enable().simulation();
diff --git a/src/tests/config/config_disabled_functions_filename_r.ini b/src/tests/config/config_disabled_functions_filename_r.ini
new file mode 100644
index 0000000..b92f136
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_filename_r.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function_r("^system$").filename_r("\\.txt$").drop();
+sp.disable_functions.function_r("^shell_exec$").filename_r("\\.php$").drop();
diff --git a/src/tests/config/config_disabled_functions_method.ini b/src/tests/config/config_disabled_functions_method.ini
new file mode 100644
index 0000000..4d088d2
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_method.ini
@@ -0,0 +1,3 @@
+sp.disable_functions.function("AwesomeClass::method1").drop();
+sp.disable_functions.function("method2").drop();
+sp.disable_functions.function("AwesomeClass::method3").param("a").value("pouet").drop();
diff --git a/src/tests/config/config_disabled_functions_name_r.ini b/src/tests/config/config_disabled_functions_name_r.ini
new file mode 100644
index 0000000..3f7178e
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_name_r.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function_r("^not_system$").ret("42").drop();
+sp.disable_functions.function_r("^system$").ret("1337").drop();
diff --git a/src/tests/config/config_disabled_functions_name_type.ini b/src/tests/config/config_disabled_functions_name_type.ini
new file mode 100644
index 0000000..2b433df
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_name_type.ini
@@ -0,0 +1 @@
+sp.disable_functions.function_r("^strcmp$").param("str1").param_type("array").drop();
diff --git a/src/tests/config/config_disabled_functions_namespace.ini b/src/tests/config/config_disabled_functions_namespace.ini
new file mode 100644
index 0000000..d09b81b
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_namespace.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function("strcmp").drop();
+sp.disable_functions.function("my_super_namespace::my_function").drop();
diff --git a/src/tests/config/config_disabled_functions_nul_byte.ini b/src/tests/config/config_disabled_functions_nul_byte.ini
new file mode 100644
index 0000000..7994583
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_nul_byte.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").param("command").value_r("id").drop();
+\ No newline at end of file
diff --git a/src/tests/config/config_disabled_functions_param.ini b/src/tests/config/config_disabled_functions_param.ini
new file mode 100644
index 0000000..7363781
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param.ini
@@ -0,0 +1,6 @@
+sp.disable_functions.function("system").param("command").value_r("^id$").alias("1").drop();
+sp.disable_functions.function("array_sum").param("array").value_r("^8$").alias("2").drop();
+sp.disable_functions.function("shell_exec").param("cmd").value("id").alias("3").drop();
+sp.disable_functions.function("shell_exec").param("cmd").value("bla").alias("4").drop();
+sp.disable_functions.function("strcmp").param("str1").value("bla").alias("5").drop().simulation();
+sp.disable_functions.function("strncmp").param("str1").value("bla").drop().simulation();
diff --git a/src/tests/config/config_disabled_functions_param_alias.ini b/src/tests/config/config_disabled_functions_param_alias.ini
new file mode 100644
index 0000000..f8d9f43
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_alias.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function("system").alias("1").drop();
+sp.disable_functions.function("shell_exec").alias("2").drop().simulation();
diff --git a/src/tests/config/config_disabled_functions_param_allow.ini b/src/tests/config/config_disabled_functions_param_allow.ini
new file mode 100644
index 0000000..e349b38
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_allow.ini
@@ -0,0 +1,3 @@
+sp.disable_functions.function("system").param("command").value("echo win").filename("test.php").drop();
+sp.disable_functions.function("system").param("command").value("echo win").allow();
+sp.disable_functions.function("system").drop();
diff --git a/src/tests/config/config_disabled_functions_param_array.ini b/src/tests/config/config_disabled_functions_param_array.ini
new file mode 100644
index 0000000..7b71692
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_array.ini
@@ -0,0 +1,4 @@
+sp.disable_functions.function("foo").param("arr").value("abcd").alias("1").drop();
+sp.disable_functions.function("foo").param("arr[bla]").value("abcdef").alias("2").drop();
+sp.disable_functions.function("foo").param("arr[test]").alias("3").drop();
+sp.disable_functions.function("foo").param("arr[test2][foo][lol]").value("aaa").alias("4").drop();
diff --git a/src/tests/config/config_disabled_functions_param_int.ini b/src/tests/config/config_disabled_functions_param_int.ini
new file mode 100644
index 0000000..2552f0a
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_int.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function("foobar").param("id").value("42").drop();
+sp.disable_functions.function("foobar").param("id").value_r("^1337").drop();
diff --git a/src/tests/config/config_disabled_functions_param_r.ini b/src/tests/config/config_disabled_functions_param_r.ini
new file mode 100644
index 0000000..d9f6692
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_r.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").param_r("^command$").value("id").drop();
diff --git a/src/tests/config/config_disabled_functions_param_runtime.ini b/src/tests/config/config_disabled_functions_param_runtime.ini
new file mode 100644
index 0000000..641bd0a
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_runtime.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("test").param("param").value_r("1337").drop();
diff --git a/src/tests/config/config_disabled_functions_param_str_representation.ini b/src/tests/config/config_disabled_functions_param_str_representation.ini
new file mode 100644
index 0000000..7171a30
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_param_str_representation.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("var_export").param("var").value("bla").drop();
diff --git a/src/tests/config/config_disabled_functions_require.ini b/src/tests/config/config_disabled_functions_require.ini
new file mode 100644
index 0000000..474fada
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_require.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("require").param("").value_r("meh$").drop();
diff --git a/src/tests/config/config_disabled_functions_ret_allow.ini b/src/tests/config/config_disabled_functions_ret_allow.ini
new file mode 100644
index 0000000..1884227
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_ret_allow.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function("strpos").hash("70b33f3eaf585b245640bb2c92445d0040b2bcb31395aa25dede9f2df4dbcbe8").allow();
+sp.disable_functions.function("strpos").drop();
diff --git a/src/tests/config/config_disabled_functions_ret_allow_value.ini b/src/tests/config/config_disabled_functions_ret_allow_value.ini
new file mode 100644
index 0000000..e179819
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_ret_allow_value.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("strpos").ret("0").allow();
diff --git a/src/tests/config/config_disabled_functions_ret_right_hash.ini b/src/tests/config/config_disabled_functions_ret_right_hash.ini
new file mode 100644
index 0000000..6f49177
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_ret_right_hash.ini
@@ -0,0 +1,4 @@
+sp.disable_functions.function("system").ret("1").drop();
+sp.disable_functions.function("system").ret("1337").hash("123456789597a81a2b862cdb49920e2cba2e5979a3fc374c58c803e8f5c99a10").drop();
+sp.disable_functions.function("system").ret("1338").hash("522a976fa597a81a2b862cdb49920e2cba2e5979a3fc374c58c803e8f5c99a10").drop();
+sp.disable_functions.function("system").ret("1337").hash("522a976fa597a81a2b862cdb49920e2cba2e5979a3fc374c58c803e8f5c99a10").drop();
diff --git a/src/tests/config/config_disabled_functions_ret_simulation.ini b/src/tests/config/config_disabled_functions_ret_simulation.ini
new file mode 100644
index 0000000..ee46c4b
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_ret_simulation.ini
@@ -0,0 +1,3 @@
+sp.disable_functions.function("strpos").ret("0").simulation().drop();
+sp.disable_functions.function("stripos").ret("0").simulation().drop().alias("1");
+sp.disable_functions.function("strcmp").ret("0").drop();
diff --git a/src/tests/config/config_disabled_functions_right_hash.ini b/src/tests/config/config_disabled_functions_right_hash.ini
new file mode 100644
index 0000000..fab68fa
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_right_hash.ini
@@ -0,0 +1,3 @@
+sp.disable_functions.function("system").hash("1337c3ad8cf096272cd0e78768af3b11325f498de5c2c36f40adc43643af378a").allow();
+sp.disable_functions.function("system").hash("d259c3ad8cf096272cd0e78768af3b11325f498de5c2c36f40adc43643af378a").allow();
+sp.disable_functions.function("system").drop();
+\ No newline at end of file
diff --git a/src/tests/config/config_disabled_user_functions.ini b/src/tests/config/config_disabled_user_functions.ini
new file mode 100644
index 0000000..15cbccc
--- /dev/null
+++ b/src/tests/config/config_disabled_user_functions.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("my_super_function").drop();
diff --git a/src/tests/config/config_encrypted_cookies.ini b/src/tests/config/config_encrypted_cookies.ini
new file mode 100644
index 0000000..710e863
--- /dev/null
+++ b/src/tests/config/config_encrypted_cookies.ini
@@ -0,0 +1,3 @@
+sp.global.secret_key("abcdef");
+sp.cookie_encryption.cookie("super_cookie").mask_ipv4(8).mask_ipv6(2);
+sp.auto_cookie_secure.enable();
diff --git a/src/tests/config/config_noncore_function_hooking.ini b/src/tests/config/config_noncore_function_hooking.ini
new file mode 100644
index 0000000..88f2acf
--- /dev/null
+++ b/src/tests/config/config_noncore_function_hooking.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("custom_fun").drop();
diff --git a/src/tests/config/config_rand_harden_disabled.ini b/src/tests/config/config_rand_harden_disabled.ini
new file mode 100644
index 0000000..b9cd227
--- /dev/null
+++ b/src/tests/config/config_rand_harden_disabled.ini
@@ -0,0 +1 @@
+sp.harden_random.disable();              
diff --git a/src/tests/config/config_serialize.ini b/src/tests/config/config_serialize.ini
new file mode 100644
index 0000000..f2c1699
--- /dev/null
+++ b/src/tests/config/config_serialize.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef");
+sp.unserialize_hmac.enable();
+\ No newline at end of file
diff --git a/src/tests/config/config_serialize_sim.ini b/src/tests/config/config_serialize_sim.ini
new file mode 100644
index 0000000..7f015e0
--- /dev/null
+++ b/src/tests/config/config_serialize_sim.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef");
+sp.unserialize_hmac.enable().simulation();
diff --git a/src/tests/config/disable_xxe.ini b/src/tests/config/disable_xxe.ini
new file mode 100644
index 0000000..bc9d1f2
--- /dev/null
+++ b/src/tests/config/disable_xxe.ini
@@ -0,0 +1 @@
+sp.disable_xxe.enable();
diff --git a/src/tests/config/disable_xxe_disable.ini b/src/tests/config/disable_xxe_disable.ini
new file mode 100644
index 0000000..bb1e432
--- /dev/null
+++ b/src/tests/config/disable_xxe_disable.ini
@@ -0,0 +1 @@
+sp.disable_xxe.disable();
diff --git a/src/tests/config/disabled_function_local_var.ini b/src/tests/config/disabled_function_local_var.ini
new file mode 100644
index 0000000..64d98dc
--- /dev/null
+++ b/src/tests/config/disabled_function_local_var.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function("phpinfo").var("b").value("1337").drop();
+sp.disable_functions.function("strlen").var("a").value("1337").drop();
diff --git a/src/tests/config/disabled_function_super_global_var.ini b/src/tests/config/disabled_function_super_global_var.ini
new file mode 100644
index 0000000..e0c87e1
--- /dev/null
+++ b/src/tests/config/disabled_function_super_global_var.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("strlen").var("_GET[bla]").value("test2").drop();
diff --git a/src/tests/config/disabled_functions.ini b/src/tests/config/disabled_functions.ini
new file mode 100644
index 0000000..cf54164
--- /dev/null
+++ b/src/tests/config/disabled_functions.ini
@@ -0,0 +1,7 @@
+sp.disable_functions.function("system").drop();
+sp.disable_functions.function("vprintf").hash("123456789").drop();
+sp.disable_functions.function("printf").disable().drop();
+sp.disable_functions.function("printf").simulation().drop();
+sp.disable_functions.function("print").disable().drop();  # this is a comment
+sp.disable_functions.function_r("^var_dump$").drop();
+sp.disable_functions.function("sprintf").filename("wrong file name").drop();
diff --git a/src/tests/config/disabled_functions_cidr.ini b/src/tests/config/disabled_functions_cidr.ini
new file mode 100644
index 0000000..9e527ba
--- /dev/null
+++ b/src/tests/config/disabled_functions_cidr.ini
@@ -0,0 +1,4 @@
+sp.disable_functions.function("system").drop().cidr("127.0.0.1/8");
+sp.disable_functions.function("printf").drop().cidr("10.0.0.1/8");
+sp.disable_functions.function("strpos").drop().cidr("2001:0db8:0000:0000:0000:ff00:0042:8329/24");
+sp.disable_functions.function("printf").drop().cidr("2002:0db8:0000:0000:0000:ff00:0042:8329/24");
diff --git a/src/tests/config/disabled_functions_mb.ini b/src/tests/config/disabled_functions_mb.ini
new file mode 100644
index 0000000..b6afd97
--- /dev/null
+++ b/src/tests/config/disabled_functions_mb.ini
@@ -0,0 +1,2 @@
+sp.disable_functions.function("strlen").drop();
+sp.disable_functions.function("mb_strlen").drop();
diff --git a/src/tests/config/disabled_functions_ret.ini b/src/tests/config/disabled_functions_ret.ini
new file mode 100644
index 0000000..2b769a9
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret.ini
@@ -0,0 +1,5 @@
+sp.disable_functions.function("testFunction").ret("0").drop().disable();
+sp.disable_functions.function("strpos").ret("0").drop().filename_r(".*\\.php");
+sp.disable_functions.function_r("str[ia]pos").ret_r("^[^a-z]+$").drop();
+sp.disable_functions.function_r("stripos").ret_r("^[^a-z]+").drop();
+sp.disable_functions.function("Bob::a").ret("0").drop();
diff --git a/src/tests/config/disabled_functions_ret_type.ini b/src/tests/config/disabled_functions_ret_type.ini
new file mode 100644
index 0000000..56c8e57
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret_type.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("strpos").ret_type("false").drop().alias("Return value is FALSE");
diff --git a/src/tests/config/disabled_functions_ret_type_double.ini b/src/tests/config/disabled_functions_ret_type_double.ini
new file mode 100644
index 0000000..a1239d8
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret_type_double.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("cos").ret_type("double").drop().alias("Return value is a double");
diff --git a/src/tests/config/disabled_functions_ret_type_long.ini b/src/tests/config/disabled_functions_ret_type_long.ini
new file mode 100644
index 0000000..6cccd4d
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret_type_long.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("strlen").ret_type("long").drop().alias("Return value is a long");
diff --git a/src/tests/config/disabled_functions_ret_type_resource.ini b/src/tests/config/disabled_functions_ret_type_resource.ini
new file mode 100644
index 0000000..e81cf2c
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret_type_resource.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("fopen").ret_type("resource").drop().alias("Return value is a resource");
diff --git a/src/tests/config/disabled_functions_ret_type_str.ini b/src/tests/config/disabled_functions_ret_type_str.ini
new file mode 100644
index 0000000..b3ff050
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret_type_str.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("substr").ret_type("string").drop().alias("Return value is a string");
diff --git a/src/tests/config/disabled_functions_ret_type_true.ini b/src/tests/config/disabled_functions_ret_type_true.ini
new file mode 100644
index 0000000..02a37dd
--- /dev/null
+++ b/src/tests/config/disabled_functions_ret_type_true.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("is_numeric").ret_type("true").drop().alias("Return value is a true");
diff --git a/src/tests/config/disabled_functions_retval.ini b/src/tests/config/disabled_functions_retval.ini
new file mode 100644
index 0000000..20422e4
--- /dev/null
+++ b/src/tests/config/disabled_functions_retval.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("str_repeat").ret("fufufu").drop();
diff --git a/src/tests/config/disabled_functions_retval_rx.ini b/src/tests/config/disabled_functions_retval_rx.ini
new file mode 100644
index 0000000..ca2bce3
--- /dev/null
+++ b/src/tests/config/disabled_functions_retval_rx.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("str_repeat").ret_r("(fu){3}").drop();
diff --git a/src/tests/config/disabled_functions_zero_cidr.ini b/src/tests/config/disabled_functions_zero_cidr.ini
new file mode 100644
index 0000000..bba1af9
--- /dev/null
+++ b/src/tests/config/disabled_functions_zero_cidr.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().cidr("0.0.0.0/0");
diff --git a/src/tests/config/dump_request.ini b/src/tests/config/dump_request.ini
new file mode 100644
index 0000000..8c595f9
--- /dev/null
+++ b/src/tests/config/dump_request.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().dump("./dump_results/");
diff --git a/src/tests/config/dump_request_invalid_folder.ini b/src/tests/config/dump_request_invalid_folder.ini
new file mode 100644
index 0000000..b5ae154
--- /dev/null
+++ b/src/tests/config/dump_request_invalid_folder.ini
@@ -0,0 +1 @@
+sp.disable_functions.function("system").drop().dump("/root/NON_EXISTENT/FOLDER/PLEASE/");
diff --git a/src/tests/config/empty.ini b/src/tests/config/empty.ini
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/src/tests/config/empty.ini
diff --git a/src/tests/config/empty_conf.ini b/src/tests/config/empty_conf.ini
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/src/tests/config/empty_conf.ini
diff --git a/src/tests/config/encryption_key_only.ini b/src/tests/config/encryption_key_only.ini
new file mode 100644
index 0000000..7de4438
--- /dev/null
+++ b/src/tests/config/encryption_key_only.ini
@@ -0,0 +1 @@
+sp.global.secret_key("abcdef");
diff --git a/src/tests/config/global_strict.ini b/src/tests/config/global_strict.ini
new file mode 100644
index 0000000..2bc2bdc
--- /dev/null
+++ b/src/tests/config/global_strict.ini
@@ -0,0 +1 @@
+        sp.global_strict.enable();
diff --git a/src/tests/config/global_strict_disabled.ini b/src/tests/config/global_strict_disabled.ini
new file mode 100644
index 0000000..2e68471
--- /dev/null
+++ b/src/tests/config/global_strict_disabled.ini
@@ -0,0 +1 @@
+sp.global_strict.disable();
diff --git a/src/tests/config/harden_rand.ini b/src/tests/config/harden_rand.ini
new file mode 100644
index 0000000..89e19be
--- /dev/null
+++ b/src/tests/config/harden_rand.ini
@@ -0,0 +1 @@
+sp.harden_random.enable();
diff --git a/src/tests/config/upload_validation.ini b/src/tests/config/upload_validation.ini
new file mode 100644
index 0000000..0646134
--- /dev/null
+++ b/src/tests/config/upload_validation.ini
@@ -0,0 +1,2 @@
+sp.upload_validation.script("tests/upload_ko.sh");
+sp.upload_validation.enable();
diff --git a/src/tests/config/upload_validation_invalid.ini b/src/tests/config/upload_validation_invalid.ini
new file mode 100644
index 0000000..7a638a1
--- /dev/null
+++ b/src/tests/config/upload_validation_invalid.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("./tests/data/upload_invalid.sh").enable();
diff --git a/src/tests/config/upload_validation_ko.ini b/src/tests/config/upload_validation_ko.ini
new file mode 100644
index 0000000..b15977f
--- /dev/null
+++ b/src/tests/config/upload_validation_ko.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("./tests/data/upload_ko.sh").enable();
diff --git a/src/tests/config/upload_validation_ko_simulation.ini b/src/tests/config/upload_validation_ko_simulation.ini
new file mode 100644
index 0000000..da56439
--- /dev/null
+++ b/src/tests/config/upload_validation_ko_simulation.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("./tests/data/upload_ko.sh").enable().simulation();
diff --git a/src/tests/config/upload_validation_no_exist.ini b/src/tests/config/upload_validation_no_exist.ini
new file mode 100644
index 0000000..24f81a5
--- /dev/null
+++ b/src/tests/config/upload_validation_no_exist.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("fufufufufu").enable();
diff --git a/src/tests/config/upload_validation_non_exec.ini b/src/tests/config/upload_validation_non_exec.ini
new file mode 100644
index 0000000..bdf0a57
--- /dev/null
+++ b/src/tests/config/upload_validation_non_exec.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("tests/data/upload_no_exec.sh").enable();
diff --git a/src/tests/config/upload_validation_ok.ini b/src/tests/config/upload_validation_ok.ini
new file mode 100644
index 0000000..5df8db8
--- /dev/null
+++ b/src/tests/config/upload_validation_ok.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("./tests/data/upload_ok.sh").enable();
diff --git a/src/tests/data/upload_invalid.sh b/src/tests/data/upload_invalid.sh
new file mode 100755
index 0000000..e5eb0c6
--- /dev/null
+++ b/src/tests/data/upload_invalid.sh
@@ -0,0 +1 @@
+lulz
diff --git a/src/tests/data/upload_ko.sh b/src/tests/data/upload_ko.sh
new file mode 100755
index 0000000..c4cacdc
--- /dev/null
+++ b/src/tests/data/upload_ko.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 1;
diff --git a/src/tests/data/upload_no_exec.sh b/src/tests/data/upload_no_exec.sh
new file mode 100644
index 0000000..6b9cafa
--- /dev/null
+++ b/src/tests/data/upload_no_exec.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 0;
diff --git a/src/tests/data/upload_ok.sh b/src/tests/data/upload_ok.sh
new file mode 100755
index 0000000..6b9cafa
--- /dev/null
+++ b/src/tests/data/upload_ok.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 0;
diff --git a/src/tests/deny_writable_execution.phpt b/src/tests/deny_writable_execution.phpt
new file mode 100644
index 0000000..2870561
--- /dev/null
+++ b/src/tests/deny_writable_execution.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Readonly execution attempt
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) print "skip";
+$filename = __DIR__ . '/test.txt';
+@unlink($filename);
+file_put_contents($filename, 'a');
+chmod($filename, 0400);
+if (is_writable($filename)) print "skip";
+@unlink($filename);
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disable_writable.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+// just in case
+@unlink("$dir/non_writable_file.txt");
+@unlink("$dir/writable_file.txt");
+file_put_contents("$dir/non_writable_file.txt", '<?php echo "Code execution within a non-writable file.\n";');
+file_put_contents("$dir/writable_file.txt", '<?php echo "Code execution within a writable file.\n";');
+chmod("$dir/non_writable_file.txt", 0400);
+chmod("$dir/writable_file.txt", 0777);
+include "$dir/non_writable_file.txt";
+include "$dir/writable_file.txt";
+?>
+--EXPECTF--
+Code execution within a non-writable file.
+[snuffleupagus][0.0.0.0][readonly_exec][drop] Attempted execution of a writable file (%a/writable_file.txt).
+--CLEAN--
+<?php
+$dir = __DIR__;
+chmod("$dir/non_writable_file.txt", 0777);
+chmod("$dir/writable_file.txt", 0777);
+unlink("$dir/non_writable_file.txt");
+unlink("$dir/writable_file.txt");
+?>
+\ No newline at end of file
diff --git a/src/tests/deny_writable_execution_disabled.phpt b/src/tests/deny_writable_execution_disabled.phpt
new file mode 100644
index 0000000..6d1233b
--- /dev/null
+++ b/src/tests/deny_writable_execution_disabled.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Readonly execution attempt
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disable_writable_disabled.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+// just in case
+@unlink("$dir/non_writable_file.txt");
+@unlink("$dir/writable_file.txt");
+file_put_contents("$dir/writable_file.txt", '<?php echo "Code execution within a writable file.\n";');
+file_put_contents("$dir/non_writable_file.txt", '<?php echo "Code execution within a non-writable file.\n";');
+chmod("$dir/writable_file.txt", 0777);
+chmod("$dir/non_writable_file.txt", 0400);
+include "$dir/writable_file.txt";
+include "$dir/non_writable_file.txt";
+?>
+--EXPECT--
+Code execution within a writable file.
+Code execution within a non-writable file.
+--CLEAN--
+<?php
+$dir = __DIR__;
+chmod("$dir/non_writable_file.txt", 0777);
+chmod("$dir/writable_file.txt", 0777);
+unlink("$dir/non_writable_file.txt");
+unlink("$dir/writable_file.txt");
+?>
+\ No newline at end of file
diff --git a/src/tests/deny_writable_execution_simulation.phpt b/src/tests/deny_writable_execution_simulation.phpt
new file mode 100644
index 0000000..3278be8
--- /dev/null
+++ b/src/tests/deny_writable_execution_simulation.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Readonly execution attempt (simulation mode)
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) print "skip";
+$filename = __DIR__ . '/test.txt';
+@unlink($filename);
+file_put_contents($filename, 'a');
+chmod($filename, 0400);
+if (is_writable($filename)) print "skip";;
+@unlink($filename);
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disable_writable_simulation.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+// just in case
+@unlink("$dir/non_writable_file.txt");
+@unlink("$dir/writable_file.txt");
+file_put_contents("$dir/writable_file.txt", '<?php echo "Code execution within a writable file.\n";');
+file_put_contents("$dir/non_writable_file.txt", '<?php echo "Code execution within a non-writable file.\n";');
+chmod("$dir/writable_file.txt", 0777);
+chmod("$dir/non_writable_file.txt", 0400);
+include "$dir/writable_file.txt";
+include "$dir/non_writable_file.txt";
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][readonly_exec][notice] Attempted execution of a writable file (%a/writable_file.txt).
+Code execution within a writable file.
+Code execution within a non-writable file.
+--CLEAN--
+<?php
+$dir = __DIR__;
+chmod("$dir/non_writable_file.txt", 0777);
+chmod("$dir/writable_file.txt", 0777);
+unlink("$dir/non_writable_file.txt");
+unlink("$dir/writable_file.txt");
+?>
+\ No newline at end of file
diff --git a/src/tests/disable_xxe_dom.phpt b/src/tests/disable_xxe_dom.phpt
new file mode 100644
index 0000000..47f3db3
--- /dev/null
+++ b/src/tests/disable_xxe_dom.phpt
@@ -0,0 +1,71 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) die "skip";
+ if (!extension_loaded("dom")) die "skip";
+ ?>
+--INI--
+extension=`php-config --extension-dir`/dom.so 
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(true);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to true: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to false: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF--
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://%a/content.txt" in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Failure to process entity foo in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Entity 'foo' not defined in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Notice: Trying to get property of non-object in %a/disable_xxe_dom.php on line %d
+libxml_disable_entity to true: 
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://%a/content.txt" in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Failure to process entity foo in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Entity 'foo' not defined in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Notice: Trying to get property of non-object in %a/disable_xxe_dom.php on line %d
+libxml_disable_entity to false: 
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "content.xml");
+unlink($dir . "content.txt");
+?>
diff --git a/src/tests/disable_xxe_dom_disabled.phpt b/src/tests/disable_xxe_dom_disabled.phpt
new file mode 100644
index 0000000..b89b595
--- /dev/null
+++ b/src/tests/disable_xxe_dom_disabled.phpt
@@ -0,0 +1,56 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) die "skip";
+ if (!extension_loaded("dom")) die "skip";
+ ?>
+--INI--
+extension=`php-config --extension-dir`/dom.so 
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents($dir . '/content.xml', $xml);
+libxml_disable_entity_loader(true);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to true: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to false: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF-- 
+libxml_disable_entity to true: WARNING, external entity loaded!
+libxml_disable_entity to false: WARNING, external entity loaded!
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/disable_xxe_simplexml.phpt b/src/tests/disable_xxe_simplexml.phpt
new file mode 100644
index 0000000..54404a3
--- /dev/null
+++ b/src/tests/disable_xxe_simplexml.phpt
@@ -0,0 +1,52 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) die "skip";
+ if (!extension_loaded("simplexml")) die "skip";
+ ?>
+--INI--
+extension=`php-config --extension-dir`/simplexml.so 
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(true);
+$doc = new SimpleXMLElement($xml);
+printf("libxml_disable_entity to true: %s\n", $doc->testing);
+libxml_disable_entity_loader(false);
+$doc = new SimpleXMLElement($xml);
+printf("libxml_disable_entity to false: %s\n", $doc->testing);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$doc = new SimpleXMLElement($xml);
+printf("without xxe: %s", $doc->testing);
+?>
+--EXPECT--
+libxml_disable_entity to true: 
+libxml_disable_entity to false: 
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/disable_xxe_simplexml_oop.phpt b/src/tests/disable_xxe_simplexml_oop.phpt
new file mode 100644
index 0000000..62762eb
--- /dev/null
+++ b/src/tests/disable_xxe_simplexml_oop.phpt
@@ -0,0 +1,52 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) die "skip";
+ if (!extension_loaded("simplexml")) die "skip";
+ ?>
+--INI--
+extension=`php-config --extension-dir`/simplexml.so 
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(true);
+$doc = simplexml_load_string($xml);
+printf("libxml_disable_entity to true: %s\n", $doc->testing);
+libxml_disable_entity_loader(false);
+$doc = simplexml_load_string($xml);
+printf("libxml_disable_entity to false: %s\n", $doc->testing);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$doc = simplexml_load_string($xml);
+printf("without xxe: %s", $doc->testing);
+?>
+--EXPECT--
+libxml_disable_entity to true: 
+libxml_disable_entity to false: 
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/disable_xxe_xml_parse.phpt b/src/tests/disable_xxe_xml_parse.phpt
new file mode 100644
index 0000000..944bc38
--- /dev/null
+++ b/src/tests/disable_xxe_xml_parse.phpt
@@ -0,0 +1,104 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) die "skip";
+ if (!extension_loaded("xml")) die "skip";
+ ?>
+--INI--
+extension=`php-config --extension-dir`/xml.so 
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+function create_parser() {
+        $parser = xml_parser_create();
+        xml_set_element_handler(
+                $parser,
+                function($parser, $name, array $attributes) {
+                        var_dump($name);
+                        echo "\n";
+                        var_dump($attributes);
+                },
+                function($parser, $name) {
+                        var_dump($name);
+                }
+        );
+        xml_set_character_data_handler(
+                $parser,
+                function ($parser, $text){
+                        echo 'text' . $text;
+                }
+        );
+        return $parser;
+}
+libxml_disable_entity_loader(true);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+libxml_disable_entity_loader(false);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+--EXPECT--
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+string(7) "TESTING"
+string(4) "TEST"
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+string(7) "TESTING"
+string(4) "TEST"
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+textfoostring(7) "TESTING"
+string(4) "TEST"
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/disabled_function_local_var.phpt b/src/tests/disabled_function_local_var.phpt
new file mode 100644
index 0000000..3142039
--- /dev/null
+++ b/src/tests/disabled_function_local_var.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Disable functions - match on a local variable
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_local_var.ini
+--FILE--
+<?php 
+$a = 1338;
+function test(){
+    echo strlen("id") . "\n";
+}
+echo "Value of a: $a\n";
+test();
+$a = 1337;
+echo "Value of a: $a\n";
+test();
+?>
+--EXPECTF--
+Value of a: 1338
+2
+Value of a: 1337
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'strlen' in %a/tests/disabled_function_local_var.php:%d has been disabled.
+\ No newline at end of file
diff --git a/src/tests/disabled_function_super_global_var.phpt b/src/tests/disabled_function_super_global_var.phpt
new file mode 100644
index 0000000..d41897a
--- /dev/null
+++ b/src/tests/disabled_function_super_global_var.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Disable functions - match on a super global
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_super_global_var.ini
+--GET--
+bla=test
+--FILE--
+<?php 
+function test(){
+    echo strlen($_GET['bla']) . "\n";
+}
+test();
+$_GET['bla'] = 'test2';
+test();
+?>
+--EXPECTF--
+4
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'strlen' in %s/tests/disabled_function_super_global_var.php:%d has been disabled.
diff --git a/src/tests/disabled_functions.phpt b/src/tests/disabled_functions.phpt
new file mode 100644
index 0000000..37da911
--- /dev/null
+++ b/src/tests/disabled_functions.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions.ini
+--FILE--
+<?php 
+system("id");
+printf("printf in simulation mode\n");
+print("print in disabled mode\n");
+var_dump("this is a super test");
+echo strpos("pouet", "o");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions.php:%d has been disabled.
+[snuffleupagus][0.0.0.0][disabled_function][notice] The call to the function 'printf' in %a/tests/disabled_functions.php:%d has been disabled.
+printf in simulation mode
+print in disabled mode
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'var_dump' in %a/tests/disabled_functions.php:%d has been disabled.
+1
diff --git a/src/tests/disabled_functions_cidr.phpt b/src/tests/disabled_functions_cidr.phpt
new file mode 100644
index 0000000..5b13107
--- /dev/null
+++ b/src/tests/disabled_functions_cidr.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_cidr.ini
+--FILE--
+<?php
+system("echo 42");
+printf("1337");
+?>
+--EXPECTF--
+[snuffleupagus][127.0.0.1][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_cidr.php:2 has been disabled.
+1337
diff --git a/src/tests/disabled_functions_cidr_6.phpt b/src/tests/disabled_functions_cidr_6.phpt
new file mode 100644
index 0000000..f2c5f5a
--- /dev/null
+++ b/src/tests/disabled_functions_cidr_6.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:ff00:0042:8328
+EOF;
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_cidr.ini
+--FILE--
+<?php
+strpos("a", "b");
+printf(1337);
+?>
+--EXPECTF--
+[snuffleupagus][2001:0db8:0000:0000:0000:ff00:0042:8328][disabled_function][drop] The call to the function 'strpos' in %a/tests/disabled_functions_cidr_6.php:2 has been disabled.
+1337
diff --git a/src/tests/disabled_functions_filename_r.phpt b/src/tests/disabled_functions_filename_r.phpt
new file mode 100644
index 0000000..ed46802
--- /dev/null
+++ b/src/tests/disabled_functions_filename_r.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - filename regexp
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_filename_r.ini
+--FILE--
+<?php 
+system("echo 42");
+shell_exec("echo 43");
+?>
+--EXPECTF--
+42
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'shell_exec' in %a/tests/disabled_functions_filename_r.php:%d has been disabled.
+\ No newline at end of file
diff --git a/src/tests/disabled_functions_mb.phpt b/src/tests/disabled_functions_mb.phpt
new file mode 100644
index 0000000..7089063
--- /dev/null
+++ b/src/tests/disabled_functions_mb.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_mb.ini
+--FILE--
+<?php 
+echo strlen("id");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'strlen' in %a/tests/disabled_functions_mb.php:2 has been disabled.
diff --git a/src/tests/disabled_functions_method.phpt b/src/tests/disabled_functions_method.phpt
new file mode 100644
index 0000000..33651b7
--- /dev/null
+++ b/src/tests/disabled_functions_method.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_method.ini
+--FILE--
+<?php 
+class AwesomeClass {
+        function method1($a) {
+                echo "method1:" . $a . "\n";
+        }
+        function method2($a) {
+                echo "method2:" . $a . "\n";
+        }
+        function method3($a) {
+                echo "method3:" . $a . "\n";
+        }
+}
+$c = new AwesomeClass();
+$c->method1("pif");
+$c->method2("paf");
+$c->method3("pouet");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'AwesomeClass::method1' in %a/tests/disabled_functions_method.php:4 has been disabled.
+method2:paf
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'AwesomeClass::method3' in %a/tests/disabled_functions_method.php:10 has been disabled, because its argument 'a' content (pouet) matched a rule.
diff --git a/src/tests/disabled_functions_name_r.phpt b/src/tests/disabled_functions_name_r.phpt
new file mode 100644
index 0000000..0e29abb
--- /dev/null
+++ b/src/tests/disabled_functions_name_r.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_name_r.ini
+--FILE--
+<?php 
+system("echo 42");
+system("echo 1337");
+?>
+--EXPECTF--
+42
+1337
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_name_r.php:3, because the return value (1337) of the function 'system' matched a rule.
diff --git a/src/tests/disabled_functions_name_type.phpt b/src/tests/disabled_functions_name_type.phpt
new file mode 100644
index 0000000..c5b24d6
--- /dev/null
+++ b/src/tests/disabled_functions_name_type.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_name_type.ini
+--FILE--
+<?php 
+echo strcmp("pouet", "pouet") . "\n";
+echo strcmp([1,23], "pouet") . "\n";
+?>
+--EXPECTF--
+0
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'strcmp' in %a/disabled_functions_name_type.php:%d has been disabled, because its argument 'str1' content (?) matched a rule.
diff --git a/src/tests/disabled_functions_namespace.phpt b/src/tests/disabled_functions_namespace.phpt
new file mode 100644
index 0000000..72c7d0b
--- /dev/null
+++ b/src/tests/disabled_functions_namespace.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Disable functions: namespaces support isn't implemented now
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_namespace.ini
+--FILE--
+<?php 
+namespace my_super_namespace {
+        function my_function() {
+                echo "1\n";
+        }
+}
+namespace my_second_namespace {
+        function my_function() {
+                echo "2\n";
+        }
+}
+namespace {
+        function my_function() {
+                echo "3\n";
+        }
+\strcmp("1", "2");
+\my_super_namespace\my_function();
+\my_second_namespace\my_function();
+my_function();
+}
+?>
+--XFAIL--
+--EXPECTF--
+[snuffleupagus] The call to the function 'strcmp' in %a/tests/disabled_functions_namespace.php:%d has been disabled.
diff --git a/src/tests/disabled_functions_noconf.phpt b/src/tests/disabled_functions_noconf.phpt
new file mode 100644
index 0000000..cb13413
--- /dev/null
+++ b/src/tests/disabled_functions_noconf.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/empty.ini
+--FILE--
+<?php 
+echo strpos("pouet", "o");
+?>
+--EXPECT--
+1
diff --git a/src/tests/disabled_functions_nul_byte.phpt b/src/tests/disabled_functions_nul_byte.phpt
new file mode 100644
index 0000000..95e87de
--- /dev/null
+++ b/src/tests/disabled_functions_nul_byte.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Disable functions with nul byte
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_nul_byte.ini
+--FILE--
+<?php 
+system("\0id");
+system("id");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_nul_byte.php:2 has been disabled, because its argument 'command' content (0id) matched a rule.
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_nul_byte.php:3 has been disabled, because its argument 'command' content (id) matched a rule.
+\ No newline at end of file
diff --git a/src/tests/disabled_functions_param.phpt b/src/tests/disabled_functions_param.phpt
new file mode 100644
index 0000000..2309217
--- /dev/null
+++ b/src/tests/disabled_functions_param.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param.ini
+--FILE--
+<?php 
+system("id");
+system("echo win");
+var_dump(array_sum([1,2,3,4,5]));
+shell_exec("id");
+echo shell_exec("echo 42");
+strcmp("bla", "ble");
+strncmp("bla", "ble", 2);
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/disabled_functions_param.php:2 has been disabled, because its argument 'command' content (id) matched the rule '1'.
+win
+int(15)
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'shell_exec' in %a/disabled_functions_param.php:5 has been disabled, because its argument 'cmd' content (id) matched the rule '3'.
+42
+[snuffleupagus][0.0.0.0][disabled_function][notice] The call to the function 'strcmp' in %a/tests/disabled_functions_param.php:7 has been disabled, because its argument 'str1' content (bla) matched the rule '5'.
+[snuffleupagus][0.0.0.0][disabled_function][notice] The call to the function 'strncmp' in %a/tests/disabled_functions_param.php:8 has been disabled, because its argument 'str1' content (bla) matched a rule.
diff --git a/src/tests/disabled_functions_param_alias.phpt b/src/tests/disabled_functions_param_alias.phpt
new file mode 100644
index 0000000..fe3d1c1
--- /dev/null
+++ b/src/tests/disabled_functions_param_alias.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - alias
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_alias.ini
+--FILE--
+<?php 
+system("id");
+shell_exec("id");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_param_alias.php:2 has been disabled, because of the the rule '1'.
+[snuffleupagus][0.0.0.0][disabled_function][notice] The call to the function 'shell_exec' in %a/tests/disabled_functions_param_alias.php:3 has been disabled, because of the the rule '2'.
diff --git a/src/tests/disabled_functions_param_allow.phpt b/src/tests/disabled_functions_param_allow.phpt
new file mode 100644
index 0000000..b6ff01a
--- /dev/null
+++ b/src/tests/disabled_functions_param_allow.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - allow
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_allow.ini
+--FILE--
+<?php 
+system("echo win");
+system("id");
+?>
+--EXPECTF--
+win
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_param_allow.php:3 has been disabled.
+\ No newline at end of file
diff --git a/src/tests/disabled_functions_param_array.phpt b/src/tests/disabled_functions_param_array.phpt
new file mode 100644
index 0000000..6596d1a
--- /dev/null
+++ b/src/tests/disabled_functions_param_array.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_array.ini
+--FILE--
+<?php
+function foo($arr) {
+         echo $arr["a"]."\n";
+}
+$a=Array("a"=>"test1");
+foo($a);
+$a=Array("a"=>"abcd");
+foo($a);
+$a=Array("a"=>"abcde");
+foo($a);
+$a=Array("bla"=>"abcdef");
+foo($a);
+$a=Array("bla"=>"aaa", "a"=>"eee" );
+foo($a);
+$a=Array("test"=>"aaa", "a"=>"fff" );
+foo($a);
+$a=Array("test2"=>Array("foo"=>Array("lol"=>"bbb")), "a"=>"cccc");
+foo($a);
+$a=Array("test2"=>Array("foo"=>Array("lol"=>"aaa")), "a"=>"dddd");
+foo($a);
+?>
+--EXPECTF--
+test1
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foo' in %a/disabled_functions_param_array.php:3 has been disabled, because its argument 'arr' content (Array) matched the rule '1'.
+abcde
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foo' in %a/disabled_functions_param_array.php:3 has been disabled, because its argument 'arr' content (Array) matched the rule '2'.
+eee
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foo' in %a/disabled_functions_param_array.php:3 has been disabled, because its argument 'arr' content (Array) matched the rule '3'.
+cccc
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foo' in %a/disabled_functions_param_array.php:3 has been disabled, because its argument 'arr' content (Array) matched the rule '4'.
diff --git a/src/tests/disabled_functions_param_int.phpt b/src/tests/disabled_functions_param_int.phpt
new file mode 100644
index 0000000..3b2cc08
--- /dev/null
+++ b/src/tests/disabled_functions_param_int.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_int.ini
+--FILE--
+<?php
+function foobar($id) {
+  echo $id."\n";
+}
+foobar(1);
+foobar(42);
+foobar(1337);
+foobar(13374242);
+foobar(0x2A);
+foobar("10");
+?>
+--EXPECTF--
+1
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foobar' in %a/tests/disabled_functions_param_int.php:3 has been disabled, because its argument 'id' content (42) matched a rule.
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foobar' in %a/tests/disabled_functions_param_int.php:3 has been disabled, because its argument 'id' content (1337) matched a rule.
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foobar' in %a/tests/disabled_functions_param_int.php:3 has been disabled, because its argument 'id' content (13374242) matched a rule.
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'foobar' in %a/tests/disabled_functions_param_int.php:3 has been disabled, because its argument 'id' content (42) matched a rule.
+10
diff --git a/src/tests/disabled_functions_param_r.phpt b/src/tests/disabled_functions_param_r.phpt
new file mode 100644
index 0000000..3708881
--- /dev/null
+++ b/src/tests/disabled_functions_param_r.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_r.ini
+--FILE--
+<?php 
+system("id");
+system("echo win");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_param_r.php:2 has been disabled, because its argument 'command' content (id) matched a rule.
+win
diff --git a/src/tests/disabled_functions_param_str_representation.phpt b/src/tests/disabled_functions_param_str_representation.phpt
new file mode 100644
index 0000000..7cbdc0f
--- /dev/null
+++ b/src/tests/disabled_functions_param_str_representation.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Disable functions - casting various types to string internally
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_str_representation.ini
+--FILE--
+<?php 
+echo var_export(true) . "\n";
+echo var_export(false) . "\n";
+echo var_export(null) . "\n";
+echo var_export(1) . "\n";
+echo var_export(1.0) . "\n";
+function f(&$a) {
+        echo var_export($a) . "\n";
+}
+$a = 123; f($a);
+?>
+--EXPECTF--
+true
+false
+NULL
+1
+1.0
+123
diff --git a/src/tests/disabled_functions_parse_class.phpt b/src/tests/disabled_functions_parse_class.phpt
new file mode 100644
index 0000000..af9ed88
--- /dev/null
+++ b/src/tests/disabled_functions_parse_class.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Disable functions - Parsing of an Object as a return value of a function
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret.ini
+--FILE--
+<?php 
+/*
+Because Snuffleupagus used to cast everything with the `zval_get_string` function,
+this sometimes raised exceptions, because PHP is awful.
+ */
+class Bob {
+    function a() {
+        return new StdClass;
+    }
+}
+$b = new Bob;
+echo ($b->a() instanceof StdClass)?'Y':'N';
+?>
+--EXPECT--
+Y
diff --git a/src/tests/disabled_functions_require.phpt b/src/tests/disabled_functions_require.phpt
new file mode 100644
index 0000000..1eedde4
--- /dev/null
+++ b/src/tests/disabled_functions_require.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Disable functions - Require
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_require.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+file_put_contents($dir . '/test.meh', "");
+file_put_contents($dir . '/test.bla', "");
+require $dir . '/test.meh';
+require $dir . '/test.bla';
+echo "1337";
+?>
+--XFAIL--
+PHP doesn't replace the format string, so the test is failing.
+--EXPECTF--
+[snuffleupagus][0.0.0.0][include][drop] Inclusion of a forbidden file (%a/test.bla)
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . '/test.meh');
+unlink($dir . '/test.bla');
+?>
diff --git a/src/tests/disabled_functions_ret.phpt b/src/tests/disabled_functions_ret.phpt
new file mode 100644
index 0000000..b64bf70
--- /dev/null
+++ b/src/tests/disabled_functions_ret.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Disable functions check on `ret`.
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret.ini
+--FILE--
+<?php 
+echo strpos("pouet", "p");
+echo stripos("pouet", "p");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret.php:2, because the return value (0) of the function 'strpos' matched a rule.
diff --git a/src/tests/disabled_functions_ret2.phpt b/src/tests/disabled_functions_ret2.phpt
new file mode 100644
index 0000000..b713201
--- /dev/null
+++ b/src/tests/disabled_functions_ret2.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions check on `ret`.
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret.ini
+--FILE--
+<?php 
+echo stripos("pouet", "p");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret2.php:2, because the return value (0) of the function 'stripos' matched a rule.
diff --git a/src/tests/disabled_functions_ret3.phpt b/src/tests/disabled_functions_ret3.phpt
new file mode 100644
index 0000000..d5f96d0
--- /dev/null
+++ b/src/tests/disabled_functions_ret3.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Disable functions check on `ret`.
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret.ini
+--FILE--
+<?php 
+class Bob {
+        function a() {
+        echo("We're in function `a`.\n");
+                return 1;
+        }
+}
+$b = new Bob();
+echo "`a` returned: " . $b->a() . ".\n";
+echo("We're at the end of the execution.\n");
+?>
+--EXPECTF--
+We're in function `a`.
+`a` returned: 1.
+We're at the end of the execution.
+\ No newline at end of file
diff --git a/src/tests/disabled_functions_ret_allow.phpt b/src/tests/disabled_functions_ret_allow.phpt
new file mode 100644
index 0000000..1690995
--- /dev/null
+++ b/src/tests/disabled_functions_ret_allow.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Disable functions check on `ret`.
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_ret_allow.ini
+--FILE--
+<?php 
+echo strpos("pouet", "p");
+echo stripos("pouet", "p");
+?>
+--EXPECT--
+00
+\ No newline at end of file
diff --git a/src/tests/disabled_functions_ret_allow_value.phpt b/src/tests/disabled_functions_ret_allow_value.phpt
new file mode 100644
index 0000000..881a006
--- /dev/null
+++ b/src/tests/disabled_functions_ret_allow_value.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions check on `ret` allowed
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_ret_allow_value.ini
+--FILE--
+<?php 
+echo strpos("pouet", "p");
+?>
+--EXPECT--
+0
diff --git a/src/tests/disabled_functions_ret_right_hash.phpt b/src/tests/disabled_functions_ret_right_hash.phpt
new file mode 100644
index 0000000..e0d8b5b
--- /dev/null
+++ b/src/tests/disabled_functions_ret_right_hash.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_ret_right_hash.ini
+--FILE--
+<?php 
+system("echo $((1 + 1336))");
+?>
+--EXPECTF--
+1337
diff --git a/src/tests/disabled_functions_ret_simulation.phpt b/src/tests/disabled_functions_ret_simulation.phpt
new file mode 100644
index 0000000..58af3a9
--- /dev/null
+++ b/src/tests/disabled_functions_ret_simulation.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions check on `ret` simulation
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_ret_simulation.ini
+--FILE--
+<?php 
+echo strpos("pouet", "p") . "\n";
+echo stripos("pouet", "p") . "\n";
+strcmp("p", "p") . "\n";
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][notice] The execution has been aborted in %a/disabled_functions_ret_simulation.php:2, because the return value (0) of the function 'strpos' matched a rule.
+0
+[snuffleupagus][0.0.0.0][disabled_function][notice] The execution has been aborted in %a/disabled_functions_ret_simulation.php:3, because the function 'stripos' returned '0', which matched the rule '1'.
+0
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_simulation.php:4, because the return value (0) of the function 'strcmp' matched a rule.
diff --git a/src/tests/disabled_functions_ret_type.phpt b/src/tests/disabled_functions_ret_type.phpt
new file mode 100644
index 0000000..f1c6e4c
--- /dev/null
+++ b/src/tests/disabled_functions_ret_type.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Disable functions check on `ret` by type matching on boolean
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret_type.ini
+--FILE--
+<?php 
+echo strpos("pouet", "p") . "\n";
+echo "1337\n";
+echo strpos("pouet", "123");
+?>
+--EXPECTF--
+0
+1337
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/tests/disabled_functions_ret_type.php:%d, because the function 'strpos' returned 'FALSE', which matched the rule 'Return value is FALSE'.
diff --git a/src/tests/disabled_functions_ret_type_double.phpt b/src/tests/disabled_functions_ret_type_double.phpt
new file mode 100644
index 0000000..b7942e1
--- /dev/null
+++ b/src/tests/disabled_functions_ret_type_double.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions check on `ret` by type matching (double).
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret_type_double.ini
+--FILE--
+<?php 
+echo cos(0.5) . "\n";
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_type_double.php:%d, because the function 'cos' returned '0.877583', which matched the rule 'Return value is a double'.
diff --git a/src/tests/disabled_functions_ret_type_long.phpt b/src/tests/disabled_functions_ret_type_long.phpt
new file mode 100644
index 0000000..b841c64
--- /dev/null
+++ b/src/tests/disabled_functions_ret_type_long.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions check on `ret` by type matching (long).
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret_type_long.ini
+--FILE--
+<?php 
+echo strlen("pouet") . "\n";
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_type_long.php:%d, because the function 'strlen' returned '5', which matched the rule 'Return value is a long'.
diff --git a/src/tests/disabled_functions_ret_type_resource.phpt b/src/tests/disabled_functions_ret_type_resource.phpt
new file mode 100644
index 0000000..4ceb610
--- /dev/null
+++ b/src/tests/disabled_functions_ret_type_resource.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions check on `ret` by type matching (resource).
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret_type_resource.ini
+--FILE--
+<?php 
+echo fopen("/etc/passwd", "r");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_type_resource.php:2, because the function 'fopen' returned 'RESOURCE', which matched the rule 'Return value is a resource'.
diff --git a/src/tests/disabled_functions_ret_type_str.phpt b/src/tests/disabled_functions_ret_type_str.phpt
new file mode 100644
index 0000000..8c48b1d
--- /dev/null
+++ b/src/tests/disabled_functions_ret_type_str.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions check on `ret` by type matching (string).
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret_type_str.ini
+--FILE--
+<?php 
+echo substr("pouet", 3) . "\n";
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_type_str.php:%d, because the function 'substr' returned 'et', which matched the rule 'Return value is a string'.
diff --git a/src/tests/disabled_functions_ret_type_true.phpt b/src/tests/disabled_functions_ret_type_true.phpt
new file mode 100644
index 0000000..a5eae38
--- /dev/null
+++ b/src/tests/disabled_functions_ret_type_true.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Disable functions check on `ret` by type matching (true).
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_ret_type_true.ini
+--FILE--
+<?php 
+var_dump(is_numeric("pouet")) . "\n";
+echo "1337\n";
+echo is_numeric("1234") . "\n";
+?>
+--EXPECTF--
+bool(false)
+1337
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_type_true.php:%d, because the function 'is_numeric' returned 'TRUE', which matched the rule 'Return value is a true'.
diff --git a/src/tests/disabled_functions_ret_val.phpt b/src/tests/disabled_functions_ret_val.phpt
new file mode 100644
index 0000000..8a02b29
--- /dev/null
+++ b/src/tests/disabled_functions_ret_val.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions ret val
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_retval.ini
+--FILE--
+<?php 
+echo str_repeat("fufu",1)."\n";
+echo str_repeat("fufufu",1);
+?>
+--EXPECTF--
+fufu
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_val.php:3, because the return value (fufufu) of the function 'str_repeat' matched a rule.
diff --git a/src/tests/disabled_functions_ret_val_rx.phpt b/src/tests/disabled_functions_ret_val_rx.phpt
new file mode 100644
index 0000000..1054b70
--- /dev/null
+++ b/src/tests/disabled_functions_ret_val_rx.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions ret val rx
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_retval_rx.ini
+--FILE--
+<?php 
+echo str_repeat("fufu",1)."\n";
+echo str_repeat("fufufu",1);
+?>
+--EXPECTF--
+fufu
+[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in %a/disabled_functions_ret_val_rx.php:3, because the return value (fufufu) of the function 'str_repeat' matched a rule.
diff --git a/src/tests/disabled_functions_right_hash.phpt b/src/tests/disabled_functions_right_hash.phpt
new file mode 100644
index 0000000..f3c5fb3
--- /dev/null
+++ b/src/tests/disabled_functions_right_hash.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_right_hash.ini
+--FILE--
+<?php 
+system("echo $((1 + 1336))");
+?>
+--EXPECTF--
+1337
diff --git a/src/tests/disabled_functions_runtime.phpt b/src/tests/disabled_functions_runtime.phpt
new file mode 100644
index 0000000..1c6a141
--- /dev/null
+++ b/src/tests/disabled_functions_runtime.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Disable functions - runtime inclusion
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_param_runtime.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<?php function test($param) { echo $param . "\n"; }';
+file_put_contents('file_to_include1.php', $content);
+file_put_contents('file_to_include2.php', $content);
+if (rand() % 2) {
+    include "file_to_include1.php";
+} else {
+    include "file_to_include2.php";
+}
+test('1338');test('1337');
+?>
+--EXPECTF--
+1338
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'test' in %a has been disabled, because its argument 'param' content (1337) matched a rule.
+--CLEAN--
+<?php
+unlink("file_to_include1.php");
+unlink("file_to_include2.php");
+?>
diff --git a/src/tests/disabled_functions_zero_cidr.phpt b/src/tests/disabled_functions_zero_cidr.phpt
new file mode 100644
index 0000000..35d187a
--- /dev/null
+++ b/src/tests/disabled_functions_zero_cidr.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_zero_cidr.ini
+--FILE--
+<?php
+system("echo 42");
+printf("1337");
+?>
+--EXPECTF--
+[snuffleupagus][127.0.0.1][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_zero_cidr.php:2 has been disabled.
+1337
diff --git a/src/tests/disabled_option.phpt b/src/tests/disabled_option.phpt
new file mode 100644
index 0000000..8bc7e39
--- /dev/null
+++ b/src/tests/disabled_option.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Harden rand
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_rand_harden_disabled.ini
+--FILE--
+<?php 
+srand(0);
+echo rand(0,100)."\n";
+srand(0);
+echo rand(0,100)."\n";
+?>
+--EXPECT--
+84
+84
diff --git a/src/tests/disabled_user_functions.phpt b/src/tests/disabled_user_functions.phpt
new file mode 100644
index 0000000..8952d43
--- /dev/null
+++ b/src/tests/disabled_user_functions.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Disabled user-created functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_user_functions.ini
+--FILE--
+<?php 
+function my_super_function() {
+        echo 1;
+}
+my_super_function();
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'my_super_function' in %a/tests/disabled_user_functions.php:3 has been disabled.
diff --git a/src/tests/dump_request.phpt b/src/tests/dump_request.phpt
new file mode 100644
index 0000000..a752def
--- /dev/null
+++ b/src/tests/dump_request.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Dump request
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) {
+    print "skip";
+} 
+foreach (glob("./tests/dump_results/*.dump") as $dump) {
+    unlink($dump);
+}
+rmdir("./tests/dump_results/");
+?>
+--POST--
+post_a=data_post_a&post_b=data_post_b
+--GET--
+get_a=data_get_a&get_b=data_get_b
+--COOKIE--
+cookie_a=data_cookie_a&cookie_b=data_cookie_b
+--INI--
+sp.configuration_file={PWD}/config/dump_request.ini
+--FILE--
+<?php
+mkdir("./dump_results/");
+echo "1\n";
+echo system("echo 1337;");
+$filename = glob('./dump_results/*.dump')[0];
+$res = file($filename);
+if ($res[1] != "GET:get_a=data_get_a&get_b=data_get_b\n") {
+    echo "1\n";
+} elseif ($res[2] != "POST:post_a=data_post_a&post_b=data_post_b\n") {
+    echo "2\n";
+} elseif ($res[3] != "COOKIE:cookie_a=data_cookie_a&cookie_b=data_cookie_b\n") {
+    echo "3\n";
+}
+?>
+--EXPECTF--
+1
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/dump_request.php:%d has been disabled.
diff --git a/src/tests/dump_request_invalid_folder.phpt b/src/tests/dump_request_invalid_folder.phpt
new file mode 100644
index 0000000..b866f70
--- /dev/null
+++ b/src/tests/dump_request_invalid_folder.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Dump request - invalid folder.
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { print "skip"; } 
+?>
+--POST--
+post_a=data_post_a&post_b=data_post_b
+--GET--
+get_a=data_get_a&get_b=data_get_b
+--COOKIE--
+cookie_a=data_cookie_a&cookie_b=data_cookie_b
+--INI--
+sp.configuration_file={PWD}/config/dump_request_invalid_folder.ini
+--FILE--
+<?php
+echo "1\n";
+echo system("echo 1337;");
+echo "2\n";
+?>
+--EXPECTF--
+1
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %atests/dump_request_invalid_folder.php:3 has been disabled.
+[snuffleupagus][0.0.0.0][request_logging][error] Unable to open /root/NON_EXISTENT/FOLDER/PLEASE/sp_dump_%a_0.0.0.0.dump
+2
+\ No newline at end of file
diff --git a/src/tests/dump_request_too_big.phpt b/src/tests/dump_request_too_big.phpt
new file mode 100644
index 0000000..81eb71c
--- /dev/null
+++ b/src/tests/dump_request_too_big.phpt
@@ -0,0 +1,42 @@
+--TEST--
+Dump request -- to big, so it's truncated.
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) {
+    print "skip";
+} 
+foreach (glob("./tests/dump_results/*.dump") as $dump) {
+    unlink($dump);
+}
+rmdir("./tests/dump_results/");
+?>
+--POST--
+post_a=data_post_a&post_b=data_post_b&post_c=c
+--GET--
+get_a=data_get_a&get_b=data_get_b&get_c=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaBBBB
+--COOKIE--
+cookie_a=data_cookie_a&cookie_b=data_cookie_b&data_cookie_c=cookie_c
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+sp.configuration_file={PWD}/config/dump_request.ini
+--FILE--
+<?php
+echo "1\n";
+echo system("echo 1337;");
+$filename = glob('./dump_results/*.dump')[0];
+$res = file($filename);
+if ($res[1] != "GET:get_a=data_get_a&get_b=data_get_b&get_c=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n") {
+    echo "1\n";
+} elseif ($res[2] != "POST:post_a=data_post_a&post_b=data_post_b&post_c=c\n") {
+    echo "2\n";
+} elseif ($res[3] != "COOKIE:cookie_a=data_cookie_a&cookie_b=data_cookie_b&data_cookie_c=cookie_c\n") {
+    echo "3\n";
+}
+?>
+--EXPECTF--
+1
+[snuffleupagus][127.0.0.1][disabled_function][drop] The call to the function 'system' in %a/dump_request_too_big.php:%d has been disabled.
diff --git a/src/tests/empty_conf.phpt b/src/tests/empty_conf.phpt
new file mode 100644
index 0000000..411c817
--- /dev/null
+++ b/src/tests/empty_conf.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Empty configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/empty_conf.ini
+--FILE--
+--EXPECT--
diff --git a/src/tests/encrypt_cookies.phpt b/src/tests/encrypt_cookies.phpt
new file mode 100644
index 0000000..f8bf64f
--- /dev/null
+++ b/src/tests/encrypt_cookies.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Cookie decryption in ipv4
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEmXkk3H0xheoOMxoWPEDw1Zd8NAmD9KbB2DSjQ=%3d;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(11) "super_value"
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_cookies2.phpt b/src/tests/encrypt_cookies2.phpt
new file mode 100644
index 0000000..be4c990
--- /dev/null
+++ b/src/tests/encrypt_cookies2.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption in ipv4
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+setcookie("super_cookie", "super_value");
+setcookie("awful_cookie", "awful_value");
+setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true);
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/src/tests/encrypt_cookies3.phpt b/src/tests/encrypt_cookies3.phpt
new file mode 100644
index 0000000..c85c5dc
--- /dev/null
+++ b/src/tests/encrypt_cookies3.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie decryption with ipv6
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJNTUge7MpiVNi4q3DqstbcumllXBir0CbIQiDI%3D;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(11) "super_value"
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_cookies4.phpt b/src/tests/encrypt_cookies4.phpt
new file mode 100644
index 0000000..14d737a
--- /dev/null
+++ b/src/tests/encrypt_cookies4.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption in ipv6
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+setcookie("super_cookie", "super_value");
+setcookie("awful_cookie", "awful_value");
+setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true);
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/src/tests/encrypt_cookies_invalid_decryption.phpt b/src/tests/encrypt_cookies_invalid_decryption.phpt
new file mode 100644
index 0000000..a5187c1
--- /dev/null
+++ b/src/tests/encrypt_cookies_invalid_decryption.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=jWjORGsgZyqzk3WA63XZBmUoSknXWnXDfAAAAAAAAAAAAAAAAAAAAAA7LiMDfkpP94jDnMVH%2Fm41GeL0Y00q3mbOFYz%2FS9mQGySu;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(1) {
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_cookies_invalid_decryption2.phpt b/src/tests/encrypt_cookies_invalid_decryption2.phpt
new file mode 100644
index 0000000..f18cf6d
--- /dev/null
+++ b/src/tests/encrypt_cookies_invalid_decryption2.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=1337;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(1) {
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_cookies_invalid_decryption3.phpt b/src/tests/encrypt_cookies_invalid_decryption3.phpt
new file mode 100644
index 0000000..f4afc32
--- /dev/null
+++ b/src/tests/encrypt_cookies_invalid_decryption3.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Cookie encryption
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+super_cookie=;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(0) ""
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encryption_key_only.phpt b/src/tests/encryption_key_only.phpt
new file mode 100644
index 0000000..bf5edb5
--- /dev/null
+++ b/src/tests/encryption_key_only.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Encryption key only
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/encryption_key_only.ini
+--FILE--
+<?php
+echo 1337;
+?>
+--EXPECT--
+1337
diff --git a/src/tests/example_configuration.phpt b/src/tests/example_configuration.phpt
new file mode 100644
index 0000000..0bbf59c
--- /dev/null
+++ b/src/tests/example_configuration.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Shipped configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/../../config/examples.ini
+--FILE--
+<?php 
+system("echo 0");
+?>
+--EXPECTF--
+0
diff --git a/src/tests/global_strict.phpt b/src/tests/global_strict.phpt
new file mode 100644
index 0000000..e06721c
--- /dev/null
+++ b/src/tests/global_strict.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Global strict mode
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/global_strict.ini
+--FILE--
+<?php 
+strcmp("pouet", []);
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: strcmp() expects parameter 2 to be string, array given in %a/global_strict.php:2
+Stack trace:
+#0 %a/global_strict.php(2): strcmp('pouet', Array)
+#1 {main}
+  thrown in %a/global_strict.php on line 2
diff --git a/src/tests/global_strict_disabled.phpt b/src/tests/global_strict_disabled.phpt
new file mode 100644
index 0000000..ca3ddfa
--- /dev/null
+++ b/src/tests/global_strict_disabled.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Global strict mode
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/global_strict_disabled.ini
+--FILE--
+<?php 
+strcmp("pouet", []);
+echo 1337;
+?>
+--EXPECTF--
+Warning: strcmp() expects parameter 2 to be string, array given in %a/global_strict_disabled.php on line 2
+1337
diff --git a/src/tests/harden_mt_rand.phpt b/src/tests/harden_mt_rand.phpt
new file mode 100644
index 0000000..8887613
--- /dev/null
+++ b/src/tests/harden_mt_rand.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Harden mt_rand
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/harden_rand.ini
+--FILE--
+<?php 
+mt_srand(0);
+$a = mt_rand(0,100)."\n";
+$b = mt_rand(0,100)."\n";
+mt_srand(0);
+$c = mt_rand(0,100)."\n";
+$d = mt_rand(0,100)."\n";
+if ($a == $c && $b == $d)
+        echo 'lose';
+else
+        echo 'win';
+?>
+--EXPECT--
+win
diff --git a/src/tests/harden_rand.phpt b/src/tests/harden_rand.phpt
new file mode 100644
index 0000000..391bccc
--- /dev/null
+++ b/src/tests/harden_rand.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Harden rand
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/harden_rand.ini
+--FILE--
+<?php 
+srand(0);
+$a = rand(0,100)."\n";
+$b = rand(0,100)."\n";
+srand(0);
+$c = rand(0,100)."\n";
+$d = rand(0,100)."\n";
+rand(100,0)."\n";
+if ($a == $c && $b == $d)
+        echo 'fail';
+else
+        echo 'win';
+?>
+--EXPECT--
+win
diff --git a/src/tests/harden_rand_noargs.phpt b/src/tests/harden_rand_noargs.phpt
new file mode 100644
index 0000000..643a453
--- /dev/null
+++ b/src/tests/harden_rand_noargs.phpt
@@ -0,0 +1,62 @@
+--TEST--
+Harden rand without any arguments
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/harden_rand.ini
+We should fix this
+--FILE--
+<?php 
+rand();
+mt_rand();
+rand(1);
+mt_rand(1);
+rand(1, 2);
+mt_rand(1, 2);
+rand(2, 1);
+mt_rand(2, 1);
+rand(2, 1, 0);
+mt_rand(2, 1, 0);
+rand("test", 1);
+mt_rand("test", 1);
+rand(1, "test");
+mt_rand(1, "test");
+rand(1, 2, "test");
+mt_rand(1, 2, "test");
+echo "Everything is fine\n";
+echo "Absolutely everything\n";
+echo 'Even with single quotes';
+?>
+--EXPECTF--
+Warning: rand() expects exactly 2 parameters, 1 given in %s/tests/harden_rand_noargs.php on line %d
+Warning: mt_rand() expects exactly 2 parameters, 1 given in %s/tests/harden_rand_noargs.php on line %d
+Warning: mt_rand(): max(1) is smaller than min(2) in %s/tests/harden_rand_noargs.php on line %d
+Warning: rand() expects exactly 2 parameters, 3 given in %s/tests/harden_rand_noargs.php on line %d
+Warning: mt_rand() expects exactly 2 parameters, 3 given in %s/tests/harden_rand_noargs.php on line %d
+Warning: rand() expects parameter 1 to be integer, string given in %s/tests/harden_rand_noargs.php on line %d
+Warning: mt_rand() expects parameter 1 to be integer, string given in %s/tests/harden_rand_noargs.php on line %d
+Warning: rand() expects parameter 2 to be integer, string given in %s/tests/harden_rand_noargs.php on line %d
+Warning: mt_rand() expects parameter 2 to be integer, string given in %s/tests/harden_rand_noargs.php on line %d
+Warning: rand() expects exactly 2 parameters, 3 given in %s/tests/harden_rand_noargs.php on line %d
+Warning: mt_rand() expects exactly 2 parameters, 3 given in %s/tests/harden_rand_noargs.php on line %d
+Everything is fine
+Absolutely everything
+Even with single quotes
diff --git a/src/tests/inexistent_conf_file.phpt b/src/tests/inexistent_conf_file.phpt
new file mode 100644
index 0000000..c7c3fcd
--- /dev/null
+++ b/src/tests/inexistent_conf_file.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Check for snuffleupagus presence
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/unexistent_configuration_file.ini
+--FILE--
+<?php ?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][config][error] Could not open configuration file %a/tests/config/unexistent_configuration_file.ini : No such file or directory
diff --git a/src/tests/loading.phpt b/src/tests/loading.phpt
new file mode 100644
index 0000000..25e2e17
--- /dev/null
+++ b/src/tests/loading.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Check for snuffleupagus presence
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--FILE--
+<?php 
+echo "snuffleupagus extension is available";
+?>
+--EXPECT--
+snuffleupagus extension is available
diff --git a/src/tests/noncore_function_hooking.phpt b/src/tests/noncore_function_hooking.phpt
new file mode 100644
index 0000000..106123c
--- /dev/null
+++ b/src/tests/noncore_function_hooking.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Hooking of user-defined functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_noncore_function_hooking.ini
+--FILE--
+<?php 
+function custom_fun($a) {
+        echo $a;
+}
+custom_fun("hello");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'custom_fun' in %a/tests/noncore_function_hooking.php:3 has been disabled.
diff --git a/src/tests/phpinfo_presence.phpt b/src/tests/phpinfo_presence.phpt
new file mode 100644
index 0000000..35ed0ed
--- /dev/null
+++ b/src/tests/phpinfo_presence.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Unserialize fail
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_serialize.ini
+--FILE--
+<?php 
+ob_start () ;
+phpinfo () ;
+$pinfo = ob_get_contents () ;
+ob_end_clean () ;
+if (strstr($pinfo, "snuffleupagus") !== FALSE) 
+        echo 1;
+else
+        echo 2;
+?>
+--EXPECT--
+1
diff --git a/src/tests/serialize.phpt b/src/tests/serialize.phpt
new file mode 100644
index 0000000..e93dbaf
--- /dev/null
+++ b/src/tests/serialize.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Test serialize hmac
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_serialize.ini
+--FILE--
+<?php 
+echo serialize("a");
+?>
+--EXPECT--
+s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1
diff --git a/src/tests/setcookie.phpt b/src/tests/setcookie.phpt
new file mode 100644
index 0000000..ba1d1c1
--- /dev/null
+++ b/src/tests/setcookie.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Set cookies.
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+setcookie("name");
+setcookie("super_cookie");
+setcookie("name", "value");
+setcookie("name", "value1", 1);
+setcookie("name", "value2", 0);
+setcookie("name", "value", 1, "/super/path");
+setcookie("name", "value", 1, "/super/path", "super_domain");
+setcookie("name", "value", 1, "/super/path", "super_domain1", true);
+setcookie("name", "value", 1, "/super/path", "super_domain2", false);
+setcookie("name", "value", 1, "/super/path", "super_domain1", true, true);
+setcookie("name", "value", 1, "/super/path", "super_domain2", true, false);
+setcookie("name", "value", 1, "/super/path", "super_domain2", true, false, 1337);
+setcookie();
+echo '1337';
+?>
+--EXPECTF--
+Warning: setcookie() expects at most 7 parameters, 8 given in %a/setcookie.php on line %d
+Warning: setcookie() expects at least 1 parameter, 0 given in %a/setcookie.php on line %d
+1337
diff --git a/src/tests/shipped_configuration.phpt b/src/tests/shipped_configuration.phpt
new file mode 100644
index 0000000..c060a85
--- /dev/null
+++ b/src/tests/shipped_configuration.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Shipped configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/../../config/default.ini
+--FILE--
+<?php 
+system("echo 0");
+?>
+--EXPECTF--
+0
diff --git a/src/tests/unserialize.phpt b/src/tests/unserialize.phpt
new file mode 100644
index 0000000..b1db915
--- /dev/null
+++ b/src/tests/unserialize.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Unserialize ok
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_serialize.ini
+--FILE--
+<?php 
+$a=serialize("a");
+var_dump(unserialize($a));
+?>
+--EXPECT--
+string(1) "a"
diff --git a/src/tests/unserialize_fail.phpt b/src/tests/unserialize_fail.phpt
new file mode 100644
index 0000000..5c0bb80
--- /dev/null
+++ b/src/tests/unserialize_fail.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Unserialize fail
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_serialize.ini
+--FILE--
+<?php 
+var_dump(unserialize('s:1:"a";'));
+var_dump(unserialize('s:1:"a";alyualskdufyhalkdjsfhalkjdhflaksjdfhlkasdhflkahdawkuerylksjdfhlkssjgdflaksjdhflkasjdf'));
+var_dump(unserialize('s:1:"a";dslfjklfjfkjfdjffjfjads'));
+var_dump(unserialize(1,2,3,4));
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][unserialize][drop] The serialized object is too small.
+bool(false)
+[snuffleupagus][0.0.0.0][unserialize][drop] Invalid HMAC for s:1:"a";alyualskdufyhalkdjsfh
+NULL
+[snuffleupagus][0.0.0.0][unserialize][drop] The serialized object is too small.
+bool(false)
+Warning: unserialize() expects at most 2 parameters, 4 given in %a/tests/unserialize_fail.php on line %d
+bool(false)
+\ No newline at end of file
diff --git a/src/tests/unserialize_sim.phpt b/src/tests/unserialize_sim.phpt
new file mode 100644
index 0000000..8ebf64d
--- /dev/null
+++ b/src/tests/unserialize_sim.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Unserialize ok
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_serialize_sim.ini
+--FILE--
+<?php 
+$a=serialize("a");
+echo $a;
+var_dump(unserialize($a));
+var_dump(unserialize('s:1:"a";alyualskdufyhalkdjsfhalkjdhflaksjdfhlkasdhflkahdawkuerylksjdfhlkssjgdflaksjdh1337sjdf'));
+?>
+--EXPECT--
+s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1string(1) "a"
+[snuffleupagus][0.0.0.0][unserialize][notice] Invalid HMAC for s:1:"a";alyualskdufyhalkdjsfh
+string(1) "a"
diff --git a/src/tests/upload_validation.phpt b/src/tests/upload_validation.phpt
new file mode 100644
index 0000000..c802c16
--- /dev/null
+++ b/src/tests/upload_validation.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Upload a file, validation ok, no simulation
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation.ini
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+--blabla--
+--FILE--
+<?php
+echo 1;
+?>
+--EXPECTF--
+1
diff --git a/src/tests/upload_validation_invalid.phpt b/src/tests/upload_validation_invalid.phpt
new file mode 100644
index 0000000..f8c993b
--- /dev/null
+++ b/src/tests/upload_validation_invalid.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Upload a file, invalid validation script
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_invalid.ini
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+--blabla--
+--FILE--
+<?php
+echo 1;
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][upload_validation][error] Could not call './tests/data/upload_invalid.sh' : Exec format error
+[snuffleupagus][0.0.0.0][upload_valiation][drop] The upload of test.php on ? was rejected.
diff --git a/src/tests/upload_validation_ko.phpt b/src/tests/upload_validation_ko.phpt
new file mode 100644
index 0000000..cf4057a
--- /dev/null
+++ b/src/tests/upload_validation_ko.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Upload a file, validation ko, no simulation
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_ko.ini
+output_buffering=off
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+--blabla--
+--FILE--
+--EXPECTF--
+[snuffleupagus][0.0.0.0][upload_valiation][drop] The upload of test.php on ? was rejected.
diff --git a/src/tests/upload_validation_no_exec.phpt b/src/tests/upload_validation_no_exec.phpt
new file mode 100644
index 0000000..90a58da
--- /dev/null
+++ b/src/tests/upload_validation_no_exec.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Upload a file, validation script not executable
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_non_exec.ini
+output_buffering=off
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+--blabla--
+--FILE--
+<?php
+var_dump($_FILES);
+echo "\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
+?>
+--EXPECTF--
+array(1) {
+  ["test"]=>
+  array(5) {
+    ["name"]=>
+    string(8) "test.php"
+    ["type"]=>
+    string(0) ""
+    ["tmp_name"]=>
+    string(0) ""
+    ["error"]=>
+    int(3)
+    ["size"]=>
+    int(0)
+  }
+}
diff --git a/src/tests/upload_validation_nocrash.phpt b/src/tests/upload_validation_nocrash.phpt
new file mode 100644
index 0000000..6fa50d0
--- /dev/null
+++ b/src/tests/upload_validation_nocrash.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Upload validation isn't crashing
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_ok.ini
+output_buffering=off
+--FILE--
+<?php
+echo 1;
+?>
+--EXPECTF--
+1
diff --git a/src/tests/upload_validation_ok.phpt b/src/tests/upload_validation_ok.phpt
new file mode 100644
index 0000000..f9b5015
--- /dev/null
+++ b/src/tests/upload_validation_ok.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Upload a file, validation ok, no simulation
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_ok.ini
+output_buffering=off
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+--blabla--
+--FILE--
+<?php
+echo 1;
+?>
+--EXPECTF--
+1
diff --git a/src/tweetnacl.c b/src/tweetnacl.c
new file mode 100644
index 0000000..937e879
--- /dev/null
+++ b/src/tweetnacl.c
@@ -0,0 +1,842 @@
+#include "tweetnacl.h"
+#define FOR(i,n) for (i = 0;i < n;++i)
+#define sv static void
+typedef unsigned char u8;
+typedef unsigned long u32;
+typedef unsigned long long u64;
+typedef long long i64;
+typedef i64 gf[16];
+/* it's really stupid that there isn't a syscall for this */
+static int fd = -1;
+void randombytes(unsigned char *x,unsigned long long xlen)
+{
+  int i;
+  if (fd == -1) {
+    for (;;) {
+      fd = open("/dev/urandom",O_RDONLY);
+      if (fd != -1) break;
+      sleep(1);
+    }
+  }
+  while (xlen > 0) {
+    if (xlen < 1048576) i = xlen; else i = 1048576;
+    i = read(fd,x,i);
+    if (i < 1) {
+      sleep(1);
+      continue;
+    }
+    x += i;
+    xlen -= i;
+  }
+}
+static const u8
+  _0[16],
+  _9[32] = {9};
+static const gf
+  gf0,
+  gf1 = {1},
+  _121665 = {0xDB41,1},
+  D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
+  D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
+  X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
+  Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
+  I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
+static u32 L32(u32 x,int c) { return (x << c) | ((x&0xffffffff) >> (32 - c)); }
+static u32 ld32(const u8 *x)
+{
+  u32 u = x[3];
+  u = (u<<8)|x[2];
+  u = (u<<8)|x[1];
+  return (u<<8)|x[0];
+}
+static u64 dl64(const u8 *x)
+{
+  u64 i,u=0;
+  FOR(i,8) u=(u<<8)|x[i];
+  return u;
+}
+sv st32(u8 *x,u32 u)
+{
+  int i;
+  FOR(i,4) { x[i] = u; u >>= 8; }
+}
+sv ts64(u8 *x,u64 u)
+{
+  int i;
+  for (i = 7;i >= 0;--i) { x[i] = u; u >>= 8; }
+}
+static int vn(const u8 *x,const u8 *y,int n)
+{
+  int i = 0;
+  u32 d = 0;
+  FOR(i,n) d |= x[i]^y[i];
+  return (1 & ((d - 1) >> 8)) - 1;
+}
+int crypto_verify_16(const u8 *x,const u8 *y)
+{
+  return vn(x,y,16);
+}
+int crypto_verify_32(const u8 *x,const u8 *y)
+{
+  return vn(x,y,32);
+}
+sv core(u8 *out,const u8 *in,const u8 *k,const u8 *c,int h)
+{
+  u32 w[16],x[16],y[16],t[4];
+  int i,j,m;
+  FOR(i,4) {
+    x[5*i] = ld32(c+4*i);
+    x[1+i] = ld32(k+4*i);
+    x[6+i] = ld32(in+4*i);
+    x[11+i] = ld32(k+16+4*i);
+  }
+  FOR(i,16) y[i] = x[i];
+  FOR(i,20) {
+    FOR(j,4) {
+      FOR(m,4) t[m] = x[(5*j+4*m)%16];
+      t[1] ^= L32(t[0]+t[3], 7);
+      t[2] ^= L32(t[1]+t[0], 9);
+      t[3] ^= L32(t[2]+t[1],13);
+      t[0] ^= L32(t[3]+t[2],18);
+      FOR(m,4) w[4*j+(j+m)%4] = t[m];
+    }
+    FOR(m,16) x[m] = w[m];
+  }
+  if (h) {
+    FOR(i,16) x[i] += y[i];
+    FOR(i,4) {
+      x[5*i] -= ld32(c+4*i);
+      x[6+i] -= ld32(in+4*i);
+    }
+    FOR(i,4) {
+      st32(out+4*i,x[5*i]);
+      st32(out+16+4*i,x[6+i]);
+    }
+  } else
+    FOR(i,16) st32(out + 4 * i,x[i] + y[i]);
+}
+int crypto_core_salsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c)
+{
+  core(out,in,k,c,0);
+  return 0;
+}
+int crypto_core_hsalsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c)
+{
+  core(out,in,k,c,1);
+  return 0;
+}
+static const u8 sigma[16] = "expand 32-byte k";
+int crypto_stream_salsa20_xor(u8 *c,const u8 *m,u64 b,const u8 *n,const u8 *k)
+{
+  u8 z[16],x[64];
+  u32 u,i;
+  if (!b) return 0;
+  FOR(i,16) z[i] = 0;
+  FOR(i,8) z[i] = n[i];
+  while (b >= 64) {
+    crypto_core_salsa20(x,z,k,sigma);
+    FOR(i,64) c[i] = (m?m[i]:0) ^ x[i];
+    u = 1;
+    for (i = 8;i < 16;++i) {
+      u += (u32) z[i];
+      z[i] = u;
+      u >>= 8;
+    }
+    b -= 64;
+    c += 64;
+    if (m) m += 64;
+  }
+  if (b) {
+    crypto_core_salsa20(x,z,k,sigma);
+    FOR(i,b) c[i] = (m?m[i]:0) ^ x[i];
+  }
+  return 0;
+}
+int crypto_stream_salsa20(u8 *c,u64 d,const u8 *n,const u8 *k)
+{
+  return crypto_stream_salsa20_xor(c,0,d,n,k);
+}
+int crypto_stream(u8 *c,u64 d,const u8 *n,const u8 *k)
+{
+  u8 s[32];
+  crypto_core_hsalsa20(s,n,k,sigma);
+  return crypto_stream_salsa20(c,d,n+16,s);
+}
+int crypto_stream_xor(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k)
+{
+  u8 s[32];
+  crypto_core_hsalsa20(s,n,k,sigma);
+  return crypto_stream_salsa20_xor(c,m,d,n+16,s);
+}
+sv add1305(u32 *h,const u32 *c)
+{
+  u32 j,u = 0;
+  FOR(j,17) {
+    u += h[j] + c[j];
+    h[j] = u & 255;
+    u >>= 8;
+  }
+}
+static const u32 minusp[17] = {
+  5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252
+} ;
+int crypto_onetimeauth(u8 *out,const u8 *m,u64 n,const u8 *k)
+{
+  u32 s,i,j,u,x[17],r[17],h[17],c[17],g[17];
+  FOR(j,17) r[j]=h[j]=0;
+  FOR(j,16) r[j]=k[j];
+  r[3]&=15;
+  r[4]&=252;
+  r[7]&=15;
+  r[8]&=252;
+  r[11]&=15;
+  r[12]&=252;
+  r[15]&=15;
+  while (n > 0) {
+    FOR(j,17) c[j] = 0;
+    for (j = 0;(j < 16) && (j < n);++j) c[j] = m[j];
+    c[j] = 1;
+    m += j; n -= j;
+    add1305(h,c);
+    FOR(i,17) {
+      x[i] = 0;
+      FOR(j,17) x[i] += h[j] * ((j <= i) ? r[i - j] : 320 * r[i + 17 - j]);
+    }
+    FOR(i,17) h[i] = x[i];
+    u = 0;
+    FOR(j,16) {
+      u += h[j];
+      h[j] = u & 255;
+      u >>= 8;
+    }
+    u += h[16]; h[16] = u & 3;
+    u = 5 * (u >> 2);
+    FOR(j,16) {
+      u += h[j];
+      h[j] = u & 255;
+      u >>= 8;
+    }
+    u += h[16]; h[16] = u;
+  }
+  FOR(j,17) g[j] = h[j];
+  add1305(h,minusp);
+  s = -(h[16] >> 7);
+  FOR(j,17) h[j] ^= s & (g[j] ^ h[j]);
+  FOR(j,16) c[j] = k[j + 16];
+  c[16] = 0;
+  add1305(h,c);
+  FOR(j,16) out[j] = h[j];
+  return 0;
+}
+int crypto_onetimeauth_verify(const u8 *h,const u8 *m,u64 n,const u8 *k)
+{
+  u8 x[16];
+  crypto_onetimeauth(x,m,n,k);
+  return crypto_verify_16(h,x);
+}
+int crypto_secretbox(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k)
+{
+  int i;
+  if (d < 32) return -1;
+  crypto_stream_xor(c,m,d,n,k);
+  crypto_onetimeauth(c + 16,c + 32,d - 32,c);
+  FOR(i,16) c[i] = 0;
+  return 0;
+}
+int crypto_secretbox_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k)
+{
+  int i;
+  u8 x[32];
+  if (d < 32) return -1;
+  crypto_stream(x,32,n,k);
+  if (crypto_onetimeauth_verify(c + 16,c + 32,d - 32,x) != 0) return -1;
+  crypto_stream_xor(m,c,d,n,k);
+  FOR(i,32) m[i] = 0;
+  return 0;
+}
+sv set25519(gf r, const gf a)
+{
+  int i;
+  FOR(i,16) r[i]=a[i];
+}
+sv car25519(gf o)
+{
+  int i;
+  i64 c;
+  FOR(i,16) {
+    o[i]+=(1LL<<16);
+    c=o[i]>>16;
+    o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15);
+    o[i]-=c<<16;
+  }
+}
+sv sel25519(gf p,gf q,int b)
+{
+  i64 t,i,c=~(b-1);
+  FOR(i,16) {
+    t= c&(p[i]^q[i]);
+    p[i]^=t;
+    q[i]^=t;
+  }
+}
+sv pack25519(u8 *o,const gf n)
+{
+  int i,j,b;
+  gf m,t;
+  FOR(i,16) t[i]=n[i];
+  car25519(t);
+  car25519(t);
+  car25519(t);
+  FOR(j,2) {
+    m[0]=t[0]-0xffed;
+    for(i=1;i<15;i++) {
+      m[i]=t[i]-0xffff-((m[i-1]>>16)&1);
+      m[i-1]&=0xffff;
+    }
+    m[15]=t[15]-0x7fff-((m[14]>>16)&1);
+    b=(m[15]>>16)&1;
+    m[14]&=0xffff;
+    sel25519(t,m,1-b);
+  }
+  FOR(i,16) {
+    o[2*i]=t[i]&0xff;
+    o[2*i+1]=t[i]>>8;
+  }
+}
+static int neq25519(const gf a, const gf b)
+{
+  u8 c[32],d[32];
+  pack25519(c,a);
+  pack25519(d,b);
+  return crypto_verify_32(c,d);
+}
+static u8 par25519(const gf a)
+{
+  u8 d[32];
+  pack25519(d,a);
+  return d[0]&1;
+}
+sv unpack25519(gf o, const u8 *n)
+{
+  int i;
+  FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8);
+  o[15]&=0x7fff;
+}
+sv A(gf o,const gf a,const gf b)
+{
+  int i;
+  FOR(i,16) o[i]=a[i]+b[i];
+}
+sv Z(gf o,const gf a,const gf b)
+{
+  int i;
+  FOR(i,16) o[i]=a[i]-b[i];
+}
+sv M(gf o,const gf a,const gf b)
+{
+  i64 i,j,t[31];
+  FOR(i,31) t[i]=0;
+  FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j];
+  FOR(i,15) t[i]+=38*t[i+16];
+  FOR(i,16) o[i]=t[i];
+  car25519(o);
+  car25519(o);
+}
+sv S(gf o,const gf a)
+{
+  M(o,a,a);
+}
+sv inv25519(gf o,const gf i)
+{
+  gf c;
+  int a;
+  FOR(a,16) c[a]=i[a];
+  for(a=253;a>=0;a--) {
+    S(c,c);
+    if(a!=2&&a!=4) M(c,c,i);
+  }
+  FOR(a,16) o[a]=c[a];
+}
+sv pow2523(gf o,const gf i)
+{
+  gf c;
+  int a;
+  FOR(a,16) c[a]=i[a];
+  for(a=250;a>=0;a--) {
+    S(c,c);
+    if(a!=1) M(c,c,i);
+  }
+  FOR(a,16) o[a]=c[a];
+}
+int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p)
+{
+  u8 z[32];
+  i64 x[80],r,i;
+  gf a,b,c,d,e,f;
+  FOR(i,31) z[i]=n[i];
+  z[31]=(n[31]&127)|64;
+  z[0]&=248;
+  unpack25519(x,p);
+  FOR(i,16) {
+    b[i]=x[i];
+    d[i]=a[i]=c[i]=0;
+  }
+  a[0]=d[0]=1;
+  for(i=254;i>=0;--i) {
+    r=(z[i>>3]>>(i&7))&1;
+    sel25519(a,b,r);
+    sel25519(c,d,r);
+    A(e,a,c);
+    Z(a,a,c);
+    A(c,b,d);
+    Z(b,b,d);
+    S(d,e);
+    S(f,a);
+    M(a,c,a);
+    M(c,b,e);
+    A(e,a,c);
+    Z(a,a,c);
+    S(b,a);
+    Z(c,d,f);
+    M(a,c,_121665);
+    A(a,a,d);
+    M(c,c,a);
+    M(a,d,f);
+    M(d,b,x);
+    S(b,e);
+    sel25519(a,b,r);
+    sel25519(c,d,r);
+  }
+  FOR(i,16) {
+    x[i+16]=a[i];
+    x[i+32]=c[i];
+    x[i+48]=b[i];
+    x[i+64]=d[i];
+  }
+  inv25519(x+32,x+32);
+  M(x+16,x+16,x+32);
+  pack25519(q,x+16);
+  return 0;
+}
+int crypto_scalarmult_base(u8 *q,const u8 *n)
+{ 
+  return crypto_scalarmult(q,n,_9);
+}
+int crypto_box_keypair(u8 *y,u8 *x)
+{
+  randombytes(x,32);
+  return crypto_scalarmult_base(y,x);
+}
+int crypto_box_beforenm(u8 *k,const u8 *y,const u8 *x)
+{
+  u8 s[32];
+  crypto_scalarmult(s,x,y);
+  return crypto_core_hsalsa20(k,_0,s,sigma);
+}
+int crypto_box_afternm(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k)
+{
+  return crypto_secretbox(c,m,d,n,k);
+}
+int crypto_box_open_afternm(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k)
+{
+  return crypto_secretbox_open(m,c,d,n,k);
+}
+int crypto_box(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *y,const u8 *x)
+{
+  u8 k[32];
+  crypto_box_beforenm(k,y,x);
+  return crypto_box_afternm(c,m,d,n,k);
+}
+int crypto_box_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *y,const u8 *x)
+{
+  u8 k[32];
+  crypto_box_beforenm(k,y,x);
+  return crypto_box_open_afternm(m,c,d,n,k);
+}
+static u64 R(u64 x,int c) { return (x >> c) | (x << (64 - c)); }
+static u64 Ch(u64 x,u64 y,u64 z) { return (x & y) ^ (~x & z); }
+static u64 Maj(u64 x,u64 y,u64 z) { return (x & y) ^ (x & z) ^ (y & z); }
+static u64 Sigma0(u64 x) { return R(x,28) ^ R(x,34) ^ R(x,39); }
+static u64 Sigma1(u64 x) { return R(x,14) ^ R(x,18) ^ R(x,41); }
+static u64 sigma0(u64 x) { return R(x, 1) ^ R(x, 8) ^ (x >> 7); }
+static u64 sigma1(u64 x) { return R(x,19) ^ R(x,61) ^ (x >> 6); }
+static const u64 K[80] = 
+{
+  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+  0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+  0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+  0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+  0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+  0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+  0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+  0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+  0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+  0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+  0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+  0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+  0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+  0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+int crypto_hashblocks(u8 *x,const u8 *m,u64 n)
+{
+  u64 z[8],b[8],a[8],w[16],t;
+  int i,j;
+  FOR(i,8) z[i] = a[i] = dl64(x + 8 * i);
+  while (n >= 128) {
+    FOR(i,16) w[i] = dl64(m + 8 * i);
+    FOR(i,80) {
+      FOR(j,8) b[j] = a[j];
+      t = a[7] + Sigma1(a[4]) + Ch(a[4],a[5],a[6]) + K[i] + w[i%16];
+      b[7] = t + Sigma0(a[0]) + Maj(a[0],a[1],a[2]);
+      b[3] += t;
+      FOR(j,8) a[(j+1)%8] = b[j];
+      if (i%16 == 15)
+        FOR(j,16)
+          w[j] += w[(j+9)%16] + sigma0(w[(j+1)%16]) + sigma1(w[(j+14)%16]);
+    }
+    FOR(i,8) { a[i] += z[i]; z[i] = a[i]; }
+    m += 128;
+    n -= 128;
+  }
+  FOR(i,8) ts64(x+8*i,z[i]);
+  return n;
+}
+static const u8 iv[64] = {
+  0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08,
+  0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b,
+  0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b,
+  0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1,
+  0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1,
+  0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f,
+  0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b,
+  0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79
+} ;
+int crypto_hash(u8 *out,const u8 *m,u64 n)
+{
+  u8 h[64],x[256];
+  u64 i,b = n;
+  FOR(i,64) h[i] = iv[i];
+  crypto_hashblocks(h,m,n);
+  m += n;
+  n &= 127;
+  m -= n;
+  FOR(i,256) x[i] = 0;
+  FOR(i,n) x[i] = m[i];
+  x[n] = 128;
+  n = 256-128*(n<112);
+  x[n-9] = b >> 61;
+  ts64(x+n-8,b<<3);
+  crypto_hashblocks(h,x,n);
+  FOR(i,64) out[i] = h[i];
+  return 0;
+}
+sv add(gf p[4],gf q[4])
+{
+  gf a,b,c,d,t,e,f,g,h;
+  
+  Z(a, p[1], p[0]);
+  Z(t, q[1], q[0]);
+  M(a, a, t);
+  A(b, p[0], p[1]);
+  A(t, q[0], q[1]);
+  M(b, b, t);
+  M(c, p[3], q[3]);
+  M(c, c, D2);
+  M(d, p[2], q[2]);
+  A(d, d, d);
+  Z(e, b, a);
+  Z(f, d, c);
+  A(g, d, c);
+  A(h, b, a);
+  M(p[0], e, f);
+  M(p[1], h, g);
+  M(p[2], g, f);
+  M(p[3], e, h);
+}
+sv cswap(gf p[4],gf q[4],u8 b)
+{
+  int i;
+  FOR(i,4)
+    sel25519(p[i],q[i],b);
+}
+sv pack(u8 *r,gf p[4])
+{
+  gf tx, ty, zi;
+  inv25519(zi, p[2]); 
+  M(tx, p[0], zi);
+  M(ty, p[1], zi);
+  pack25519(r, ty);
+  r[31] ^= par25519(tx) << 7;
+}
+sv scalarmult(gf p[4],gf q[4],const u8 *s)
+{
+  int i;
+  set25519(p[0],gf0);
+  set25519(p[1],gf1);
+  set25519(p[2],gf1);
+  set25519(p[3],gf0);
+  for (i = 255;i >= 0;--i) {
+    u8 b = (s[i/8]>>(i&7))&1;
+    cswap(p,q,b);
+    add(q,p);
+    add(p,p);
+    cswap(p,q,b);
+  }
+}
+sv scalarbase(gf p[4],const u8 *s)
+{
+  gf q[4];
+  set25519(q[0],X);
+  set25519(q[1],Y);
+  set25519(q[2],gf1);
+  M(q[3],X,Y);
+  scalarmult(p,q,s);
+}
+int crypto_sign_keypair(u8 *pk, u8 *sk)
+{
+  u8 d[64];
+  gf p[4];
+  int i;
+  randombytes(sk, 32);
+  crypto_hash(d, sk, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+  scalarbase(p,d);
+  pack(pk,p);
+  FOR(i,32) sk[32 + i] = pk[i];
+  return 0;
+}
+static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10};
+sv modL(u8 *r,i64 x[64])
+{
+  i64 carry,i,j;
+  for (i = 63;i >= 32;--i) {
+    carry = 0;
+    for (j = i - 32;j < i - 12;++j) {
+      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
+      carry = (x[j] + 128) >> 8;
+      x[j] -= carry << 8;
+    }
+    x[j] += carry;
+    x[i] = 0;
+  }
+  carry = 0;
+  FOR(j,32) {
+    x[j] += carry - (x[31] >> 4) * L[j];
+    carry = x[j] >> 8;
+    x[j] &= 255;
+  }
+  FOR(j,32) x[j] -= carry * L[j];
+  FOR(i,32) {
+    x[i+1] += x[i] >> 8;
+    r[i] = x[i] & 255;
+  }
+}
+sv reduce(u8 *r)
+{
+  i64 x[64],i;
+  FOR(i,64) x[i] = (u64) r[i];
+  FOR(i,64) r[i] = 0;
+  modL(r,x);
+}
+int crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 n,const u8 *sk)
+{
+  u8 d[64],h[64],r[64];
+  u64 i;
+  i64 j,x[64];
+  gf p[4];
+  crypto_hash(d, sk, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+  *smlen = n+64;
+  FOR(i,n) sm[64 + i] = m[i];
+  FOR(i,32) sm[32 + i] = d[32 + i];
+  crypto_hash(r, sm+32, n+32);
+  reduce(r);
+  scalarbase(p,r);
+  pack(sm,p);
+  FOR(i,32) sm[i+32] = sk[i+32];
+  crypto_hash(h,sm,n + 64);
+  reduce(h);
+  FOR(i,64) x[i] = 0;
+  FOR(i,32) x[i] = (u64) r[i];
+  FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j];
+  modL(sm + 32,x);
+  return 0;
+}
+static int unpackneg(gf r[4],const u8 p[32])
+{
+  gf t, chk, num, den, den2, den4, den6;
+  set25519(r[2],gf1);
+  unpack25519(r[1],p);
+  S(num,r[1]);
+  M(den,num,D);
+  Z(num,num,r[2]);
+  A(den,r[2],den);
+  S(den2,den);
+  S(den4,den2);
+  M(den6,den4,den2);
+  M(t,den6,num);
+  M(t,t,den);
+  pow2523(t,t);
+  M(t,t,num);
+  M(t,t,den);
+  M(t,t,den);
+  M(r[0],t,den);
+  S(chk,r[0]);
+  M(chk,chk,den);
+  if (neq25519(chk, num)) M(r[0],r[0],I);
+  S(chk,r[0]);
+  M(chk,chk,den);
+  if (neq25519(chk, num)) return -1;
+  if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]);
+  M(r[3],r[0],r[1]);
+  return 0;
+}
+int crypto_sign_open(u8 *m,u64 *mlen,const u8 *sm,u64 n,const u8 *pk)
+{
+  u64 i;
+  u8 t[32],h[64];
+  gf p[4],q[4];
+  *mlen = -1;
+  if (n < 64) return -1;
+  if (unpackneg(q,pk)) return -1;
+  FOR(i,n) m[i] = sm[i];
+  FOR(i,32) m[i+32] = pk[i];
+  crypto_hash(h,m,n);
+  reduce(h);
+  scalarmult(p,q,h);
+  scalarbase(q,sm + 32);
+  add(p,q);
+  pack(t,p);
+  n -= 64;
+  if (crypto_verify_32(sm, t)) {
+    FOR(i,n) m[i] = 0;
+    return -1;
+  }
+  FOR(i,n) m[i] = sm[i + 64];
+  *mlen = n;
+  return 0;
+}
diff --git a/src/tweetnacl.h b/src/tweetnacl.h
new file mode 100644
index 0000000..508876d
--- /dev/null
+++ b/src/tweetnacl.h
@@ -0,0 +1,277 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#ifndef TWEETNACL_H
+#define TWEETNACL_H
+#define crypto_auth_PRIMITIVE "hmacsha512256"
+#define crypto_auth crypto_auth_hmacsha512256
+#define crypto_auth_verify crypto_auth_hmacsha512256_verify
+#define crypto_auth_BYTES crypto_auth_hmacsha512256_BYTES
+#define crypto_auth_KEYBYTES crypto_auth_hmacsha512256_KEYBYTES
+#define crypto_auth_IMPLEMENTATION crypto_auth_hmacsha512256_IMPLEMENTATION
+#define crypto_auth_VERSION crypto_auth_hmacsha512256_VERSION
+#define crypto_auth_hmacsha512256_tweet_BYTES 32
+#define crypto_auth_hmacsha512256_tweet_KEYBYTES 32
+extern int crypto_auth_hmacsha512256_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *);
+extern int crypto_auth_hmacsha512256_tweet_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *);
+#define crypto_auth_hmacsha512256_tweet_VERSION "-"
+#define crypto_auth_hmacsha512256 crypto_auth_hmacsha512256_tweet
+#define crypto_auth_hmacsha512256_verify crypto_auth_hmacsha512256_tweet_verify
+#define crypto_auth_hmacsha512256_BYTES crypto_auth_hmacsha512256_tweet_BYTES
+#define crypto_auth_hmacsha512256_KEYBYTES crypto_auth_hmacsha512256_tweet_KEYBYTES
+#define crypto_auth_hmacsha512256_VERSION crypto_auth_hmacsha512256_tweet_VERSION
+#define crypto_auth_hmacsha512256_IMPLEMENTATION "crypto_auth/hmacsha512256/tweet"
+#define crypto_box_PRIMITIVE "curve25519xsalsa20poly1305"
+#define crypto_box crypto_box_curve25519xsalsa20poly1305
+#define crypto_box_open crypto_box_curve25519xsalsa20poly1305_open
+#define crypto_box_keypair crypto_box_curve25519xsalsa20poly1305_keypair
+#define crypto_box_beforenm crypto_box_curve25519xsalsa20poly1305_beforenm
+#define crypto_box_afternm crypto_box_curve25519xsalsa20poly1305_afternm
+#define crypto_box_open_afternm crypto_box_curve25519xsalsa20poly1305_open_afternm
+#define crypto_box_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES
+#define crypto_box_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES
+#define crypto_box_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES
+#define crypto_box_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_NONCEBYTES
+#define crypto_box_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_ZEROBYTES
+#define crypto_box_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES
+#define crypto_box_IMPLEMENTATION crypto_box_curve25519xsalsa20poly1305_IMPLEMENTATION
+#define crypto_box_VERSION crypto_box_curve25519xsalsa20poly1305_VERSION
+#define crypto_box_curve25519xsalsa20poly1305_tweet_PUBLICKEYBYTES 32
+#define crypto_box_curve25519xsalsa20poly1305_tweet_SECRETKEYBYTES 32
+#define crypto_box_curve25519xsalsa20poly1305_tweet_BEFORENMBYTES 32
+#define crypto_box_curve25519xsalsa20poly1305_tweet_NONCEBYTES 24
+#define crypto_box_curve25519xsalsa20poly1305_tweet_ZEROBYTES 32
+#define crypto_box_curve25519xsalsa20poly1305_tweet_BOXZEROBYTES 16
+extern int crypto_box_curve25519xsalsa20poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *,const unsigned char *);
+extern int crypto_box_curve25519xsalsa20poly1305_tweet_open(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *,const unsigned char *);
+extern int crypto_box_curve25519xsalsa20poly1305_tweet_keypair(unsigned char *,unsigned char *);
+extern int crypto_box_curve25519xsalsa20poly1305_tweet_beforenm(unsigned char *,const unsigned char *,const unsigned char *);
+extern int crypto_box_curve25519xsalsa20poly1305_tweet_afternm(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+extern int crypto_box_curve25519xsalsa20poly1305_tweet_open_afternm(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+#define crypto_box_curve25519xsalsa20poly1305_tweet_VERSION "-"
+#define crypto_box_curve25519xsalsa20poly1305 crypto_box_curve25519xsalsa20poly1305_tweet
+#define crypto_box_curve25519xsalsa20poly1305_open crypto_box_curve25519xsalsa20poly1305_tweet_open
+#define crypto_box_curve25519xsalsa20poly1305_keypair crypto_box_curve25519xsalsa20poly1305_tweet_keypair
+#define crypto_box_curve25519xsalsa20poly1305_beforenm crypto_box_curve25519xsalsa20poly1305_tweet_beforenm
+#define crypto_box_curve25519xsalsa20poly1305_afternm crypto_box_curve25519xsalsa20poly1305_tweet_afternm
+#define crypto_box_curve25519xsalsa20poly1305_open_afternm crypto_box_curve25519xsalsa20poly1305_tweet_open_afternm
+#define crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_tweet_PUBLICKEYBYTES
+#define crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_tweet_SECRETKEYBYTES
+#define crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_tweet_BEFORENMBYTES
+#define crypto_box_curve25519xsalsa20poly1305_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_tweet_NONCEBYTES
+#define crypto_box_curve25519xsalsa20poly1305_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_tweet_ZEROBYTES
+#define crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_tweet_BOXZEROBYTES
+#define crypto_box_curve25519xsalsa20poly1305_VERSION crypto_box_curve25519xsalsa20poly1305_tweet_VERSION
+#define crypto_box_curve25519xsalsa20poly1305_IMPLEMENTATION "crypto_box/curve25519xsalsa20poly1305/tweet"
+#define crypto_core_PRIMITIVE "salsa20"
+#define crypto_core crypto_core_salsa20
+#define crypto_core_OUTPUTBYTES crypto_core_salsa20_OUTPUTBYTES
+#define crypto_core_INPUTBYTES crypto_core_salsa20_INPUTBYTES
+#define crypto_core_KEYBYTES crypto_core_salsa20_KEYBYTES
+#define crypto_core_CONSTBYTES crypto_core_salsa20_CONSTBYTES
+#define crypto_core_IMPLEMENTATION crypto_core_salsa20_IMPLEMENTATION
+#define crypto_core_VERSION crypto_core_salsa20_VERSION
+#define crypto_core_salsa20_tweet_OUTPUTBYTES 64
+#define crypto_core_salsa20_tweet_INPUTBYTES 16
+#define crypto_core_salsa20_tweet_KEYBYTES 32
+#define crypto_core_salsa20_tweet_CONSTBYTES 16
+extern int crypto_core_salsa20_tweet(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *);
+#define crypto_core_salsa20_tweet_VERSION "-"
+#define crypto_core_salsa20 crypto_core_salsa20_tweet
+#define crypto_core_salsa20_OUTPUTBYTES crypto_core_salsa20_tweet_OUTPUTBYTES
+#define crypto_core_salsa20_INPUTBYTES crypto_core_salsa20_tweet_INPUTBYTES
+#define crypto_core_salsa20_KEYBYTES crypto_core_salsa20_tweet_KEYBYTES
+#define crypto_core_salsa20_CONSTBYTES crypto_core_salsa20_tweet_CONSTBYTES
+#define crypto_core_salsa20_VERSION crypto_core_salsa20_tweet_VERSION
+#define crypto_core_salsa20_IMPLEMENTATION "crypto_core/salsa20/tweet"
+#define crypto_core_hsalsa20_tweet_OUTPUTBYTES 32
+#define crypto_core_hsalsa20_tweet_INPUTBYTES 16
+#define crypto_core_hsalsa20_tweet_KEYBYTES 32
+#define crypto_core_hsalsa20_tweet_CONSTBYTES 16
+extern int crypto_core_hsalsa20_tweet(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *);
+#define crypto_core_hsalsa20_tweet_VERSION "-"
+#define crypto_core_hsalsa20 crypto_core_hsalsa20_tweet
+#define crypto_core_hsalsa20_OUTPUTBYTES crypto_core_hsalsa20_tweet_OUTPUTBYTES
+#define crypto_core_hsalsa20_INPUTBYTES crypto_core_hsalsa20_tweet_INPUTBYTES
+#define crypto_core_hsalsa20_KEYBYTES crypto_core_hsalsa20_tweet_KEYBYTES
+#define crypto_core_hsalsa20_CONSTBYTES crypto_core_hsalsa20_tweet_CONSTBYTES
+#define crypto_core_hsalsa20_VERSION crypto_core_hsalsa20_tweet_VERSION
+#define crypto_core_hsalsa20_IMPLEMENTATION "crypto_core/hsalsa20/tweet"
+#define crypto_hashblocks_PRIMITIVE "sha512"
+#define crypto_hashblocks crypto_hashblocks_sha512
+#define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha512_STATEBYTES
+#define crypto_hashblocks_BLOCKBYTES crypto_hashblocks_sha512_BLOCKBYTES
+#define crypto_hashblocks_IMPLEMENTATION crypto_hashblocks_sha512_IMPLEMENTATION
+#define crypto_hashblocks_VERSION crypto_hashblocks_sha512_VERSION
+#define crypto_hashblocks_sha512_tweet_STATEBYTES 64
+#define crypto_hashblocks_sha512_tweet_BLOCKBYTES 128
+extern int crypto_hashblocks_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long);
+#define crypto_hashblocks_sha512_tweet_VERSION "-"
+#define crypto_hashblocks_sha512 crypto_hashblocks_sha512_tweet
+#define crypto_hashblocks_sha512_STATEBYTES crypto_hashblocks_sha512_tweet_STATEBYTES
+#define crypto_hashblocks_sha512_BLOCKBYTES crypto_hashblocks_sha512_tweet_BLOCKBYTES
+#define crypto_hashblocks_sha512_VERSION crypto_hashblocks_sha512_tweet_VERSION
+#define crypto_hashblocks_sha512_IMPLEMENTATION "crypto_hashblocks/sha512/tweet"
+#define crypto_hashblocks_sha256_tweet_STATEBYTES 32
+#define crypto_hashblocks_sha256_tweet_BLOCKBYTES 64
+extern int crypto_hashblocks_sha256_tweet(unsigned char *,const unsigned char *,unsigned long long);
+#define crypto_hashblocks_sha256_tweet_VERSION "-"
+#define crypto_hashblocks_sha256 crypto_hashblocks_sha256_tweet
+#define crypto_hashblocks_sha256_STATEBYTES crypto_hashblocks_sha256_tweet_STATEBYTES
+#define crypto_hashblocks_sha256_BLOCKBYTES crypto_hashblocks_sha256_tweet_BLOCKBYTES
+#define crypto_hashblocks_sha256_VERSION crypto_hashblocks_sha256_tweet_VERSION
+#define crypto_hashblocks_sha256_IMPLEMENTATION "crypto_hashblocks/sha256/tweet"
+#define crypto_hash_PRIMITIVE "sha512"
+#define crypto_hash crypto_hash_sha512
+#define crypto_hash_BYTES crypto_hash_sha512_BYTES
+#define crypto_hash_IMPLEMENTATION crypto_hash_sha512_IMPLEMENTATION
+#define crypto_hash_VERSION crypto_hash_sha512_VERSION
+#define crypto_hash_sha512_tweet_BYTES 64
+extern int crypto_hash_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long);
+#define crypto_hash_sha512_tweet_VERSION "-"
+#define crypto_hash_sha512 crypto_hash_sha512_tweet
+#define crypto_hash_sha512_BYTES crypto_hash_sha512_tweet_BYTES
+#define crypto_hash_sha512_VERSION crypto_hash_sha512_tweet_VERSION
+#define crypto_hash_sha512_IMPLEMENTATION "crypto_hash/sha512/tweet"
+#define crypto_hash_sha256_tweet_BYTES 32
+extern int crypto_hash_sha256_tweet(unsigned char *,const unsigned char *,unsigned long long);
+#define crypto_hash_sha256_tweet_VERSION "-"
+#define crypto_hash_sha256 crypto_hash_sha256_tweet
+#define crypto_hash_sha256_BYTES crypto_hash_sha256_tweet_BYTES
+#define crypto_hash_sha256_VERSION crypto_hash_sha256_tweet_VERSION
+#define crypto_hash_sha256_IMPLEMENTATION "crypto_hash/sha256/tweet"
+#define crypto_onetimeauth_PRIMITIVE "poly1305"
+#define crypto_onetimeauth crypto_onetimeauth_poly1305
+#define crypto_onetimeauth_verify crypto_onetimeauth_poly1305_verify
+#define crypto_onetimeauth_BYTES crypto_onetimeauth_poly1305_BYTES
+#define crypto_onetimeauth_KEYBYTES crypto_onetimeauth_poly1305_KEYBYTES
+#define crypto_onetimeauth_IMPLEMENTATION crypto_onetimeauth_poly1305_IMPLEMENTATION
+#define crypto_onetimeauth_VERSION crypto_onetimeauth_poly1305_VERSION
+#define crypto_onetimeauth_poly1305_tweet_BYTES 16
+#define crypto_onetimeauth_poly1305_tweet_KEYBYTES 32
+extern int crypto_onetimeauth_poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *);
+extern int crypto_onetimeauth_poly1305_tweet_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *);
+#define crypto_onetimeauth_poly1305_tweet_VERSION "-"
+#define crypto_onetimeauth_poly1305 crypto_onetimeauth_poly1305_tweet
+#define crypto_onetimeauth_poly1305_verify crypto_onetimeauth_poly1305_tweet_verify
+#define crypto_onetimeauth_poly1305_BYTES crypto_onetimeauth_poly1305_tweet_BYTES
+#define crypto_onetimeauth_poly1305_KEYBYTES crypto_onetimeauth_poly1305_tweet_KEYBYTES
+#define crypto_onetimeauth_poly1305_VERSION crypto_onetimeauth_poly1305_tweet_VERSION
+#define crypto_onetimeauth_poly1305_IMPLEMENTATION "crypto_onetimeauth/poly1305/tweet"
+#define crypto_scalarmult_PRIMITIVE "curve25519"
+#define crypto_scalarmult crypto_scalarmult_curve25519
+#define crypto_scalarmult_base crypto_scalarmult_curve25519_base
+#define crypto_scalarmult_BYTES crypto_scalarmult_curve25519_BYTES
+#define crypto_scalarmult_SCALARBYTES crypto_scalarmult_curve25519_SCALARBYTES
+#define crypto_scalarmult_IMPLEMENTATION crypto_scalarmult_curve25519_IMPLEMENTATION
+#define crypto_scalarmult_VERSION crypto_scalarmult_curve25519_VERSION
+#define crypto_scalarmult_curve25519_tweet_BYTES 32
+#define crypto_scalarmult_curve25519_tweet_SCALARBYTES 32
+extern int crypto_scalarmult_curve25519_tweet(unsigned char *,const unsigned char *,const unsigned char *);
+extern int crypto_scalarmult_curve25519_tweet_base(unsigned char *,const unsigned char *);
+#define crypto_scalarmult_curve25519_tweet_VERSION "-"
+#define crypto_scalarmult_curve25519 crypto_scalarmult_curve25519_tweet
+#define crypto_scalarmult_curve25519_base crypto_scalarmult_curve25519_tweet_base
+#define crypto_scalarmult_curve25519_BYTES crypto_scalarmult_curve25519_tweet_BYTES
+#define crypto_scalarmult_curve25519_SCALARBYTES crypto_scalarmult_curve25519_tweet_SCALARBYTES
+#define crypto_scalarmult_curve25519_VERSION crypto_scalarmult_curve25519_tweet_VERSION
+#define crypto_scalarmult_curve25519_IMPLEMENTATION "crypto_scalarmult/curve25519/tweet"
+#define crypto_secretbox_PRIMITIVE "xsalsa20poly1305"
+#define crypto_secretbox crypto_secretbox_xsalsa20poly1305
+#define crypto_secretbox_open crypto_secretbox_xsalsa20poly1305_open
+#define crypto_secretbox_KEYBYTES crypto_secretbox_xsalsa20poly1305_KEYBYTES
+#define crypto_secretbox_NONCEBYTES crypto_secretbox_xsalsa20poly1305_NONCEBYTES
+#define crypto_secretbox_ZEROBYTES crypto_secretbox_xsalsa20poly1305_ZEROBYTES
+#define crypto_secretbox_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES
+#define crypto_secretbox_IMPLEMENTATION crypto_secretbox_xsalsa20poly1305_IMPLEMENTATION
+#define crypto_secretbox_VERSION crypto_secretbox_xsalsa20poly1305_VERSION
+#define crypto_secretbox_xsalsa20poly1305_tweet_KEYBYTES 32
+#define crypto_secretbox_xsalsa20poly1305_tweet_NONCEBYTES 24
+#define crypto_secretbox_xsalsa20poly1305_tweet_ZEROBYTES 32
+#define crypto_secretbox_xsalsa20poly1305_tweet_BOXZEROBYTES 16
+extern int crypto_secretbox_xsalsa20poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+extern int crypto_secretbox_xsalsa20poly1305_tweet_open(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+#define crypto_secretbox_xsalsa20poly1305_tweet_VERSION "-"
+#define crypto_secretbox_xsalsa20poly1305 crypto_secretbox_xsalsa20poly1305_tweet
+#define crypto_secretbox_xsalsa20poly1305_open crypto_secretbox_xsalsa20poly1305_tweet_open
+#define crypto_secretbox_xsalsa20poly1305_KEYBYTES crypto_secretbox_xsalsa20poly1305_tweet_KEYBYTES
+#define crypto_secretbox_xsalsa20poly1305_NONCEBYTES crypto_secretbox_xsalsa20poly1305_tweet_NONCEBYTES
+#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES crypto_secretbox_xsalsa20poly1305_tweet_ZEROBYTES
+#define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_tweet_BOXZEROBYTES
+#define crypto_secretbox_xsalsa20poly1305_VERSION crypto_secretbox_xsalsa20poly1305_tweet_VERSION
+#define crypto_secretbox_xsalsa20poly1305_IMPLEMENTATION "crypto_secretbox/xsalsa20poly1305/tweet"
+#define crypto_sign_PRIMITIVE "ed25519"
+#define crypto_sign crypto_sign_ed25519
+#define crypto_sign_open crypto_sign_ed25519_open
+#define crypto_sign_keypair crypto_sign_ed25519_keypair
+#define crypto_sign_BYTES crypto_sign_ed25519_BYTES
+#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES
+#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES
+#define crypto_sign_IMPLEMENTATION crypto_sign_ed25519_IMPLEMENTATION
+#define crypto_sign_VERSION crypto_sign_ed25519_VERSION
+#define crypto_sign_ed25519_tweet_BYTES 64
+#define crypto_sign_ed25519_tweet_PUBLICKEYBYTES 32
+#define crypto_sign_ed25519_tweet_SECRETKEYBYTES 64
+extern int crypto_sign_ed25519_tweet(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *);
+extern int crypto_sign_ed25519_tweet_open(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *);
+extern int crypto_sign_ed25519_tweet_keypair(unsigned char *,unsigned char *);
+#define crypto_sign_ed25519_tweet_VERSION "-"
+#define crypto_sign_ed25519 crypto_sign_ed25519_tweet
+#define crypto_sign_ed25519_open crypto_sign_ed25519_tweet_open
+#define crypto_sign_ed25519_keypair crypto_sign_ed25519_tweet_keypair
+#define crypto_sign_ed25519_BYTES crypto_sign_ed25519_tweet_BYTES
+#define crypto_sign_ed25519_PUBLICKEYBYTES crypto_sign_ed25519_tweet_PUBLICKEYBYTES
+#define crypto_sign_ed25519_SECRETKEYBYTES crypto_sign_ed25519_tweet_SECRETKEYBYTES
+#define crypto_sign_ed25519_VERSION crypto_sign_ed25519_tweet_VERSION
+#define crypto_sign_ed25519_IMPLEMENTATION "crypto_sign/ed25519/tweet"
+#define crypto_stream_PRIMITIVE "xsalsa20"
+#define crypto_stream crypto_stream_xsalsa20
+#define crypto_stream_xor crypto_stream_xsalsa20_xor
+#define crypto_stream_KEYBYTES crypto_stream_xsalsa20_KEYBYTES
+#define crypto_stream_NONCEBYTES crypto_stream_xsalsa20_NONCEBYTES
+#define crypto_stream_IMPLEMENTATION crypto_stream_xsalsa20_IMPLEMENTATION
+#define crypto_stream_VERSION crypto_stream_xsalsa20_VERSION
+#define crypto_stream_xsalsa20_tweet_KEYBYTES 32
+#define crypto_stream_xsalsa20_tweet_NONCEBYTES 24
+extern int crypto_stream_xsalsa20_tweet(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+extern int crypto_stream_xsalsa20_tweet_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+#define crypto_stream_xsalsa20_tweet_VERSION "-"
+#define crypto_stream_xsalsa20 crypto_stream_xsalsa20_tweet
+#define crypto_stream_xsalsa20_xor crypto_stream_xsalsa20_tweet_xor
+#define crypto_stream_xsalsa20_KEYBYTES crypto_stream_xsalsa20_tweet_KEYBYTES
+#define crypto_stream_xsalsa20_NONCEBYTES crypto_stream_xsalsa20_tweet_NONCEBYTES
+#define crypto_stream_xsalsa20_VERSION crypto_stream_xsalsa20_tweet_VERSION
+#define crypto_stream_xsalsa20_IMPLEMENTATION "crypto_stream/xsalsa20/tweet"
+#define crypto_stream_salsa20_tweet_KEYBYTES 32
+#define crypto_stream_salsa20_tweet_NONCEBYTES 8
+extern int crypto_stream_salsa20_tweet(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+extern int crypto_stream_salsa20_tweet_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
+#define crypto_stream_salsa20_tweet_VERSION "-"
+#define crypto_stream_salsa20 crypto_stream_salsa20_tweet
+#define crypto_stream_salsa20_xor crypto_stream_salsa20_tweet_xor
+#define crypto_stream_salsa20_KEYBYTES crypto_stream_salsa20_tweet_KEYBYTES
+#define crypto_stream_salsa20_NONCEBYTES crypto_stream_salsa20_tweet_NONCEBYTES
+#define crypto_stream_salsa20_VERSION crypto_stream_salsa20_tweet_VERSION
+#define crypto_stream_salsa20_IMPLEMENTATION "crypto_stream/salsa20/tweet"
+#define crypto_verify_PRIMITIVE "16"
+#define crypto_verify crypto_verify_16
+#define crypto_verify_BYTES crypto_verify_16_BYTES
+#define crypto_verify_IMPLEMENTATION crypto_verify_16_IMPLEMENTATION
+#define crypto_verify_VERSION crypto_verify_16_VERSION
+#define crypto_verify_16_tweet_BYTES 16
+extern int crypto_verify_16_tweet(const unsigned char *,const unsigned char *);
+#define crypto_verify_16_tweet_VERSION "-"
+#define crypto_verify_16 crypto_verify_16_tweet
+#define crypto_verify_16_BYTES crypto_verify_16_tweet_BYTES
+#define crypto_verify_16_VERSION crypto_verify_16_tweet_VERSION
+#define crypto_verify_16_IMPLEMENTATION "crypto_verify/16/tweet"
+#define crypto_verify_32_tweet_BYTES 32
+extern int crypto_verify_32_tweet(const unsigned char *,const unsigned char *);
+#define crypto_verify_32_tweet_VERSION "-"
+#define crypto_verify_32 crypto_verify_32_tweet
+#define crypto_verify_32_BYTES crypto_verify_32_tweet_BYTES
+#define crypto_verify_32_VERSION crypto_verify_32_tweet_VERSION
+#define crypto_verify_32_IMPLEMENTATION "crypto_verify/32/tweet"
+#endif
author	Sebastien Blot	2017-09-20 10:11:01 +0200
committer	Sebastien Blot	2017-09-20 10:11:01 +0200
commit	868f96c759b6650d88ff9f4fbc5c048302134248 (patch)
tree	c0de0af318bf77a8959164ef11aeeeb2b7bab294