sqlite3-binding.c.diff

diff --git a/sqlite3-binding.c b/sqlite3-binding.c
index a4e32d1..7c35ee9 100644
--- a/sqlite3-binding.c
+++ b/sqlite3-binding.c
@@ -58311,6 +58311,38 @@ SQLITE_PRIVATE int sqlite3PagerWalFramesize(Pager *pPager){
 
 #endif /* SQLITE_OMIT_DISKIO */
 
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+void sqlite3pager_get_codec(Pager *pPager, void **ctx) {
+  *ctx = pPager->pCodec;
+}
+
+int sqlite3pager_is_mj_pgno(Pager *pPager, Pgno pgno) {
+  return (PAGER_MJ_PGNO(pPager) == pgno) ? 1 : 0;
+}
+
+sqlite3_file *sqlite3Pager_get_fd(Pager *pPager) {
+  return (isOpen(pPager->fd)) ? pPager->fd : NULL;
+}
+
+void sqlite3pager_sqlite3PagerSetCodec(
+  Pager *pPager,
+  void *(*xCodec)(void*,void*,Pgno,int),
+  void (*xCodecSizeChng)(void*,int,int),
+  void (*xCodecFree)(void*),
+  void *pCodec
+){
+  sqlite3PagerSetCodec(pPager, xCodec, xCodecSizeChng, xCodecFree, pCodec);
+}
+
+void sqlite3pager_sqlite3PagerSetError( Pager *pPager, int error) {
+  pPager->errCode = error;
+  setGetterMethod(pPager);
+}
+
+#endif
+/* END SQLCIPHER */
+
 /************** End of pager.c ***********************************************/
 /************** Begin file wal.c *********************************************/
 /*
@@ -105977,6 +106009,13 @@ static int resolveAttachExpr(NameContext *pName, Expr *pExpr)
   return rc;
 }
 
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+void sqlite3CodecGetKey(sqlite3*, int, void**, int*);
+int sqlite3CodecAttach(sqlite3*, int, const void*, int);
+#endif
+/* END SQLCIPHER */
+
 /*
 ** An SQL user-function registered to do the work of an ATTACH statement. The
 ** three arguments to the function come directly from an attach statement:
@@ -106120,11 +106159,8 @@ static void attachFunc(
     rc = SQLITE_NOMEM_BKPT;
   }
 
-
 #ifdef SQLITE_HAS_CODEC
   if( rc==SQLITE_OK ){
-    extern int sqlite3CodecAttach(sqlite3*, int, const void*, int);
-    extern void sqlite3CodecGetKey(sqlite3*, int, void**, int*);
     int nKey;
     char *zKey;
     int t = sqlite3_value_type(argv[2]);
@@ -121536,6 +121572,11 @@ SQLITE_PRIVATE void sqlite3Pragma(
   Db *pDb;                     /* The specific database being pragmaed */
   Vdbe *v = sqlite3GetVdbe(pParse);  /* Prepared statement */
   const PragmaName *pPragma;   /* The pragma */
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+  extern int sqlcipher_codec_pragma(sqlite3*, int, Parse *, const char *, const char *);
+#endif
+/* END SQLCIPHER */
 
   if( v==0 ) return;
   sqlite3VdbeRunOnlyOnce(v);
@@ -121606,6 +121647,15 @@ SQLITE_PRIVATE void sqlite3Pragma(
     goto pragma_out;
   }
 
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+  if(sqlcipher_codec_pragma(db, iDb, pParse, zLeft, zRight)) {
+    /* sqlcipher_codec_pragma executes internal */
+    goto pragma_out;
+  }
+#endif
+/* END SQLCIPHER */
+
   /* Locate the pragma in the lookup table */
   pPragma = pragmaLocate(zLeft);
   if( pPragma==0 ) goto pragma_out;
@@ -134118,7 +134168,6 @@ SQLITE_PRIVATE SQLITE_NOINLINE int sqlite3RunVacuum(
   /* A VACUUM cannot change the pagesize of an encrypted database. */
 #ifdef SQLITE_HAS_CODEC
   if( db->nextPagesize ){
-    extern void sqlite3CodecGetKey(sqlite3*, int, void**, int*);
     int nKey;
     char *zKey;
     sqlite3CodecGetKey(db, iDb, (void**)&zKey, &nKey);
@@ -223234,3 +223283,2569 @@ int sqlite3_user_delete(
 }
 
 #endif /* SQLITE_USER_AUTHENTICATION */
+
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+
+#ifndef OMIT_MEMLOCK
+#if defined(__unix__) || defined(__APPLE__) || defined(_AIX)
+#include <errno.h>
+#include <unistd.h>
+#include <sys/resource.h>
+#include <sys/mman.h>
+#elif defined(_WIN32)
+#include <windows.h>
+#endif
+#endif
+
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+#ifndef CRYPTO_H
+#define CRYPTO_H
+
+#if !defined (SQLCIPHER_CRYPTO_CC) \
+   && !defined (SQLCIPHER_CRYPTO_LIBTOMCRYPT) \
+   && !defined (SQLCIPHER_CRYPTO_OPENSSL)
+#define SQLCIPHER_CRYPTO_OPENSSL
+#endif
+
+#define FILE_HEADER_SZ 16
+
+#ifndef CIPHER_VERSION
+#ifdef SQLCIPHER_FIPS
+#define CIPHER_VERSION "3.4.2 FIPS"
+#else
+#define CIPHER_VERSION "3.4.2"
+#endif
+#endif
+
+#ifndef CIPHER
+#define CIPHER "aes-256-cbc"
+#endif
+
+#define CIPHER_DECRYPT 0
+#define CIPHER_ENCRYPT 1
+
+#define CIPHER_READ_CTX 0
+#define CIPHER_WRITE_CTX 1
+#define CIPHER_READWRITE_CTX 2
+
+#ifndef PBKDF2_ITER
+#define PBKDF2_ITER 64000
+#endif
+
+/* possible flags for cipher_ctx->flags */
+#define CIPHER_FLAG_HMAC          0x01
+#define CIPHER_FLAG_LE_PGNO       0x02
+#define CIPHER_FLAG_BE_PGNO       0x04
+
+#ifndef DEFAULT_CIPHER_FLAGS
+#define DEFAULT_CIPHER_FLAGS CIPHER_FLAG_HMAC | CIPHER_FLAG_LE_PGNO
+#endif
+
+
+/* by default, sqlcipher will use a reduced number of iterations to generate
+   the HMAC key / or transform a raw cipher key
+   */
+#ifndef FAST_PBKDF2_ITER
+#define FAST_PBKDF2_ITER 2
+#endif
+
+/* this if a fixed random array that will be xor'd with the database salt to ensure that the
+   salt passed to the HMAC key derivation function is not the same as that used to derive
+   the encryption key. This can be overridden at compile time but it will make the resulting
+   binary incompatible with the default builds when using HMAC. A future version of SQLcipher
+   will likely allow this to be defined at runtime via pragma */
+#ifndef HMAC_SALT_MASK
+#define HMAC_SALT_MASK 0x3a
+#endif
+
+#ifndef CIPHER_MAX_IV_SZ
+#define CIPHER_MAX_IV_SZ 16
+#endif
+
+#ifndef CIPHER_MAX_KEY_SZ
+#define CIPHER_MAX_KEY_SZ 64
+#endif
+
+#ifdef __ANDROID__
+#include <android/log.h>
+#endif
+
+#ifdef CODEC_DEBUG_MUTEX
+#ifdef __ANDROID__
+#define CODEC_TRACE_MUTEX(...) {__android_log_print(ANDROID_LOG_DEBUG, "sqlcipher", __VA_ARGS__);}
+#else
+#define CODEC_TRACE_MUTEX(...)  {fprintf(stderr, __VA_ARGS__);fflush(stderr);}
+#endif
+#else
+#define CODEC_TRACE_MUTEX(...)
+#endif
+
+#ifdef CODEC_DEBUG
+#ifdef __ANDROID__
+#define CODEC_TRACE(...) {__android_log_print(ANDROID_LOG_DEBUG, "sqlcipher", __VA_ARGS__);}
+#else
+#define CODEC_TRACE(...)  {fprintf(stderr, __VA_ARGS__);fflush(stderr);}
+#endif
+#else
+#define CODEC_TRACE(...)
+#endif
+
+#ifdef CODEC_DEBUG_PAGEDATA
+#define CODEC_HEXDUMP(DESC,BUFFER,LEN)  \
+  { \
+    int __pctr; \
+    printf(DESC); \
+    for(__pctr=0; __pctr < LEN; __pctr++) { \
+      if(__pctr % 16 == 0) printf("\n%05x: ",__pctr); \
+      printf("%02x ",((unsigned char*) BUFFER)[__pctr]); \
+    } \
+    printf("\n"); \
+    fflush(stdout); \
+  }
+#else
+#define CODEC_HEXDUMP(DESC,BUFFER,LEN)
+#endif
+
+/* extensions defined in pager.c */
+void sqlite3pager_get_codec(Pager *pPager, void **ctx);
+int sqlite3pager_is_mj_pgno(Pager *pPager, Pgno pgno);
+sqlite3_file *sqlite3Pager_get_fd(Pager *pPager);
+void sqlite3pager_sqlite3PagerSetCodec(
+  Pager *pPager,
+  void *(*xCodec)(void*,void*,Pgno,int),
+  void (*xCodecSizeChng)(void*,int,int),
+  void (*xCodecFree)(void*),
+  void *pCodec
+);
+void sqlite3pager_sqlite3PagerSetError(Pager *pPager, int error);
+/* end extensions defined in pager.c */
+
+/*
+**  Simple shared routines for converting hex char strings to binary data
+ */
+static int cipher_hex2int(char c) {
+  return (c>='0' && c<='9') ? (c)-'0' :
+         (c>='A' && c<='F') ? (c)-'A'+10 :
+         (c>='a' && c<='f') ? (c)-'a'+10 : 0;
+}
+
+static void cipher_hex2bin(const unsigned char *hex, int sz, unsigned char *out){
+  int i;
+  for(i = 0; i < sz; i += 2){
+    out[i/2] = (cipher_hex2int(hex[i])<<4) | cipher_hex2int(hex[i+1]);
+  }
+}
+
+static void cipher_bin2hex(const unsigned char* in, int sz, char *out) {
+    int i;
+    for(i=0; i < sz; i++) {
+      sqlite3_snprintf(3, out + (i*2), "%02x ", in[i]);
+    }
+}
+
+static int cipher_isHex(const unsigned char *hex, int sz){
+  int i;
+  for(i = 0; i < sz; i++) {
+    unsigned char c = hex[i];
+    if ((c < '0' || c > '9') &&
+        (c < 'A' || c > 'F') &&
+        (c < 'a' || c > 'f')) {
+      return 0;
+    }
+  }
+  return 1;
+}
+
+/* extensions defined in crypto_impl.c */
+typedef struct codec_ctx codec_ctx;
+
+/* activation and initialization */
+void sqlcipher_activate();
+void sqlcipher_deactivate();
+int sqlcipher_codec_ctx_init(codec_ctx **, Db *, Pager *, sqlite3_file *, const void *, int);
+void sqlcipher_codec_ctx_free(codec_ctx **);
+int sqlcipher_codec_key_derive(codec_ctx *);
+int sqlcipher_codec_key_copy(codec_ctx *, int);
+
+/* page cipher implementation */
+int sqlcipher_page_cipher(codec_ctx *, int, Pgno, int, int, unsigned char *, unsigned char *);
+
+/* context setters & getters */
+void sqlcipher_codec_ctx_set_error(codec_ctx *, int);
+
+int sqlcipher_codec_ctx_set_pass(codec_ctx *, const void *, int, int);
+void sqlcipher_codec_get_keyspec(codec_ctx *, void **zKey, int *nKey);
+
+int sqlcipher_codec_ctx_set_pagesize(codec_ctx *, int);
+int sqlcipher_codec_ctx_get_pagesize(codec_ctx *);
+int sqlcipher_codec_ctx_get_reservesize(codec_ctx *);
+
+void sqlcipher_set_default_pagesize(int page_size);
+int sqlcipher_get_default_pagesize();
+
+void sqlcipher_set_default_kdf_iter(int iter);
+int sqlcipher_get_default_kdf_iter();
+
+int sqlcipher_codec_ctx_set_kdf_iter(codec_ctx *, int, int);
+int sqlcipher_codec_ctx_get_kdf_iter(codec_ctx *ctx, int);
+
+void* sqlcipher_codec_ctx_get_kdf_salt(codec_ctx *ctx);
+
+int sqlcipher_codec_ctx_set_fast_kdf_iter(codec_ctx *, int, int);
+int sqlcipher_codec_ctx_get_fast_kdf_iter(codec_ctx *, int);
+
+int sqlcipher_codec_ctx_set_cipher(codec_ctx *, const char *, int);
+const char* sqlcipher_codec_ctx_get_cipher(codec_ctx *ctx, int for_ctx);
+
+void* sqlcipher_codec_ctx_get_data(codec_ctx *);
+
+void sqlcipher_exportFunc(sqlite3_context *, int, sqlite3_value **);
+
+void sqlcipher_set_default_use_hmac(int use);
+int sqlcipher_get_default_use_hmac();
+
+void sqlcipher_set_hmac_salt_mask(unsigned char mask);
+unsigned char sqlcipher_get_hmac_salt_mask();
+
+int sqlcipher_codec_ctx_set_use_hmac(codec_ctx *ctx, int use);
+int sqlcipher_codec_ctx_get_use_hmac(codec_ctx *ctx, int for_ctx);
+
+int sqlcipher_codec_ctx_set_flag(codec_ctx *ctx, unsigned int flag);
+int sqlcipher_codec_ctx_unset_flag(codec_ctx *ctx, unsigned int flag);
+int sqlcipher_codec_ctx_get_flag(codec_ctx *ctx, unsigned int flag, int for_ctx);
+
+const char* sqlcipher_codec_get_cipher_provider(codec_ctx *ctx);
+int sqlcipher_codec_ctx_migrate(codec_ctx *ctx);
+int sqlcipher_codec_add_random(codec_ctx *ctx, const char *data, int random_sz);
+int sqlcipher_cipher_profile(sqlite3 *db, const char *destination);
+int sqlcipher_codec_get_store_pass(codec_ctx *ctx);
+void sqlcipher_codec_get_pass(codec_ctx *ctx, void **zKey, int *nKey);
+void sqlcipher_codec_set_store_pass(codec_ctx *ctx, int value);
+int sqlcipher_codec_fips_status(codec_ctx *ctx);
+const char* sqlcipher_codec_get_provider_version(codec_ctx *ctx);
+int sqlcipher_codec_hmac(const codec_ctx *ctx, const unsigned char *hmac_key, int key_sz,
+                         unsigned char* in, int in_sz, unsigned char *in2, int in2_sz,
+                         unsigned char *out);
+#endif
+#endif
+/* END SQLCIPHER */
+
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+#ifndef SQLCIPHER_H
+#define SQLCIPHER_H
+
+
+typedef struct {
+  int (*activate)(void *ctx);
+  int (*deactivate)(void *ctx);
+  const char* (*get_provider_name)(void *ctx);
+  int (*add_random)(void *ctx, void *buffer, int length);
+  int (*random)(void *ctx, void *buffer, int length);
+  int (*hmac)(void *ctx, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out);
+  int (*kdf)(void *ctx, const unsigned char *pass, int pass_sz, unsigned char* salt, int salt_sz, int workfactor, int key_sz, unsigned char *key);
+  int (*cipher)(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out);
+  int (*set_cipher)(void *ctx, const char *cipher_name);
+  const char* (*get_cipher)(void *ctx);
+  int (*get_key_sz)(void *ctx);
+  int (*get_iv_sz)(void *ctx);
+  int (*get_block_sz)(void *ctx);
+  int (*get_hmac_sz)(void *ctx);
+  int (*ctx_copy)(void *target_ctx, void *source_ctx);
+  int (*ctx_cmp)(void *c1, void *c2);
+  int (*ctx_init)(void **ctx);
+  int (*ctx_free)(void **ctx);
+  int (*fips_status)(void *ctx);
+  const char* (*get_provider_version)(void *ctx);
+} sqlcipher_provider;
+
+/* utility functions */
+void sqlcipher_free(void *ptr, int sz);
+void* sqlcipher_malloc(int sz);
+void* sqlcipher_memset(void *v, unsigned char value, int len);
+int sqlcipher_ismemset(const void *v, unsigned char value, int len);
+int sqlcipher_memcmp(const void *v0, const void *v1, int len);
+void sqlcipher_free(void *, int);
+
+/* provider interfaces */
+int sqlcipher_register_provider(sqlcipher_provider *p);
+sqlcipher_provider* sqlcipher_get_provider();
+
+#endif
+#endif
+/* END SQLCIPHER */
+
+/* the default implementation of SQLCipher uses a cipher_ctx
+   to keep track of read / write state separately. The following
+   struct and associated functions are defined here */
+typedef struct {
+  int store_pass;
+  int derive_key;
+  int kdf_iter;
+  int fast_kdf_iter;
+  int key_sz;
+  int iv_sz;
+  int block_sz;
+  int pass_sz;
+  int reserve_sz;
+  int hmac_sz;
+  int keyspec_sz;
+  unsigned int flags;
+  unsigned char *key;
+  unsigned char *hmac_key;
+  unsigned char *pass;
+  char *keyspec;
+  sqlcipher_provider *provider;
+  void *provider_ctx;
+} cipher_ctx;
+
+static unsigned int default_flags = DEFAULT_CIPHER_FLAGS;
+static unsigned char hmac_salt_mask = HMAC_SALT_MASK;
+static int default_kdf_iter = PBKDF2_ITER;
+static int default_page_size = 1024;
+static unsigned int sqlcipher_activate_count = 0;
+static sqlite3_mutex* sqlcipher_provider_mutex = NULL;
+static sqlcipher_provider *default_provider = NULL;
+
+struct codec_ctx {
+  int kdf_salt_sz;
+  int page_sz;
+  unsigned char *kdf_salt;
+  unsigned char *hmac_kdf_salt;
+  unsigned char *buffer;
+  Btree *pBt;
+  cipher_ctx *read_ctx;
+  cipher_ctx *write_ctx;
+  unsigned int skip_read_hmac;
+  unsigned int need_kdf_salt;
+};
+
+int sqlcipher_register_provider(sqlcipher_provider *p) {
+  CODEC_TRACE_MUTEX("sqlcipher_register_provider: entering sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+  sqlite3_mutex_enter(sqlcipher_provider_mutex);
+  CODEC_TRACE_MUTEX("sqlcipher_register_provider: entered sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+  if(default_provider != NULL && default_provider != p) {
+    /* only free the current registerd provider if it has been initialized
+       and it isn't a pointer to the same provider passed to the function
+       (i.e. protect against a caller calling register twice for the same provider) */
+    sqlcipher_free(default_provider, sizeof(sqlcipher_provider));
+  }
+  default_provider = p;
+  CODEC_TRACE_MUTEX("sqlcipher_register_provider: leaving sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+  sqlite3_mutex_leave(sqlcipher_provider_mutex);
+  CODEC_TRACE_MUTEX("sqlcipher_register_provider: left sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+  return SQLITE_OK;
+}
+
+/* return a pointer to the currently registered provider. This will
+   allow an application to fetch the current registered provider and
+   make minor changes to it */
+sqlcipher_provider* sqlcipher_get_provider() {
+  return default_provider;
+}
+
+void sqlcipher_activate() {
+  CODEC_TRACE_MUTEX("sqlcipher_activate: entering static master mutex\n");
+  sqlite3_mutex_enter(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
+  CODEC_TRACE_MUTEX("sqlcipher_activate: entered static master mutex\n");
+
+  if(sqlcipher_provider_mutex == NULL) {
+    /* allocate a new mutex to guard access to the provider */
+    CODEC_TRACE_MUTEX("sqlcipher_activate: allocating sqlcipher provider mutex\n");
+    sqlcipher_provider_mutex = sqlite3_mutex_alloc(SQLITE_MUTEX_FAST);
+    CODEC_TRACE_MUTEX("sqlcipher_activate: allocated sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+  }
+
+  /* check to see if there is a provider registered at this point
+     if there no provider registered at this point, register the
+     default provider */
+  if(sqlcipher_get_provider() == NULL) {
+    sqlcipher_provider *p = sqlcipher_malloc(sizeof(sqlcipher_provider));
+#if defined (SQLCIPHER_CRYPTO_CC)
+    extern int sqlcipher_cc_setup(sqlcipher_provider *p);
+    sqlcipher_cc_setup(p);
+#elif defined (SQLCIPHER_CRYPTO_LIBTOMCRYPT)
+    extern int sqlcipher_ltc_setup(sqlcipher_provider *p);
+    sqlcipher_ltc_setup(p);
+#elif defined (SQLCIPHER_CRYPTO_OPENSSL)
+    extern int sqlcipher_openssl_setup(sqlcipher_provider *p);
+    sqlcipher_openssl_setup(p);
+#else
+#error "NO DEFAULT SQLCIPHER CRYPTO PROVIDER DEFINED"
+#endif
+    CODEC_TRACE("sqlcipher_activate: calling sqlcipher_register_provider(%p)\n", p);
+    sqlcipher_register_provider(p);
+    CODEC_TRACE("sqlcipher_activate: called sqlcipher_register_provider(%p)\n",p);
+  }
+
+  sqlcipher_activate_count++; /* increment activation count */
+
+  CODEC_TRACE_MUTEX("sqlcipher_activate: leaving static master mutex\n");
+  sqlite3_mutex_leave(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
+  CODEC_TRACE_MUTEX("sqlcipher_activate: left static master mutex\n");
+}
+
+void sqlcipher_deactivate() {
+  CODEC_TRACE_MUTEX("sqlcipher_deactivate: entering static master mutex\n");
+  sqlite3_mutex_enter(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
+  CODEC_TRACE_MUTEX("sqlcipher_deactivate: entered static master mutex\n");
+
+  sqlcipher_activate_count--;
+  /* if no connections are using sqlcipher, cleanup globals */
+  if(sqlcipher_activate_count < 1) {
+    int rc;
+    CODEC_TRACE_MUTEX("sqlcipher_deactivate: entering sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+    sqlite3_mutex_enter(sqlcipher_provider_mutex);
+    CODEC_TRACE_MUTEX("sqlcipher_deactivate: entered sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+    if(default_provider != NULL) {
+      sqlcipher_free(default_provider, sizeof(sqlcipher_provider));
+      default_provider = NULL;
+    }
+
+    CODEC_TRACE_MUTEX("sqlcipher_deactivate: leaving sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+    sqlite3_mutex_leave(sqlcipher_provider_mutex);
+    CODEC_TRACE_MUTEX("sqlcipher_deactivate: left sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+    /* last connection closed, free provider mutex*/
+    CODEC_TRACE_MUTEX("sqlcipher_deactivate: freeing sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+    sqlite3_mutex_free(sqlcipher_provider_mutex);
+    CODEC_TRACE_MUTEX("sqlcipher_deactivate: freed sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+    sqlcipher_provider_mutex = NULL;
+
+    sqlcipher_activate_count = 0; /* reset activation count */
+  }
+
+  CODEC_TRACE_MUTEX("sqlcipher_deactivate: leaving static master mutex\n");
+  sqlite3_mutex_leave(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
+  CODEC_TRACE_MUTEX("sqlcipher_deactivate: left static master mutex\n");
+}
+
+/* constant time memset using volitile to avoid having the memset
+   optimized out by the compiler.
+   Note: As suggested by Joachim Schipper (joachim.schipper@fox-it.com)
+*/
+void* sqlcipher_memset(void *v, unsigned char value, int len) {
+  int i = 0;
+  volatile unsigned char *a = v;
+
+  if (v == NULL) return v;
+
+  CODEC_TRACE("sqlcipher_memset: setting %p[0-%d]=%d)\n", a, len, value);
+  for(i = 0; i < len; i++) {
+    a[i] = value;
+  }
+
+  return v;
+}
+
+/* constant time memory check tests every position of a memory segement
+   matches a single value (i.e. the memory is all zeros)
+   returns 0 if match, 1 of no match */
+int sqlcipher_ismemset(const void *v, unsigned char value, int len) {
+  const unsigned char *a = v;
+  int i = 0, result = 0;
+
+  for(i = 0; i < len; i++) {
+    result |= a[i] ^ value;
+  }
+
+  return (result != 0);
+}
+
+/* constant time memory comparison routine.
+   returns 0 if match, 1 if no match */
+int sqlcipher_memcmp(const void *v0, const void *v1, int len) {
+  const unsigned char *a0 = v0, *a1 = v1;
+  int i = 0, result = 0;
+
+  for(i = 0; i < len; i++) {
+    result |= a0[i] ^ a1[i];
+  }
+
+  return (result != 0);
+}
+
+/**
+  * Free and wipe memory. Uses SQLites internal sqlite3_free so that memory
+  * can be countend and memory leak detection works in the test suite.
+  * If ptr is not null memory will be freed.
+  * If sz is greater than zero, the memory will be overwritten with zero before it is freed
+  * If sz is > 0, and not compiled with OMIT_MEMLOCK, system will attempt to unlock the
+  * memory segment so it can be paged
+  */
+void sqlcipher_free(void *ptr, int sz) {
+  if(ptr) {
+    if(sz > 0) {
+#ifndef OMIT_MEMLOCK
+      int rc;
+#if defined(__unix__) || defined(__APPLE__)
+      unsigned long pagesize = sysconf(_SC_PAGESIZE);
+      unsigned long offset = (unsigned long) ptr % pagesize;
+#endif
+#endif
+      CODEC_TRACE("sqlcipher_free: calling sqlcipher_memset(%p,0,%d)\n", ptr, sz);
+      sqlcipher_memset(ptr, 0, sz);
+#ifndef OMIT_MEMLOCK
+#if defined(__unix__) || defined(__APPLE__)
+      CODEC_TRACE("sqlcipher_free: calling munlock(%p,%lu)\n", ptr - offset, sz + offset);
+      rc = munlock(ptr - offset, sz + offset);
+      if(rc!=0) {
+        CODEC_TRACE("sqlcipher_free: munlock(%p,%lu) returned %d errno=%d\n", ptr - offset, sz + offset, rc, errno);
+      }
+#elif defined(_WIN32)
+#if !(defined(WINAPI_FAMILY) && (WINAPI_FAMILY == WINAPI_FAMILY_PHONE_APP || WINAPI_FAMILY == WINAPI_FAMILY_APP))
+      rc = VirtualUnlock(ptr, sz);
+      if(!rc) {
+        CODEC_TRACE("sqlcipher_free: VirtualUnlock(%p,%d) returned %d LastError=%d\n", ptr, sz, rc, GetLastError());
+      }
+#endif
+#endif
+#endif
+    }
+    sqlite3_free(ptr);
+  }
+}
+
+/**
+  * allocate memory. Uses sqlite's internall malloc wrapper so memory can be
+  * reference counted and leak detection works. Unless compiled with OMIT_MEMLOCK
+  * attempts to lock the memory pages so sensitive information won't be swapped
+  */
+void* sqlcipher_malloc(int sz) {
+  void *ptr;
+  CODEC_TRACE("sqlcipher_malloc: calling sqlite3Malloc(%d)\n", sz);
+  ptr = sqlite3Malloc(sz);
+  CODEC_TRACE("sqlcipher_malloc: calling sqlcipher_memset(%p,0,%d)\n", ptr, sz);
+  sqlcipher_memset(ptr, 0, sz);
+#ifndef OMIT_MEMLOCK
+  if(ptr) {
+    int rc;
+#if defined(__unix__) || defined(__APPLE__)
+    unsigned long pagesize = sysconf(_SC_PAGESIZE);
+    unsigned long offset = (unsigned long) ptr % pagesize;
+    CODEC_TRACE("sqlcipher_malloc: calling mlock(%p,%lu); _SC_PAGESIZE=%lu\n", ptr - offset, sz + offset, pagesize);
+    rc = mlock(ptr - offset, sz + offset);
+    if(rc!=0) {
+      CODEC_TRACE("sqlcipher_malloc: mlock(%p,%lu) returned %d errno=%d\n", ptr - offset, sz + offset, rc, errno);
+    }
+#elif defined(_WIN32)
+#if !(defined(WINAPI_FAMILY) && (WINAPI_FAMILY == WINAPI_FAMILY_PHONE_APP || WINAPI_FAMILY == WINAPI_FAMILY_APP))
+    rc = VirtualLock(ptr, sz);
+    if(rc==0) {
+      CODEC_TRACE("sqlcipher_malloc: VirtualLock(%p,%d) returned %d LastError=%d\n", ptr, sz, rc, GetLastError());
+    }
+#endif
+#endif
+  }
+#endif
+  return ptr;
+}
+
+
+/**
+  * Initialize new cipher_ctx struct. This function will allocate memory
+  * for the cipher context and for the key
+  *
+  * returns SQLITE_OK if initialization was successful
+  * returns SQLITE_NOMEM if an error occured allocating memory
+  */
+static int sqlcipher_cipher_ctx_init(cipher_ctx **iCtx) {
+  int rc;
+  cipher_ctx *ctx;
+  CODEC_TRACE("sqlcipher_cipher_ctx_init: allocating context\n");
+  *iCtx = (cipher_ctx *) sqlcipher_malloc(sizeof(cipher_ctx));
+  ctx = *iCtx;
+  if(ctx == NULL) return SQLITE_NOMEM;
+
+  CODEC_TRACE("sqlcipher_cipher_ctx_init: allocating provider\n");
+  ctx->provider = (sqlcipher_provider *) sqlcipher_malloc(sizeof(sqlcipher_provider));
+  if(ctx->provider == NULL) return SQLITE_NOMEM;
+
+  /* make a copy of the provider to be used for the duration of the context */
+  CODEC_TRACE_MUTEX("sqlcipher_cipher_ctx_init: entering sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+  sqlite3_mutex_enter(sqlcipher_provider_mutex);
+  CODEC_TRACE_MUTEX("sqlcipher_cipher_ctx_init: entered sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+  memcpy(ctx->provider, default_provider, sizeof(sqlcipher_provider));
+
+  CODEC_TRACE_MUTEX("sqlcipher_cipher_ctx_init: leaving sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+  sqlite3_mutex_leave(sqlcipher_provider_mutex);
+  CODEC_TRACE_MUTEX("sqlcipher_cipher_ctx_init: left sqlcipher provider mutex %p\n", sqlcipher_provider_mutex);
+
+  CODEC_TRACE("sqlcipher_cipher_ctx_init: calling provider ctx_init\n");
+  if((rc = ctx->provider->ctx_init(&ctx->provider_ctx)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_cipher_ctx_init: allocating key\n");
+  ctx->key = (unsigned char *) sqlcipher_malloc(CIPHER_MAX_KEY_SZ);
+
+  CODEC_TRACE("sqlcipher_cipher_ctx_init: allocating hmac_key\n");
+  ctx->hmac_key = (unsigned char *) sqlcipher_malloc(CIPHER_MAX_KEY_SZ);
+
+  if(ctx->key == NULL) return SQLITE_NOMEM;
+  if(ctx->hmac_key == NULL) return SQLITE_NOMEM;
+
+  /* setup default flags */
+  ctx->flags = default_flags;
+
+  return SQLITE_OK;
+}
+
+/**
+  * Free and wipe memory associated with a cipher_ctx
+  */
+static void sqlcipher_cipher_ctx_free(cipher_ctx **iCtx) {
+  cipher_ctx *ctx = *iCtx;
+  CODEC_TRACE("cipher_ctx_free: entered iCtx=%p\n", iCtx);
+  ctx->provider->ctx_free(&ctx->provider_ctx);
+  sqlcipher_free(ctx->provider, sizeof(sqlcipher_provider));
+  sqlcipher_free(ctx->key, ctx->key_sz);
+  sqlcipher_free(ctx->hmac_key, ctx->key_sz);
+  sqlcipher_free(ctx->pass, ctx->pass_sz);
+  sqlcipher_free(ctx->keyspec, ctx->keyspec_sz);
+  sqlcipher_free(ctx, sizeof(cipher_ctx));
+}
+
+/**
+  * Compare one cipher_ctx to another.
+  *
+  * returns 0 if all the parameters (except the derived key data) are the same
+  * returns 1 otherwise
+  */
+static int sqlcipher_cipher_ctx_cmp(cipher_ctx *c1, cipher_ctx *c2) {
+  int are_equal = (
+    c1->iv_sz == c2->iv_sz
+    && c1->kdf_iter == c2->kdf_iter
+    && c1->fast_kdf_iter == c2->fast_kdf_iter
+    && c1->key_sz == c2->key_sz
+    && c1->pass_sz == c2->pass_sz
+    && c1->flags == c2->flags
+    && c1->hmac_sz == c2->hmac_sz
+    && c1->provider->ctx_cmp(c1->provider_ctx, c2->provider_ctx)
+    && (
+      c1->pass == c2->pass
+      || !sqlcipher_memcmp((const unsigned char*)c1->pass,
+                           (const unsigned char*)c2->pass,
+                           c1->pass_sz)
+    ));
+
+  CODEC_TRACE("sqlcipher_cipher_ctx_cmp: entered \
+                  c1=%p c2=%p \
+                  c1->iv_sz=%d c2->iv_sz=%d \
+                  c1->kdf_iter=%d c2->kdf_iter=%d \
+                  c1->fast_kdf_iter=%d c2->fast_kdf_iter=%d \
+                  c1->key_sz=%d c2->key_sz=%d \
+                  c1->pass_sz=%d c2->pass_sz=%d \
+                  c1->flags=%d c2->flags=%d \
+                  c1->hmac_sz=%d c2->hmac_sz=%d \
+                  c1->provider_ctx=%p c2->provider_ctx=%p \
+                  c1->pass=%p c2->pass=%p \
+                  c1->pass=%s c2->pass=%s \
+                  provider->ctx_cmp=%d \
+                  sqlcipher_memcmp=%d \
+                  are_equal=%d \
+                   \n",
+                  c1, c2,
+                  c1->iv_sz, c2->iv_sz,
+                  c1->kdf_iter, c2->kdf_iter,
+                  c1->fast_kdf_iter, c2->fast_kdf_iter,
+                  c1->key_sz, c2->key_sz,
+                  c1->pass_sz, c2->pass_sz,
+                  c1->flags, c2->flags,
+                  c1->hmac_sz, c2->hmac_sz,
+                  c1->provider_ctx, c2->provider_ctx,
+                  c1->pass, c2->pass,
+                  c1->pass, c2->pass,
+                  c1->provider->ctx_cmp(c1->provider_ctx, c2->provider_ctx),
+                  (c1->pass == NULL || c2->pass == NULL)
+                    ? -1 : sqlcipher_memcmp(
+                      (const unsigned char*)c1->pass,
+                      (const unsigned char*)c2->pass,
+                      c1->pass_sz),
+                  are_equal
+                  );
+
+  return !are_equal; /* return 0 if they are the same, 1 otherwise */
+}
+
+/**
+  * Copy one cipher_ctx to another. For instance, assuming that read_ctx is a
+  * fully initialized context, you could copy it to write_ctx and all yet data
+  * and pass information across
+  *
+  * returns SQLITE_OK if initialization was successful
+  * returns SQLITE_NOMEM if an error occured allocating memory
+  */
+static int sqlcipher_cipher_ctx_copy(cipher_ctx *target, cipher_ctx *source) {
+  void *key = target->key;
+  void *hmac_key = target->hmac_key;
+  void *provider = target->provider;
+  void *provider_ctx = target->provider_ctx;
+
+  CODEC_TRACE("sqlcipher_cipher_ctx_copy: entered target=%p, source=%p\n", target, source);
+  sqlcipher_free(target->pass, target->pass_sz);
+  sqlcipher_free(target->keyspec, target->keyspec_sz);
+  memcpy(target, source, sizeof(cipher_ctx));
+
+  target->key = key; //restore pointer to previously allocated key data
+  memcpy(target->key, source->key, CIPHER_MAX_KEY_SZ);
+
+  target->hmac_key = hmac_key; //restore pointer to previously allocated hmac key data
+  memcpy(target->hmac_key, source->hmac_key, CIPHER_MAX_KEY_SZ);
+
+  target->provider = provider; // restore pointer to previouly allocated provider;
+  memcpy(target->provider, source->provider, sizeof(sqlcipher_provider));
+
+  target->provider_ctx = provider_ctx; // restore pointer to previouly allocated provider context;
+  target->provider->ctx_copy(target->provider_ctx, source->provider_ctx);
+
+  if(source->pass && source->pass_sz) {
+    target->pass = sqlcipher_malloc(source->pass_sz);
+    if(target->pass == NULL) return SQLITE_NOMEM;
+    memcpy(target->pass, source->pass, source->pass_sz);
+  }
+  if(source->keyspec && source->keyspec_sz) {
+    target->keyspec = sqlcipher_malloc(source->keyspec_sz);
+    if(target->keyspec == NULL) return SQLITE_NOMEM;
+    memcpy(target->keyspec, source->keyspec, source->keyspec_sz);
+  }
+  return SQLITE_OK;
+}
+
+/**
+  * Set the keyspec for the cipher_ctx
+  *
+  * returns SQLITE_OK if assignment was successfull
+  * returns SQLITE_NOMEM if an error occured allocating memory
+  */
+static int sqlcipher_cipher_ctx_set_keyspec(cipher_ctx *ctx, const unsigned char *key, int key_sz, const unsigned char *salt, int salt_sz) {
+
+    /* free, zero existing pointers and size */
+  sqlcipher_free(ctx->keyspec, ctx->keyspec_sz);
+  ctx->keyspec = NULL;
+  ctx->keyspec_sz = 0;
+
+  /* establic a hex-formated key specification, containing the raw encryption key and
+     the salt used to generate it */
+  ctx->keyspec_sz = ((key_sz + salt_sz) * 2) + 3;
+  ctx->keyspec = sqlcipher_malloc(ctx->keyspec_sz);
+  if(ctx->keyspec == NULL) return SQLITE_NOMEM;
+
+  ctx->keyspec[0] = 'x';
+  ctx->keyspec[1] = '\'';
+  cipher_bin2hex(key, key_sz, ctx->keyspec + 2);
+  cipher_bin2hex(salt, salt_sz, ctx->keyspec + (key_sz * 2) + 2);
+  ctx->keyspec[ctx->keyspec_sz - 1] = '\'';
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_get_store_pass(codec_ctx *ctx) {
+  return ctx->read_ctx->store_pass;
+}
+
+void sqlcipher_codec_set_store_pass(codec_ctx *ctx, int value) {
+  ctx->read_ctx->store_pass = value;
+}
+
+void sqlcipher_codec_get_pass(codec_ctx *ctx, void **zKey, int *nKey) {
+  *zKey = ctx->read_ctx->pass;
+  *nKey = ctx->read_ctx->pass_sz;
+}
+
+/**
+  * Set the passphrase for the cipher_ctx
+  *
+  * returns SQLITE_OK if assignment was successfull
+  * returns SQLITE_NOMEM if an error occured allocating memory
+  */
+static int sqlcipher_cipher_ctx_set_pass(cipher_ctx *ctx, const void *zKey, int nKey) {
+
+  /* free, zero existing pointers and size */
+  sqlcipher_free(ctx->pass, ctx->pass_sz);
+  ctx->pass = NULL;
+  ctx->pass_sz = 0;
+
+  if(zKey && nKey) { /* if new password is provided, copy it */
+    ctx->pass_sz = nKey;
+    ctx->pass = sqlcipher_malloc(nKey);
+    if(ctx->pass == NULL) return SQLITE_NOMEM;
+    memcpy(ctx->pass, zKey, nKey);
+  }
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_set_pass(codec_ctx *ctx, const void *zKey, int nKey, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  int rc;
+
+  if((rc = sqlcipher_cipher_ctx_set_pass(c_ctx, zKey, nKey)) != SQLITE_OK) return rc;
+  c_ctx->derive_key = 1;
+
+  if(for_ctx == 2)
+    if((rc = sqlcipher_cipher_ctx_copy( for_ctx ? ctx->read_ctx : ctx->write_ctx, c_ctx)) != SQLITE_OK)
+      return rc;
+
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_set_cipher(codec_ctx *ctx, const char *cipher_name, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  int rc;
+
+  rc = c_ctx->provider->set_cipher(c_ctx->provider_ctx, cipher_name);
+  if(rc != SQLITE_OK){
+    sqlcipher_codec_ctx_set_error(ctx, rc);
+    return rc;
+  }
+  c_ctx->key_sz = c_ctx->provider->get_key_sz(c_ctx->provider_ctx);
+  c_ctx->iv_sz = c_ctx->provider->get_iv_sz(c_ctx->provider_ctx);
+  c_ctx->block_sz = c_ctx->provider->get_block_sz(c_ctx->provider_ctx);
+  c_ctx->hmac_sz = c_ctx->provider->get_hmac_sz(c_ctx->provider_ctx);
+  c_ctx->derive_key = 1;
+
+  if(for_ctx == 2)
+    if((rc = sqlcipher_cipher_ctx_copy( for_ctx ? ctx->read_ctx : ctx->write_ctx, c_ctx)) != SQLITE_OK)
+      return rc;
+
+  return SQLITE_OK;
+}
+
+const char* sqlcipher_codec_ctx_get_cipher(codec_ctx *ctx, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  return c_ctx->provider->get_cipher(c_ctx->provider_ctx);
+}
+
+/* set the global default KDF iteration */
+void sqlcipher_set_default_kdf_iter(int iter) {
+  default_kdf_iter = iter;
+}
+
+int sqlcipher_get_default_kdf_iter() {
+  return default_kdf_iter;
+}
+
+int sqlcipher_codec_ctx_set_kdf_iter(codec_ctx *ctx, int kdf_iter, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  int rc;
+
+  c_ctx->kdf_iter = kdf_iter;
+  c_ctx->derive_key = 1;
+
+  if(for_ctx == 2)
+    if((rc = sqlcipher_cipher_ctx_copy( for_ctx ? ctx->read_ctx : ctx->write_ctx, c_ctx)) != SQLITE_OK)
+      return rc;
+
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_get_kdf_iter(codec_ctx *ctx, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  return c_ctx->kdf_iter;
+}
+
+int sqlcipher_codec_ctx_set_fast_kdf_iter(codec_ctx *ctx, int fast_kdf_iter, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  int rc;
+
+  c_ctx->fast_kdf_iter = fast_kdf_iter;
+  c_ctx->derive_key = 1;
+
+  if(for_ctx == 2)
+    if((rc = sqlcipher_cipher_ctx_copy( for_ctx ? ctx->read_ctx : ctx->write_ctx, c_ctx)) != SQLITE_OK)
+      return rc;
+
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_get_fast_kdf_iter(codec_ctx *ctx, int for_ctx) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  return c_ctx->fast_kdf_iter;
+}
+
+/* set the global default flag for HMAC */
+void sqlcipher_set_default_use_hmac(int use) {
+  if(use) default_flags |= CIPHER_FLAG_HMAC;
+  else default_flags &= ~CIPHER_FLAG_HMAC;
+}
+
+int sqlcipher_get_default_use_hmac() {
+  return (default_flags & CIPHER_FLAG_HMAC) != 0;
+}
+
+void sqlcipher_set_hmac_salt_mask(unsigned char mask) {
+  hmac_salt_mask = mask;
+}
+
+unsigned char sqlcipher_get_hmac_salt_mask() {
+  return hmac_salt_mask;
+}
+
+/* set the codec flag for whether this individual database should be using hmac */
+int sqlcipher_codec_ctx_set_use_hmac(codec_ctx *ctx, int use) {
+  int reserve = CIPHER_MAX_IV_SZ; /* base reserve size will be IV only */
+
+  if(use) reserve += ctx->read_ctx->hmac_sz; /* if reserve will include hmac, update that size */
+
+  /* calculate the amount of reserve needed in even increments of the cipher block size */
+
+  reserve = ((reserve % ctx->read_ctx->block_sz) == 0) ? reserve :
+               ((reserve / ctx->read_ctx->block_sz) + 1) * ctx->read_ctx->block_sz;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_set_use_hmac: use=%d block_sz=%d md_size=%d reserve=%d\n",
+                use, ctx->read_ctx->block_sz, ctx->read_ctx->hmac_sz, reserve);
+
+
+  if(use) {
+    sqlcipher_codec_ctx_set_flag(ctx, CIPHER_FLAG_HMAC);
+  } else {
+    sqlcipher_codec_ctx_unset_flag(ctx, CIPHER_FLAG_HMAC);
+  }
+
+  ctx->write_ctx->reserve_sz = ctx->read_ctx->reserve_sz = reserve;
+
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_get_use_hmac(codec_ctx *ctx, int for_ctx) {
+  cipher_ctx * c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  return (c_ctx->flags & CIPHER_FLAG_HMAC) != 0;
+}
+
+int sqlcipher_codec_ctx_set_flag(codec_ctx *ctx, unsigned int flag) {
+  ctx->write_ctx->flags |= flag;
+  ctx->read_ctx->flags |= flag;
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_unset_flag(codec_ctx *ctx, unsigned int flag) {
+  ctx->write_ctx->flags &= ~flag;
+  ctx->read_ctx->flags &= ~flag;
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_get_flag(codec_ctx *ctx, unsigned int flag, int for_ctx) {
+  cipher_ctx * c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  return (c_ctx->flags & flag) != 0;
+}
+
+void sqlcipher_codec_ctx_set_error(codec_ctx *ctx, int error) {
+  CODEC_TRACE("sqlcipher_codec_ctx_set_error: ctx=%p, error=%d\n", ctx, error);
+  sqlite3pager_sqlite3PagerSetError(ctx->pBt->pBt->pPager, error);
+  ctx->pBt->pBt->db->errCode = error;
+}
+
+int sqlcipher_codec_ctx_get_reservesize(codec_ctx *ctx) {
+  return ctx->read_ctx->reserve_sz;
+}
+
+void* sqlcipher_codec_ctx_get_data(codec_ctx *ctx) {
+  return ctx->buffer;
+}
+
+void* sqlcipher_codec_ctx_get_kdf_salt(codec_ctx *ctx) {
+  return ctx->kdf_salt;
+}
+
+void sqlcipher_codec_get_keyspec(codec_ctx *ctx, void **zKey, int *nKey) {
+  *zKey = ctx->read_ctx->keyspec;
+  *nKey = ctx->read_ctx->keyspec_sz;
+}
+
+int sqlcipher_codec_ctx_set_pagesize(codec_ctx *ctx, int size) {
+  if(!((size != 0) && ((size & (size - 1)) == 0)) || size < 512 || size > 65536) {
+    CODEC_TRACE(("cipher_page_size not a power of 2 and between 512 and 65536 inclusive\n"));
+    return SQLITE_ERROR;
+  }
+  /* attempt to free the existing page buffer */
+  sqlcipher_free(ctx->buffer,ctx->page_sz);
+  ctx->page_sz = size;
+
+  /* pre-allocate a page buffer of PageSize bytes. This will
+     be used as a persistent buffer for encryption and decryption
+     operations to avoid overhead of multiple memory allocations*/
+  ctx->buffer = sqlcipher_malloc(size);
+  if(ctx->buffer == NULL) return SQLITE_NOMEM;
+
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_ctx_get_pagesize(codec_ctx *ctx) {
+  return ctx->page_sz;
+}
+
+void sqlcipher_set_default_pagesize(int page_size) {
+  default_page_size = page_size;
+}
+
+int sqlcipher_get_default_pagesize() {
+  return default_page_size;
+}
+
+int sqlcipher_codec_ctx_init(codec_ctx **iCtx, Db *pDb, Pager *pPager, sqlite3_file *fd, const void *zKey, int nKey) {
+  int rc;
+  codec_ctx *ctx;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: allocating context\n");
+
+  *iCtx = sqlcipher_malloc(sizeof(codec_ctx));
+  ctx = *iCtx;
+
+  if(ctx == NULL) return SQLITE_NOMEM;
+
+  ctx->pBt = pDb->pBt; /* assign pointer to database btree structure */
+
+  /* allocate space for salt data. Then read the first 16 bytes
+       directly off the database file. This is the salt for the
+       key derivation function. If we get a short read allocate
+       a new random salt value */
+  CODEC_TRACE("sqlcipher_codec_ctx_init: allocating kdf_salt\n");
+  ctx->kdf_salt_sz = FILE_HEADER_SZ;
+  ctx->kdf_salt = sqlcipher_malloc(ctx->kdf_salt_sz);
+  if(ctx->kdf_salt == NULL) return SQLITE_NOMEM;
+
+  /* allocate space for separate hmac salt data. We want the
+     HMAC derivation salt to be different than the encryption
+     key derivation salt */
+  CODEC_TRACE("sqlcipher_codec_ctx_init: allocating hmac_kdf_salt\n");
+  ctx->hmac_kdf_salt = sqlcipher_malloc(ctx->kdf_salt_sz);
+  if(ctx->hmac_kdf_salt == NULL) return SQLITE_NOMEM;
+
+
+  /*
+     Always overwrite page size and set to the default because the first page of the database
+     in encrypted and thus sqlite can't effectively determine the pagesize. this causes an issue in
+     cases where bytes 16 & 17 of the page header are a power of 2 as reported by John Lehman
+  */
+  CODEC_TRACE("sqlcipher_codec_ctx_init: calling sqlcipher_codec_ctx_set_pagesize with %d\n", default_page_size);
+  if((rc = sqlcipher_codec_ctx_set_pagesize(ctx, default_page_size)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: initializing read_ctx\n");
+  if((rc = sqlcipher_cipher_ctx_init(&ctx->read_ctx)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: initializing write_ctx\n");
+  if((rc = sqlcipher_cipher_ctx_init(&ctx->write_ctx)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: reading file header\n");
+  if(fd == NULL || sqlite3OsRead(fd, ctx->kdf_salt, FILE_HEADER_SZ, 0) != SQLITE_OK) {
+    ctx->need_kdf_salt = 1;
+  }
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: setting cipher\n");
+  if((rc = sqlcipher_codec_ctx_set_cipher(ctx, CIPHER, 0)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: setting default_kdf_iter\n");
+  if((rc = sqlcipher_codec_ctx_set_kdf_iter(ctx, default_kdf_iter, 0)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: setting fast_kdf_iter\n");
+  if((rc = sqlcipher_codec_ctx_set_fast_kdf_iter(ctx, FAST_PBKDF2_ITER, 0)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: setting pass key\n");
+  if((rc = sqlcipher_codec_ctx_set_pass(ctx, zKey, nKey, 0)) != SQLITE_OK) return rc;
+
+  /* Note that use_hmac is a special case that requires recalculation of page size
+     so we call set_use_hmac to perform setup */
+  CODEC_TRACE("sqlcipher_codec_ctx_init: setting use_hmac\n");
+  if((rc = sqlcipher_codec_ctx_set_use_hmac(ctx, default_flags & CIPHER_FLAG_HMAC)) != SQLITE_OK) return rc;
+
+  CODEC_TRACE("sqlcipher_codec_ctx_init: copying write_ctx to read_ctx\n");
+  if((rc = sqlcipher_cipher_ctx_copy(ctx->write_ctx, ctx->read_ctx)) != SQLITE_OK) return rc;
+
+  return SQLITE_OK;
+}
+
+/**
+  * Free and wipe memory associated with a cipher_ctx, including the allocated
+  * read_ctx and write_ctx.
+  */
+void sqlcipher_codec_ctx_free(codec_ctx **iCtx) {
+  codec_ctx *ctx = *iCtx;
+  CODEC_TRACE("codec_ctx_free: entered iCtx=%p\n", iCtx);
+  sqlcipher_free(ctx->kdf_salt, ctx->kdf_salt_sz);
+  sqlcipher_free(ctx->hmac_kdf_salt, ctx->kdf_salt_sz);
+  sqlcipher_free(ctx->buffer, 0);
+  sqlcipher_cipher_ctx_free(&ctx->read_ctx);
+  sqlcipher_cipher_ctx_free(&ctx->write_ctx);
+  sqlcipher_free(ctx, sizeof(codec_ctx));
+}
+
+/** convert a 32bit unsigned integer to little endian byte ordering */
+static void sqlcipher_put4byte_le(unsigned char *p, u32 v) {
+  p[0] = (u8)v;
+  p[1] = (u8)(v>>8);
+  p[2] = (u8)(v>>16);
+  p[3] = (u8)(v>>24);
+}
+
+static int sqlcipher_page_hmac(cipher_ctx *ctx, Pgno pgno, unsigned char *in, int in_sz, unsigned char *out) {
+  unsigned char pgno_raw[sizeof(pgno)];
+  /* we may convert page number to consistent representation before calculating MAC for
+     compatibility across big-endian and little-endian platforms.
+
+     Note: The public release of sqlcipher 2.0.0 to 2.0.6 had a bug where the bytes of pgno
+     were used directly in the MAC. SQLCipher convert's to little endian by default to preserve
+     backwards compatibility on the most popular platforms, but can optionally be configured
+     to use either big endian or native byte ordering via pragma. */
+
+  if(ctx->flags & CIPHER_FLAG_LE_PGNO) { /* compute hmac using little endian pgno*/
+    sqlcipher_put4byte_le(pgno_raw, pgno);
+  } else if(ctx->flags & CIPHER_FLAG_BE_PGNO) { /* compute hmac using big endian pgno */
+    sqlite3Put4byte(pgno_raw, pgno); /* sqlite3Put4byte converts 32bit uint to big endian  */
+  } else { /* use native byte ordering */
+    memcpy(pgno_raw, &pgno, sizeof(pgno));
+  }
+
+  /* include the encrypted page data,  initialization vector, and page number in HMAC. This will
+     prevent both tampering with the ciphertext, manipulation of the IV, or resequencing otherwise
+     valid pages out of order in a database */
+  ctx->provider->hmac(
+    ctx->provider_ctx, ctx->hmac_key,
+    ctx->key_sz, in,
+    in_sz, (unsigned char*) &pgno_raw,
+    sizeof(pgno), out);
+  return SQLITE_OK;
+}
+
+/*
+ * ctx - codec context
+ * pgno - page number in database
+ * size - size in bytes of input and output buffers
+ * mode - 1 to encrypt, 0 to decrypt
+ * in - pointer to input bytes
+ * out - pouter to output bytes
+ */
+int sqlcipher_page_cipher(codec_ctx *ctx, int for_ctx, Pgno pgno, int mode, int page_sz, unsigned char *in, unsigned char *out) {
+  cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
+  unsigned char *iv_in, *iv_out, *hmac_in, *hmac_out, *out_start;
+  int size;
+
+  /* calculate some required positions into various buffers */
+  size = page_sz - c_ctx->reserve_sz; /* adjust size to useable size and memset reserve at end of page */
+  iv_out = out + size;
+  iv_in = in + size;
+
+  /* hmac will be written immediately after the initialization vector. the remainder of the page reserve will contain
+     random bytes. note, these pointers are only valid when using hmac */
+  hmac_in = in + size + c_ctx->iv_sz;
+  hmac_out = out + size + c_ctx->iv_sz;
+  out_start = out; /* note the original position of the output buffer pointer, as out will be rewritten during encryption */
+
+  CODEC_TRACE("codec_cipher:entered pgno=%d, mode=%d, size=%d\n", pgno, mode, size);
+  CODEC_HEXDUMP("codec_cipher: input page data", in, page_sz);
+
+  /* the key size should never be zero. If it is, error out. */
+  if(c_ctx->key_sz == 0) {
+    CODEC_TRACE("codec_cipher: error possible context corruption, key_sz is zero for pgno=%d\n", pgno);
+    sqlcipher_memset(out, 0, page_sz);
+    return SQLITE_ERROR;
+  }
+
+  if(mode == CIPHER_ENCRYPT) {
+    /* start at front of the reserve block, write random data to the end */
+    if(c_ctx->provider->random(c_ctx->provider_ctx, iv_out, c_ctx->reserve_sz) != SQLITE_OK) return SQLITE_ERROR;
+  } else { /* CIPHER_DECRYPT */
+    memcpy(iv_out, iv_in, c_ctx->iv_sz); /* copy the iv from the input to output buffer */
+  }
+
+  if((c_ctx->flags & CIPHER_FLAG_HMAC) && (mode == CIPHER_DECRYPT) && !ctx->skip_read_hmac) {
+    if(sqlcipher_page_hmac(c_ctx, pgno, in, size + c_ctx->iv_sz, hmac_out) != SQLITE_OK) {
+      sqlcipher_memset(out, 0, page_sz);
+      CODEC_TRACE("codec_cipher: hmac operations failed for pgno=%d\n", pgno);
+      return SQLITE_ERROR;
+    }
+
+    CODEC_TRACE("codec_cipher: comparing hmac on in=%p out=%p hmac_sz=%d\n", hmac_in, hmac_out, c_ctx->hmac_sz);
+    if(sqlcipher_memcmp(hmac_in, hmac_out, c_ctx->hmac_sz) != 0) { /* the hmac check failed */
+      if(sqlcipher_ismemset(in, 0, page_sz) == 0) {
+        /* first check if the entire contents of the page is zeros. If so, this page
+           resulted from a short read (i.e. sqlite attempted to pull a page after the end of the file. these
+           short read failures must be ignored for autovaccum mode to work so wipe the output buffer
+           and return SQLITE_OK to skip the decryption step. */
+        CODEC_TRACE("codec_cipher: zeroed page (short read) for pgno %d, encryption but returning SQLITE_OK\n", pgno);
+        sqlcipher_memset(out, 0, page_sz);
+  	return SQLITE_OK;
+      } else {
+	/* if the page memory is not all zeros, it means the there was data and a hmac on the page.
+           since the check failed, the page was either tampered with or corrupted. wipe the output buffer,
+           and return SQLITE_ERROR to the caller */
+      	CODEC_TRACE("codec_cipher: hmac check failed for pgno=%d returning SQLITE_ERROR\n", pgno);
+        sqlcipher_memset(out, 0, page_sz);
+      	return SQLITE_ERROR;
+      }
+    }
+  }
+
+  c_ctx->provider->cipher(c_ctx->provider_ctx, mode, c_ctx->key, c_ctx->key_sz, iv_out, in, size, out);
+
+  if((c_ctx->flags & CIPHER_FLAG_HMAC) && (mode == CIPHER_ENCRYPT)) {
+    sqlcipher_page_hmac(c_ctx, pgno, out_start, size + c_ctx->iv_sz, hmac_out);
+  }
+
+  CODEC_HEXDUMP("codec_cipher: output page data", out_start, page_sz);
+
+  return SQLITE_OK;
+}
+
+/**
+  * Derive an encryption key for a cipher contex key based on the raw password.
+  *
+  * If the raw key data is formated as x'hex' and there are exactly enough hex chars to fill
+  * the key (i.e 64 hex chars for a 256 bit key) then the key data will be used directly.
+
+  * Else, if the raw key data is formated as x'hex' and there are exactly enough hex chars to fill
+  * the key and the salt (i.e 92 hex chars for a 256 bit key and 16 byte salt) then it will be unpacked
+  * as the key followed by the salt.
+  *
+  * Otherwise, a key data will be derived using PBKDF2
+  *
+  * returns SQLITE_OK if initialization was successful
+  * returns SQLITE_ERROR if the key could't be derived (for instance if pass is NULL or pass_sz is 0)
+  */
+static int sqlcipher_cipher_ctx_key_derive(codec_ctx *ctx, cipher_ctx *c_ctx) {
+  int rc;
+  CODEC_TRACE("cipher_ctx_key_derive: entered c_ctx->pass=%s, c_ctx->pass_sz=%d \
+                ctx->kdf_salt=%p ctx->kdf_salt_sz=%d c_ctx->kdf_iter=%d \
+                ctx->hmac_kdf_salt=%p, c_ctx->fast_kdf_iter=%d c_ctx->key_sz=%d\n",
+                c_ctx->pass, c_ctx->pass_sz, ctx->kdf_salt, ctx->kdf_salt_sz, c_ctx->kdf_iter,
+                ctx->hmac_kdf_salt, c_ctx->fast_kdf_iter, c_ctx->key_sz);
+
+
+  if(c_ctx->pass && c_ctx->pass_sz) { // if pass is not null
+
+    if(ctx->need_kdf_salt) {
+      if(ctx->read_ctx->provider->random(ctx->read_ctx->provider_ctx, ctx->kdf_salt, FILE_HEADER_SZ) != SQLITE_OK) return SQLITE_ERROR;
+      ctx->need_kdf_salt = 0;
+    }
+    if (c_ctx->pass_sz == ((c_ctx->key_sz * 2) + 3) && sqlite3StrNICmp((const char *)c_ctx->pass ,"x'", 2) == 0 && cipher_isHex(c_ctx->pass + 2, c_ctx->key_sz * 2)) {
+      int n = c_ctx->pass_sz - 3; /* adjust for leading x' and tailing ' */
+      const unsigned char *z = c_ctx->pass + 2; /* adjust lead offset of x' */
+      CODEC_TRACE("cipher_ctx_key_derive: using raw key from hex\n");
+      cipher_hex2bin(z, n, c_ctx->key);
+    } else if (c_ctx->pass_sz == (((c_ctx->key_sz + ctx->kdf_salt_sz) * 2) + 3) && sqlite3StrNICmp((const char *)c_ctx->pass ,"x'", 2) == 0 && cipher_isHex(c_ctx->pass + 2, (c_ctx->key_sz + ctx->kdf_salt_sz) * 2)) {
+      const unsigned char *z = c_ctx->pass + 2; /* adjust lead offset of x' */
+      CODEC_TRACE("cipher_ctx_key_derive: using raw key from hex\n");
+      cipher_hex2bin(z, (c_ctx->key_sz * 2), c_ctx->key);
+      cipher_hex2bin(z + (c_ctx->key_sz * 2), (ctx->kdf_salt_sz * 2), ctx->kdf_salt);
+    } else {
+      CODEC_TRACE("cipher_ctx_key_derive: deriving key using full PBKDF2 with %d iterations\n", c_ctx->kdf_iter);
+      c_ctx->provider->kdf(c_ctx->provider_ctx, c_ctx->pass, c_ctx->pass_sz,
+                    ctx->kdf_salt, ctx->kdf_salt_sz, c_ctx->kdf_iter,
+                    c_ctx->key_sz, c_ctx->key);
+    }
+
+    /* set the context "keyspec" containing the hex-formatted key and salt to be used when attaching databases */
+    if((rc = sqlcipher_cipher_ctx_set_keyspec(c_ctx, c_ctx->key, c_ctx->key_sz, ctx->kdf_salt, ctx->kdf_salt_sz)) != SQLITE_OK) return rc;
+
+    /* if this context is setup to use hmac checks, generate a seperate and different
+       key for HMAC. In this case, we use the output of the previous KDF as the input to
+       this KDF run. This ensures a distinct but predictable HMAC key. */
+    if(c_ctx->flags & CIPHER_FLAG_HMAC) {
+      int i;
+
+      /* start by copying the kdf key into the hmac salt slot
+         then XOR it with the fixed hmac salt defined at compile time
+         this ensures that the salt passed in to derive the hmac key, while
+         easy to derive and publically known, is not the same as the salt used
+         to generate the encryption key */
+      memcpy(ctx->hmac_kdf_salt, ctx->kdf_salt, ctx->kdf_salt_sz);
+      for(i = 0; i < ctx->kdf_salt_sz; i++) {
+        ctx->hmac_kdf_salt[i] ^= hmac_salt_mask;
+      }
+
+      CODEC_TRACE("cipher_ctx_key_derive: deriving hmac key from encryption key using PBKDF2 with %d iterations\n",
+        c_ctx->fast_kdf_iter);
+
+
+      c_ctx->provider->kdf(c_ctx->provider_ctx, c_ctx->key, c_ctx->key_sz,
+                    ctx->hmac_kdf_salt, ctx->kdf_salt_sz, c_ctx->fast_kdf_iter,
+                    c_ctx->key_sz, c_ctx->hmac_key);
+    }
+
+    c_ctx->derive_key = 0;
+    return SQLITE_OK;
+  };
+  return SQLITE_ERROR;
+}
+
+int sqlcipher_codec_key_derive(codec_ctx *ctx) {
+  /* derive key on first use if necessary */
+  if(ctx->read_ctx->derive_key) {
+    if(sqlcipher_cipher_ctx_key_derive(ctx, ctx->read_ctx) != SQLITE_OK) return SQLITE_ERROR;
+  }
+
+  if(ctx->write_ctx->derive_key) {
+    if(sqlcipher_cipher_ctx_cmp(ctx->write_ctx, ctx->read_ctx) == 0) {
+      /* the relevant parameters are the same, just copy read key */
+      if(sqlcipher_cipher_ctx_copy(ctx->write_ctx, ctx->read_ctx) != SQLITE_OK) return SQLITE_ERROR;
+    } else {
+      if(sqlcipher_cipher_ctx_key_derive(ctx, ctx->write_ctx) != SQLITE_OK) return SQLITE_ERROR;
+    }
+  }
+
+  /* TODO: wipe and free passphrase after key derivation */
+  if(ctx->read_ctx->store_pass  != 1) {
+    sqlcipher_cipher_ctx_set_pass(ctx->read_ctx, NULL, 0);
+    sqlcipher_cipher_ctx_set_pass(ctx->write_ctx, NULL, 0);
+  }
+
+  return SQLITE_OK;
+}
+
+int sqlcipher_codec_key_copy(codec_ctx *ctx, int source) {
+  if(source == CIPHER_READ_CTX) {
+      return sqlcipher_cipher_ctx_copy(ctx->write_ctx, ctx->read_ctx);
+  } else {
+      return sqlcipher_cipher_ctx_copy(ctx->read_ctx, ctx->write_ctx);
+  }
+}
+
+const char* sqlcipher_codec_get_cipher_provider(codec_ctx *ctx) {
+  return ctx->read_ctx->provider->get_provider_name(ctx->read_ctx);
+}
+
+
+static int sqlcipher_check_connection(const char *filename, char *key, int key_sz, char *sql, int *user_version) {
+  int rc;
+  sqlite3 *db = NULL;
+  sqlite3_stmt *statement = NULL;
+  char *query_user_version = "PRAGMA user_version;";
+
+  rc = sqlite3_open(filename, &db);
+  if(rc != SQLITE_OK){
+    goto cleanup;
+  }
+  rc = sqlite3_key(db, key, key_sz);
+  if(rc != SQLITE_OK){
+    goto cleanup;
+  }
+  rc = sqlite3_exec(db, sql, NULL, NULL, NULL);
+  if(rc != SQLITE_OK){
+    goto cleanup;
+  }
+  rc = sqlite3_prepare(db, query_user_version, -1, &statement, NULL);
+  if(rc != SQLITE_OK){
+    goto cleanup;
+  }
+  rc = sqlite3_step(statement);
+  if(rc == SQLITE_ROW){
+    *user_version = sqlite3_column_int(statement, 0);
+    rc = SQLITE_OK;
+  }
+
+cleanup:
+  if(statement){
+    sqlite3_finalize(statement);
+  }
+  if(db){
+    sqlite3_close(db);
+  }
+  return rc;
+}
+
+int sqlcipher_codec_ctx_migrate(codec_ctx *ctx) {
+  u32 meta;
+  int rc = 0;
+  int command_idx = 0;
+  int password_sz;
+  int saved_flags;
+  int saved_nChange;
+  int saved_nTotalChange;
+  u8 saved_mTrace;
+  int (*saved_xTrace)(u32,void*,void*,void*); /* Saved db->xTrace */
+  Db *pDb = 0;
+  sqlite3 *db = ctx->pBt->db;
+  const char *db_filename = sqlite3_db_filename(db, "main");
+  char *migrated_db_filename = sqlite3_mprintf("%s-migrated", db_filename);
+  char *pragma_hmac_off = "PRAGMA cipher_use_hmac = OFF;";
+  char *pragma_4k_kdf_iter = "PRAGMA kdf_iter = 4000;";
+  char *pragma_1x_and_4k;
+  char *set_user_version;
+  char *key;
+  int key_sz;
+  int user_version = 0;
+  int upgrade_1x_format = 0;
+  int upgrade_4k_format = 0;
+  static const unsigned char aCopy[] = {
+    BTREE_SCHEMA_VERSION,     1,  /* Add one to the old schema cookie */
+    BTREE_DEFAULT_CACHE_SIZE, 0,  /* Preserve the default page cache size */
+    BTREE_TEXT_ENCODING,      0,  /* Preserve the text encoding */
+    BTREE_USER_VERSION,       0,  /* Preserve the user version */
+    BTREE_APPLICATION_ID,     0,  /* Preserve the application id */
+  };
+
+
+  key_sz = ctx->read_ctx->pass_sz + 1;
+  key = sqlcipher_malloc(key_sz);
+  memset(key, 0, key_sz);
+  memcpy(key, ctx->read_ctx->pass, ctx->read_ctx->pass_sz);
+
+  if(db_filename){
+    const char* commands[5];
+    char *attach_command = sqlite3_mprintf("ATTACH DATABASE '%s-migrated' as migrate KEY '%q';",
+                                            db_filename, key);
+
+    int rc = sqlcipher_check_connection(db_filename, key, ctx->read_ctx->pass_sz, "", &user_version);
+    if(rc == SQLITE_OK){
+      CODEC_TRACE("No upgrade required - exiting\n");
+      goto exit;
+    }
+
+    // Version 2 - check for 4k with hmac format
+    rc = sqlcipher_check_connection(db_filename, key, ctx->read_ctx->pass_sz, pragma_4k_kdf_iter, &user_version);
+    if(rc == SQLITE_OK) {
+      CODEC_TRACE("Version 2 format found\n");
+      upgrade_4k_format = 1;
+    }
+
+    // Version 1 - check both no hmac and 4k together
+    pragma_1x_and_4k = sqlite3_mprintf("%s%s", pragma_hmac_off,
+                                             pragma_4k_kdf_iter);
+    rc = sqlcipher_check_connection(db_filename, key, ctx->read_ctx->pass_sz, pragma_1x_and_4k, &user_version);
+    sqlite3_free(pragma_1x_and_4k);
+    if(rc == SQLITE_OK) {
+      CODEC_TRACE("Version 1 format found\n");
+      upgrade_1x_format = 1;
+      upgrade_4k_format = 1;
+    }
+
+    if(upgrade_1x_format == 0 && upgrade_4k_format == 0) {
+      CODEC_TRACE("Upgrade format not determined\n");
+      goto handle_error;
+    }
+
+    set_user_version = sqlite3_mprintf("PRAGMA migrate.user_version = %d;", user_version);
+    commands[0] = upgrade_4k_format == 1 ? pragma_4k_kdf_iter : "";
+    commands[1] = upgrade_1x_format == 1 ? pragma_hmac_off : "";
+    commands[2] = attach_command;
+    commands[3] = "SELECT sqlcipher_export('migrate');";
+    commands[4] = set_user_version;
+
+    for(command_idx = 0; command_idx < ArraySize(commands); command_idx++){
+      const char *command = commands[command_idx];
+      if(strcmp(command, "") == 0){
+        continue;
+      }
+      rc = sqlite3_exec(db, command, NULL, NULL, NULL);
+      if(rc != SQLITE_OK){
+        break;
+      }
+    }
+    sqlite3_free(attach_command);
+    sqlite3_free(set_user_version);
+    sqlcipher_free(key, key_sz);
+
+    if(rc == SQLITE_OK){
+      Btree *pDest;
+      Btree *pSrc;
+      int i = 0;
+
+      if( !db->autoCommit ){
+        CODEC_TRACE("cannot migrate from within a transaction");
+        goto handle_error;
+      }
+      if( db->nVdbeActive>1 ){
+        CODEC_TRACE("cannot migrate - SQL statements in progress");
+        goto handle_error;
+      }
+
+      /* Save the current value of the database flags so that it can be
+      ** restored before returning. Then set the writable-schema flag, and
+      ** disable CHECK and foreign key constraints.  */
+      saved_flags = db->flags;
+      saved_nChange = db->nChange;
+      saved_nTotalChange = db->nTotalChange;
+      saved_xTrace = db->xTrace;
+      saved_mTrace = db->mTrace;
+      db->flags |= SQLITE_WriteSchema | SQLITE_IgnoreChecks;
+      db->flags &= ~(SQLITE_ForeignKeys | SQLITE_ReverseOrder);
+      db->xTrace = 0;
+      db->mTrace = 0;
+
+      pDest = db->aDb[0].pBt;
+      pDb = &(db->aDb[db->nDb-1]);
+      pSrc = pDb->pBt;
+
+      rc = sqlite3_exec(db, "BEGIN;", NULL, NULL, NULL);
+      rc = sqlite3BtreeBeginTrans(pSrc, 2, 0);
+      rc = sqlite3BtreeBeginTrans(pDest, 2, 0);
+
+      assert( 1==sqlite3BtreeIsInTrans(pDest) );
+      assert( 1==sqlite3BtreeIsInTrans(pSrc) );
+
+      sqlite3CodecGetKey(db, db->nDb - 1, (void**)&key, &password_sz);
+      sqlite3CodecAttach(db, 0, key, password_sz);
+      sqlite3pager_get_codec(pDest->pBt->pPager, (void**)&ctx);
+
+      ctx->skip_read_hmac = 1;
+      for(i=0; i<ArraySize(aCopy); i+=2){
+        sqlite3BtreeGetMeta(pSrc, aCopy[i], &meta);
+        rc = sqlite3BtreeUpdateMeta(pDest, aCopy[i], meta+aCopy[i+1]);
+        if( NEVER(rc!=SQLITE_OK) ) goto handle_error;
+      }
+      rc = sqlite3BtreeCopyFile(pDest, pSrc);
+      ctx->skip_read_hmac = 0;
+      if( rc!=SQLITE_OK ) goto handle_error;
+      rc = sqlite3BtreeCommit(pDest);
+
+      db->flags = saved_flags;
+      db->nChange = saved_nChange;
+      db->nTotalChange = saved_nTotalChange;
+      db->xTrace = saved_xTrace;
+      db->mTrace = saved_mTrace;
+      db->autoCommit = 1;
+      sqlite3BtreeClose(pDb->pBt);
+      pDb->pBt = 0;
+      pDb->pSchema = 0;
+      sqlite3ResetAllSchemasOfConnection(db);
+      remove(migrated_db_filename);
+      sqlite3_free(migrated_db_filename);
+    } else {
+      CODEC_TRACE("*** migration failure** \n\n");
+    }
+
+  }
+  goto exit;
+
+ handle_error:
+  CODEC_TRACE("An error occurred attempting to migrate the database\n");
+  rc = SQLITE_ERROR;
+
+ exit:
+  return rc;
+}
+
+int sqlcipher_codec_add_random(codec_ctx *ctx, const char *zRight, int random_sz){
+  const char *suffix = &zRight[random_sz-1];
+  int n = random_sz - 3; /* adjust for leading x' and tailing ' */
+  if (n > 0 &&
+      sqlite3StrNICmp((const char *)zRight ,"x'", 2) == 0 &&
+      sqlite3StrNICmp(suffix, "'", 1) == 0 &&
+      n % 2 == 0) {
+    int rc = 0;
+    int buffer_sz = n / 2;
+    unsigned char *random;
+    const unsigned char *z = (const unsigned char *)zRight + 2; /* adjust lead offset of x' */
+    CODEC_TRACE("sqlcipher_codec_add_random: using raw random blob from hex\n");
+    random = sqlcipher_malloc(buffer_sz);
+    memset(random, 0, buffer_sz);
+    cipher_hex2bin(z, n, random);
+    rc = ctx->read_ctx->provider->add_random(ctx->read_ctx->provider_ctx, random, buffer_sz);
+    sqlcipher_free(random, buffer_sz);
+    return rc;
+  }
+  return SQLITE_ERROR;
+}
+
+static void sqlcipher_profile_callback(void *file, const char *sql, sqlite3_uint64 run_time){
+  FILE *f = (FILE*)file;
+  double elapsed = run_time/1000000.0;
+  if(f) fprintf(f, "Elapsed time:%.3f ms - %s\n", elapsed, sql);
+}
+
+int sqlcipher_cipher_profile(sqlite3 *db, const char *destination){
+#if defined(SQLITE_OMIT_TRACE) || defined(SQLITE_OMIT_DEPRECATED)
+  return SQLITE_ERROR;
+#else
+  FILE *f;
+  if(sqlite3StrICmp(destination, "stdout") == 0){
+    f = stdout;
+  }else if(sqlite3StrICmp(destination, "stderr") == 0){
+    f = stderr;
+  }else if(sqlite3StrICmp(destination, "off") == 0){
+    f = 0;
+  }else{
+#if defined(_WIN32) && (__STDC_VERSION__ > 199901L) || defined(SQLITE_OS_WINRT)
+    if(fopen_s(&f, destination, "a") != 0){
+#else
+    f = fopen(destination, "a");
+    if(f == 0){
+#endif
+    return SQLITE_ERROR;
+  }
+
+  }
+  sqlite3_profile(db, sqlcipher_profile_callback, f);
+  return SQLITE_OK;
+#endif
+}
+
+int sqlcipher_codec_fips_status(codec_ctx *ctx) {
+  return ctx->read_ctx->provider->fips_status(ctx->read_ctx);
+}
+
+const char* sqlcipher_codec_get_provider_version(codec_ctx *ctx) {
+  return ctx->read_ctx->provider->get_provider_version(ctx->read_ctx);
+}
+
+int sqlcipher_codec_hmac(const codec_ctx *ctx, const unsigned char *hmac_key, int key_sz,
+                         unsigned char* in, int in_sz, unsigned char *in2, int in2_sz,
+                         unsigned char *out) {
+  ctx->read_ctx->provider->hmac(ctx->read_ctx, (unsigned char *)hmac_key, key_sz, in, in_sz, in2, in2_sz, out);
+  return SQLITE_OK;
+}
+
+
+#endif
+/* END SQLCIPHER */
+
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+#ifdef SQLCIPHER_CRYPTO_LIBTOMCRYPT
+#include <tomcrypt.h>
+
+#define FORTUNA_MAX_SZ 32
+static prng_state prng;
+static unsigned int ltc_init = 0;
+static unsigned int ltc_ref_count = 0;
+static sqlite3_mutex* ltc_rand_mutex = NULL;
+
+static int sqlcipher_ltc_add_random(void *ctx, void *buffer, int length) {
+  int rc = 0;
+  int data_to_read = length;
+  int block_sz = data_to_read < FORTUNA_MAX_SZ ? data_to_read : FORTUNA_MAX_SZ;
+  const unsigned char * data = (const unsigned char *)buffer;
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  sqlite3_mutex_enter(ltc_rand_mutex);
+#endif
+    while(data_to_read > 0){
+      rc = fortuna_add_entropy(data, block_sz, &prng);
+      rc = rc != CRYPT_OK ? SQLITE_ERROR : SQLITE_OK;
+      if(rc != SQLITE_OK){
+        break;
+      }
+      data_to_read -= block_sz;
+      data += block_sz;
+      block_sz = data_to_read < FORTUNA_MAX_SZ ? data_to_read : FORTUNA_MAX_SZ;
+    }
+    fortuna_ready(&prng);
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  sqlite3_mutex_leave(ltc_rand_mutex);
+#endif
+  return rc;
+}
+
+static int sqlcipher_ltc_activate(void *ctx) {
+  unsigned char random_buffer[FORTUNA_MAX_SZ];
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  if(ltc_rand_mutex == NULL){
+    ltc_rand_mutex = sqlite3_mutex_alloc(SQLITE_MUTEX_FAST);
+  }
+  sqlite3_mutex_enter(ltc_rand_mutex);
+#endif
+  sqlcipher_memset(random_buffer, 0, FORTUNA_MAX_SZ);
+  if(ltc_init == 0) {
+    if(register_prng(&fortuna_desc) != CRYPT_OK) return SQLITE_ERROR;
+    if(register_cipher(&rijndael_desc) != CRYPT_OK) return SQLITE_ERROR;
+    if(register_hash(&sha1_desc) != CRYPT_OK) return SQLITE_ERROR;
+    if(fortuna_start(&prng) != CRYPT_OK) {
+      return SQLITE_ERROR;
+    }
+    ltc_init = 1;
+  }
+  ltc_ref_count++;
+#ifndef SQLCIPHER_TEST
+  sqlite3_randomness(FORTUNA_MAX_SZ, random_buffer);
+#endif
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  sqlite3_mutex_leave(ltc_rand_mutex);
+#endif
+  if(sqlcipher_ltc_add_random(ctx, random_buffer, FORTUNA_MAX_SZ) != SQLITE_OK) {
+    return SQLITE_ERROR;
+  }
+  sqlcipher_memset(random_buffer, 0, FORTUNA_MAX_SZ);
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_deactivate(void *ctx) {
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  sqlite3_mutex_enter(ltc_rand_mutex);
+#endif
+  ltc_ref_count--;
+  if(ltc_ref_count == 0){
+    fortuna_done(&prng);
+    sqlcipher_memset((void *)&prng, 0, sizeof(prng));
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+    sqlite3_mutex_leave(ltc_rand_mutex);
+    sqlite3_mutex_free(ltc_rand_mutex);
+    ltc_rand_mutex = NULL;
+#endif
+  }
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  else {
+    sqlite3_mutex_leave(ltc_rand_mutex);
+  }
+#endif    
+  return SQLITE_OK;
+}
+
+static const char* sqlcipher_ltc_get_provider_name(void *ctx) {
+  return "libtomcrypt";
+}
+
+static const char* sqlcipher_ltc_get_provider_version(void *ctx) {
+  return SCRYPT;
+}
+
+static int sqlcipher_ltc_random(void *ctx, void *buffer, int length) {
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  sqlite3_mutex_enter(ltc_rand_mutex);
+#endif
+  fortuna_read(buffer, length, &prng);
+#ifndef SQLCIPHER_LTC_NO_MUTEX_RAND
+  sqlite3_mutex_leave(ltc_rand_mutex);
+#endif
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_hmac(void *ctx, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out) {
+  int rc, hash_idx;
+  hmac_state hmac;
+  unsigned long outlen = key_sz;
+
+  hash_idx = find_hash("sha1");
+  if(in == NULL) return SQLITE_ERROR;
+  if((rc = hmac_init(&hmac, hash_idx, hmac_key, key_sz)) != CRYPT_OK) return SQLITE_ERROR;
+  if((rc = hmac_process(&hmac, in, in_sz)) != CRYPT_OK) return SQLITE_ERROR;
+  if(in2 != NULL && (rc = hmac_process(&hmac, in2, in2_sz)) != CRYPT_OK) return SQLITE_ERROR;
+  if((rc = hmac_done(&hmac, out, &outlen)) != CRYPT_OK) return SQLITE_ERROR;
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_kdf(void *ctx, const unsigned char *pass, int pass_sz, unsigned char* salt, int salt_sz, int workfactor, int key_sz, unsigned char *key) {
+  int rc, hash_idx;
+  unsigned long outlen = key_sz;
+  unsigned long random_buffer_sz = sizeof(char) * 256;
+  unsigned char *random_buffer = sqlcipher_malloc(random_buffer_sz);
+  sqlcipher_memset(random_buffer, 0, random_buffer_sz);
+
+  hash_idx = find_hash("sha1");
+  if((rc = pkcs_5_alg2(pass, pass_sz, salt, salt_sz,
+                       workfactor, hash_idx, key, &outlen)) != CRYPT_OK) {
+    return SQLITE_ERROR;
+  }
+  if((rc = pkcs_5_alg2(key, key_sz, salt, salt_sz,
+                       1, hash_idx, random_buffer, &random_buffer_sz)) != CRYPT_OK) {
+    return SQLITE_ERROR;
+  }
+  sqlcipher_ltc_add_random(ctx, random_buffer, random_buffer_sz);
+  sqlcipher_free(random_buffer, random_buffer_sz);
+  return SQLITE_OK;
+}
+
+static const char* sqlcipher_ltc_get_cipher(void *ctx) {
+  return "rijndael";
+}
+
+static int sqlcipher_ltc_cipher(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out) {
+  int rc, cipher_idx;
+  symmetric_CBC cbc;
+
+  if((cipher_idx = find_cipher(sqlcipher_ltc_get_cipher(ctx))) == -1) return SQLITE_ERROR;
+  if((rc = cbc_start(cipher_idx, iv, key, key_sz, 0, &cbc)) != CRYPT_OK) return SQLITE_ERROR;
+  rc = mode == 1 ? cbc_encrypt(in, out, in_sz, &cbc) : cbc_decrypt(in, out, in_sz, &cbc);
+  if(rc != CRYPT_OK) return SQLITE_ERROR;
+  cbc_done(&cbc);
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_set_cipher(void *ctx, const char *cipher_name) {
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_get_key_sz(void *ctx) {
+  int cipher_idx = find_cipher(sqlcipher_ltc_get_cipher(ctx));
+  return cipher_descriptor[cipher_idx].max_key_length;
+}
+
+static int sqlcipher_ltc_get_iv_sz(void *ctx) {
+  int cipher_idx = find_cipher(sqlcipher_ltc_get_cipher(ctx));
+  return cipher_descriptor[cipher_idx].block_length;
+}
+
+static int sqlcipher_ltc_get_block_sz(void *ctx) {
+  int cipher_idx = find_cipher(sqlcipher_ltc_get_cipher(ctx));
+  return cipher_descriptor[cipher_idx].block_length;
+}
+
+static int sqlcipher_ltc_get_hmac_sz(void *ctx) {
+  int hash_idx = find_hash("sha1");
+  return hash_descriptor[hash_idx].hashsize;
+}
+
+static int sqlcipher_ltc_ctx_copy(void *target_ctx, void *source_ctx) {
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_ctx_cmp(void *c1, void *c2) {
+  return 1;
+}
+
+static int sqlcipher_ltc_ctx_init(void **ctx) {
+  sqlcipher_ltc_activate(NULL);
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_ctx_free(void **ctx) {
+  sqlcipher_ltc_deactivate(&ctx);
+  return SQLITE_OK;
+}
+
+static int sqlcipher_ltc_fips_status(void *ctx) {
+  return 0;
+}
+
+int sqlcipher_ltc_setup(sqlcipher_provider *p) {
+  p->activate = sqlcipher_ltc_activate;
+  p->deactivate = sqlcipher_ltc_deactivate;
+  p->get_provider_name = sqlcipher_ltc_get_provider_name;
+  p->random = sqlcipher_ltc_random;
+  p->hmac = sqlcipher_ltc_hmac;
+  p->kdf = sqlcipher_ltc_kdf;
+  p->cipher = sqlcipher_ltc_cipher;
+  p->set_cipher = sqlcipher_ltc_set_cipher;
+  p->get_cipher = sqlcipher_ltc_get_cipher;
+  p->get_key_sz = sqlcipher_ltc_get_key_sz;
+  p->get_iv_sz = sqlcipher_ltc_get_iv_sz;
+  p->get_block_sz = sqlcipher_ltc_get_block_sz;
+  p->get_hmac_sz = sqlcipher_ltc_get_hmac_sz;
+  p->ctx_copy = sqlcipher_ltc_ctx_copy;
+  p->ctx_cmp = sqlcipher_ltc_ctx_cmp;
+  p->ctx_init = sqlcipher_ltc_ctx_init;
+  p->ctx_free = sqlcipher_ltc_ctx_free;
+  p->add_random = sqlcipher_ltc_add_random;
+  p->fips_status = sqlcipher_ltc_fips_status;
+  p->get_provider_version = sqlcipher_ltc_get_provider_version;
+  return SQLITE_OK;
+}
+
+#endif
+#endif
+/* END SQLCIPHER */
+
+/* BEGIN SQLCIPHER */
+#ifdef SQLITE_HAS_CODEC
+
+#include <assert.h>
+
+static const char* codec_get_cipher_version() {
+  return CIPHER_VERSION;
+}
+
+/* Generate code to return a string value */
+static void codec_vdbe_return_static_string(Parse *pParse, const char *zLabel, const char *value){
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  sqlite3VdbeSetNumCols(v, 1);
+  sqlite3VdbeSetColName(v, 0, COLNAME_NAME, zLabel, SQLITE_STATIC);
+  sqlite3VdbeAddOp4(v, OP_String8, 0, 1, 0, value, 0);
+  sqlite3VdbeAddOp2(v, OP_ResultRow, 1, 1);
+}
+
+static int codec_set_btree_to_codec_pagesize(sqlite3 *db, Db *pDb, codec_ctx *ctx) {
+  int rc, page_sz, reserve_sz;
+
+  page_sz = sqlcipher_codec_ctx_get_pagesize(ctx);
+  reserve_sz = sqlcipher_codec_ctx_get_reservesize(ctx);
+
+  CODEC_TRACE("codec_set_btree_to_codec_pagesize: sqlite3BtreeSetPageSize() size=%d reserve=%d\n", page_sz, reserve_sz);
+
+  CODEC_TRACE_MUTEX("codec_set_btree_to_codec_pagesize: entering database mutex %p\n", db->mutex);
+  sqlite3_mutex_enter(db->mutex);
+  CODEC_TRACE_MUTEX("codec_set_btree_to_codec_pagesize: entered database mutex %p\n", db->mutex);
+  db->nextPagesize = page_sz;
+
+  /* before forcing the page size we need to unset the BTS_PAGESIZE_FIXED flag, else
+     sqliteBtreeSetPageSize will block the change  */
+  pDb->pBt->pBt->btsFlags &= ~BTS_PAGESIZE_FIXED;
+  rc = sqlite3BtreeSetPageSize(pDb->pBt, page_sz, reserve_sz, 0);
+
+  CODEC_TRACE("codec_set_btree_to_codec_pagesize: sqlite3BtreeSetPageSize returned %d\n", rc);
+
+  CODEC_TRACE_MUTEX("codec_set_btree_to_codec_pagesize: leaving database mutex %p\n", db->mutex);
+  sqlite3_mutex_leave(db->mutex);
+  CODEC_TRACE_MUTEX("codec_set_btree_to_codec_pagesize: left database mutex %p\n", db->mutex);
+
+  return rc;
+}
+
+static int codec_set_pass_key(sqlite3* db, int nDb, const void *zKey, int nKey, int for_ctx) {
+  struct Db *pDb = &db->aDb[nDb];
+  CODEC_TRACE("codec_set_pass_key: entered db=%p nDb=%d zKey=%s nKey=%d for_ctx=%d\n", db, nDb, (char *)zKey, nKey, for_ctx);
+  if(pDb->pBt) {
+    codec_ctx *ctx;
+    sqlite3pager_get_codec(pDb->pBt->pBt->pPager, (void **) &ctx);
+    if(ctx) return sqlcipher_codec_ctx_set_pass(ctx, zKey, nKey, for_ctx);
+  }
+  return SQLITE_ERROR;
+}
+
+int sqlcipher_codec_pragma(sqlite3* db, int iDb, Parse *pParse, const char *zLeft, const char *zRight) {
+  char *pragma_cipher_deprecated_msg = "PRAGMA cipher command is deprecated, please remove from usage.";
+  struct Db *pDb = &db->aDb[iDb];
+  codec_ctx *ctx = NULL;
+  int rc;
+
+  if(pDb->pBt) {
+    sqlite3pager_get_codec(pDb->pBt->pBt->pPager, (void **) &ctx);
+  }
+
+  CODEC_TRACE("sqlcipher_codec_pragma: entered db=%p iDb=%d pParse=%p zLeft=%s zRight=%s ctx=%p\n", db, iDb, pParse, zLeft, zRight, ctx);
+
+  if( sqlite3StrICmp(zLeft, "cipher_fips_status")== 0 && !zRight ){
+    if(ctx) {
+      char *fips_mode_status = sqlite3_mprintf("%d", sqlcipher_codec_fips_status(ctx));
+      codec_vdbe_return_static_string(pParse, "cipher_fips_status", fips_mode_status);
+      sqlite3_free(fips_mode_status);
+    }
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_store_pass")==0 && zRight ) {
+    if(ctx) {
+      sqlcipher_codec_set_store_pass(ctx, sqlite3GetBoolean(zRight, 1));
+    }
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_store_pass")==0 && !zRight ) {
+    if(ctx){
+      char *store_pass_value = sqlite3_mprintf("%d", sqlcipher_codec_get_store_pass(ctx));
+      codec_vdbe_return_static_string(pParse, "cipher_store_pass", store_pass_value);
+      sqlite3_free(store_pass_value);
+    }
+  }
+  if( sqlite3StrICmp(zLeft, "cipher_profile")== 0 && zRight ){
+      char *profile_status = sqlite3_mprintf("%d", sqlcipher_cipher_profile(db, zRight));
+      codec_vdbe_return_static_string(pParse, "cipher_profile", profile_status);
+      sqlite3_free(profile_status);
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_add_random")==0 && zRight ){
+    if(ctx) {
+      char *add_random_status = sqlite3_mprintf("%d", sqlcipher_codec_add_random(ctx, zRight, sqlite3Strlen30(zRight)));
+      codec_vdbe_return_static_string(pParse, "cipher_add_random", add_random_status);
+      sqlite3_free(add_random_status);
+    }
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_migrate")==0 && !zRight ){
+    if(ctx){
+      char *migrate_status = sqlite3_mprintf("%d", sqlcipher_codec_ctx_migrate(ctx));
+      codec_vdbe_return_static_string(pParse, "cipher_migrate", migrate_status);
+      sqlite3_free(migrate_status);
+    }
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_provider")==0 && !zRight ){
+    if(ctx) { codec_vdbe_return_static_string(pParse, "cipher_provider",
+                                              sqlcipher_codec_get_cipher_provider(ctx));
+    }
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_provider_version")==0 && !zRight){
+    if(ctx) { codec_vdbe_return_static_string(pParse, "cipher_provider_version",
+                                              sqlcipher_codec_get_provider_version(ctx));
+    }
+  } else
+  if( sqlite3StrICmp(zLeft, "cipher_version")==0 && !zRight ){
+    codec_vdbe_return_static_string(pParse, "cipher_version", codec_get_cipher_version());
+  }else
+  if( sqlite3StrICmp(zLeft, "cipher")==0 ){
+    if(ctx) {
+      if( zRight ) {
+        rc = sqlcipher_codec_ctx_set_cipher(ctx, zRight, 2); // change cipher for both
+        codec_vdbe_return_static_string(pParse, "cipher", pragma_cipher_deprecated_msg);
+        sqlite3_log(SQLITE_WARNING, pragma_cipher_deprecated_msg);
+        return rc;
+      }else {
+        codec_vdbe_return_static_string(pParse, "cipher",
+          sqlcipher_codec_ctx_get_cipher(ctx, 2));
+      }
+    }
+  }else
+  if( sqlite3StrICmp(zLeft, "rekey_cipher")==0 && zRight ){
+    if(ctx) sqlcipher_codec_ctx_set_cipher(ctx, zRight, 1); // change write cipher only
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_default_kdf_iter")==0 ){
+    if( zRight ) {
+      sqlcipher_set_default_kdf_iter(atoi(zRight)); // change default KDF iterations
+    } else {
+      char *kdf_iter = sqlite3_mprintf("%d", sqlcipher_get_default_kdf_iter());
+      codec_vdbe_return_static_string(pParse, "cipher_default_kdf_iter", kdf_iter);
+      sqlite3_free(kdf_iter);
+    }
+  }else
+  if( sqlite3StrICmp(zLeft, "kdf_iter")==0 ){
+    if(ctx) {
+      if( zRight ) {
+        sqlcipher_codec_ctx_set_kdf_iter(ctx, atoi(zRight), 2); // change of RW PBKDF2 iteration
+      } else {
+        char *kdf_iter = sqlite3_mprintf("%d", sqlcipher_codec_ctx_get_kdf_iter(ctx, 2));
+        codec_vdbe_return_static_string(pParse, "kdf_iter", kdf_iter);
+        sqlite3_free(kdf_iter);
+      }
+    }
+  }else
+  if( sqlite3StrICmp(zLeft, "fast_kdf_iter")==0){
+    if(ctx) {
+      if( zRight ) {
+        sqlcipher_codec_ctx_set_fast_kdf_iter(ctx, atoi(zRight), 2); // change of RW PBKDF2 iteration
+      } else {
+        char *fast_kdf_iter = sqlite3_mprintf("%d", sqlcipher_codec_ctx_get_fast_kdf_iter(ctx, 2));
+        codec_vdbe_return_static_string(pParse, "fast_kdf_iter", fast_kdf_iter);
+        sqlite3_free(fast_kdf_iter);
+      }
+    }
+  }else
+  if( sqlite3StrICmp(zLeft, "rekey_kdf_iter")==0 && zRight ){
+    if(ctx) sqlcipher_codec_ctx_set_kdf_iter(ctx, atoi(zRight), 1); // write iterations only
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_page_size")==0 ){
+    if(ctx) {
+      if( zRight ) {
+        int size = atoi(zRight);
+        rc = sqlcipher_codec_ctx_set_pagesize(ctx, size);
+        if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+        rc = codec_set_btree_to_codec_pagesize(db, pDb, ctx);
+        if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+      } else {
+        char * page_size = sqlite3_mprintf("%d", sqlcipher_codec_ctx_get_pagesize(ctx));
+        codec_vdbe_return_static_string(pParse, "cipher_page_size", page_size);
+        sqlite3_free(page_size);
+      }
+    }
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_default_page_size")==0 ){
+    if( zRight ) {
+      sqlcipher_set_default_pagesize(atoi(zRight));
+    } else {
+      char *default_page_size = sqlite3_mprintf("%d", sqlcipher_get_default_pagesize());
+      codec_vdbe_return_static_string(pParse, "cipher_default_page_size", default_page_size);
+      sqlite3_free(default_page_size);
+    }
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_default_use_hmac")==0 ){
+    if( zRight ) {
+      sqlcipher_set_default_use_hmac(sqlite3GetBoolean(zRight,1));
+    } else {
+      char *default_use_hmac = sqlite3_mprintf("%d", sqlcipher_get_default_use_hmac());
+      codec_vdbe_return_static_string(pParse, "cipher_default_use_hmac", default_use_hmac);
+      sqlite3_free(default_use_hmac);
+    }
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_use_hmac")==0 ){
+    if(ctx) {
+      if( zRight ) {
+        rc = sqlcipher_codec_ctx_set_use_hmac(ctx, sqlite3GetBoolean(zRight,1));
+        if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+        /* since the use of hmac has changed, the page size may also change */
+        rc = codec_set_btree_to_codec_pagesize(db, pDb, ctx);
+        if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+      } else {
+        char *hmac_flag = sqlite3_mprintf("%d", sqlcipher_codec_ctx_get_use_hmac(ctx, 2));
+        codec_vdbe_return_static_string(pParse, "cipher_use_hmac", hmac_flag);
+        sqlite3_free(hmac_flag);
+      }
+    }
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_hmac_pgno")==0 ){
+    if(ctx) {
+      if(zRight) {
+        // clear both pgno endian flags
+        if(sqlite3StrICmp(zRight, "le") == 0) {
+          sqlcipher_codec_ctx_unset_flag(ctx, CIPHER_FLAG_BE_PGNO);
+          sqlcipher_codec_ctx_set_flag(ctx, CIPHER_FLAG_LE_PGNO);
+        } else if(sqlite3StrICmp(zRight, "be") == 0) {
+          sqlcipher_codec_ctx_unset_flag(ctx, CIPHER_FLAG_LE_PGNO);
+          sqlcipher_codec_ctx_set_flag(ctx, CIPHER_FLAG_BE_PGNO);
+        } else if(sqlite3StrICmp(zRight, "native") == 0) {
+          sqlcipher_codec_ctx_unset_flag(ctx, CIPHER_FLAG_LE_PGNO);
+          sqlcipher_codec_ctx_unset_flag(ctx, CIPHER_FLAG_BE_PGNO);
+        }
+      } else {
+        if(sqlcipher_codec_ctx_get_flag(ctx, CIPHER_FLAG_LE_PGNO, 2)) {
+          codec_vdbe_return_static_string(pParse, "cipher_hmac_pgno", "le");
+        } else if(sqlcipher_codec_ctx_get_flag(ctx, CIPHER_FLAG_BE_PGNO, 2)) {
+          codec_vdbe_return_static_string(pParse, "cipher_hmac_pgno", "be");
+        } else {
+          codec_vdbe_return_static_string(pParse, "cipher_hmac_pgno", "native");
+        }
+      }
+    }
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_hmac_salt_mask")==0 ){
+    if(ctx) {
+      if(zRight) {
+        if (sqlite3StrNICmp(zRight ,"x'", 2) == 0 && sqlite3Strlen30(zRight) == 5) {
+          unsigned char mask = 0;
+          const unsigned char *hex = (const unsigned char *)zRight+2;
+          cipher_hex2bin(hex,2,&mask);
+          sqlcipher_set_hmac_salt_mask(mask);
+        }
+      } else {
+          char *hmac_salt_mask = sqlite3_mprintf("%02x", sqlcipher_get_hmac_salt_mask());
+          codec_vdbe_return_static_string(pParse, "cipher_hmac_salt_mask", hmac_salt_mask);
+          sqlite3_free(hmac_salt_mask);
+      }
+    }
+  }else {
+    return 0;
+  }
+  return 1;
+}
+
+
+/*
+ * sqlite3Codec can be called in multiple modes.
+ * encrypt mode - expected to return a pointer to the
+ *   encrypted data without altering pData.
+ * decrypt mode - expected to return a pointer to pData, with
+ *   the data decrypted in the input buffer
+ */
+void* sqlite3Codec(void *iCtx, void *data, Pgno pgno, int mode) {
+  codec_ctx *ctx = (codec_ctx *) iCtx;
+  int offset = 0, rc = 0;
+  int page_sz = sqlcipher_codec_ctx_get_pagesize(ctx);
+  unsigned char *pData = (unsigned char *) data;
+  void *buffer = sqlcipher_codec_ctx_get_data(ctx);
+  void *kdf_salt = sqlcipher_codec_ctx_get_kdf_salt(ctx);
+  CODEC_TRACE("sqlite3Codec: entered pgno=%d, mode=%d, page_sz=%d\n", pgno, mode, page_sz);
+
+  /* call to derive keys if not present yet */
+  if((rc = sqlcipher_codec_key_derive(ctx)) != SQLITE_OK) {
+   sqlcipher_codec_ctx_set_error(ctx, rc);
+   return NULL;
+  }
+
+  if(pgno == 1) offset = FILE_HEADER_SZ; /* adjust starting pointers in data page for header offset on first page*/
+
+  CODEC_TRACE("sqlite3Codec: switch mode=%d offset=%d\n",  mode, offset);
+  switch(mode) {
+    case 0: /* decrypt */
+    case 2:
+    case 3:
+      if(pgno == 1) memcpy(buffer, SQLITE_FILE_HEADER, FILE_HEADER_SZ); /* copy file header to the first 16 bytes of the page */
+      rc = sqlcipher_page_cipher(ctx, CIPHER_READ_CTX, pgno, CIPHER_DECRYPT, page_sz - offset, pData + offset, (unsigned char*)buffer + offset);
+      if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+      memcpy(pData, buffer, page_sz); /* copy buffer data back to pData and return */
+      return pData;
+      break;
+    case 6: /* encrypt */
+      if(pgno == 1) memcpy(buffer, kdf_salt, FILE_HEADER_SZ); /* copy salt to output buffer */
+      rc = sqlcipher_page_cipher(ctx, CIPHER_WRITE_CTX, pgno, CIPHER_ENCRYPT, page_sz - offset, pData + offset, (unsigned char*)buffer + offset);
+      if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+      return buffer; /* return persistent buffer data, pData remains intact */
+      break;
+    case 7:
+      if(pgno == 1) memcpy(buffer, kdf_salt, FILE_HEADER_SZ); /* copy salt to output buffer */
+      rc = sqlcipher_page_cipher(ctx, CIPHER_READ_CTX, pgno, CIPHER_ENCRYPT, page_sz - offset, pData + offset, (unsigned char*)buffer + offset);
+      if(rc != SQLITE_OK) sqlcipher_codec_ctx_set_error(ctx, rc);
+      return buffer; /* return persistent buffer data, pData remains intact */
+      break;
+    default:
+      return pData;
+      break;
+  }
+}
+
+void sqlite3FreeCodecArg(void *pCodecArg) {
+  codec_ctx *ctx = (codec_ctx *) pCodecArg;
+  if(pCodecArg == NULL) return;
+  sqlcipher_codec_ctx_free(&ctx); // wipe and free allocated memory for the context
+  sqlcipher_deactivate(); /* cleanup related structures, OpenSSL etc, when codec is detatched */
+}
+
+int sqlite3CodecAttach(sqlite3* db, int nDb, const void *zKey, int nKey) {
+  struct Db *pDb = &db->aDb[nDb];
+
+  CODEC_TRACE("sqlite3CodecAttach: entered db=%p, nDb=%d zKey=%s, nKey=%d\n", db, nDb, (char *)zKey, nKey);
+
+
+  if(nKey && zKey && pDb->pBt) {
+    int rc;
+    Pager *pPager = pDb->pBt->pBt->pPager;
+    sqlite3_file *fd = sqlite3Pager_get_fd(pPager);
+    codec_ctx *ctx;
+
+    CODEC_TRACE("sqlite3CodecAttach: calling sqlcipher_activate()\n");
+    sqlcipher_activate(); /* perform internal initialization for sqlcipher */
+
+    CODEC_TRACE_MUTEX("sqlite3CodecAttach: entering database mutex %p\n", db->mutex);
+    sqlite3_mutex_enter(db->mutex);
+    CODEC_TRACE_MUTEX("sqlite3CodecAttach: entered database mutex %p\n", db->mutex);
+
+    /* point the internal codec argument against the contet to be prepared */
+    CODEC_TRACE("sqlite3CodecAttach: calling sqlcipher_codec_ctx_init()\n");
+    rc = sqlcipher_codec_ctx_init(&ctx, pDb, pDb->pBt->pBt->pPager, fd, zKey, nKey);
+
+    if(rc != SQLITE_OK) {
+      /* initialization failed, do not attach potentially corrupted context */
+      CODEC_TRACE("sqlite3CodecAttach: context initialization failed with rc=%d\n", rc);
+      CODEC_TRACE_MUTEX("sqlite3CodecAttach: leaving database mutex %p (early return on rc=%d)\n", db->mutex, rc);
+      sqlite3_mutex_leave(db->mutex);
+      CODEC_TRACE_MUTEX("sqlite3CodecAttach: left database mutex %p (early return on rc=%d)\n", db->mutex, rc);
+      return rc;
+    }
+
+    CODEC_TRACE("sqlite3CodecAttach: calling sqlite3pager_sqlite3PagerSetCodec()\n");
+    sqlite3pager_sqlite3PagerSetCodec(sqlite3BtreePager(pDb->pBt), sqlite3Codec, NULL, sqlite3FreeCodecArg, (void *) ctx);
+
+    CODEC_TRACE("sqlite3CodecAttach: calling codec_set_btree_to_codec_pagesize()\n");
+    codec_set_btree_to_codec_pagesize(db, pDb, ctx);
+
+    /* force secure delete. This has the benefit of wiping internal data when deleted
+       and also ensures that all pages are written to disk (i.e. not skipped by
+       sqlite3PagerDontWrite optimizations) */
+    CODEC_TRACE("sqlite3CodecAttach: calling sqlite3BtreeSecureDelete()\n");
+    sqlite3BtreeSecureDelete(pDb->pBt, 1);
+
+    /* if fd is null, then this is an in-memory database and
+       we dont' want to overwrite the AutoVacuum settings
+       if not null, then set to the default */
+    if(fd != NULL) {
+      CODEC_TRACE("sqlite3CodecAttach: calling sqlite3BtreeSetAutoVacuum()\n");
+      sqlite3BtreeSetAutoVacuum(pDb->pBt, SQLITE_DEFAULT_AUTOVACUUM);
+    }
+    CODEC_TRACE_MUTEX("sqlite3CodecAttach: leaving database mutex %p\n", db->mutex);
+    sqlite3_mutex_leave(db->mutex);
+    CODEC_TRACE_MUTEX("sqlite3CodecAttach: left database mutex %p\n", db->mutex);
+  }
+  return SQLITE_OK;
+}
+
+void sqlite3_activate_see(const char* in) {
+  /* do nothing, security enhancements are always active */
+}
+
+static int sqlcipher_find_db_index(sqlite3 *db, const char *zDb) {
+  int db_index;
+  if(zDb == NULL){
+    return 0;
+  }
+  for(db_index = 0; db_index < db->nDb; db_index++) {
+    struct Db *pDb = &db->aDb[db_index];
+    if(strcmp(pDb->zDbSName, zDb) == 0) {
+      return db_index;
+    }
+  }
+  return 0;
+}
+
+int sqlite3_key(sqlite3 *db, const void *pKey, int nKey) {
+  CODEC_TRACE("sqlite3_key entered: db=%p pKey=%s nKey=%d\n", db, (char *)pKey, nKey);
+  return sqlite3_key_v2(db, "main", pKey, nKey);
+}
+
+int sqlite3_key_v2(sqlite3 *db, const char *zDb, const void *pKey, int nKey) {
+  CODEC_TRACE("sqlite3_key_v2: entered db=%p zDb=%s pKey=%s nKey=%d\n", db, zDb, (char *)pKey, nKey);
+  /* attach key if db and pKey are not null and nKey is > 0 */
+  if(db && pKey && nKey) {
+    int db_index = sqlcipher_find_db_index(db, zDb);
+    return sqlite3CodecAttach(db, db_index, pKey, nKey);
+  }
+  return SQLITE_ERROR;
+}
+
+int sqlite3_rekey(sqlite3 *db, const void *pKey, int nKey) {
+  CODEC_TRACE("sqlite3_rekey entered: db=%p pKey=%s nKey=%d\n", db, (char *)pKey, nKey);
+  return sqlite3_rekey_v2(db, "main", pKey, nKey);
+}
+
+/* sqlite3_rekey_v2
+** Given a database, this will reencrypt the database using a new key.
+** There is only one possible modes of operation - to encrypt a database
+** that is already encrpyted. If the database is not already encrypted
+** this should do nothing
+** The proposed logic for this function follows:
+** 1. Determine if the database is already encryptped
+** 2. If there is NOT already a key present do nothing
+** 3. If there is a key present, re-encrypt the database with the new key
+*/
+int sqlite3_rekey_v2(sqlite3 *db, const char *zDb, const void *pKey, int nKey) {
+  CODEC_TRACE("sqlite3_rekey_v2: entered db=%p zDb=%s pKey=%s, nKey=%d\n", db, zDb, (char *)pKey, nKey);
+  if(db && pKey && nKey) {
+    int db_index = sqlcipher_find_db_index(db, zDb);
+    struct Db *pDb = &db->aDb[db_index];
+    CODEC_TRACE("sqlite3_rekey_v2: database pDb=%p db_index:%d\n", pDb, db_index);
+    if(pDb->pBt) {
+      codec_ctx *ctx;
+      int rc, page_count;
+      Pgno pgno;
+      PgHdr *page;
+      Pager *pPager = pDb->pBt->pBt->pPager;
+
+      sqlite3pager_get_codec(pDb->pBt->pBt->pPager, (void **) &ctx);
+
+      if(ctx == NULL) {
+        /* there was no codec attached to this database, so this should do nothing! */
+        CODEC_TRACE("sqlite3_rekey_v2: no codec attached to db, exiting\n");
+        return SQLITE_OK;
+      }
+
+      CODEC_TRACE_MUTEX("sqlite3_rekey_v2: entering database mutex %p\n", db->mutex);
+      sqlite3_mutex_enter(db->mutex);
+      CODEC_TRACE_MUTEX("sqlite3_rekey_v2: entered database mutex %p\n", db->mutex);
+
+      codec_set_pass_key(db, db_index, pKey, nKey, CIPHER_WRITE_CTX);
+
+      /* do stuff here to rewrite the database
+      ** 1. Create a transaction on the database
+      ** 2. Iterate through each page, reading it and then writing it.
+      ** 3. If that goes ok then commit and put ctx->rekey into ctx->key
+      **    note: don't deallocate rekey since it may be used in a subsequent iteration
+      */
+      rc = sqlite3BtreeBeginTrans(pDb->pBt, 1, 0); /* begin write transaction */
+      sqlite3PagerPagecount(pPager, &page_count);
+      for(pgno = 1; rc == SQLITE_OK && pgno <= (unsigned int)page_count; pgno++) { /* pgno's start at 1 see pager.c:pagerAcquire */
+        if(!sqlite3pager_is_mj_pgno(pPager, pgno)) { /* skip this page (see pager.c:pagerAcquire for reasoning) */
+          rc = sqlite3PagerGet(pPager, pgno, &page, 0);
+          if(rc == SQLITE_OK) { /* write page see pager_incr_changecounter for example */
+            rc = sqlite3PagerWrite(page);
+            if(rc == SQLITE_OK) {
+              sqlite3PagerUnref(page);
+            } else {
+             CODEC_TRACE("sqlite3_rekey_v2: error %d occurred writing page %d\n", rc, pgno);
+            }
+          } else {
+             CODEC_TRACE("sqlite3_rekey_v2: error %d occurred getting page %d\n", rc, pgno);
+          }
+        }
+      }
+
+      /* if commit was successful commit and copy the rekey data to current key, else rollback to release locks */
+      if(rc == SQLITE_OK) {
+        CODEC_TRACE("sqlite3_rekey_v2: committing\n");
+        rc = sqlite3BtreeCommit(pDb->pBt);
+        sqlcipher_codec_key_copy(ctx, CIPHER_WRITE_CTX);
+      } else {
+        CODEC_TRACE("sqlite3_rekey_v2: rollback\n");
+        sqlite3BtreeRollback(pDb->pBt, SQLITE_ABORT_ROLLBACK, 0);
+      }
+
+      CODEC_TRACE_MUTEX("sqlite3_rekey_v2: leaving database mutex %p\n", db->mutex);
+      sqlite3_mutex_leave(db->mutex);
+      CODEC_TRACE_MUTEX("sqlite3_rekey_v2: left database mutex %p\n", db->mutex);
+    }
+    return SQLITE_OK;
+  }
+  return SQLITE_ERROR;
+}
+
+void sqlite3CodecGetKey(sqlite3* db, int nDb, void **zKey, int *nKey) {
+  struct Db *pDb = &db->aDb[nDb];
+  CODEC_TRACE("sqlite3CodecGetKey: entered db=%p, nDb=%d\n", db, nDb);
+  if( pDb->pBt ) {
+    codec_ctx *ctx;
+    sqlite3pager_get_codec(pDb->pBt->pBt->pPager, (void **) &ctx);
+    if(ctx) {
+      if(sqlcipher_codec_get_store_pass(ctx) == 1) {
+        sqlcipher_codec_get_pass(ctx, zKey, nKey);
+      } else {
+        sqlcipher_codec_get_keyspec(ctx, zKey, nKey);
+      }
+    } else {
+      *zKey = NULL;
+      *nKey = 0;
+    }
+  }
+}
+
+#ifndef OMIT_EXPORT
+
+/*
+ * Implementation of an "export" function that allows a caller
+ * to duplicate the main database to an attached database. This is intended
+ * as a conveneince for users who need to:
+ *
+ *   1. migrate from an non-encrypted database to an encrypted database
+ *   2. move from an encrypted database to a non-encrypted database
+ *   3. convert beween the various flavors of encrypted databases.
+ *
+ * This implementation is based heavily on the procedure and code used
+ * in vacuum.c, but is exposed as a function that allows export to any
+ * named attached database.
+ */
+
+/*
+** Finalize a prepared statement.  If there was an error, store the
+** text of the error message in *pzErrMsg.  Return the result code.
+**
+** Based on vacuumFinalize from vacuum.c
+*/
+static int sqlcipher_finalize(sqlite3 *db, sqlite3_stmt *pStmt, char **pzErrMsg){
+  int rc;
+  rc = sqlite3VdbeFinalize((Vdbe*)pStmt);
+  if( rc ){
+    sqlite3SetString(pzErrMsg, db, sqlite3_errmsg(db));
+  }
+  return rc;
+}
+
+/*
+** Execute zSql on database db. Return an error code.
+**
+** Based on execSql from vacuum.c
+*/
+static int sqlcipher_execSql(sqlite3 *db, char **pzErrMsg, const char *zSql){
+  sqlite3_stmt *pStmt;
+  VVA_ONLY( int rc; )
+  if( !zSql ){
+    return SQLITE_NOMEM;
+  }
+  if( SQLITE_OK!=sqlite3_prepare(db, zSql, -1, &pStmt, 0) ){
+    sqlite3SetString(pzErrMsg, db, sqlite3_errmsg(db));
+    return sqlite3_errcode(db);
+  }
+  VVA_ONLY( rc = ) sqlite3_step(pStmt);
+  assert( rc!=SQLITE_ROW );
+  return sqlcipher_finalize(db, pStmt, pzErrMsg);
+}
+
+/*
+** Execute zSql on database db. The statement returns exactly
+** one column. Execute this as SQL on the same database.
+**
+** Based on execExecSql from vacuum.c
+*/
+static int sqlcipher_execExecSql(sqlite3 *db, char **pzErrMsg, const char *zSql){
+  sqlite3_stmt *pStmt;
+  int rc;
+
+  rc = sqlite3_prepare(db, zSql, -1, &pStmt, 0);
+  if( rc!=SQLITE_OK ) return rc;
+
+  while( SQLITE_ROW==sqlite3_step(pStmt) ){
+    rc = sqlcipher_execSql(db, pzErrMsg, (char*)sqlite3_column_text(pStmt, 0));
+    if( rc!=SQLITE_OK ){
+      sqlcipher_finalize(db, pStmt, pzErrMsg);
+      return rc;
+    }
+  }
+
+  return sqlcipher_finalize(db, pStmt, pzErrMsg);
+}
+
+/*
+ * copy database and schema from the main database to an attached database
+ *
+ * Based on sqlite3RunVacuum from vacuum.c
+*/
+void sqlcipher_exportFunc(sqlite3_context *context, int argc, sqlite3_value **argv) {
+  sqlite3 *db = sqlite3_context_db_handle(context);
+  const char* attachedDb = (const char*) sqlite3_value_text(argv[0]);
+  int saved_flags;        /* Saved value of the db->flags */
+  int saved_nChange;      /* Saved value of db->nChange */
+  int saved_nTotalChange; /* Saved value of db->nTotalChange */
+  u8 saved_mTrace;        /* Saved value of db->mTrace */
+  int (*saved_xTrace)(u32,void*,void*,void*); /* Saved db->xTrace */
+  int rc = SQLITE_OK;     /* Return code from service routines */
+  char *zSql = NULL;         /* SQL statements */
+  char *pzErrMsg = NULL;
+
+  saved_flags = db->flags;
+  saved_nChange = db->nChange;
+  saved_nTotalChange = db->nTotalChange;
+  saved_xTrace = db->xTrace;
+  saved_mTrace = db->mTrace;
+  db->flags |= SQLITE_WriteSchema | SQLITE_IgnoreChecks;
+  db->flags &= ~(SQLITE_ForeignKeys | SQLITE_ReverseOrder);
+  db->xTrace = 0;
+  db->mTrace = 0;
+
+  /* Query the schema of the main database. Create a mirror schema
+  ** in the temporary database.
+  */
+  zSql = sqlite3_mprintf(
+    "SELECT 'CREATE TABLE %s.' || substr(sql,14) "
+    "  FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'"
+    "   AND rootpage>0"
+  , attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execExecSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  zSql = sqlite3_mprintf(
+    "SELECT 'CREATE INDEX %s.' || substr(sql,14)"
+    "  FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %%' "
+  , attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execExecSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  zSql = sqlite3_mprintf(
+    "SELECT 'CREATE UNIQUE INDEX %s.' || substr(sql,21) "
+    "  FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %%'"
+  , attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execExecSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  /* Loop through the tables in the main database. For each, do
+  ** an "INSERT INTO rekey_db.xxx SELECT * FROM main.xxx;" to copy
+  ** the contents to the temporary database.
+  */
+  zSql = sqlite3_mprintf(
+    "SELECT 'INSERT INTO %s.' || quote(name) "
+    "|| ' SELECT * FROM main.' || quote(name) || ';'"
+    "FROM main.sqlite_master "
+    "WHERE type = 'table' AND name!='sqlite_sequence' "
+    "  AND rootpage>0"
+  , attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execExecSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  /* Copy over the sequence table
+  */
+  zSql = sqlite3_mprintf(
+    "SELECT 'DELETE FROM %s.' || quote(name) || ';' "
+    "FROM %s.sqlite_master WHERE name='sqlite_sequence' "
+  , attachedDb, attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execExecSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  zSql = sqlite3_mprintf(
+    "SELECT 'INSERT INTO %s.' || quote(name) "
+    "|| ' SELECT * FROM main.' || quote(name) || ';' "
+    "FROM %s.sqlite_master WHERE name=='sqlite_sequence';"
+  , attachedDb, attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execExecSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  /* Copy the triggers, views, and virtual tables from the main database
+  ** over to the temporary database.  None of these objects has any
+  ** associated storage, so all we have to do is copy their entries
+  ** from the SQLITE_MASTER table.
+  */
+  zSql = sqlite3_mprintf(
+    "INSERT INTO %s.sqlite_master "
+    "  SELECT type, name, tbl_name, rootpage, sql"
+    "    FROM main.sqlite_master"
+    "   WHERE type='view' OR type='trigger'"
+    "      OR (type='table' AND rootpage=0)"
+  , attachedDb);
+  rc = (zSql == NULL) ? SQLITE_NOMEM : sqlcipher_execSql(db, &pzErrMsg, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_export;
+  sqlite3_free(zSql);
+
+  zSql = NULL;
+end_of_export:
+  db->flags = saved_flags;
+  db->nChange = saved_nChange;
+  db->nTotalChange = saved_nTotalChange;
+  db->xTrace = saved_xTrace;
+  db->mTrace = saved_mTrace;
+
+  sqlite3_free(zSql);
+
+  if(rc) {
+    if(pzErrMsg != NULL) {
+      sqlite3_result_error(context, pzErrMsg, -1);
+      sqlite3DbFree(db, pzErrMsg);
+    } else {
+      sqlite3_result_error(context, sqlite3ErrStr(rc), -1);
+    }
+  }
+}
+
+#endif
+
+/* END SQLCIPHER */
+#endif