Merge branch 'busybox' into merge

46 files changed, 523 insertions, 296 deletions

diff --git a/networking/Config.src b/networking/Config.src
index 2ce5287de..04d644bc9 100644
--- a/networking/Config.src
+++ b/networking/Config.src
@@ -46,6 +46,17 @@ config VERBOSE_RESOLUTION_ERRORS
         "can't resolve 'hostname.com'" and want to know more.
         This may increase size of your executable a bit.
 
+config FEATURE_TLS_SHA1
+        bool "In TLS code, support ciphers which use deprecated SHA1"
+        depends on TLS
+        default n
+        help
+        Selecting this option increases interoperability with very old
+        servers, but slightly increases code size.
+
+        Most TLS servers support SHA256 today (2018), since SHA1 is
+        considered possibly insecure (although not yet definitely broken).
+
 INSERT
 
 source networking/udhcp/Config.in
diff --git a/networking/arp.c b/networking/arp.c
index 177ab1571..71bfe3cbf 100644
--- a/networking/arp.c
+++ b/networking/arp.c
@@ -13,7 +13,7 @@
  * modified for getopt32 by Arne Bernin <arne [at] alamut.de>
  */
 //config:config ARP
-//config:       bool "arp (11 kb)"
+//config:       bool "arp (10 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/arping.c b/networking/arping.c
index 788fded3c..901578b68 100644
--- a/networking/arping.c
+++ b/networking/arping.c
@@ -6,7 +6,7 @@
  * Busybox port: Nick Fedchik <nick@fedchik.org.ua>
  */
 //config:config ARPING
-//config:       bool "arping (9.3 kb)"
+//config:       bool "arping (9 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/ether-wake.c b/networking/ether-wake.c
index 6677f07d5..acaac16f8 100644
--- a/networking/ether-wake.c
+++ b/networking/ether-wake.c
@@ -64,7 +64,7 @@
  *   filter.  That configuration consumes more power.
  */
 //config:config ETHER_WAKE
-//config:       bool "ether-wake (6.6 kb)"
+//config:       bool "ether-wake (4.9 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/ftpgetput.c b/networking/ftpgetput.c
index 84ca547ff..bff90538f 100644
--- a/networking/ftpgetput.c
+++ b/networking/ftpgetput.c
@@ -13,13 +13,13 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config FTPGET
-//config:       bool "ftpget (8 kb)"
+//config:       bool "ftpget (7.8 kb)"
 //config:       default y
 //config:       help
 //config:       Retrieve a remote file via FTP.
 //config:
 //config:config FTPPUT
-//config:       bool "ftpput (7.7 kb)"
+//config:       bool "ftpput (7.5 kb)"
 //config:       default y
 //config:       help
 //config:       Store a remote file via FTP.
diff --git a/networking/hostname.c b/networking/hostname.c
index 8e3238d99..248d8b65a 100644
--- a/networking/hostname.c
+++ b/networking/hostname.c
@@ -10,7 +10,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config HOSTNAME
-//config:       bool "hostname (5.6 kb)"
+//config:       bool "hostname (5.5 kb)"
 //config:       default y
 //config:       help
 //config:       Show or set the system's host name.
diff --git a/networking/ifplugd.c b/networking/ifplugd.c
index 9a67d24d8..026ff1cc8 100644
--- a/networking/ifplugd.c
+++ b/networking/ifplugd.c
@@ -7,7 +7,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config IFPLUGD
-//config:       bool "ifplugd (9.9 kb)"
+//config:       bool "ifplugd (10 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/ifupdown.c b/networking/ifupdown.c
index 80fce87a6..8a6efc976 100644
--- a/networking/ifupdown.c
+++ b/networking/ifupdown.c
@@ -17,7 +17,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config IFUP
-//config:       bool "ifup (17 kb)"
+//config:       bool "ifup (14 kb)"
 //config:       default y
 //config:       help
 //config:       Activate the specified interfaces. This applet makes use
@@ -33,7 +33,7 @@
 //config:       via busybox or via standalone utilities.
 //config:
 //config:config IFDOWN
-//config:       bool "ifdown (15 kb)"
+//config:       bool "ifdown (13 kb)"
 //config:       default y
 //config:       help
 //config:       Deactivate the specified interfaces.
diff --git a/networking/inetd.c b/networking/inetd.c
index ca1a97268..8f871ee12 100644
--- a/networking/inetd.c
+++ b/networking/inetd.c
@@ -488,7 +488,7 @@ static void block_CHLD_HUP_ALRM(sigset_t *m)
         sigaddset(m, SIGCHLD);
         sigaddset(m, SIGHUP);
         sigaddset(m, SIGALRM);
-        sigprocmask(SIG_BLOCK, m, m); /* old sigmask is stored in m */
+        sigprocmask2(SIG_BLOCK, m); /* old sigmask is stored in m */
 }
 
 static void restore_sigmask(sigset_t *m)
diff --git a/networking/ip.c b/networking/ip.c
index 97d618cd9..034ee4fc8 100644
--- a/networking/ip.c
+++ b/networking/ip.c
@@ -9,7 +9,7 @@
  * Bernhard Reutner-Fischer rewrote to use index_in_substr_array
  */
 //config:config IP
-//config:       bool "ip (34 kb)"
+//config:       bool "ip (35 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
@@ -28,7 +28,7 @@
 //config:       Short form of "ip addr"
 //config:
 //config:config IPLINK
-//config:       bool "iplink (16 kb)"
+//config:       bool "iplink (17 kb)"
 //config:       default y
 //config:       select FEATURE_IP_LINK
 //config:       select PLATFORM_LINUX
diff --git a/networking/ipcalc.c b/networking/ipcalc.c
index cdae8eea8..67f768836 100644
--- a/networking/ipcalc.c
+++ b/networking/ipcalc.c
@@ -12,7 +12,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config IPCALC
-//config:       bool "ipcalc (4.3 kb)"
+//config:       bool "ipcalc (4.4 kb)"
 //config:       default y
 //config:       help
 //config:       ipcalc takes an IP address and netmask and calculates the
diff --git a/networking/isrv_identd.c b/networking/isrv_identd.c
index 0c33dde4f..f564d604a 100644
--- a/networking/isrv_identd.c
+++ b/networking/isrv_identd.c
@@ -7,7 +7,7 @@
  * Licensed under GPLv2, see file LICENSE in this source tree.
  */
 //config:config FAKEIDENTD
-//config:       bool "fakeidentd (8.9 kb)"
+//config:       bool "fakeidentd (8.7 kb)"
 //config:       default y
 //config:       select FEATURE_SYSLOG
 //config:       help
diff --git a/networking/libiproute/ipaddress.c b/networking/libiproute/ipaddress.c
index 9ec665b69..d088caf4c 100644
--- a/networking/libiproute/ipaddress.c
+++ b/networking/libiproute/ipaddress.c
@@ -327,6 +327,10 @@ static int FAST_FUNC print_addrinfo(const struct sockaddr_nl *who UNUSED_PARAM,
                 ifa->ifa_flags &= ~IFA_F_TENTATIVE;
                 printf("tentative ");
         }
+        if (ifa->ifa_flags & IFA_F_DADFAILED) {
+                ifa->ifa_flags &= ~IFA_F_DADFAILED;
+                printf("dadfailed ");
+        }
         if (ifa->ifa_flags & IFA_F_DEPRECATED) {
                 ifa->ifa_flags &= ~IFA_F_DEPRECATED;
                 printf("deprecated ");
diff --git a/networking/nbd-client.c b/networking/nbd-client.c
index 103756b59..0dc8d0c43 100644
--- a/networking/nbd-client.c
+++ b/networking/nbd-client.c
@@ -4,7 +4,7 @@
  * Licensed under GPLv2, see file LICENSE in this source tree.
  */
 //config:config NBDCLIENT
-//config:       bool "nbd-client (4.6 kb)"
+//config:       bool "nbd-client (6 kb)"
 //config:       default y
 //config:       help
 //config:       Network block device client
@@ -163,7 +163,9 @@ int nbdclient_main(int argc, char **argv)
                 int sock, nbd;
                 int ro;
                 int proto_new; // 0 for old, 1 for new
+#if BB_MMU
                 char *data;
+#endif
 
                 // Make sure BLOCKDEV exists
                 nbd = xopen(device, O_RDWR);
@@ -200,7 +202,9 @@ int nbdclient_main(int argc, char **argv)
                         ioctl(nbd, NBD_SET_SIZE_BLOCKS, size_blocks);
                         ioctl(nbd, NBD_CLEAR_SOCK);
                         ro = !!(old_nbd_header.flags & htons(2));
+#if BB_MMU
                         data = old_nbd_header.data;
+#endif
                 } else {
                         unsigned namelen;
                         uint16_t handshake_flags;
@@ -230,7 +234,9 @@ int nbdclient_main(int argc, char **argv)
                         ioctl(nbd, NBD_SET_FLAGS,
                                         ntohs(new_nbd_header.transmission_flags));
                         ro = !!(new_nbd_header.transmission_flags & htons(2));
+#if BB_MMU
                         data = new_nbd_header.data;
+#endif
                 }
 
                 if (ioctl(nbd, BLKROSET, &ro) < 0) {
diff --git a/networking/nslookup.c b/networking/nslookup.c
index e153eb585..24e09d4f0 100644
--- a/networking/nslookup.c
+++ b/networking/nslookup.c
@@ -1,7 +1,7 @@
 /* vi: set sw=4 ts=4: */
 
 //config:config NSLOOKUP
-//config:       bool "nslookup (4.5 kb)"
+//config:       bool "nslookup (9.7 kb)"
 //config:       default y
 //config:       help
 //config:       nslookup is a tool to query Internet name servers.
@@ -257,7 +257,7 @@ int nslookup_main(int argc, char **argv)
 struct ns {
         const char *name;
         len_and_sockaddr *lsa;
-        int failures;
+        //UNUSED: int failures;
         int replies;
 };
 
@@ -320,6 +320,7 @@ struct globals {
         struct query *query;
         char *search;
         smalluint have_search_directive;
+        smalluint exitcode;
 } FIX_ALIASING;
 #define G (*(struct globals*)bb_common_bufsiz1)
 #define INIT_G() do { \
@@ -593,7 +594,7 @@ static int send_queries(struct ns *ns)
 
                 /* Retry immediately on SERVFAIL */
                 if (rcode == 2) {
-                        ns->failures++;
+                        //UNUSED: ns->failures++;
                         if (servfail_retry) {
                                 servfail_retry--;
                                 write(pfd.fd, G.query[qn].query, G.query[qn].qlen);
@@ -612,9 +613,12 @@ static int send_queries(struct ns *ns)
                 if (rcode != 0) {
                         printf("** server can't find %s: %s\n",
                                         G.query[qn].name, rcodes[rcode]);
+                        G.exitcode = EXIT_FAILURE;
                 } else {
-                        if (parse_reply(reply, recvlen) < 0)
+                        if (parse_reply(reply, recvlen) < 0) {
                                 printf("*** Can't find %s: Parse error\n", G.query[qn].name);
+                                G.exitcode = EXIT_FAILURE;
+                        }
                 }
                 bb_putchar('\n');
                 n_replies++;
@@ -988,7 +992,7 @@ int nslookup_main(int argc UNUSED_PARAM, char **argv)
                 free(G.query);
         }
 
-        return EXIT_SUCCESS;
+        return G.exitcode;
 }
 
 #endif
diff --git a/networking/ntpd.c b/networking/ntpd.c
index 041cac762..855815ece 100644
--- a/networking/ntpd.c
+++ b/networking/ntpd.c
@@ -41,7 +41,7 @@
  ***********************************************************************
  */
 //config:config NTPD
-//config:       bool "ntpd (17 kb)"
+//config:       bool "ntpd (22 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/ping.c b/networking/ping.c
index 570184fee..b534c74c7 100644
--- a/networking/ping.c
+++ b/networking/ping.c
@@ -25,7 +25,7 @@
  * The code was modified by Bart Visscher <magick@linux-fan.com>
  */
 //config:config PING
-//config:       bool "ping (9.5 kb)"
+//config:       bool "ping (10 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
@@ -33,7 +33,7 @@
 //config:       elicit an ICMP ECHO_RESPONSE from a host or gateway.
 //config:
 //config:config PING6
-//config:       bool "ping6 (10 kb)"
+//config:       bool "ping6 (11 kb)"
 //config:       default y
 //config:       depends on FEATURE_IPV6
 //config:       help
diff --git a/networking/pscan.c b/networking/pscan.c
index 95b0a937d..2715ef2df 100644
--- a/networking/pscan.c
+++ b/networking/pscan.c
@@ -6,7 +6,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config PSCAN
-//config:       bool "pscan (6.6 kb)"
+//config:       bool "pscan (6 kb)"
 //config:       default y
 //config:       help
 //config:       Simple network port scanner.
diff --git a/networking/route.c b/networking/route.c
index 8387ce1bb..ac1d94c28 100644
--- a/networking/route.c
+++ b/networking/route.c
@@ -25,7 +25,7 @@
  * remove ridiculous amounts of bloat.
  */
 //config:config ROUTE
-//config:       bool "route (8.9 kb)"
+//config:       bool "route (8.7 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/slattach.c b/networking/slattach.c
index e0a388926..c6feca248 100644
--- a/networking/slattach.c
+++ b/networking/slattach.c
@@ -13,7 +13,7 @@
  * - The -F options allows disabling of RTS/CTS flow control.
  */
 //config:config SLATTACH
-//config:       bool "slattach (6.1 kb)"
+//config:       bool "slattach (6.2 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/ssl_client.c b/networking/ssl_client.c
index 49aec6b99..cd0ee5722 100644
--- a/networking/ssl_client.c
+++ b/networking/ssl_client.c
@@ -4,7 +4,7 @@
  * Licensed under GPLv2, see file LICENSE in this source tree.
  */
 //config:config SSL_CLIENT
-//config:       bool "ssl_client (23 kb)"
+//config:       bool "ssl_client (25 kb)"
 //config:       default y
 //config:       select TLS
 //config:       help
diff --git a/networking/tc.c b/networking/tc.c
index 4fa3e47bf..3e9808328 100644
--- a/networking/tc.c
+++ b/networking/tc.c
@@ -7,7 +7,7 @@
  * Bernhard Reutner-Fischer adjusted for busybox
  */
 //config:config TC
-//config:       bool "tc (3.1 kb)"
+//config:       bool "tc (8.3 kb)"
 //config:       default y
 //config:       help
 //config:       Show / manipulate traffic control settings
diff --git a/networking/tcpudp.c b/networking/tcpudp.c
index c914221ae..a0af64981 100644
--- a/networking/tcpudp.c
+++ b/networking/tcpudp.c
@@ -29,7 +29,7 @@
  * - don't know how to retrieve ORIGDST for udp.
  */
 //config:config TCPSVD
-//config:       bool "tcpsvd (13 kb)"
+//config:       bool "tcpsvd (14 kb)"
 //config:       default y
 //config:       help
 //config:       tcpsvd listens on a TCP port and runs a program for each new
diff --git a/networking/telnet.c b/networking/telnet.c
index 1e6be85bd..fa1628723 100644
--- a/networking/telnet.c
+++ b/networking/telnet.c
@@ -20,7 +20,7 @@
  * by Fernando Silveira <swrh@gmx.net>
  */
 //config:config TELNET
-//config:       bool "telnet (8.7 kb)"
+//config:       bool "telnet (8.8 kb)"
 //config:       default y
 //config:       help
 //config:       Telnet is an interface to the TELNET protocol, but is also commonly
@@ -94,19 +94,19 @@ enum {
         IACBUFSIZE  = 128,
 
         CHM_TRY = 0,
-        CHM_ON = 1,
+        CHM_ON  = 1,
         CHM_OFF = 2,
 
         UF_ECHO = 0x01,
-        UF_SGA = 0x02,
+        UF_SGA  = 0x02,
 
         TS_NORMAL = 0,
         TS_COPY = 1,
-        TS_IAC = 2,
-        TS_OPT = 3,
+        TS_IAC  = 2,
+        TS_OPT  = 3,
         TS_SUB1 = 4,
         TS_SUB2 = 5,
-        TS_CR = 6,
+        TS_CR   = 6,
 };
 
 typedef unsigned char byte;
@@ -152,8 +152,10 @@ static void subneg(byte c);
 
 static void iac_flush(void)
 {
-        full_write(netfd, G.iacbuf, G.iaclen);
-        G.iaclen = 0;
+        if (G.iaclen != 0) {
+                full_write(netfd, G.iacbuf, G.iaclen);
+                G.iaclen = 0;
+        }
 }
 
 static void doexit(int ev) NORETURN;
@@ -244,25 +246,34 @@ static void handle_net_output(int len)
 
 static void handle_net_input(int len)
 {
+        byte c;
         int i;
-        int cstart = 0;
-
-        for (i = 0; i < len; i++) {
-                byte c = G.buf[i];
-
-                if (G.telstate == TS_NORMAL) { /* most typical state */
-                        if (c == IAC) {
-                                cstart = i;
-                                G.telstate = TS_IAC;
-                        }
-                        else if (c == '\r') {
-                                cstart = i + 1;
-                                G.telstate = TS_CR;
-                        }
-                        /* No IACs were seen so far, no need to copy
-                         * bytes within G.buf: */
-                        continue;
+        int cstart = cstart; /* for compiler */
+
+        i = 0;
+        //bb_error_msg("[%u,'%.*s']", G.telstate, len, G.buf);
+        if (G.telstate == TS_NORMAL) { /* most typical state */
+                while (i < len) {
+                        c = G.buf[i];
+                        i++;
+                        if (c == IAC) /* unlikely */
+                                goto got_IAC;
+                        if (c != '\r') /* likely */
+                                continue;
+                        G.telstate = TS_CR;
+                        cstart = i;
+                        goto got_special;
                 }
+                full_write(STDOUT_FILENO, G.buf, len);
+                return;
+ got_IAC:
+                G.telstate = TS_IAC;
+                cstart = i - 1;
+ got_special: ;
+        }
+
+        for (; i < len; i++) {
+                c = G.buf[i];
 
                 switch (G.telstate) {
                 case TS_CR:
@@ -278,20 +289,19 @@ static void handle_net_input(int len)
                         /* Similar to NORMAL, but in TS_COPY we need to copy bytes */
                         if (c == IAC)
                                 G.telstate = TS_IAC;
-                        else
+                        else {
                                 G.buf[cstart++] = c;
-                        if (c == '\r')
-                                G.telstate = TS_CR;
+                                if (c == '\r')
+                                        G.telstate = TS_CR;
+                        }
                         break;
 
                 case TS_IAC: /* Prev char was IAC */
-                        if (c == IAC) { /* IAC IAC -> one IAC */
+                        switch (c) {
+                        case IAC: /* IAC IAC -> one IAC */
                                 G.buf[cstart++] = c;
                                 G.telstate = TS_COPY;
                                 break;
-                        }
-                        /* else */
-                        switch (c) {
                         case SB:
                                 G.telstate = TS_SUB1;
                                 break;
@@ -320,103 +330,83 @@ static void handle_net_input(int len)
                 }
         }
 
-        if (G.telstate != TS_NORMAL) {
-                /* We had some IACs, or CR */
-                if (G.iaclen)
-                        iac_flush();
-                if (G.telstate == TS_COPY) /* we aren't in the middle of IAC */
-                        G.telstate = TS_NORMAL;
-                len = cstart;
-        }
-
-        if (len)
-                full_write(STDOUT_FILENO, G.buf, len);
+        /* We had some IACs, or CR */
+        iac_flush();
+        if (G.telstate == TS_COPY) /* we aren't in the middle of IAC */
+                G.telstate = TS_NORMAL;
+        if (cstart != 0)
+                full_write(STDOUT_FILENO, G.buf, cstart);
 }
 
 static void put_iac(int c)
 {
-        G.iacbuf[G.iaclen++] = c;
+        int iaclen = G.iaclen;
+        if (iaclen >= IACBUFSIZE) {
+                iac_flush();
+                iaclen = 0;
+        }
+        G.iacbuf[iaclen] = c; /* "... & 0xff" is implicit */
+        G.iaclen = iaclen + 1;
 }
 
-static void put_iac2_merged(unsigned wwdd_and_c)
+static void put_iac2_msb_lsb(unsigned x_y)
 {
-        if (G.iaclen + 3 > IACBUFSIZE)
-                iac_flush();
+        put_iac(x_y >> 8);  /* "... & 0xff" is implicit */
+        put_iac(x_y);  /* "... & 0xff" is implicit */
+}
+#define put_iac2_x_y(x,y) put_iac2_msb_lsb(((x)<<8) + (y))
+
+static void put_iac4_msb_lsb(unsigned x_y_z_t)
+{
+        put_iac2_msb_lsb(x_y_z_t >> 16);
+        put_iac2_msb_lsb(x_y_z_t);  /* "... & 0xffff" is implicit */
+}
+#define put_iac4_x_y_z_t(x,y,z,t) put_iac4_msb_lsb(((x)<<24) + ((y)<<16) + ((z)<<8) + (t))
 
+static void put_iac3_IAC_x_y_merged(unsigned wwdd_and_c)
+{
         put_iac(IAC);
-        put_iac(wwdd_and_c >> 8);
-        put_iac(wwdd_and_c & 0xff);
+        put_iac2_msb_lsb(wwdd_and_c);
 }
-#define put_iac2(wwdd,c) put_iac2_merged(((wwdd)<<8) + (c))
+#define put_iac3_IAC_x_y(wwdd,c) put_iac3_IAC_x_y_merged(((wwdd)<<8) + (c))
 
 #if ENABLE_FEATURE_TELNET_TTYPE
 static void put_iac_subopt(byte c, char *str)
 {
-        int len = strlen(str) + 6;   // ( 2 + 1 + 1 + strlen + 2 )
-
-        if (G.iaclen + len > IACBUFSIZE)
-                iac_flush();
-
-        put_iac(IAC);
-        put_iac(SB);
-        put_iac(c);
-        put_iac(0);
+        put_iac4_x_y_z_t(IAC, SB, c, 0);
 
         while (*str)
                 put_iac(*str++);
 
-        put_iac(IAC);
-        put_iac(SE);
+        put_iac2_x_y(IAC, SE);
 }
 #endif
 
 #if ENABLE_FEATURE_TELNET_AUTOLOGIN
 static void put_iac_subopt_autologin(void)
 {
-        int len = strlen(G.autologin) + 6;      // (2 + 1 + 1 + strlen + 2)
-        const char *p = "USER";
-
-        if (G.iaclen + len > IACBUFSIZE)
-                iac_flush();
-
-        put_iac(IAC);
-        put_iac(SB);
-        put_iac(TELOPT_NEW_ENVIRON);
-        put_iac(TELQUAL_IS);
-        put_iac(NEW_ENV_VAR);
-
-        while (*p)
-                put_iac(*p++);
+        const char *p;
 
-        put_iac(NEW_ENV_VALUE);
+        put_iac4_x_y_z_t(IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_IS);
+        put_iac4_x_y_z_t(NEW_ENV_VAR, 'U', 'S', 'E'); /* "USER" */
+        put_iac2_x_y('R', NEW_ENV_VALUE);
 
         p = G.autologin;
         while (*p)
                 put_iac(*p++);
 
-        put_iac(IAC);
-        put_iac(SE);
+        put_iac2_x_y(IAC, SE);
 }
 #endif
 
 #if ENABLE_FEATURE_TELNET_WIDTH
 static void put_iac_naws(byte c, int x, int y)
 {
-        if (G.iaclen + 9 > IACBUFSIZE)
-                iac_flush();
+        put_iac3_IAC_x_y(SB, c);
 
-        put_iac(IAC);
-        put_iac(SB);
-        put_iac(c);
+        put_iac4_msb_lsb((x << 16) + y);
 
-        /* "... & 0xff" implicitly done below */
-        put_iac(x >> 8);
-        put_iac(x);
-        put_iac(y >> 8);
-        put_iac(y);
-
-        put_iac(IAC);
-        put_iac(SE);
+        put_iac2_x_y(IAC, SE);
 }
 #endif
 
@@ -445,8 +435,8 @@ static void will_charmode(void)
         G.telflags |= (UF_ECHO | UF_SGA);
         setConMode();
 
-        put_iac2(DO, TELOPT_ECHO);
-        put_iac2(DO, TELOPT_SGA);
+        put_iac3_IAC_x_y(DO, TELOPT_ECHO);
+        put_iac3_IAC_x_y(DO, TELOPT_SGA);
         iac_flush();
 }
 
@@ -456,24 +446,24 @@ static void do_linemode(void)
         G.telflags &= ~(UF_ECHO | UF_SGA);
         setConMode();
 
-        put_iac2(DONT, TELOPT_ECHO);
-        put_iac2(DONT, TELOPT_SGA);
+        put_iac3_IAC_x_y(DONT, TELOPT_ECHO);
+        put_iac3_IAC_x_y(DONT, TELOPT_SGA);
         iac_flush();
 }
 
 static void to_notsup(char c)
 {
         if (G.telwish == WILL)
-                put_iac2(DONT, c);
+                put_iac3_IAC_x_y(DONT, c);
         else if (G.telwish == DO)
-                put_iac2(WONT, c);
+                put_iac3_IAC_x_y(WONT, c);
 }
 
 static void to_echo(void)
 {
         /* if server requests ECHO, don't agree */
         if (G.telwish == DO) {
-                put_iac2(WONT, TELOPT_ECHO);
+                put_iac3_IAC_x_y(WONT, TELOPT_ECHO);
                 return;
         }
         if (G.telwish == DONT)
@@ -489,9 +479,9 @@ static void to_echo(void)
                 G.telflags ^= UF_ECHO;
 
         if (G.telflags & UF_ECHO)
-                put_iac2(DO, TELOPT_ECHO);
+                put_iac3_IAC_x_y(DO, TELOPT_ECHO);
         else
-                put_iac2(DONT, TELOPT_ECHO);
+                put_iac3_IAC_x_y(DONT, TELOPT_ECHO);
 
         setConMode();
         full_write1_str("\r\n");  /* sudden modec */
@@ -509,9 +499,9 @@ static void to_sga(void)
 
         G.telflags ^= UF_SGA; /* toggle */
         if (G.telflags & UF_SGA)
-                put_iac2(DO, TELOPT_SGA);
+                put_iac3_IAC_x_y(DO, TELOPT_SGA);
         else
-                put_iac2(DONT, TELOPT_SGA);
+                put_iac3_IAC_x_y(DONT, TELOPT_SGA);
 }
 
 #if ENABLE_FEATURE_TELNET_TTYPE
@@ -519,9 +509,9 @@ static void to_ttype(void)
 {
         /* Tell server we will (or won't) do TTYPE */
         if (G.ttype)
-                put_iac2(WILL, TELOPT_TTYPE);
+                put_iac3_IAC_x_y(WILL, TELOPT_TTYPE);
         else
-                put_iac2(WONT, TELOPT_TTYPE);
+                put_iac3_IAC_x_y(WONT, TELOPT_TTYPE);
 }
 #endif
 
@@ -530,9 +520,9 @@ static void to_new_environ(void)
 {
         /* Tell server we will (or will not) do AUTOLOGIN */
         if (G.autologin)
-                put_iac2(WILL, TELOPT_NEW_ENVIRON);
+                put_iac3_IAC_x_y(WILL, TELOPT_NEW_ENVIRON);
         else
-                put_iac2(WONT, TELOPT_NEW_ENVIRON);
+                put_iac3_IAC_x_y(WONT, TELOPT_NEW_ENVIRON);
 }
 #endif
 
@@ -540,7 +530,7 @@ static void to_new_environ(void)
 static void to_naws(void)
 {
         /* Tell server we will do NAWS */
-        put_iac2(WILL, TELOPT_NAWS);
+        put_iac3_IAC_x_y(WILL, TELOPT_NAWS);
 }
 #endif
 
@@ -649,6 +639,7 @@ int telnet_main(int argc UNUSED_PARAM, char **argv)
                 bb_show_usage();
 
         xmove_fd(create_and_connect_stream_or_die(host, port), netfd);
+        printf("Connected to %s\n", host);
 
         setsockopt_keepalive(netfd);
 
diff --git a/networking/telnetd.c b/networking/telnetd.c
index a6bafa21d..caef15181 100644
--- a/networking/telnetd.c
+++ b/networking/telnetd.c
@@ -865,11 +865,25 @@ int telnetd_main(int argc UNUSED_PARAM, char **argv)
  skip3:
                 if (/*ts->size2 < BUFSIZE &&*/ FD_ISSET(ts->ptyfd, &rdfdset)) {
                         /* Read from pty to buffer 2 */
+                        int eio = 0;
+ read_pty:
                         count = MIN(BUFSIZE - ts->rdidx2, BUFSIZE - ts->size2);
                         count = safe_read(ts->ptyfd, TS_BUF2(ts) + ts->rdidx2, count);
                         if (count <= 0) {
-                                if (count < 0 && errno == EAGAIN)
-                                        goto skip4;
+                                if (count < 0) {
+                                        if (errno == EAGAIN)
+                                                goto skip4;
+                                        /* login process might call vhangup(),
+                                         * which causes intermittent EIOs on read above
+                                         * (observed on kernel 4.12.0). Try up to 10 ms.
+                                         */
+                                        if (errno == EIO && eio < 10) {
+                                                eio++;
+                                                //bb_error_msg("EIO pty %u", eio);
+                                                usleep(1000);
+                                                goto read_pty;
+                                        }
+                                }
                                 goto kill_session;
                         }
                         ts->size2 += count;
diff --git a/networking/tftp.c b/networking/tftp.c
index 4cd39186a..d20d4ca4b 100644
--- a/networking/tftp.c
+++ b/networking/tftp.c
@@ -19,7 +19,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config TFTP
-//config:       bool "tftp (12 kb)"
+//config:       bool "tftp (11 kb)"
 //config:       default y
 //config:       help
 //config:       Trivial File Transfer Protocol client. TFTP is usually used
@@ -41,9 +41,6 @@
 //config:       In other words: it should be run from inetd in nowait mode,
 //config:       or from udpsvd. Example: "udpsvd -E 0 69 tftpd DIR"
 //config:
-//config:comment "Common options for tftp/tftpd"
-//config:       depends on TFTP || TFTPD
-//config:
 //config:config FEATURE_TFTP_GET
 //config:       bool "Enable 'tftp get' and/or tftpd upload code"
 //config:       default y
diff --git a/networking/tls.c b/networking/tls.c
index 38eb79798..d2385efe8 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -6,6 +6,8 @@
 //config:config TLS
 //config:       bool #No description makes it a hidden option
 //config:       default n
+//Note:
+//Config.src also defines FEATURE_TLS_SHA1 option
 
 //kbuild:lib-$(CONFIG_TLS) += tls.o
 //kbuild:lib-$(CONFIG_TLS) += tls_pstm.o
@@ -400,7 +402,7 @@ static void hash_handshake(tls_state_t *tls, const char *fmt, const void *buffer
                 dump_hex(fmt, buffer, len);
                 dbg(" (%u bytes) ", (int)len);
                 len = sha_peek(&tls->hsd->handshake_hash_ctx, h);
-                if (len == SHA1_OUTSIZE)
+                if (ENABLE_FEATURE_TLS_SHA1 && len == SHA1_OUTSIZE)
                         dump_hex("sha1:%s\n", h, len);
                 else
                 if (len == SHA256_OUTSIZE)
@@ -411,6 +413,12 @@ static void hash_handshake(tls_state_t *tls, const char *fmt, const void *buffer
 #endif
 }
 
+#if !ENABLE_FEATURE_TLS_SHA1
+# define TLS_MAC_SIZE(tls) SHA256_OUTSIZE
+#else
+# define TLS_MAC_SIZE(tls) (tls)->MAC_size
+#endif
+
 // RFC 2104:
 // HMAC(key, text) based on a hash H (say, sha256) is:
 // ipad = [0x36 x INSIZE]
@@ -427,6 +435,11 @@ typedef struct hmac_precomputed {
 } hmac_precomputed_t;
 
 typedef void md5sha_begin_func(md5sha_ctx_t *ctx) FAST_FUNC;
+#if !ENABLE_FEATURE_TLS_SHA1
+#define hmac_begin(pre,key,key_size,begin) \
+        hmac_begin(pre,key,key_size)
+#define begin sha256_begin
+#endif
 static void hmac_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size, md5sha_begin_func *begin)
 {
         uint8_t key_xor_ipad[SHA_INSIZE];
@@ -467,6 +480,7 @@ static void hmac_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size,
         md5sha_hash(&pre->hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
         md5sha_hash(&pre->hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
 }
+#undef begin
 
 static unsigned hmac_sha_precomputed_v(
                 hmac_precomputed_t *pre,
@@ -504,6 +518,10 @@ static unsigned hmac_sha_precomputed(hmac_precomputed_t *pre_init, uint8_t *out,
         return len;
 }
 
+#if !ENABLE_FEATURE_TLS_SHA1
+#define hmac(tls,out,key,key_size,...) \
+        hmac(out,key,key_size, __VA_ARGS__)
+#endif
 static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
 {
         hmac_precomputed_t pre;
@@ -513,9 +531,9 @@ static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_
         va_start(va, key_size);
 
         hmac_begin(&pre, key, key_size,
-                        (tls->MAC_size == SHA256_OUTSIZE)
-                                ? sha256_begin
-                                : sha1_begin
+                        (ENABLE_FEATURE_TLS_SHA1 && tls->MAC_size == SHA1_OUTSIZE)
+                                ? sha1_begin
+                                : sha256_begin
         );
         len = hmac_sha_precomputed_v(&pre, out, va);
 
@@ -685,7 +703,7 @@ static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, un
 
         /* Calculate MAC signature */
         hmac(tls, buf + size, /* result */
-                tls->client_write_MAC_key, tls->MAC_size,
+                tls->client_write_MAC_key, TLS_MAC_SIZE(tls),
                 &tls->write_seq64_be, sizeof(tls->write_seq64_be),
                 xhdr, RECHDR_LEN,
                 buf, size,
@@ -693,7 +711,7 @@ static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, un
         );
         tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));
 
-        size += tls->MAC_size;
+        size += TLS_MAC_SIZE(tls);
 
         // RFC 5246:
         // 6.2.3.1.  Null or Standard Stream Cipher
@@ -778,7 +796,7 @@ static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, un
 
         tls_get_random(buf - AES_BLOCK_SIZE, AES_BLOCK_SIZE); /* IV */
         dbg("before crypt: 5 hdr + %u data + %u hash bytes\n",
-                        size - tls->MAC_size, tls->MAC_size);
+                        size - TLS_MAC_SIZE(tls), TLS_MAC_SIZE(tls));
 
         /* Fill IV and padding in outbuf */
         // RFC is talking nonsense:
@@ -1093,7 +1111,7 @@ static int tls_xread_record(tls_state_t *tls, const char *expected)
                         tls_aesgcm_decrypt(tls, p, sz);
                         dbg("encrypted size:%u\n", sz);
                 } else
-                if (tls->min_encrypted_len_on_read > tls->MAC_size) {
+                if (tls->min_encrypted_len_on_read > TLS_MAC_SIZE(tls)) {
                         /* AES+SHA */
                         uint8_t *p = tls->inbuf + RECHDR_LEN;
                         int padding_len;
@@ -1112,7 +1130,7 @@ static int tls_xread_record(tls_state_t *tls, const char *expected)
                         padding_len = p[sz - 1];
                         dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len);
                         padding_len++;
-                        sz -= tls->MAC_size + padding_len; /* drop MAC and padding */
+                        sz -= TLS_MAC_SIZE(tls) + padding_len; /* drop MAC and padding */
                 } else {
                         /* if nonzero, then it's TLS_RSA_WITH_NULL_SHA256: drop MAC */
                         /* else: no encryption yet on input, subtract zero = NOP */
@@ -1472,15 +1490,19 @@ static ALWAYS_INLINE void fill_handshake_record_hdr(void *buf, unsigned type, un
 
 static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
 {
-#define NUM_CIPHERS (13 + ALLOW_RSA_NULL_SHA256)
+#define NUM_CIPHERS (7 + 6 * ENABLE_FEATURE_TLS_SHA1 + ALLOW_RSA_NULL_SHA256)
         static const uint8_t ciphers[] = {
-                0x00,(1 + NUM_CIPHERS) * 2, //len16_be
+                0x00,2 + NUM_CIPHERS*2, //len16_be
                 0x00,0xFF, //not a cipher - TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                 /* ^^^^^^ RFC 5746 Renegotiation Indication Extension - some servers will refuse to work with us otherwise */
+#if ENABLE_FEATURE_TLS_SHA1
                 0xC0,0x09, // 1 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ok: wget https://is.gd/
                 0xC0,0x0A, // 2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ok: wget https://is.gd/
                 0xC0,0x13, // 3 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-SHA
                 0xC0,0x14, // 4 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ok: openssl s_server ... -cipher ECDHE-RSA-AES256-SHA (might fail with older openssl)
+        //      0xC0,0x18, //   TLS_ECDH_anon_WITH_AES_128_CBC_SHA
+        //      0xC0,0x19, //   TLS_ECDH_anon_WITH_AES_256_CBC_SHA
+#endif
                 0xC0,0x23, // 5 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - ok: wget https://is.gd/
         //      0xC0,0x24, //   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - can't do SHA384 yet
                 0xC0,0x27, // 6 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-SHA256
@@ -1491,12 +1513,16 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
                 0xC0,0x2F, // 8 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-GCM-SHA256
         //      0xC0,0x30, //   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - openssl s_server ... -cipher ECDHE-RSA-AES256-GCM-SHA384: "decryption failed or bad record mac"
         //possibly these too:
+#if ENABLE_FEATURE_TLS_SHA1
         //      0xC0,0x35, //   TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
         //      0xC0,0x36, //   TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+#endif
         //      0xC0,0x37, //   TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
         //      0xC0,0x38, //   TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 - can't do SHA384 yet
+#if ENABLE_FEATURE_TLS_SHA1
                 0x00,0x2F, // 9 TLS_RSA_WITH_AES_128_CBC_SHA - ok: openssl s_server ... -cipher AES128-SHA
                 0x00,0x35, //10 TLS_RSA_WITH_AES_256_CBC_SHA - ok: openssl s_server ... -cipher AES256-SHA
+#endif
                 0x00,0x3C, //11 TLS_RSA_WITH_AES_128_CBC_SHA256 - ok: openssl s_server ... -cipher AES128-SHA256
                 0x00,0x3D, //12 TLS_RSA_WITH_AES_256_CBC_SHA256 - ok: openssl s_server ... -cipher AES256-SHA256
                 0x00,0x9C, //13 TLS_RSA_WITH_AES_128_GCM_SHA256 - ok: openssl s_server ... -cipher AES128-GCM-SHA256
@@ -1511,9 +1537,17 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
                 0x00,0x04, //ext len
                 0x00,0x02, //list len
                 0x00,0x1d, //curve_x25519 (RFC 7748)
+                //0x00,0x1e, //curve_x448 (RFC 7748)
                 //0x00,0x17, //curve_secp256r1
                 //0x00,0x18, //curve_secp384r1
                 //0x00,0x19, //curve_secp521r1
+//TODO: implement secp256r1 (at least): dl.fedoraproject.org immediately aborts
+//if only x25519/x448 are advertised, seems to support only secpNNNr1 curves:
+// openssl s_client -connect dl.fedoraproject.org:443 -debug -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256
+//Peer signing digest: SHA512
+//Peer signature type: RSA
+//Server Temp Key: ECDH, P-256, 256 bits
+//TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
         };
         //static const uint8_t signature_algorithms[] = {
         //      000d
@@ -1530,7 +1564,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
                 uint8_t session_id_len;
                 /* uint8_t session_id[]; */
                 uint8_t cipherid_len16_hi, cipherid_len16_lo;
-                uint8_t cipherid[(1 + NUM_CIPHERS) * 2]; /* actually variable */
+                uint8_t cipherid[2 + NUM_CIPHERS*2]; /* actually variable */
                 uint8_t comprtypes_len;
                 uint8_t comprtypes[1]; /* actually variable */
                 /* Extensions (SNI shown):
@@ -1578,7 +1612,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
                 memset(record->rand32, 0x11, sizeof(record->rand32));
         /* record->session_id_len = 0; - already is */
 
-        BUILD_BUG_ON(sizeof(ciphers) != 2 + (1 + NUM_CIPHERS) * 2 + 2);
+        BUILD_BUG_ON(sizeof(ciphers) != 2 + 2 + NUM_CIPHERS*2 + 2);
         memcpy(&record->cipherid_len16_hi, ciphers, sizeof(ciphers));
 
         ptr = (void*)(record + 1);
@@ -1675,31 +1709,42 @@ static void get_server_hello(tls_state_t *tls)
 
         /* Set up encryption params based on selected cipher */
 #if 0
+#if ENABLE_FEATURE_TLS_SHA1
                 0xC0,0x09, // 1 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ok: wget https://is.gd/
                 0xC0,0x0A, // 2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ok: wget https://is.gd/
                 0xC0,0x13, // 3 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-SHA
                 0xC0,0x14, // 4 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ok: openssl s_server ... -cipher ECDHE-RSA-AES256-SHA (might fail with older openssl)
+        //      0xC0,0x18, //   TLS_ECDH_anon_WITH_AES_128_CBC_SHA
+        //      0xC0,0x19, //   TLS_ECDH_anon_WITH_AES_256_CBC_SHA
+#endif
                 0xC0,0x23, // 5 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - ok: wget https://is.gd/
         //      0xC0,0x24, //   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - can't do SHA384 yet
                 0xC0,0x27, // 6 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-SHA256
         //      0xC0,0x28, //   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - can't do SHA384 yet
                 0xC0,0x2B, // 7 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - ok: wget https://is.gd/
         //      0xC0,0x2C, //   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - wget https://is.gd/: "TLS error from peer (alert code 20): bad MAC"
+//TODO: GCM_SHA384 ciphers can be supported, only need sha384-based PRF?
                 0xC0,0x2F, // 8 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-GCM-SHA256
         //      0xC0,0x30, //   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - openssl s_server ... -cipher ECDHE-RSA-AES256-GCM-SHA384: "decryption failed or bad record mac"
         //possibly these too:
+#if ENABLE_FEATURE_TLS_SHA1
         //      0xC0,0x35, //   TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
         //      0xC0,0x36, //   TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+#endif
         //      0xC0,0x37, //   TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
         //      0xC0,0x38, //   TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 - can't do SHA384 yet
+#if ENABLE_FEATURE_TLS_SHA1
                 0x00,0x2F, // 9 TLS_RSA_WITH_AES_128_CBC_SHA - ok: openssl s_server ... -cipher AES128-SHA
                 0x00,0x35, //10 TLS_RSA_WITH_AES_256_CBC_SHA - ok: openssl s_server ... -cipher AES256-SHA
+#endif
                 0x00,0x3C, //11 TLS_RSA_WITH_AES_128_CBC_SHA256 - ok: openssl s_server ... -cipher AES128-SHA256
                 0x00,0x3D, //12 TLS_RSA_WITH_AES_256_CBC_SHA256 - ok: openssl s_server ... -cipher AES256-SHA256
                 0x00,0x9C, //13 TLS_RSA_WITH_AES_128_GCM_SHA256 - ok: openssl s_server ... -cipher AES128-GCM-SHA256
         //      0x00,0x9D, //   TLS_RSA_WITH_AES_256_GCM_SHA384 - openssl s_server ... -cipher AES256-GCM-SHA384: "decryption failed or bad record mac"
+#if ALLOW_RSA_NULL_SHA256
                 0x00,0x3B, //   TLS_RSA_WITH_NULL_SHA256
 #endif
+#endif
         cipherid1 = cipherid[1];
         tls->cipher_id = 0x100 * cipherid[0] + cipherid1;
         tls->key_size = AES256_KEYSIZE;
@@ -1712,7 +1757,7 @@ static void get_server_hello(tls_state_t *tls)
                         /* Odd numbered C0xx use AES128 (even ones use AES256) */
                         tls->key_size = AES128_KEYSIZE;
                 }
-                if (cipherid1 <= 0x14) {
+                if (ENABLE_FEATURE_TLS_SHA1 && cipherid1 <= 0x19) {
                         tls->MAC_size = SHA1_OUTSIZE;
                 } else
                 if (cipherid1 >= 0x2B && cipherid1 <= 0x30) {
@@ -1723,13 +1768,13 @@ static void get_server_hello(tls_state_t *tls)
                 }
         } else {
                 /* All 00xx are RSA */
-                if (cipherid1 == 0x2F
+                if ((ENABLE_FEATURE_TLS_SHA1 && cipherid1 == 0x2F)
                  || cipherid1 == 0x3C
                  || cipherid1 == 0x9C
                 ) {
                         tls->key_size = AES128_KEYSIZE;
                 }
-                if (cipherid1 <= 0x35) {
+                if (ENABLE_FEATURE_TLS_SHA1 && cipherid1 <= 0x35) {
                         tls->MAC_size = SHA1_OUTSIZE;
                 } else
                 if (cipherid1 == 0x9C /*|| cipherid1 == 0x9D*/) {
@@ -2227,7 +2272,7 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
                 tls->min_encrypted_len_on_read = tls->MAC_size;
         } else
         if (!(tls->flags & ENCRYPTION_AESGCM)) {
-                unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
+                unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
                 /* all incoming packets now should be encrypted and have
                  * at least IV + (MAC padded to blocksize):
                  */
diff --git a/networking/tls_aesgcm.c b/networking/tls_aesgcm.c
index 688df85fb..a4663cd79 100644
--- a/networking/tls_aesgcm.c
+++ b/networking/tls_aesgcm.c
@@ -35,38 +35,87 @@ static ALWAYS_INLINE void FlattenSzInBits(byte* buf, word32 sz)
 
 static void RIGHTSHIFTX(byte* x)
 {
-    int i;
-    int carryOut = 0;
-    int carryIn = 0;
-    int borrow = x[15] & 0x01;
+#define l ((unsigned long*)x)
+#if 0
 
+    // Generic byte-at-a-time algorithm
+    int i;
+    byte carryIn = (x[15] & 0x01) ? 0xE1 : 0;
     for (i = 0; i < AES_BLOCK_SIZE; i++) {
-        carryOut = x[i] & 0x01;
-        x[i] = (x[i] >> 1) | (carryIn ? 0x80 : 0);
+        byte carryOut = (x[i] << 7); // zero, or 0x80
+        x[i] = (x[i] >> 1) ^ carryIn;
+        carryIn = carryOut;
+    }
+
+#elif BB_BIG_ENDIAN
+
+    // Big-endian can shift-right in larger than byte chunks
+    // (we use the fact that 'x' is long-aligned)
+    unsigned long carryIn = (x[15] & 0x01)
+        ? ((unsigned long)0xE1 << (LONG_BIT-8))
+        : 0;
+# if ULONG_MAX <= 0xffffffff
+    int i;
+    for (i = 0; i < AES_BLOCK_SIZE/sizeof(long); i++) {
+        unsigned long carryOut = l[i] << (LONG_BIT-1); // zero, or 0x800..00
+        l[i] = (l[i] >> 1) ^ carryIn;
         carryIn = carryOut;
     }
-    if (borrow) x[0] ^= 0xE1;
+# else
+    // 64-bit code: need to process only 2 words
+    unsigned long carryOut = l[0] << (LONG_BIT-1); // zero, or 0x800..00
+    l[0] = (l[0] >> 1) ^ carryIn;
+    l[1] = (l[1] >> 1) ^ carryOut;
+# endif
+
+#else /* LITTLE_ENDIAN */
+
+    // In order to use word-sized ops, little-endian needs to byteswap.
+    // On x86, code size increase is ~10 bytes compared to byte-by-byte.
+    unsigned long carryIn = (x[15] & 0x01)
+        ? ((unsigned long)0xE1 << (LONG_BIT-8))
+        : 0;
+# if ULONG_MAX <= 0xffffffff
+    int i;
+    for (i = 0; i < AES_BLOCK_SIZE/sizeof(long); i++) {
+        unsigned long ti = SWAP_BE32(l[i]);
+        unsigned long carryOut = ti << (LONG_BIT-1); // zero, or 0x800..00
+        ti = (ti >> 1) ^ carryIn;
+        l[i] = SWAP_BE32(ti);
+        carryIn = carryOut;
+    }
+# else
+    // 64-bit code: need to process only 2 words
+    unsigned long tt = SWAP_BE64(l[0]);
+    unsigned long carryOut = tt << (LONG_BIT-1); // zero, or 0x800..00
+    tt = (tt >> 1) ^ carryIn; l[0] = SWAP_BE64(tt);
+    tt = SWAP_BE64(l[1]);
+    tt = (tt >> 1) ^ carryOut; l[1] = SWAP_BE64(tt);
+# endif
+
+#endif /* LITTLE_ENDIAN */
+#undef l
 }
 
+// Caller guarantees X is aligned
 static void GMULT(byte* X, byte* Y)
 {
     byte Z[AES_BLOCK_SIZE] ALIGNED_long;
-    byte V[AES_BLOCK_SIZE] ALIGNED_long;
-    int i, j;
+    //byte V[AES_BLOCK_SIZE] ALIGNED_long;
+    int i;
 
     XMEMSET(Z, 0, AES_BLOCK_SIZE);
-    XMEMCPY(V, X, AES_BLOCK_SIZE);
-    for (i = 0; i < AES_BLOCK_SIZE; i++)
-    {
-        byte y = Y[i];
-        for (j = 0; j < 8; j++)
-        {
+    //XMEMCPY(V, X, AES_BLOCK_SIZE);
+    for (i = 0; i < AES_BLOCK_SIZE; i++) {
+        uint32_t y = 0x800000 | Y[i];
+        for (;;) { // for every bit in Y[i], from msb to lsb
             if (y & 0x80) {
-                xorbuf_aligned_AES_BLOCK_SIZE(Z, V);
+                xorbuf_aligned_AES_BLOCK_SIZE(Z, X); // was V, not X
             }
-
-            RIGHTSHIFTX(V);
+            RIGHTSHIFTX(X); // was V, not X
             y = y << 1;
+            if ((int32_t)y < 0) // if bit 0x80000000 set = if 8 iterations done
+                break;
         }
     }
     XMEMCPY(X, Z, AES_BLOCK_SIZE);
diff --git a/networking/tls_pstm.c b/networking/tls_pstm.c
index e12e6c9d4..e5544ab11 100644
--- a/networking/tls_pstm.c
+++ b/networking/tls_pstm.c
@@ -47,13 +47,18 @@
 //#include "../cryptoApi.h"
 #ifndef DISABLE_PSTM
 
+#undef pstm_mul_2d
 static int32 pstm_mul_2d(pstm_int *a, int b, pstm_int *c); //bbox: was int16 b
+#define pstm_mul_2d(a, b, c) (pstm_mul_2d(a, b, c), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         init an pstm_int for a given size
  */
-int32 pstm_init_size(psPool_t *pool, pstm_int * a, uint32 size)
+#undef pstm_init_size
+#define pstm_init_size(pool, a, size) \
+        pstm_init_size(      a, size)
+int32 FAST_FUNC pstm_init_size(psPool_t *pool, pstm_int * a, uint32 size)
 {
 //bbox
 //      uint16          x;
@@ -75,12 +80,17 @@ int32 pstm_init_size(psPool_t *pool, pstm_int * a, uint32 size)
 //      }
         return PSTM_OKAY;
 }
+#undef pstm_init_size
+#define pstm_init_size(pool, a, size) (pstm_init_size(a, size), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         Init a new pstm_int.
 */
-int32 pstm_init(psPool_t *pool, pstm_int * a)
+#undef pstm_init
+#define pstm_init(pool, a) \
+        pstm_init(      a)
+static int32 pstm_init(psPool_t *pool, pstm_int * a)
 {
 //bbox
 //      int32           i;
@@ -106,12 +116,15 @@ int32 pstm_init(psPool_t *pool, pstm_int * a)
 
         return PSTM_OKAY;
 }
+#undef pstm_init
+#define pstm_init(pool, a) (pstm_init(a), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         Grow as required
  */
-int32 pstm_grow(pstm_int * a, int size)
+#undef pstm_grow
+int32 FAST_FUNC pstm_grow(pstm_int * a, int size)
 {
         int                     i; //bbox: was int16
         pstm_digit              *tmp;
@@ -142,11 +155,13 @@ int32 pstm_grow(pstm_int * a, int size)
         }
         return PSTM_OKAY;
 }
+#define pstm_grow(a, size) (pstm_grow(a, size), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         copy, b = a (b must be pre-allocated)
  */
+#undef pstm_copy
 int32 pstm_copy(pstm_int * a, pstm_int * b)
 {
         int32   res, n;
@@ -195,6 +210,7 @@ int32 pstm_copy(pstm_int * a, pstm_int * b)
         b->sign = a->sign;
         return PSTM_OKAY;
 }
+#define pstm_copy(a, b) (pstm_copy(a, b), PSTM_OKAY)
 
 /******************************************************************************/
 /*
@@ -204,7 +220,7 @@ int32 pstm_copy(pstm_int * a, pstm_int * b)
         leading "used" digit will be non-zero. Typically very fast.  Also fixes
         the sign if there are no more leading digits
 */
-void pstm_clamp(pstm_int * a)
+void FAST_FUNC pstm_clamp(pstm_int * a)
 {
 /*      decrease used while the most significant digit is zero. */
         while (a->used > 0 && a->dp[a->used - 1] == 0) {
@@ -220,7 +236,7 @@ void pstm_clamp(pstm_int * a)
 /*
         clear one (frees).
  */
-void pstm_clear(pstm_int * a)
+void FAST_FUNC pstm_clear(pstm_int * a)
 {
         int32           i;
 /*
@@ -248,6 +264,7 @@ void pstm_clear(pstm_int * a)
 /*
         clear many (frees).
  */
+#if 0 //UNUSED
 void pstm_clear_multi(pstm_int *mp0, pstm_int *mp1, pstm_int *mp2,
                                         pstm_int *mp3, pstm_int *mp4, pstm_int *mp5,
                                         pstm_int *mp6, pstm_int *mp7)
@@ -272,12 +289,13 @@ void pstm_clear_multi(pstm_int *mp0, pstm_int *mp1, pstm_int *mp2,
                 }
         }
 }
+#endif
 
 /******************************************************************************/
 /*
         Set to zero.
  */
-void pstm_zero(pstm_int * a)
+static void pstm_zero(pstm_int * a)
 {
         int32           n;
         pstm_digit      *tmp;
@@ -296,7 +314,7 @@ void pstm_zero(pstm_int * a)
 /*
         Compare maginitude of two ints (unsigned).
  */
-int32 pstm_cmp_mag(pstm_int * a, pstm_int * b)
+int32 FAST_FUNC pstm_cmp_mag(pstm_int * a, pstm_int * b)
 {
         int             n; //bbox: was int16
         pstm_digit      *tmpa, *tmpb;
@@ -336,7 +354,7 @@ int32 pstm_cmp_mag(pstm_int * a, pstm_int * b)
 /*
         Compare two ints (signed)
  */
-int32 pstm_cmp(pstm_int * a, pstm_int * b)
+int32 FAST_FUNC pstm_cmp(pstm_int * a, pstm_int * b)
 {
 /*
         compare based on sign
@@ -364,7 +382,7 @@ int32 pstm_cmp(pstm_int * a, pstm_int * b)
         pstm_ints can be initialized more precisely when they will populated
         using pstm_read_unsigned_bin since the length of the byte stream is known
 */
-int32 pstm_init_for_read_unsigned_bin(psPool_t *pool, pstm_int *a, uint32 len)
+int32 FAST_FUNC pstm_init_for_read_unsigned_bin(psPool_t *pool, pstm_int *a, uint32 len)
 {
         int32 size;
 /*
@@ -385,7 +403,7 @@ int32 pstm_init_for_read_unsigned_bin(psPool_t *pool, pstm_int *a, uint32 len)
         called pstm_init_for_read_unsigned_bin first.  There is some grow logic
         here if the default pstm_init was used but we don't really want to hit it.
 */
-int32 pstm_read_unsigned_bin(pstm_int *a, unsigned char *b, int32 c)
+int32 FAST_FUNC pstm_read_unsigned_bin(pstm_int *a, unsigned char *b, int32 c)
 {
         /* zero the int */
         pstm_zero (a);
@@ -460,7 +478,7 @@ int32 pstm_read_unsigned_bin(pstm_int *a, unsigned char *b, int32 c)
 /******************************************************************************/
 /*
 */
-int pstm_count_bits (pstm_int * a)
+static int pstm_count_bits(pstm_int * a)
 {
         int     r; //bbox: was int16
         pstm_digit q;
@@ -482,14 +500,14 @@ int pstm_count_bits (pstm_int * a)
 }
 
 /******************************************************************************/
-int32 pstm_unsigned_bin_size(pstm_int *a)
+int32 FAST_FUNC pstm_unsigned_bin_size(pstm_int *a)
 {
         int32     size = pstm_count_bits (a);
         return (size / 8 + ((size & 7) != 0 ? 1 : 0));
 }
 
 /******************************************************************************/
-void pstm_set(pstm_int *a, pstm_digit b)
+static void pstm_set(pstm_int *a, pstm_digit b)
 {
    pstm_zero(a);
    a->dp[0] = b;
@@ -500,7 +518,7 @@ void pstm_set(pstm_int *a, pstm_digit b)
 /*
         Right shift
 */
-void pstm_rshd(pstm_int *a, int x)
+static void pstm_rshd(pstm_int *a, int x)
 {
         int y; //bbox: was int16
 
@@ -529,7 +547,8 @@ void pstm_rshd(pstm_int *a, int x)
 /*
         Shift left a certain amount of digits.
  */
-int32 pstm_lshd(pstm_int * a, int b)
+#undef pstm_lshd
+static int32 pstm_lshd(pstm_int * a, int b)
 {
         int     x; //bbox: was int16
         int32   res;
@@ -577,12 +596,13 @@ int32 pstm_lshd(pstm_int * a, int b)
         }
         return PSTM_OKAY;
 }
+#define pstm_lshd(a, b) (pstm_lshd(a, b), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         computes a = 2**b
 */
-int32 pstm_2expt(pstm_int *a, int b)
+static int32 pstm_2expt(pstm_int *a, int b)
 {
         int     z; //bbox: was int16
 
@@ -616,7 +636,7 @@ int32 pstm_2expt(pstm_int *a, int b)
 /*
 
 */
-int32 pstm_mul_2(pstm_int * a, pstm_int * b)
+int32 FAST_FUNC pstm_mul_2(pstm_int * a, pstm_int * b)
 {
         int32   res;
         int     x, oldused; //bbox: was int16
@@ -682,7 +702,7 @@ int32 pstm_mul_2(pstm_int * a, pstm_int * b)
 /*
         unsigned subtraction ||a|| >= ||b|| ALWAYS!
 */
-int32 s_pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c)
+int32 FAST_FUNC s_pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c)
 {
         int             oldbused, oldused; //bbox: was int16
         int32           x;
@@ -779,7 +799,7 @@ static int32 s_pstm_add(pstm_int *a, pstm_int *b, pstm_int *c)
 /*
 
 */
-int32 pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c)
+int32 FAST_FUNC pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c)
 {
         int32   res;
         int     sa, sb; //bbox: was int16
@@ -824,6 +844,7 @@ int32 pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c)
 /*
         c = a - b
 */
+#if 0 //UNUSED
 int32 pstm_sub_d(psPool_t *pool, pstm_int *a, pstm_digit b, pstm_int *c)
 {
         pstm_int        tmp;
@@ -837,12 +858,13 @@ int32 pstm_sub_d(psPool_t *pool, pstm_int *a, pstm_digit b, pstm_int *c)
         pstm_clear(&tmp);
         return res;
 }
+#endif
 
 /******************************************************************************/
 /*
         setups the montgomery reduction
 */
-int32 pstm_montgomery_setup(pstm_int *a, pstm_digit *rho)
+static int32 pstm_montgomery_setup(pstm_int *a, pstm_digit *rho)
 {
         pstm_digit x, b;
 
@@ -878,7 +900,7 @@ int32 pstm_montgomery_setup(pstm_int *a, pstm_digit *rho)
  *      computes a = B**n mod b without division or multiplication useful for
  *      normalizing numbers in a Montgomery system.
  */
-int32 pstm_montgomery_calc_normalization(pstm_int *a, pstm_int *b)
+static int32 pstm_montgomery_calc_normalization(pstm_int *a, pstm_int *b)
 {
         int32     x;
         int     bits; //bbox: was int16
@@ -916,6 +938,7 @@ int32 pstm_montgomery_calc_normalization(pstm_int *a, pstm_int *b)
 /*
         c = a * 2**d
 */
+#undef pstm_mul_2d
 static int32 pstm_mul_2d(pstm_int *a, int b, pstm_int *c)
 {
         pstm_digit      carry, carrytmp, shift;
@@ -956,11 +979,13 @@ static int32 pstm_mul_2d(pstm_int *a, int b, pstm_int *c)
         pstm_clamp(c);
         return PSTM_OKAY;
 }
+#define pstm_mul_2d(a, b, c) (pstm_mul_2d(a, b, c), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         c = a mod 2**d
 */
+#undef pstm_mod_2d
 static int32 pstm_mod_2d(pstm_int *a, int b, pstm_int *c) //bbox: was int16 b
 {
         int     x; //bbox: was int16
@@ -991,13 +1016,15 @@ static int32 pstm_mod_2d(pstm_int *a, int b, pstm_int *c) //bbox: was int16 b
         pstm_clamp (c);
         return PSTM_OKAY;
 }
+#define pstm_mod_2d(a, b, c) (pstm_mod_2d(a, b, c), PSTM_OKAY)
 
 
 /******************************************************************************/
 /*
         c = a * b
 */
-int32 pstm_mul_d(pstm_int *a, pstm_digit b, pstm_int *c)
+#undef pstm_mul_d
+static int32 pstm_mul_d(pstm_int *a, pstm_digit b, pstm_int *c)
 {
         pstm_word       w;
         int32           res;
@@ -1027,12 +1054,16 @@ int32 pstm_mul_d(pstm_int *a, pstm_digit b, pstm_int *c)
         pstm_clamp(c);
         return PSTM_OKAY;
 }
+#define pstm_mul_d(a, b, c) (pstm_mul_d(a, b, c), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         c = a / 2**b
 */
-int32 pstm_div_2d(psPool_t *pool, pstm_int *a, int b, pstm_int *c,
+#undef pstm_div_2d
+#define pstm_div_2d(pool, a, b, c, d) \
+        pstm_div_2d(      a, b, c, d)
+static int32 pstm_div_2d(psPool_t *pool, pstm_int *a, int b, pstm_int *c,
                                         pstm_int *d)
 {
         pstm_digit      D, r, rr;
@@ -1113,11 +1144,14 @@ LBL_DONE:
         }
         return res;
 }
+#undef pstm_div_2d
+#define pstm_div_2d(pool, a, b, c, d) (pstm_div_2d(a, b, c, d), PSTM_OKAY)
 
 /******************************************************************************/
 /*
         b = a/2
 */
+#if 0 //UNUSED
 int32 pstm_div_2(pstm_int * a, pstm_int * b)
 {
         int     x, oldused; //bbox: was int16
@@ -1161,12 +1195,16 @@ int32 pstm_div_2(pstm_int * a, pstm_int * b)
         pstm_clamp (b);
         return PSTM_OKAY;
 }
+#endif
 
 /******************************************************************************/
 /*
         Creates "a" then copies b into it
  */
-int32 pstm_init_copy(psPool_t *pool, pstm_int * a, pstm_int * b, int toSqr)
+#undef pstm_init_copy
+#define pstm_init_copy(pool, a, b, toSqr) \
+        pstm_init_copy(      a, b, toSqr)
+static int32 pstm_init_copy(psPool_t *pool, pstm_int * a, pstm_int * b, int toSqr)
 {
         int     x; //bbox: was int16
         int32   res;
@@ -1191,6 +1229,8 @@ int32 pstm_init_copy(psPool_t *pool, pstm_int * a, pstm_int * b, int toSqr)
         }
         return pstm_copy(b, a);
 }
+#undef pstm_init_copy
+#define pstm_init_copy(pool, a, b, toSqr) (pstm_init_copy(a, b, toSqr), PSTM_OKAY)
 
 /******************************************************************************/
 /*
@@ -1274,7 +1314,7 @@ static uint64 psDiv128(uint128 *numerator, uint64 denominator)
 /*
         a/b => cb + d == a
 */
-int32 pstm_div(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
+static int32 pstm_div(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
                                 pstm_int *d)
 {
         pstm_int        q, x, y, t1, t2;
@@ -1487,7 +1527,7 @@ LBL_T1:pstm_clear (&t1);
         Swap the elements of two integers, for cases where you can't simply swap
         the pstm_int pointers around
 */
-void pstm_exch(pstm_int * a, pstm_int * b)
+static void pstm_exch(pstm_int * a, pstm_int * b)
 {
         pstm_int                t;
 
@@ -1500,7 +1540,7 @@ void pstm_exch(pstm_int * a, pstm_int * b)
 /*
         c = a mod b, 0 <= c < b
 */
-int32 pstm_mod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c)
+static int32 pstm_mod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c)
 {
         pstm_int        t;
         int32           err;
@@ -1527,7 +1567,7 @@ int32 pstm_mod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c)
 /*
         d = a * b (mod c)
 */
-int32 pstm_mulmod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
+int32 FAST_FUNC pstm_mulmod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
                         pstm_int *d)
 {
         int32           res;
@@ -1560,7 +1600,7 @@ int32 pstm_mulmod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
  *      y = g**x (mod b)
  *      Some restrictions... x must be positive and < b
  */
-int32 pstm_exptmod(psPool_t *pool, pstm_int *G, pstm_int *X, pstm_int *P,
+int32 FAST_FUNC pstm_exptmod(psPool_t *pool, pstm_int *G, pstm_int *X, pstm_int *P,
                         pstm_int *Y)
 {
         pstm_int        M[32], res; /* Keep this winsize based: (1 << max_winsize) */
@@ -1801,7 +1841,7 @@ LBL_RES:pstm_clear(&res);
 /*
 
 */
-int32 pstm_add(pstm_int *a, pstm_int *b, pstm_int *c)
+int32 FAST_FUNC pstm_add(pstm_int *a, pstm_int *b, pstm_int *c)
 {
         int32   res;
         int     sa, sb; //bbox: was int16
@@ -1862,6 +1902,7 @@ static void pstm_reverse (unsigned char *s, int len) //bbox: was int16 len
         No reverse.  Useful in some of the EIP-154 PKA stuff where special byte
         order seems to come into play more often
 */
+#if 0 //UNUSED
 int32 pstm_to_unsigned_bin_nr(psPool_t *pool, pstm_int *a, unsigned char *b)
 {
         int32     res;
@@ -1883,11 +1924,12 @@ int32 pstm_to_unsigned_bin_nr(psPool_t *pool, pstm_int *a, unsigned char *b)
         pstm_clear(&t);
         return PS_SUCCESS;
 }
+#endif
 /******************************************************************************/
 /*
 
 */
-int32 pstm_to_unsigned_bin(psPool_t *pool, pstm_int *a, unsigned char *b)
+int32 FAST_FUNC pstm_to_unsigned_bin(psPool_t *pool, pstm_int *a, unsigned char *b)
 {
         int32     res;
         int     x; //bbox: was int16
@@ -1910,11 +1952,12 @@ int32 pstm_to_unsigned_bin(psPool_t *pool, pstm_int *a, unsigned char *b)
         return PS_SUCCESS;
 }
 
+#if 0 //UNUSED
 /******************************************************************************/
 /*
         compare against a single digit
 */
-int32 pstm_cmp_d(pstm_int *a, pstm_digit b)
+static int32 pstm_cmp_d(pstm_int *a, pstm_digit b)
 {
         /* compare based on sign */
         if ((b && a->used == 0) || a->sign == PSTM_NEG) {
@@ -2259,5 +2302,7 @@ LBL_Y: pstm_clear(&y);
 LBL_X: pstm_clear(&x);
         return res;
 }
+#endif //UNUSED
+
 #endif /* !DISABLE_PSTM */
 /******************************************************************************/
diff --git a/networking/tls_pstm.h b/networking/tls_pstm.h
index df705adce..bc7a0119a 100644
--- a/networking/tls_pstm.h
+++ b/networking/tls_pstm.h
@@ -136,148 +136,148 @@ typedef struct  {
 #define pstm_isodd(a)  (((a)->used > 0 && (((a)->dp[0] & 1) == 1)) ? PS_TRUE : PS_FALSE)
 #define pstm_abs(a, b)  { pstm_copy(a, b); (b)->sign  = 0; }
 
-extern void pstm_set(pstm_int *a, pstm_digit b);
+//made static:extern void pstm_set(pstm_int *a, pstm_digit b);
 
-extern void pstm_zero(pstm_int * a);
+//made static:extern void pstm_zero(pstm_int * a);
 
 //bbox: pool unused
 #define pstm_init(pool, a) \
         pstm_init(      a)
-extern int32 pstm_init(psPool_t *pool, pstm_int * a);
+//made static:extern int32 pstm_init(psPool_t *pool, pstm_int * a);
 
 //bbox: pool unused
 #define pstm_init_size(pool, a, size) \
         pstm_init_size(      a, size)
-extern int32 pstm_init_size(psPool_t *pool, pstm_int * a, uint32 size);
+extern int32 pstm_init_size(psPool_t *pool, pstm_int * a, uint32 size) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_init_copy(pool, a, b, toSqr) \
         pstm_init_copy(      a, b, toSqr)
-extern int32 pstm_init_copy(psPool_t *pool, pstm_int * a, pstm_int * b,
-                                int toSqr); //bbox: was int16 toSqr
+//made static:extern int32 pstm_init_copy(psPool_t *pool, pstm_int * a, pstm_int * b,
+//made static:                          int toSqr); //bbox: was int16 toSqr
 
-extern int pstm_count_bits (pstm_int * a); //bbox: was returning int16
+//made static:extern int pstm_count_bits (pstm_int * a) FAST_FUNC; //bbox: was returning int16
 
 //bbox: pool unused
 #define pstm_init_for_read_unsigned_bin(pool, a, len) \
         pstm_init_for_read_unsigned_bin(      a, len)
 extern int32 pstm_init_for_read_unsigned_bin(psPool_t *pool, pstm_int *a,
-                                uint32 len);
+                                uint32 len) FAST_FUNC;
 
-extern int32 pstm_read_unsigned_bin(pstm_int *a, unsigned char *b, int32 c);
+extern int32 pstm_read_unsigned_bin(pstm_int *a, unsigned char *b, int32 c) FAST_FUNC;
 
-extern int32 pstm_unsigned_bin_size(pstm_int *a);
+extern int32 pstm_unsigned_bin_size(pstm_int *a) FAST_FUNC;
 
 extern int32 pstm_copy(pstm_int * a, pstm_int * b);
 
-extern void pstm_exch(pstm_int * a, pstm_int * b);
+//made static:extern void pstm_exch(pstm_int * a, pstm_int * b);
 
-extern void pstm_clear(pstm_int * a);
+extern void pstm_clear(pstm_int * a) FAST_FUNC;
 
 extern void pstm_clear_multi(pstm_int *mp0, pstm_int *mp1, pstm_int *mp2,
                                 pstm_int *mp3, pstm_int *mp4, pstm_int *mp5, pstm_int *mp6,
-                                pstm_int *mp7);
+                                pstm_int *mp7) FAST_FUNC;
 
-extern int32 pstm_grow(pstm_int * a, int size); //bbox: was int16 size
+extern int32 pstm_grow(pstm_int * a, int size) FAST_FUNC; //bbox: was int16 size
 
-extern void pstm_clamp(pstm_int * a);
+extern void pstm_clamp(pstm_int * a) FAST_FUNC;
 
-extern int32 pstm_cmp(pstm_int * a, pstm_int * b);
+extern int32 pstm_cmp(pstm_int * a, pstm_int * b) FAST_FUNC;
 
-extern int32 pstm_cmp_mag(pstm_int * a, pstm_int * b);
+extern int32 pstm_cmp_mag(pstm_int * a, pstm_int * b) FAST_FUNC;
 
-extern void pstm_rshd(pstm_int *a, int x); //bbox: was int16 x
+//made static:extern void pstm_rshd(pstm_int *a, int x); //bbox: was int16 x
 
-extern int32 pstm_lshd(pstm_int * a, int b); //bbox: was int16 b
+//made static:extern int32 pstm_lshd(pstm_int * a, int b); //bbox: was int16 b
 
 //bbox: pool unused
 #define pstm_div(pool, a, b, c, d) \
         pstm_div(      a, b, c, d)
-extern int32 pstm_div(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
-                                pstm_int *d);
+//made static:extern int32 pstm_div(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
+//made static:                          pstm_int *d);
 
 //bbox: pool unused
 #define pstm_div_2d(pool, a, b, c, d) \
         pstm_div_2d(      a, b, c, d)
-extern int32 pstm_div_2d(psPool_t *pool, pstm_int *a, int b, pstm_int *c,
-                                pstm_int *d); //bbox: was int16 b
+//made static:extern int32 pstm_div_2d(psPool_t *pool, pstm_int *a, int b, pstm_int *c,
+//made static:                          pstm_int *d); //bbox: was int16 b
 
-extern int32 pstm_div_2(pstm_int * a, pstm_int * b);
+extern int32 pstm_div_2(pstm_int * a, pstm_int * b) FAST_FUNC;
 
-extern int32 s_pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c);
+extern int32 s_pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c) FAST_FUNC;
 
-extern int32 pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c);
+extern int32 pstm_sub(pstm_int *a, pstm_int *b, pstm_int *c) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_sub_d(pool, a, b, c) \
         pstm_sub_d(      a, b, c)
-extern int32 pstm_sub_d(psPool_t *pool, pstm_int *a, pstm_digit b, pstm_int *c);
+extern int32 pstm_sub_d(psPool_t *pool, pstm_int *a, pstm_digit b, pstm_int *c) FAST_FUNC;
 
-extern int32 pstm_mul_2(pstm_int * a, pstm_int * b);
+extern int32 pstm_mul_2(pstm_int * a, pstm_int * b) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_mod(pool, a, b, c) \
         pstm_mod(      a, b, c)
-extern int32 pstm_mod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c);
+//made static:extern int32 pstm_mod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c);
 
 //bbox: pool unused
 #define pstm_mulmod(pool, a, b, c, d) \
         pstm_mulmod(      a, b, c, d)
 extern int32 pstm_mulmod(psPool_t *pool, pstm_int *a, pstm_int *b, pstm_int *c,
-                                pstm_int *d);
+                                pstm_int *d) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_exptmod(pool, G, X, P, Y) \
         pstm_exptmod(      G, X, P, Y)
 extern int32 pstm_exptmod(psPool_t *pool, pstm_int *G, pstm_int *X, pstm_int *P,
-                                pstm_int *Y);
+                                pstm_int *Y) FAST_FUNC;
 
-extern int32 pstm_2expt(pstm_int *a, int b); //bbox: was int16 b
+//made static:extern int32 pstm_2expt(pstm_int *a, int b); //bbox: was int16 b
 
-extern int32 pstm_add(pstm_int *a, pstm_int *b, pstm_int *c);
+extern int32 pstm_add(pstm_int *a, pstm_int *b, pstm_int *c) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_to_unsigned_bin(pool, a, b) \
         pstm_to_unsigned_bin(      a, b)
 extern int32 pstm_to_unsigned_bin(psPool_t *pool, pstm_int *a,
-                                unsigned char *b);
+                                unsigned char *b) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_to_unsigned_bin_nr(pool, a, b) \
         pstm_to_unsigned_bin_nr(      a, b)
 extern int32 pstm_to_unsigned_bin_nr(psPool_t *pool, pstm_int *a,
-                                unsigned char *b);
+                                unsigned char *b) FAST_FUNC;
 
-extern int32 pstm_montgomery_setup(pstm_int *a, pstm_digit *rho);
+//made static:extern int32 pstm_montgomery_setup(pstm_int *a, pstm_digit *rho);
 
 //bbox: pool unused
 #define pstm_montgomery_reduce(pool, a, m, mp, paD, paDlen) \
         pstm_montgomery_reduce(      a, m, mp, paD, paDlen)
 extern int32 pstm_montgomery_reduce(psPool_t *pool, pstm_int *a, pstm_int *m,
-                                pstm_digit mp, pstm_digit *paD, uint32 paDlen);
+                                pstm_digit mp, pstm_digit *paD, uint32 paDlen) FAST_FUNC;
 
 #define pstm_mul_comba(pool, A, B, C, paD, paDlen) \
         pstm_mul_comba(      A, B, C, paD, paDlen)
 extern int32 pstm_mul_comba(psPool_t *pool, pstm_int *A, pstm_int *B,
-                                pstm_int *C, pstm_digit *paD, uint32 paDlen);
+                                pstm_int *C, pstm_digit *paD, uint32 paDlen) FAST_FUNC;
 
 //bbox: pool unused
 #define pstm_sqr_comba(pool, A, B, paD, paDlen) \
         pstm_sqr_comba(      A, B, paD, paDlen)
 extern int32 pstm_sqr_comba(psPool_t *pool, pstm_int *A, pstm_int *B,
-                                pstm_digit *paD, uint32 paDlen);
+                                pstm_digit *paD, uint32 paDlen) FAST_FUNC;
 
-extern int32 pstm_cmp_d(pstm_int *a, pstm_digit b);
+//made static:extern int32 pstm_cmp_d(pstm_int *a, pstm_digit b);
 
-extern int32 pstm_montgomery_calc_normalization(pstm_int *a, pstm_int *b);
+//made static:extern int32 pstm_montgomery_calc_normalization(pstm_int *a, pstm_int *b);
 
-extern int32 pstm_mul_d(pstm_int *a, pstm_digit b, pstm_int *c);
+//made static:extern int32 pstm_mul_d(pstm_int *a, pstm_digit b, pstm_int *c);
 
 //bbox: pool unused
 #define pstm_invmod(pool, a, b, c) \
         pstm_invmod(      a, b, c)
 extern int32 pstm_invmod(psPool_t *pool, pstm_int * a, pstm_int * b,
-                                pstm_int * c);
+                                pstm_int * c) FAST_FUNC;
 
 #else /* DISABLE_PSTM */
         typedef int32 pstm_int;
diff --git a/networking/tls_pstm_montgomery_reduce.c b/networking/tls_pstm_montgomery_reduce.c
index 3391755e1..d46e2aa2b 100644
--- a/networking/tls_pstm_montgomery_reduce.c
+++ b/networking/tls_pstm_montgomery_reduce.c
@@ -340,7 +340,7 @@ asm(                                  \
 #define LO 0
 
 /* computes x/R == x (mod N) via Montgomery Reduction */
-int32 pstm_montgomery_reduce(psPool_t *pool, pstm_int *a, pstm_int *m,
+int32 FAST_FUNC pstm_montgomery_reduce(psPool_t *pool, pstm_int *a, pstm_int *m,
                 pstm_digit mp, pstm_digit *paD, uint32 paDlen)
 {
         pstm_digit      *c, *_c, *tmpm, mu;
diff --git a/networking/tls_pstm_mul_comba.c b/networking/tls_pstm_mul_comba.c
index 6ba152bc1..ac4fcc3ef 100644
--- a/networking/tls_pstm_mul_comba.c
+++ b/networking/tls_pstm_mul_comba.c
@@ -754,7 +754,7 @@ static int32 pstm_mul_comba32(pstm_int *A, pstm_int *B, pstm_int *C)
 
 /******************************************************************************/
 
-int32 pstm_mul_comba(psPool_t *pool, pstm_int *A, pstm_int *B, pstm_int *C,
+int32 FAST_FUNC pstm_mul_comba(psPool_t *pool, pstm_int *A, pstm_int *B, pstm_int *C,
                         pstm_digit *paD, uint32 paDlen)
 {
 #ifdef USE_1024_KEY_SPEED_OPTIMIZATIONS
diff --git a/networking/tls_pstm_sqr_comba.c b/networking/tls_pstm_sqr_comba.c
index d5c74d2f0..8604132d6 100644
--- a/networking/tls_pstm_sqr_comba.c
+++ b/networking/tls_pstm_sqr_comba.c
@@ -1085,7 +1085,7 @@ static int32 pstm_sqr_comba32(pstm_int *A, pstm_int *B)
 /******************************************************************************/
 /*
  */
-int32 pstm_sqr_comba(psPool_t *pool, pstm_int *A, pstm_int *B, pstm_digit *paD,
+int32 FAST_FUNC pstm_sqr_comba(psPool_t *pool, pstm_int *A, pstm_int *B, pstm_digit *paD,
                 uint32 paDlen)
 {
 #ifdef USE_1024_KEY_SPEED_OPTIMIZATIONS
diff --git a/networking/tls_rsa.c b/networking/tls_rsa.c
index 631397e4d..5fda1cb49 100644
--- a/networking/tls_rsa.c
+++ b/networking/tls_rsa.c
@@ -173,7 +173,9 @@ error:
         res = PS_FAILURE;
 done:
         if (type == PRIVKEY_TYPE && key->optimized) {
-                pstm_clear_multi(&tmpa, &tmpb, NULL, NULL, NULL, NULL, NULL, NULL);
+                //pstm_clear_multi(&tmpa, &tmpb, NULL, NULL, NULL, NULL, NULL, NULL);
+                pstm_clear(&tmpa);
+                pstm_clear(&tmpb);
         }
         pstm_clear(&tmp);
         return res;
diff --git a/networking/traceroute.c b/networking/traceroute.c
index a027b928a..bdf451186 100644
--- a/networking/traceroute.c
+++ b/networking/traceroute.c
@@ -217,7 +217,7 @@
 //config:       Utility to trace the route of IP packets.
 //config:
 //config:config TRACEROUTE6
-//config:       bool "traceroute6 (12 kb)"
+//config:       bool "traceroute6 (13 kb)"
 //config:       default y
 //config:       depends on FEATURE_IPV6
 //config:       help
diff --git a/networking/tunctl.c b/networking/tunctl.c
index f2dc645a1..a0e3926e9 100644
--- a/networking/tunctl.c
+++ b/networking/tunctl.c
@@ -10,7 +10,7 @@
  * Licensed under GPLv2, see file LICENSE in this source tree.
  */
 //config:config TUNCTL
-//config:       bool "tunctl (6.4 kb)"
+//config:       bool "tunctl (6.2 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/udhcp/Config.src b/networking/udhcp/Config.src
index e5958804b..f16fc0a4f 100644
--- a/networking/udhcp/Config.src
+++ b/networking/udhcp/Config.src
@@ -4,7 +4,7 @@
 #
 
 config UDHCPD
-        bool "udhcpd"
+        bool "udhcpd (21 kb)"
         default y
         select PLATFORM_LINUX
         help
@@ -44,7 +44,7 @@ config DHCPD_LEASES_FILE
         of the file. Normally it is safe to leave it untouched.
 
 config DUMPLEASES
-        bool "dumpleases (6.4 kb)"
+        bool "dumpleases (5.1 kb)"
         default y
         help
         dumpleases displays the leases written out by the udhcpd.
@@ -52,7 +52,7 @@ config DUMPLEASES
         by the absolute time that it expires in seconds from epoch.
 
 config DHCPRELAY
-        bool "dhcprelay (5.8 kb)"
+        bool "dhcprelay (5.2 kb)"
         default y
         help
         dhcprelay listens for DHCP requests on one or more interfaces
@@ -60,7 +60,7 @@ config DHCPRELAY
         server.
 
 config UDHCPC
-        bool "udhcpc"
+        bool "udhcpc (24 kb)"
         default y
         select PLATFORM_LINUX
         help
diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
index e5fd74f91..fc4de5716 100644
--- a/networking/udhcp/common.c
+++ b/networking/udhcp/common.c
@@ -272,6 +272,15 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
                         goto complain; /* complain and return NULL */
 
                 if (optionptr[OPT_CODE] == code) {
+                        if (optionptr[OPT_LEN] == 0) {
+                                /* So far no valid option with length 0 known.
+                                 * Having this check means that searching
+                                 * for DHCP_MESSAGE_TYPE need not worry
+                                 * that returned pointer might be unsafe
+                                 * to dereference.
+                                 */
+                                goto complain; /* complain and return NULL */
+                        }
                         log_option("option found", optionptr);
                         return optionptr + OPT_DATA;
                 }
@@ -289,6 +298,16 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
         return NULL;
 }
 
+uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
+{
+        uint8_t *r = udhcp_get_option(packet, code);
+        if (r) {
+                if (r[-OPT_DATA + OPT_LEN] != 4)
+                        r = NULL;
+        }
+        return r;
+}
+
 /* Return the position of the 'end' option (no bounds checking) */
 int FAST_FUNC udhcp_end_option(uint8_t *optionptr)
 {
@@ -403,6 +422,7 @@ static NOINLINE void attach_option(
                 if (errno)
                         bb_error_msg_and_die("malformed hex string '%s'", buffer);
                 length = end - allocated;
+                buffer = allocated;
         }
 #if ENABLE_FEATURE_UDHCP_RFC3397
         if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_DNS_STRING) {
@@ -422,15 +442,14 @@ static NOINLINE void attach_option(
                         new->data = xmalloc(length + OPT_DATA);
                         new->data[OPT_CODE] = optflag->code;
                         new->data[OPT_LEN] = length;
-                        memcpy(new->data + OPT_DATA, (allocated ? allocated : buffer),
-                                        length);
+                        memcpy(new->data + OPT_DATA, buffer, length);
                 } else {
                         new->data = xmalloc(length + D6_OPT_DATA);
                         new->data[D6_OPT_CODE] = optflag->code >> 8;
                         new->data[D6_OPT_CODE + 1] = optflag->code & 0xff;
                         new->data[D6_OPT_LEN] = length >> 8;
                         new->data[D6_OPT_LEN + 1] = length & 0xff;
-                        memcpy(new->data + D6_OPT_DATA, (allocated ? allocated : buffer),
+                        memcpy(new->data + D6_OPT_DATA, buffer,
                                         length);
                 }
 
@@ -453,6 +472,8 @@ static NOINLINE void attach_option(
                         /* actually 255 is ok too, but adding a space can overlow it */
 
                         existing->data = xrealloc(existing->data, OPT_DATA + 1 + old_len + length);
+// So far dhcp_optflags[] has no OPTION_STRING[_HOST] | OPTION_LIST items
+#if 0
                         if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING
                          || (optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING_HOST
                         ) {
@@ -460,7 +481,9 @@ static NOINLINE void attach_option(
                                 existing->data[OPT_DATA + old_len] = ' ';
                                 old_len++;
                         }
-                        memcpy(existing->data + OPT_DATA + old_len, (allocated ? allocated : buffer), length);
+#endif
+
+                        memcpy(existing->data + OPT_DATA + old_len, buffer, length);
                         existing->data[OPT_LEN] = old_len + length;
                 } /* else, ignore the data, we could put this in a second option in the future */
         } /* else, ignore the new data */
@@ -534,7 +557,7 @@ int FAST_FUNC udhcp_str2optset(const char *const_str, void *arg,
                         if (retval)
                                 retval = udhcp_str2nip(val, buffer + 4);
                         break;
-case_OPTION_STRING:
+ case_OPTION_STRING:
                 case OPTION_STRING:
                 case OPTION_STRING_HOST:
 #if ENABLE_FEATURE_UDHCP_RFC3397
diff --git a/networking/udhcp/common.h b/networking/udhcp/common.h
index 7ad603d33..62f9a2a4a 100644
--- a/networking/udhcp/common.h
+++ b/networking/udhcp/common.h
@@ -119,7 +119,7 @@ enum {
 //#define DHCP_TIME_SERVER      0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
 //#define DHCP_NAME_SERVER      0x05 /* IEN 116 _really_ ancient kind of NS */
 //#define DHCP_DNS_SERVER       0x06
-//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog)
+//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog) */
 //#define DHCP_COOKIE_SERVER    0x08 /* "quote of the day" server */
 //#define DHCP_LPR_SERVER       0x09
 #define DHCP_HOST_NAME          0x0c /* 12: either client informs server or server gives name to client */
@@ -205,6 +205,10 @@ extern const uint8_t dhcp_option_lengths[] ALIGN1;
 unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings);
 
 uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC;
+/* Same as above + ensures that option length is 4 bytes
+ * (returns NULL if size is different)
+ */
+uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC;
 int udhcp_end_option(uint8_t *optionptr) FAST_FUNC;
 void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC;
 #if ENABLE_UDHCPC || ENABLE_UDHCPD
diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
index 3c6129249..38c91cbb4 100644
--- a/networking/udhcp/d6_dhcpc.c
+++ b/networking/udhcp/d6_dhcpc.c
@@ -9,7 +9,7 @@
  * Licensed under GPLv2, see file LICENSE in this source tree.
  */
 //config:config UDHCPC6
-//config:       bool "udhcpc6"
+//config:       bool "udhcpc6 (21 kb)"
 //config:       default n  # not yet ready
 //config:       depends on FEATURE_IPV6
 //config:       help
diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
index 4b23e4d39..dcec8cdfd 100644
--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c
@@ -531,7 +531,7 @@ static char **fill_envp(struct dhcp_packet *packet)
                 temp = udhcp_get_option(packet, code);
                 *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
                 putenv(*curr++);
-                if (code == DHCP_SUBNET) {
+                if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
                         /* Subnet option: make things like "$ip/$mask" possible */
                         uint32_t subnet;
                         move_from_unaligned32(subnet, temp);
@@ -1691,7 +1691,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
  * They say ISC DHCP client supports this case.
  */
                                 server_addr = 0;
-                                temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
+                                temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
                                 if (!temp) {
                                         bb_error_msg("no server ID, using 0.0.0.0");
                                 } else {
@@ -1718,7 +1718,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
                                 struct in_addr temp_addr;
                                 uint8_t *temp;
 
-                                temp = udhcp_get_option(&packet, DHCP_LEASE_TIME);
+                                temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME);
                                 if (!temp) {
                                         bb_error_msg("no lease time with ACK, using 1 hour lease");
                                         lease_seconds = 60 * 60;
@@ -1813,7 +1813,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
                                         uint32_t svid;
                                         uint8_t *temp;
 
-                                        temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
+                                        temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
                                         if (!temp) {
  non_matching_svid:
                                                 log1("received DHCP NAK with wrong"
diff --git a/networking/udhcp/dhcpd.c b/networking/udhcp/dhcpd.c
index a8cd3f03b..0c55fa5e4 100644
--- a/networking/udhcp/dhcpd.c
+++ b/networking/udhcp/dhcpd.c
@@ -378,7 +378,7 @@ struct config_keyword {
 #define OFS(field) offsetof(struct server_config_t, field)
 
 static const struct config_keyword keywords[] = {
-        /* keyword        handler           variable address               default */
+        /* keyword        handler           variable address    default */
         {"start"        , udhcp_str2nip   , OFS(start_ip     ), "192.168.0.20"},
         {"end"          , udhcp_str2nip   , OFS(end_ip       ), "192.168.0.254"},
         {"interface"    , read_str        , OFS(interface    ), "eth0"},
@@ -640,7 +640,7 @@ static void add_server_options(struct dhcp_packet *packet)
 static uint32_t select_lease_time(struct dhcp_packet *packet)
 {
         uint32_t lease_time_sec = server_config.max_lease_sec;
-        uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME);
+        uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME);
         if (lease_time_opt) {
                 move_from_unaligned32(lease_time_sec, lease_time_opt);
                 lease_time_sec = ntohl(lease_time_sec);
@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, char **argv)
                 }
 
                 /* Get SERVER_ID if present */
-                server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID);
+                server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID);
                 if (server_id_opt) {
                         uint32_t server_id_network_order;
                         move_from_unaligned32(server_id_network_order, server_id_opt);
@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, char **argv)
                 }
 
                 /* Get REQUESTED_IP if present */
-                requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP);
+                requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP);
                 if (requested_ip_opt) {
                         move_from_unaligned32(requested_nip, requested_ip_opt);
                 }
diff --git a/networking/vconfig.c b/networking/vconfig.c
index 8548c8c3b..3cc5f2460 100644
--- a/networking/vconfig.c
+++ b/networking/vconfig.c
@@ -7,7 +7,7 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
 //config:config VCONFIG
-//config:       bool "vconfig (2.5 kb)"
+//config:       bool "vconfig (2.3 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       help
diff --git a/networking/wget.c b/networking/wget.c
index ae5c945d0..3cae1192c 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -9,7 +9,7 @@
  * Kuhn's copyrights are licensed GPLv2-or-later.  File as a whole remains GPLv2.
  */
 //config:config WGET
-//config:       bool "wget (35 kb)"
+//config:       bool "wget (38 kb)"
 //config:       default y
 //config:       help
 //config:       wget is a utility for non-interactive download of files from HTTP
@@ -123,14 +123,14 @@
 //usage:#define wget_trivial_usage
 //usage:        IF_FEATURE_WGET_LONG_OPTIONS(
 //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
-//usage:       "        [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]\n"
+//usage:       "        [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
 /* Since we ignore these opts, we don't show them in --help */
 /* //usage:    "        [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
 /* //usage:    "        [-nv] [-nc] [-nH] [-np]" */
-//usage:       "        [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
+//usage:       "        [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
 //usage:        )
 //usage:        IF_NOT_FEATURE_WGET_LONG_OPTIONS(
-//usage:       "[-cq] [-O FILE] [-Y on/off] [-P DIR] [-S] [-U AGENT]"
+//usage:       "[-cq] [-O FILE] [-o FILE] [-Y on/off] [-P DIR] [-S] [-U AGENT]"
 //usage:                        IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
 //usage:        )
 //usage:#define wget_full_usage "\n\n"
@@ -147,6 +147,7 @@
 //usage:     "\n        -T SEC          Network read timeout is SEC seconds"
 //usage:        )
 //usage:     "\n        -O FILE         Save to FILE ('-' for stdout)"
+//usage:     "\n        -o FILE         Log messages to FILE"
 //usage:     "\n        -U STR          Use STR for User-Agent header"
 //usage:     "\n        -Y on/off       Use proxy"
 
@@ -231,9 +232,11 @@ struct globals {
         unsigned char user_headers; /* Headers mentioned by the user */
 #endif
         char *fname_out;        /* where to direct output (-O) */
+        char *fname_log;        /* where to direct log (-o) */
         const char *proxy_flag; /* Use proxies if env vars are set */
         const char *user_agent; /* "User-Agent" header field */
         int output_fd;
+        int log_fd;
         int o_flags;
 #if ENABLE_FEATURE_WGET_TIMEOUT
         unsigned timeout_seconds;
@@ -262,16 +265,17 @@ enum {
         WGET_OPT_QUIET      = (1 << 1),
         WGET_OPT_SERVER_RESPONSE = (1 << 2),
         WGET_OPT_OUTNAME    = (1 << 3),
-        WGET_OPT_PREFIX     = (1 << 4),
-        WGET_OPT_PROXY      = (1 << 5),
-        WGET_OPT_USER_AGENT = (1 << 6),
-        WGET_OPT_NETWORK_READ_TIMEOUT = (1 << 7),
-        WGET_OPT_RETRIES    = (1 << 8),
-        WGET_OPT_nsomething = (1 << 9),
-        WGET_OPT_HEADER     = (1 << 10) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
-        WGET_OPT_POST_DATA  = (1 << 11) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
-        WGET_OPT_SPIDER     = (1 << 12) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
-        WGET_OPT_NO_CHECK_CERT = (1 << 13) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+        WGET_OPT_LOGNAME    = (1 << 4),
+        WGET_OPT_PREFIX     = (1 << 5),
+        WGET_OPT_PROXY      = (1 << 6),
+        WGET_OPT_USER_AGENT = (1 << 7),
+        WGET_OPT_NETWORK_READ_TIMEOUT = (1 << 8),
+        WGET_OPT_RETRIES    = (1 << 9),
+        WGET_OPT_nsomething = (1 << 10),
+        WGET_OPT_HEADER     = (1 << 11) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+        WGET_OPT_POST_DATA  = (1 << 12) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+        WGET_OPT_SPIDER     = (1 << 13) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+        WGET_OPT_NO_CHECK_CERT = (1 << 14) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
 };
 
 enum {
@@ -287,6 +291,10 @@ static void progress_meter(int flag)
         if (option_mask32 & WGET_OPT_QUIET)
                 return;
 
+        /* Don't save progress to log file */
+        if (G.log_fd >= 0)
+                return;
+
         if (flag == PROGRESS_START)
                 bb_progress_init(&G.pmt, G.curfile);
 
@@ -900,6 +908,10 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
         polldata.fd = fileno(dfp);
         polldata.events = POLLIN | POLLPRI;
 #endif
+        if (G.output_fd == 1)
+                fprintf(stderr, "writing to stdout\n");
+        else
+                fprintf(stderr, "saving to '%s'\n", G.fname_out);
         progress_meter(PROGRESS_START);
 
         if (G.chunked)
@@ -1045,6 +1057,10 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
         G.chunked = 0;  /* makes it show 100% even for chunked download */
         G.got_clen = 1; /* makes it show 100% even for download of (formerly) unknown size */
         progress_meter(PROGRESS_END);
+        if (G.output_fd == 1)
+                fprintf(stderr, "written to stdout\n");
+        else
+                fprintf(stderr, "'%s' saved\n", G.fname_out);
 }
 
 static void download_one_url(const char *url)
@@ -1404,6 +1420,8 @@ However, in real world it was observed that some web servers
                         xclose(G.output_fd);
                         G.output_fd = -1;
                 }
+        } else {
+                fprintf(stderr, "remote file exists\n");
         }
 
         if (dfp != sfp) {
@@ -1433,6 +1451,7 @@ int wget_main(int argc UNUSED_PARAM, char **argv)
                 "quiet\0"            No_argument       "q"
                 "server-response\0"  No_argument       "S"
                 "output-document\0"  Required_argument "O"
+                "output-file\0"      Required_argument "o"
                 "directory-prefix\0" Required_argument "P"
                 "proxy\0"            Required_argument "Y"
                 "user-agent\0"       Required_argument "U"
@@ -1476,7 +1495,7 @@ IF_DESKTOP(	"no-parent\0"        No_argument       "\xf0")
 #if ENABLE_FEATURE_WGET_LONG_OPTIONS
 #endif
         GETOPT32(argv, "^"
-                "cqSO:P:Y:U:T:+"
+                "cqSO:o:P:Y:U:T:+"
                 /*ignored:*/ "t:"
                 /*ignored:*/ "n::"
                 /* wget has exactly four -n<letter> opts, all of which we can ignore:
@@ -1491,7 +1510,7 @@ IF_DESKTOP(	"no-parent\0"        No_argument       "\xf0")
                 "-1" /* at least one URL */
                 IF_FEATURE_WGET_LONG_OPTIONS(":\xff::") /* --header is a list */
                 LONGOPTS
-                , &G.fname_out, &G.dir_prefix,
+                , &G.fname_out, &G.fname_log, &G.dir_prefix,
                 &G.proxy_flag, &G.user_agent,
                 IF_FEATURE_WGET_TIMEOUT(&G.timeout_seconds) IF_NOT_FEATURE_WGET_TIMEOUT(NULL),
                 NULL, /* -t RETRIES */
@@ -1553,12 +1572,25 @@ IF_DESKTOP(	"no-parent\0"        No_argument       "\xf0")
                 G.o_flags = O_WRONLY | O_CREAT | O_TRUNC;
         }
 
+        G.log_fd = -1;
+        if (G.fname_log) { /* -o FILE ? */
+                if (!LONE_DASH(G.fname_log)) { /* not -o - ? */
+                        /* compat with wget: -o FILE can overwrite */
+                        G.log_fd = xopen(G.fname_log, O_WRONLY | O_CREAT | O_TRUNC);
+                        /* Redirect only stderr to log file, so -O - will work */
+                        xdup2(G.log_fd, STDERR_FILENO);
+                }
+        }
+
         while (*argv)
                 download_one_url(*argv++);
 
         if (G.output_fd >= 0)
                 xclose(G.output_fd);
 
+        if (G.log_fd >= 0)
+                xclose(G.log_fd);
+
 #if ENABLE_FEATURE_CLEAN_UP && ENABLE_FEATURE_WGET_LONG_OPTIONS
         free(G.extra_headers);
 #endif
diff --git a/networking/whois.c b/networking/whois.c
index f3da32b4e..55e1de964 100644
--- a/networking/whois.c
+++ b/networking/whois.c
@@ -10,7 +10,7 @@
  * Add proxy support
  */
 //config:config WHOIS
-//config:       bool "whois (6.6 kb)"
+//config:       bool "whois (6.3 kb)"
 //config:       default y
 //config:       help
 //config:       whois is a client for the whois directory service
diff --git a/networking/zcip.c b/networking/zcip.c
index 94e49adcb..434762f12 100644
--- a/networking/zcip.c
+++ b/networking/zcip.c
@@ -14,7 +14,7 @@
  * certainly be used.  Its naming is built over multicast DNS.
  */
 //config:config ZCIP
-//config:       bool "zcip (7.8 kb)"
+//config:       bool "zcip (8.4 kb)"
 //config:       default y
 //config:       select PLATFORM_LINUX
 //config:       select FEATURE_SYSLOG