Merge remote-tracking branch 'origin/stable/10' into devel

author: Renato Botelho <renato@netgate.com> 2016-01-25 08:56:15 -0200
committer: Renato Botelho <renato@netgate.com> 2016-01-25 08:56:15 -0200
commit: eb84e0723f3b4bc5e40024f66fe21c14b09e9ec4 (patch)
tree: fec6b99d018e13f1fccbe31478aaf29a28a55642 /contrib
parent: c50df8e1b90c4f9b8bbffa592477c129854776ce (diff)
parent: 94b1bbbd44bd88b6db1c00d795cdf7675b3ae254 (diff)
download: FreeBSD-src-eb84e0723f3b4bc5e40024f66fe21c14b09e9ec4.zip
FreeBSD-src-eb84e0723f3b4bc5e40024f66fe21c14b09e9ec4.tar.gz
347 files changed, 10659 insertions, 5145 deletions
diff --git a/contrib/less/LICENSE b/contrib/less/LICENSE
index 3fe715f..376b8c8 100644
--- a/contrib/less/LICENSE
+++ b/contrib/less/LICENSE
@@ -2,7 +2,7 @@
                           ------------
 
 Less
-Copyright (C) 1984-2012  Mark Nudelman
+Copyright (C) 1984-2015  Mark Nudelman
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
diff --git a/contrib/less/NEWS b/contrib/less/NEWS
index e03f35a..43f1247 100644
--- a/contrib/less/NEWS
+++ b/contrib/less/NEWS
@@ -7,7 +7,44 @@
       http://www.greenwoodsoftware.com/less
   You can also download the latest version of less from there.
 
-  To report bugs, suggestions or comments, send email to bug-less@gnu.org.
+  To report bugs, suggestions or comments, send email to bug-less@gnu.org
+
+======================================================================
+
+	Major changes between "less" versions 458 and 481
+
+* Don't overwrite history file; just append to it.
+
+* New command ESC-G goes to end of currently buffered data in a pipe.
+
+* Disable history feature when compiled with LESSHISTFILE set to "-".
+
+* In more-compatible mode, make the -p option apply to every file opened,
+  not just the first one.
+
+* In more-compatible mode, change the -e option to work like -E, not -EF.
+
+* Treat multiple CRs before LF are like one CR (all the CRs are hidden).
+
+* Allow "extra" string in lesskey file to append to a multi-char command
+  (like a search pattern), without executing the command.
+
+* Ignore -u/-U setting while viewing help file, so that 
+  underline and bold chars are displayed correctly.
+
+* Improve detection of "binary" files in UTF-8 mode.
+
+* Fix bug with ++ commands.
+
+* Fix bug where prompt was sometimes not displayed with +G.
+
+* Fix possible memory corruption 
+
+* Fix bugs and improve performance in ampersand filtering.
+
+* Automate construction of Unicode tables from Unicode database.
+
+* Allow %% escape sequence in LESSOPEN variable.
 
 ======================================================================
 
diff --git a/contrib/less/README b/contrib/less/README
index 807749a..1088431 100644
--- a/contrib/less/README
+++ b/contrib/less/README
@@ -7,9 +7,9 @@
 **************************************************************************
 **************************************************************************
 
-                            Less, version 458
+                            Less, version 481
 
-    This is the distribution of less, version 458, released 04 Apr 2013.
+    This is the distribution of less, version 481, released 31 Aug 2015.
     This program is part of the GNU project (http://www.gnu.org).
 
     This program is free software.  You may redistribute it and/or
@@ -53,8 +53,9 @@ INSTALLATION (Unix systems only):
      Specifies the regular expression library used by less for pattern
      matching.  The default is "auto", which means the configure program 
      finds a regular expression library automatically.  Other values are:
-        posix          Use the POSIX-compatible regcomp.
+        gnu            Use the GNU regex library.
         pcre           Use the PCRE library.
+        posix          Use the POSIX-compatible regcomp.
         regcmp         Use the regcmp library.
         re_comp        Use the re_comp library.
         regcomp        Use the V8-compatible regcomp.
diff --git a/contrib/less/brac.c b/contrib/less/brac.c
index 70a7771..10a0843 100644
--- a/contrib/less/brac.c
+++ b/contrib/less/brac.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/ch.c b/contrib/less/ch.c
index 2e2ded7..da729c5 100644
--- a/contrib/less/ch.c
+++ b/contrib/less/ch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -54,7 +54,7 @@ struct buf {
  * The file state is maintained in a filestate structure.
  * A pointer to the filestate is kept in the ifile structure.
  */
-#define	BUFHASH_SIZE	64
+#define	BUFHASH_SIZE	1024
 struct filestate {
 	struct bufnode buflist;
 	struct bufnode hashtbl[BUFHASH_SIZE];
@@ -323,13 +323,16 @@ ch_get()
 #if HAVE_STAT_INO
 			if (follow_mode == FOLLOW_NAME)
 			{
-				/* See whether the file's i-number has changed.
+				/* See whether the file's i-number has changed,
+				 * or the file has shrunk.
 				 * If so, force the file to be closed and
 				 * reopened. */
 				struct stat st;
+				POSITION curr_pos = ch_tell();
 				int r = stat(get_filename(curr_ifile), &st);
 				if (r == 0 && (st.st_ino != curr_ino ||
-					st.st_dev != curr_dev))
+					st.st_dev != curr_dev ||
+					(curr_pos != NULL_POSITION && st.st_size < curr_pos)))
 				{
 					/* screen_trashed=2 causes
 					 * make_display to reopen the file. */
@@ -536,6 +539,32 @@ ch_end_seek()
 }
 
 /*
+ * Seek to the last position in the file that is currently buffered.
+ */
+	public int
+ch_end_buffer_seek()
+{
+	register struct buf *bp;
+	register struct bufnode *bn;
+	POSITION buf_pos;
+	POSITION end_pos;
+
+	if (thisfile == NULL || (ch_flags & CH_CANSEEK))
+		return (ch_end_seek());
+
+	end_pos = 0;
+	FOR_BUFS(bn)
+	{
+		bp = bufnode_buf(bn);
+		buf_pos = (bp->block * LBUFSIZE) + bp->datasize;
+		if (buf_pos > end_pos)
+			end_pos = buf_pos;
+	}
+
+	return (ch_seek(end_pos));
+}
+
+/*
  * Seek to the beginning of the file, or as close to it as we can get.
  * We may not be able to seek there if input is a pipe and the
  * beginning of the pipe is no longer buffered.
diff --git a/contrib/less/charset.c b/contrib/less/charset.c
index 03b38e0..4c62664 100644
--- a/contrib/less/charset.c
+++ b/contrib/less/charset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -466,36 +466,15 @@ prutfchar(ch)
 		else
 			SNPRINTF1(buf, sizeof(buf), binfmt, (char) ch);
 	} else if (is_ubin_char(ch))
+	{
 		SNPRINTF1(buf, sizeof(buf), utfbinfmt, ch);
-	else
+	} else
 	{
-		int len;
+		char *p = buf;
 		if (ch >= 0x80000000)
-		{
-			len = 3;
-			ch = 0xFFFD;
-		} else
-		{
-			len =   (ch < 0x80) ? 1
-			      : (ch < 0x800) ? 2
-			      : (ch < 0x10000) ? 3
-			      : (ch < 0x200000) ? 4
-			      : (ch < 0x4000000) ? 5
-			      : 6;
-		}
-		buf[len] = '\0';
-		if (len == 1)
-			*buf = (char) ch;
-		else
-		{
-			*buf = ((1 << len) - 1) << (8 - len);
-			while (--len > 0)
-			{
-				buf[len] = (char) (0x80 | (ch & 0x3F));
-				ch >>= 6;
-			}
-			*buf |= ch;
-		}
+			ch = 0xFFFD; /* REPLACEMENT CHARACTER */
+		put_wchar(&p, ch);
+		*p = '\0';
 	}
 	return (buf);
 }
@@ -524,11 +503,12 @@ utf_len(ch)
 }
 
 /*
- * Is a UTF-8 character well-formed?
+ * Does the parameter point to the lead byte of a well-formed UTF-8 character?
  */
 	public int
-is_utf8_well_formed(s)
+is_utf8_well_formed(s, slen)
 	unsigned char *s;
+	int slen;
 {
 	int i;
 	int len;
@@ -537,6 +517,8 @@ is_utf8_well_formed(s)
 		return (0);
 
 	len = utf_len((char) s[0]);
+	if (len > slen)
+		return (0);
 	if (len == 1)
 		return (1);
 	if (len == 2)
@@ -558,6 +540,35 @@ is_utf8_well_formed(s)
 }
 
 /*
+ * Return number of invalid UTF-8 sequences found in a buffer.
+ */
+	public int
+utf_bin_count(data, len)
+	unsigned char *data;
+	int len;
+{
+	int bin_count = 0;
+	while (len > 0)
+	{
+		if (is_utf8_well_formed(data, len))
+		{
+			int clen = utf_len(*data);
+			data += clen;
+			len -= clen;
+		} else
+		{
+			/* Skip to next lead byte. */
+			bin_count++;
+			do {
+				++data;
+				--len;
+			} while (len > 0 && !IS_UTF8_LEAD(*data));
+		}
+	}
+	return (bin_count);
+}
+
+/*
  * Get the value of a UTF-8 character.
  */
 	public LWCHAR
@@ -706,411 +717,51 @@ step_char(pp, dir, limit)
 
 /*
  * Unicode characters data
+ * Actual data is in the generated *.uni files.
  */
-struct wchar_range { LWCHAR first, last; };
 
-/*
- * Characters with general category values
- *	Mn: Mark, Nonspacing
- *	Me: Mark, Enclosing
- * Last synched with
- *	<http://www.unicode.org/Public/5.0.0/ucd/UnicodeData-5.0.0d7.txt>
- *	dated 2005-11-30T00:58:48Z
- */
-static struct wchar_range comp_table[] = {
-	{  0x0300,  0x036F} /* Mn */, {  0x0483,  0x0486} /* Mn */,
-	{  0x0488,  0x0489} /* Me */,
-	{  0x0591,  0x05BD} /* Mn */, {  0x05BF,  0x05BF} /* Mn */,
-	{  0x05C1,  0x05C2} /* Mn */, {  0x05C4,  0x05C5} /* Mn */,
-	{  0x05C7,  0x05C7} /* Mn */, {  0x0610,  0x0615} /* Mn */,
-	{  0x064B,  0x065E} /* Mn */, {  0x0670,  0x0670} /* Mn */,
-	{  0x06D6,  0x06DC} /* Mn */,
-	{  0x06DE,  0x06DE} /* Me */,
-	{  0x06DF,  0x06E4} /* Mn */, {  0x06E7,  0x06E8} /* Mn */,
-	{  0x06EA,  0x06ED} /* Mn */, {  0x0711,  0x0711} /* Mn */,
-	{  0x0730,  0x074A} /* Mn */, {  0x07A6,  0x07B0} /* Mn */,
-	{  0x07EB,  0x07F3} /* Mn */, {  0x0901,  0x0902} /* Mn */,
-	{  0x093C,  0x093C} /* Mn */, {  0x0941,  0x0948} /* Mn */,
-	{  0x094D,  0x094D} /* Mn */, {  0x0951,  0x0954} /* Mn */,
-	{  0x0962,  0x0963} /* Mn */, {  0x0981,  0x0981} /* Mn */,
-	{  0x09BC,  0x09BC} /* Mn */, {  0x09C1,  0x09C4} /* Mn */,
-	{  0x09CD,  0x09CD} /* Mn */, {  0x09E2,  0x09E3} /* Mn */,
-	{  0x0A01,  0x0A02} /* Mn */, {  0x0A3C,  0x0A3C} /* Mn */,
-	{  0x0A41,  0x0A42} /* Mn */, {  0x0A47,  0x0A48} /* Mn */,
-	{  0x0A4B,  0x0A4D} /* Mn */, {  0x0A70,  0x0A71} /* Mn */,
-	{  0x0A81,  0x0A82} /* Mn */, {  0x0ABC,  0x0ABC} /* Mn */,
-	{  0x0AC1,  0x0AC5} /* Mn */, {  0x0AC7,  0x0AC8} /* Mn */,
-	{  0x0ACD,  0x0ACD} /* Mn */, {  0x0AE2,  0x0AE3} /* Mn */,
-	{  0x0B01,  0x0B01} /* Mn */, {  0x0B3C,  0x0B3C} /* Mn */,
-	{  0x0B3F,  0x0B3F} /* Mn */, {  0x0B41,  0x0B43} /* Mn */,
-	{  0x0B4D,  0x0B4D} /* Mn */, {  0x0B56,  0x0B56} /* Mn */,
-	{  0x0B82,  0x0B82} /* Mn */, {  0x0BC0,  0x0BC0} /* Mn */,
-	{  0x0BCD,  0x0BCD} /* Mn */, {  0x0C3E,  0x0C40} /* Mn */,
-	{  0x0C46,  0x0C48} /* Mn */, {  0x0C4A,  0x0C4D} /* Mn */,
-	{  0x0C55,  0x0C56} /* Mn */, {  0x0CBC,  0x0CBC} /* Mn */,
-	{  0x0CBF,  0x0CBF} /* Mn */, {  0x0CC6,  0x0CC6} /* Mn */,
-	{  0x0CCC,  0x0CCD} /* Mn */, {  0x0CE2,  0x0CE3} /* Mn */,
-	{  0x0D41,  0x0D43} /* Mn */, {  0x0D4D,  0x0D4D} /* Mn */,
-	{  0x0DCA,  0x0DCA} /* Mn */, {  0x0DD2,  0x0DD4} /* Mn */,
-	{  0x0DD6,  0x0DD6} /* Mn */, {  0x0E31,  0x0E31} /* Mn */,
-	{  0x0E34,  0x0E3A} /* Mn */, {  0x0E47,  0x0E4E} /* Mn */,
-	{  0x0EB1,  0x0EB1} /* Mn */, {  0x0EB4,  0x0EB9} /* Mn */,
-	{  0x0EBB,  0x0EBC} /* Mn */, {  0x0EC8,  0x0ECD} /* Mn */,
-	{  0x0F18,  0x0F19} /* Mn */, {  0x0F35,  0x0F35} /* Mn */,
-	{  0x0F37,  0x0F37} /* Mn */, {  0x0F39,  0x0F39} /* Mn */,
-	{  0x0F71,  0x0F7E} /* Mn */, {  0x0F80,  0x0F84} /* Mn */,
-	{  0x0F86,  0x0F87} /* Mn */, {  0x0F90,  0x0F97} /* Mn */,
-	{  0x0F99,  0x0FBC} /* Mn */, {  0x0FC6,  0x0FC6} /* Mn */,
-	{  0x102D,  0x1030} /* Mn */, {  0x1032,  0x1032} /* Mn */,
-	{  0x1036,  0x1037} /* Mn */, {  0x1039,  0x1039} /* Mn */,
-	{  0x1058,  0x1059} /* Mn */, {  0x135F,  0x135F} /* Mn */,
-	{  0x1712,  0x1714} /* Mn */, {  0x1732,  0x1734} /* Mn */,
-	{  0x1752,  0x1753} /* Mn */, {  0x1772,  0x1773} /* Mn */,
-	{  0x17B7,  0x17BD} /* Mn */, {  0x17C6,  0x17C6} /* Mn */,
-	{  0x17C9,  0x17D3} /* Mn */, {  0x17DD,  0x17DD} /* Mn */,
-	{  0x180B,  0x180D} /* Mn */, {  0x18A9,  0x18A9} /* Mn */,
-	{  0x1920,  0x1922} /* Mn */, {  0x1927,  0x1928} /* Mn */,
-	{  0x1932,  0x1932} /* Mn */, {  0x1939,  0x193B} /* Mn */,
-	{  0x1A17,  0x1A18} /* Mn */, {  0x1B00,  0x1B03} /* Mn */,
-	{  0x1B34,  0x1B34} /* Mn */, {  0x1B36,  0x1B3A} /* Mn */,
-	{  0x1B3C,  0x1B3C} /* Mn */, {  0x1B42,  0x1B42} /* Mn */,
-	{  0x1B6B,  0x1B73} /* Mn */, {  0x1DC0,  0x1DCA} /* Mn */,
-	{  0x1DFE,  0x1DFF} /* Mn */, {  0x20D0,  0x20DC} /* Mn */,
-	{  0x20DD,  0x20E0} /* Me */,
-	{  0x20E1,  0x20E1} /* Mn */,
-	{  0x20E2,  0x20E4} /* Me */,
-	{  0x20E5,  0x20EF} /* Mn */, {  0x302A,  0x302F} /* Mn */,
-	{  0x3099,  0x309A} /* Mn */, {  0xA806,  0xA806} /* Mn */,
-	{  0xA80B,  0xA80B} /* Mn */, {  0xA825,  0xA826} /* Mn */,
-	{  0xFB1E,  0xFB1E} /* Mn */, {  0xFE00,  0xFE0F} /* Mn */,
-	{  0xFE20,  0xFE23} /* Mn */, { 0x10A01, 0x10A03} /* Mn */,
-	{ 0x10A05, 0x10A06} /* Mn */, { 0x10A0C, 0x10A0F} /* Mn */,
-	{ 0x10A38, 0x10A3A} /* Mn */, { 0x10A3F, 0x10A3F} /* Mn */,
-	{ 0x1D167, 0x1D169} /* Mn */, { 0x1D17B, 0x1D182} /* Mn */,
-	{ 0x1D185, 0x1D18B} /* Mn */, { 0x1D1AA, 0x1D1AD} /* Mn */,
-	{ 0x1D242, 0x1D244} /* Mn */, { 0xE0100, 0xE01EF} /* Mn */,
-};
+#define DECLARE_RANGE_TABLE_START(name) \
+    static struct wchar_range name##_array[] = {
+#define DECLARE_RANGE_TABLE_END(name) \
+    }; struct wchar_range_table name##_table = { name##_array, sizeof(name##_array)/sizeof(*name##_array) };
 
-/*
- * Special pairs, not ranges.
- */
+DECLARE_RANGE_TABLE_START(compose)
+#include "compose.uni"
+DECLARE_RANGE_TABLE_END(compose)
+
+DECLARE_RANGE_TABLE_START(ubin)
+#include "ubin.uni"
+DECLARE_RANGE_TABLE_END(ubin)
+
+DECLARE_RANGE_TABLE_START(wide)
+#include "wide.uni"
+DECLARE_RANGE_TABLE_END(wide)
+
+/* comb_table is special pairs, not ranges. */
 static struct wchar_range comb_table[] = {
 	{0x0644,0x0622}, {0x0644,0x0623}, {0x0644,0x0625}, {0x0644,0x0627},
 };
 
-/*
- * Characters with general category values
- *	Cc: Other, Control
- *	Cf: Other, Format
- *	Cs: Other, Surrogate
- *	Co: Other, Private Use
- *	Cn: Other, Not Assigned
- *	Zl: Separator, Line
- *	Zp: Separator, Paragraph
- * Last synched with
- *	<http://www.unicode.org/Public/5.0.0/ucd/UnicodeData-5.0.0d7.txt>
- *	dated 2005-11-30T00:58:48Z
- */
-static struct wchar_range ubin_table[] = {
-	{  0x0000,  0x0007} /* Cc */, 
-	{  0x000B,  0x000C} /* Cc */, 
-	{  0x000E,  0x001A} /* Cc */, 
-	{  0x001C,  0x001F} /* Cc */, 
-	{  0x007F,  0x009F} /* Cc */,
-#if 0
-	{  0x00AD,  0x00AD} /* Cf */,
-#endif
-	{  0x0370,  0x0373} /* Cn */, {  0x0376,  0x0379} /* Cn */,
-	{  0x037F,  0x0383} /* Cn */, {  0x038B,  0x038B} /* Cn */,
-	{  0x038D,  0x038D} /* Cn */, {  0x03A2,  0x03A2} /* Cn */,
-	{  0x03CF,  0x03CF} /* Cn */, {  0x0487,  0x0487} /* Cn */,
-	{  0x0514,  0x0530} /* Cn */, {  0x0557,  0x0558} /* Cn */,
-	{  0x0560,  0x0560} /* Cn */, {  0x0588,  0x0588} /* Cn */,
-	{  0x058B,  0x0590} /* Cn */, {  0x05C8,  0x05CF} /* Cn */,
-	{  0x05EB,  0x05EF} /* Cn */, {  0x05F5,  0x05FF} /* Cn */,
-#if 0
-	{  0x0600,  0x0603} /* Cf */,
-#endif
-	{  0x0604,  0x060A} /* Cn */, {  0x0616,  0x061A} /* Cn */,
-	{  0x061C,  0x061D} /* Cn */, {  0x0620,  0x0620} /* Cn */,
-	{  0x063B,  0x063F} /* Cn */, {  0x065F,  0x065F} /* Cn */,
-#if 0
-	{  0x06DD,  0x06DD} /* Cf */,
-#endif
-	{  0x070E,  0x070E} /* Cn */,
-#if 0
-	{  0x070F,  0x070F} /* Cf */,
-#endif
-	{  0x074B,  0x074C} /* Cn */, {  0x076E,  0x077F} /* Cn */,
-	{  0x07B2,  0x07BF} /* Cn */, {  0x07FB,  0x0900} /* Cn */,
-	{  0x093A,  0x093B} /* Cn */, {  0x094E,  0x094F} /* Cn */,
-	{  0x0955,  0x0957} /* Cn */, {  0x0971,  0x097A} /* Cn */,
-	{  0x0980,  0x0980} /* Cn */, {  0x0984,  0x0984} /* Cn */,
-	{  0x098D,  0x098E} /* Cn */, {  0x0991,  0x0992} /* Cn */,
-	{  0x09A9,  0x09A9} /* Cn */, {  0x09B1,  0x09B1} /* Cn */,
-	{  0x09B3,  0x09B5} /* Cn */, {  0x09BA,  0x09BB} /* Cn */,
-	{  0x09C5,  0x09C6} /* Cn */, {  0x09C9,  0x09CA} /* Cn */,
-	{  0x09CF,  0x09D6} /* Cn */, {  0x09D8,  0x09DB} /* Cn */,
-	{  0x09DE,  0x09DE} /* Cn */, {  0x09E4,  0x09E5} /* Cn */,
-	{  0x09FB,  0x0A00} /* Cn */, {  0x0A04,  0x0A04} /* Cn */,
-	{  0x0A0B,  0x0A0E} /* Cn */, {  0x0A11,  0x0A12} /* Cn */,
-	{  0x0A29,  0x0A29} /* Cn */, {  0x0A31,  0x0A31} /* Cn */,
-	{  0x0A34,  0x0A34} /* Cn */, {  0x0A37,  0x0A37} /* Cn */,
-	{  0x0A3A,  0x0A3B} /* Cn */, {  0x0A3D,  0x0A3D} /* Cn */,
-	{  0x0A43,  0x0A46} /* Cn */, {  0x0A49,  0x0A4A} /* Cn */,
-	{  0x0A4E,  0x0A58} /* Cn */, {  0x0A5D,  0x0A5D} /* Cn */,
-	{  0x0A5F,  0x0A65} /* Cn */, {  0x0A75,  0x0A80} /* Cn */,
-	{  0x0A84,  0x0A84} /* Cn */, {  0x0A8E,  0x0A8E} /* Cn */,
-	{  0x0A92,  0x0A92} /* Cn */, {  0x0AA9,  0x0AA9} /* Cn */,
-	{  0x0AB1,  0x0AB1} /* Cn */, {  0x0AB4,  0x0AB4} /* Cn */,
-	{  0x0ABA,  0x0ABB} /* Cn */, {  0x0AC6,  0x0AC6} /* Cn */,
-	{  0x0ACA,  0x0ACA} /* Cn */, {  0x0ACE,  0x0ACF} /* Cn */,
-	{  0x0AD1,  0x0ADF} /* Cn */, {  0x0AE4,  0x0AE5} /* Cn */,
-	{  0x0AF0,  0x0AF0} /* Cn */, {  0x0AF2,  0x0B00} /* Cn */,
-	{  0x0B04,  0x0B04} /* Cn */, {  0x0B0D,  0x0B0E} /* Cn */,
-	{  0x0B11,  0x0B12} /* Cn */, {  0x0B29,  0x0B29} /* Cn */,
-	{  0x0B31,  0x0B31} /* Cn */, {  0x0B34,  0x0B34} /* Cn */,
-	{  0x0B3A,  0x0B3B} /* Cn */, {  0x0B44,  0x0B46} /* Cn */,
-	{  0x0B49,  0x0B4A} /* Cn */, {  0x0B4E,  0x0B55} /* Cn */,
-	{  0x0B58,  0x0B5B} /* Cn */, {  0x0B5E,  0x0B5E} /* Cn */,
-	{  0x0B62,  0x0B65} /* Cn */, {  0x0B72,  0x0B81} /* Cn */,
-	{  0x0B84,  0x0B84} /* Cn */, {  0x0B8B,  0x0B8D} /* Cn */,
-	{  0x0B91,  0x0B91} /* Cn */, {  0x0B96,  0x0B98} /* Cn */,
-	{  0x0B9B,  0x0B9B} /* Cn */, {  0x0B9D,  0x0B9D} /* Cn */,
-	{  0x0BA0,  0x0BA2} /* Cn */, {  0x0BA5,  0x0BA7} /* Cn */,
-	{  0x0BAB,  0x0BAD} /* Cn */, {  0x0BBA,  0x0BBD} /* Cn */,
-	{  0x0BC3,  0x0BC5} /* Cn */, {  0x0BC9,  0x0BC9} /* Cn */,
-	{  0x0BCE,  0x0BD6} /* Cn */, {  0x0BD8,  0x0BE5} /* Cn */,
-	{  0x0BFB,  0x0C00} /* Cn */, {  0x0C04,  0x0C04} /* Cn */,
-	{  0x0C0D,  0x0C0D} /* Cn */, {  0x0C11,  0x0C11} /* Cn */,
-	{  0x0C29,  0x0C29} /* Cn */, {  0x0C34,  0x0C34} /* Cn */,
-	{  0x0C3A,  0x0C3D} /* Cn */, {  0x0C45,  0x0C45} /* Cn */,
-	{  0x0C49,  0x0C49} /* Cn */, {  0x0C4E,  0x0C54} /* Cn */,
-	{  0x0C57,  0x0C5F} /* Cn */, {  0x0C62,  0x0C65} /* Cn */,
-	{  0x0C70,  0x0C81} /* Cn */, {  0x0C84,  0x0C84} /* Cn */,
-	{  0x0C8D,  0x0C8D} /* Cn */, {  0x0C91,  0x0C91} /* Cn */,
-	{  0x0CA9,  0x0CA9} /* Cn */, {  0x0CB4,  0x0CB4} /* Cn */,
-	{  0x0CBA,  0x0CBB} /* Cn */, {  0x0CC5,  0x0CC5} /* Cn */,
-	{  0x0CC9,  0x0CC9} /* Cn */, {  0x0CCE,  0x0CD4} /* Cn */,
-	{  0x0CD7,  0x0CDD} /* Cn */, {  0x0CDF,  0x0CDF} /* Cn */,
-	{  0x0CE4,  0x0CE5} /* Cn */, {  0x0CF0,  0x0CF0} /* Cn */,
-	{  0x0CF3,  0x0D01} /* Cn */, {  0x0D04,  0x0D04} /* Cn */,
-	{  0x0D0D,  0x0D0D} /* Cn */, {  0x0D11,  0x0D11} /* Cn */,
-	{  0x0D29,  0x0D29} /* Cn */, {  0x0D3A,  0x0D3D} /* Cn */,
-	{  0x0D44,  0x0D45} /* Cn */, {  0x0D49,  0x0D49} /* Cn */,
-	{  0x0D4E,  0x0D56} /* Cn */, {  0x0D58,  0x0D5F} /* Cn */,
-	{  0x0D62,  0x0D65} /* Cn */, {  0x0D70,  0x0D81} /* Cn */,
-	{  0x0D84,  0x0D84} /* Cn */, {  0x0D97,  0x0D99} /* Cn */,
-	{  0x0DB2,  0x0DB2} /* Cn */, {  0x0DBC,  0x0DBC} /* Cn */,
-	{  0x0DBE,  0x0DBF} /* Cn */, {  0x0DC7,  0x0DC9} /* Cn */,
-	{  0x0DCB,  0x0DCE} /* Cn */, {  0x0DD5,  0x0DD5} /* Cn */,
-	{  0x0DD7,  0x0DD7} /* Cn */, {  0x0DE0,  0x0DF1} /* Cn */,
-	{  0x0DF5,  0x0E00} /* Cn */, {  0x0E3B,  0x0E3E} /* Cn */,
-	{  0x0E5C,  0x0E80} /* Cn */, {  0x0E83,  0x0E83} /* Cn */,
-	{  0x0E85,  0x0E86} /* Cn */, {  0x0E89,  0x0E89} /* Cn */,
-	{  0x0E8B,  0x0E8C} /* Cn */, {  0x0E8E,  0x0E93} /* Cn */,
-	{  0x0E98,  0x0E98} /* Cn */, {  0x0EA0,  0x0EA0} /* Cn */,
-	{  0x0EA4,  0x0EA4} /* Cn */, {  0x0EA6,  0x0EA6} /* Cn */,
-	{  0x0EA8,  0x0EA9} /* Cn */, {  0x0EAC,  0x0EAC} /* Cn */,
-	{  0x0EBA,  0x0EBA} /* Cn */, {  0x0EBE,  0x0EBF} /* Cn */,
-	{  0x0EC5,  0x0EC5} /* Cn */, {  0x0EC7,  0x0EC7} /* Cn */,
-	{  0x0ECE,  0x0ECF} /* Cn */, {  0x0EDA,  0x0EDB} /* Cn */,
-	{  0x0EDE,  0x0EFF} /* Cn */, {  0x0F48,  0x0F48} /* Cn */,
-	{  0x0F6B,  0x0F70} /* Cn */, {  0x0F8C,  0x0F8F} /* Cn */,
-	{  0x0F98,  0x0F98} /* Cn */, {  0x0FBD,  0x0FBD} /* Cn */,
-	{  0x0FCD,  0x0FCE} /* Cn */, {  0x0FD2,  0x0FFF} /* Cn */,
-	{  0x1022,  0x1022} /* Cn */, {  0x1028,  0x1028} /* Cn */,
-	{  0x102B,  0x102B} /* Cn */, {  0x1033,  0x1035} /* Cn */,
-	{  0x103A,  0x103F} /* Cn */, {  0x105A,  0x109F} /* Cn */,
-	{  0x10C6,  0x10CF} /* Cn */, {  0x10FD,  0x10FF} /* Cn */,
-	{  0x115A,  0x115E} /* Cn */, {  0x11A3,  0x11A7} /* Cn */,
-	{  0x11FA,  0x11FF} /* Cn */, {  0x1249,  0x1249} /* Cn */,
-	{  0x124E,  0x124F} /* Cn */, {  0x1257,  0x1257} /* Cn */,
-	{  0x1259,  0x1259} /* Cn */, {  0x125E,  0x125F} /* Cn */,
-	{  0x1289,  0x1289} /* Cn */, {  0x128E,  0x128F} /* Cn */,
-	{  0x12B1,  0x12B1} /* Cn */, {  0x12B6,  0x12B7} /* Cn */,
-	{  0x12BF,  0x12BF} /* Cn */, {  0x12C1,  0x12C1} /* Cn */,
-	{  0x12C6,  0x12C7} /* Cn */, {  0x12D7,  0x12D7} /* Cn */,
-	{  0x1311,  0x1311} /* Cn */, {  0x1316,  0x1317} /* Cn */,
-	{  0x135B,  0x135E} /* Cn */, {  0x137D,  0x137F} /* Cn */,
-	{  0x139A,  0x139F} /* Cn */, {  0x13F5,  0x1400} /* Cn */,
-	{  0x1677,  0x167F} /* Cn */, {  0x169D,  0x169F} /* Cn */,
-	{  0x16F1,  0x16FF} /* Cn */, {  0x170D,  0x170D} /* Cn */,
-	{  0x1715,  0x171F} /* Cn */, {  0x1737,  0x173F} /* Cn */,
-	{  0x1754,  0x175F} /* Cn */, {  0x176D,  0x176D} /* Cn */,
-	{  0x1771,  0x1771} /* Cn */, {  0x1774,  0x177F} /* Cn */,
-#if 0
-	{  0x17B4,  0x17B5} /* Cf */,
-#endif
-	{  0x17DE,  0x17DF} /* Cn */, {  0x17EA,  0x17EF} /* Cn */,
-	{  0x17FA,  0x17FF} /* Cn */, {  0x180F,  0x180F} /* Cn */,
-	{  0x181A,  0x181F} /* Cn */, {  0x1878,  0x187F} /* Cn */,
-	{  0x18AA,  0x18FF} /* Cn */, {  0x191D,  0x191F} /* Cn */,
-	{  0x192C,  0x192F} /* Cn */, {  0x193C,  0x193F} /* Cn */,
-	{  0x1941,  0x1943} /* Cn */, {  0x196E,  0x196F} /* Cn */,
-	{  0x1975,  0x197F} /* Cn */, {  0x19AA,  0x19AF} /* Cn */,
-	{  0x19CA,  0x19CF} /* Cn */, {  0x19DA,  0x19DD} /* Cn */,
-	{  0x1A1C,  0x1A1D} /* Cn */, {  0x1A20,  0x1AFF} /* Cn */,
-	{  0x1B4C,  0x1B4F} /* Cn */, {  0x1B7D,  0x1CFF} /* Cn */,
-	{  0x1DCB,  0x1DFD} /* Cn */, {  0x1E9C,  0x1E9F} /* Cn */,
-	{  0x1EFA,  0x1EFF} /* Cn */, {  0x1F16,  0x1F17} /* Cn */,
-	{  0x1F1E,  0x1F1F} /* Cn */, {  0x1F46,  0x1F47} /* Cn */,
-	{  0x1F4E,  0x1F4F} /* Cn */, {  0x1F58,  0x1F58} /* Cn */,
-	{  0x1F5A,  0x1F5A} /* Cn */, {  0x1F5C,  0x1F5C} /* Cn */,
-	{  0x1F5E,  0x1F5E} /* Cn */, {  0x1F7E,  0x1F7F} /* Cn */,
-	{  0x1FB5,  0x1FB5} /* Cn */, {  0x1FC5,  0x1FC5} /* Cn */,
-	{  0x1FD4,  0x1FD5} /* Cn */, {  0x1FDC,  0x1FDC} /* Cn */,
-	{  0x1FF0,  0x1FF1} /* Cn */, {  0x1FF5,  0x1FF5} /* Cn */,
-	{  0x1FFF,  0x1FFF} /* Cn */,
-	{  0x200B,  0x200F} /* Cf */,
-	{  0x2028,  0x2028} /* Zl */,
-	{  0x2029,  0x2029} /* Zp */,
-	{  0x202A,  0x202E} /* Cf */,
-	{  0x2060,  0x2063} /* Cf */,
-	{  0x2064,  0x2069} /* Cn */,
-	{  0x206A,  0x206F} /* Cf */,
-	{  0x2072,  0x2073} /* Cn */, {  0x208F,  0x208F} /* Cn */,
-	{  0x2095,  0x209F} /* Cn */, {  0x20B6,  0x20CF} /* Cn */,
-	{  0x20F0,  0x20FF} /* Cn */, {  0x214F,  0x2152} /* Cn */,
-	{  0x2185,  0x218F} /* Cn */, {  0x23E8,  0x23FF} /* Cn */,
-	{  0x2427,  0x243F} /* Cn */, {  0x244B,  0x245F} /* Cn */,
-	{  0x269D,  0x269F} /* Cn */, {  0x26B3,  0x2700} /* Cn */,
-	{  0x2705,  0x2705} /* Cn */, {  0x270A,  0x270B} /* Cn */,
-	{  0x2728,  0x2728} /* Cn */, {  0x274C,  0x274C} /* Cn */,
-	{  0x274E,  0x274E} /* Cn */, {  0x2753,  0x2755} /* Cn */,
-	{  0x2757,  0x2757} /* Cn */, {  0x275F,  0x2760} /* Cn */,
-	{  0x2795,  0x2797} /* Cn */, {  0x27B0,  0x27B0} /* Cn */,
-	{  0x27BF,  0x27BF} /* Cn */, {  0x27CB,  0x27CF} /* Cn */,
-	{  0x27EC,  0x27EF} /* Cn */, {  0x2B1B,  0x2B1F} /* Cn */,
-	{  0x2B24,  0x2BFF} /* Cn */, {  0x2C2F,  0x2C2F} /* Cn */,
-	{  0x2C5F,  0x2C5F} /* Cn */, {  0x2C6D,  0x2C73} /* Cn */,
-	{  0x2C78,  0x2C7F} /* Cn */, {  0x2CEB,  0x2CF8} /* Cn */,
-	{  0x2D26,  0x2D2F} /* Cn */, {  0x2D66,  0x2D6E} /* Cn */,
-	{  0x2D70,  0x2D7F} /* Cn */, {  0x2D97,  0x2D9F} /* Cn */,
-	{  0x2DA7,  0x2DA7} /* Cn */, {  0x2DAF,  0x2DAF} /* Cn */,
-	{  0x2DB7,  0x2DB7} /* Cn */, {  0x2DBF,  0x2DBF} /* Cn */,
-	{  0x2DC7,  0x2DC7} /* Cn */, {  0x2DCF,  0x2DCF} /* Cn */,
-	{  0x2DD7,  0x2DD7} /* Cn */, {  0x2DDF,  0x2DFF} /* Cn */,
-	{  0x2E18,  0x2E1B} /* Cn */, {  0x2E1E,  0x2E7F} /* Cn */,
-	{  0x2E9A,  0x2E9A} /* Cn */, {  0x2EF4,  0x2EFF} /* Cn */,
-	{  0x2FD6,  0x2FEF} /* Cn */, {  0x2FFC,  0x2FFF} /* Cn */,
-	{  0x3040,  0x3040} /* Cn */, {  0x3097,  0x3098} /* Cn */,
-	{  0x3100,  0x3104} /* Cn */, {  0x312D,  0x3130} /* Cn */,
-	{  0x318F,  0x318F} /* Cn */, {  0x31B8,  0x31BF} /* Cn */,
-	{  0x31D0,  0x31EF} /* Cn */, {  0x321F,  0x321F} /* Cn */,
-	{  0x3244,  0x324F} /* Cn */, {  0x32FF,  0x32FF} /* Cn */,
-	{  0x4DB6,  0x4DBF} /* Cn */, {  0x9FBC,  0x9FFF} /* Cn */,
-	{  0xA48D,  0xA48F} /* Cn */, {  0xA4C7,  0xA6FF} /* Cn */,
-	{  0xA71B,  0xA71F} /* Cn */, {  0xA722,  0xA7FF} /* Cn */,
-	{  0xA82C,  0xA83F} /* Cn */, {  0xA878,  0xABFF} /* Cn */,
-	{  0xD7A4,  0xD7FF} /* Cn */,
-	{  0xD800,  0xDFFF} /* Cs */,
-	{  0xE000,  0xF8FF} /* Co */,
-	{  0xFA2E,  0xFA2F} /* Cn */, {  0xFA6B,  0xFA6F} /* Cn */,
-	{  0xFADA,  0xFAFF} /* Cn */, {  0xFB07,  0xFB12} /* Cn */,
-	{  0xFB18,  0xFB1C} /* Cn */, {  0xFB37,  0xFB37} /* Cn */,
-	{  0xFB3D,  0xFB3D} /* Cn */, {  0xFB3F,  0xFB3F} /* Cn */,
-	{  0xFB42,  0xFB42} /* Cn */, {  0xFB45,  0xFB45} /* Cn */,
-	{  0xFBB2,  0xFBD2} /* Cn */, {  0xFD40,  0xFD4F} /* Cn */,
-	{  0xFD90,  0xFD91} /* Cn */, {  0xFDC8,  0xFDEF} /* Cn */,
-	{  0xFDFE,  0xFDFF} /* Cn */, {  0xFE1A,  0xFE1F} /* Cn */,
-	{  0xFE24,  0xFE2F} /* Cn */, {  0xFE53,  0xFE53} /* Cn */,
-	{  0xFE67,  0xFE67} /* Cn */, {  0xFE6C,  0xFE6F} /* Cn */,
-	{  0xFE75,  0xFE75} /* Cn */, {  0xFEFD,  0xFEFE} /* Cn */,
-	{  0xFEFF,  0xFEFF} /* Cf */,
-	{  0xFF00,  0xFF00} /* Cn */, {  0xFFBF,  0xFFC1} /* Cn */,
-	{  0xFFC8,  0xFFC9} /* Cn */, {  0xFFD0,  0xFFD1} /* Cn */,
-	{  0xFFD8,  0xFFD9} /* Cn */, {  0xFFDD,  0xFFDF} /* Cn */,
-	{  0xFFE7,  0xFFE7} /* Cn */, {  0xFFEF,  0xFFF8} /* Cn */,
-	{  0xFFF9,  0xFFFB} /* Cf */,
-	{  0xFFFE,  0xFFFF} /* Cn */, { 0x1000C, 0x1000C} /* Cn */,
-	{ 0x10027, 0x10027} /* Cn */, { 0x1003B, 0x1003B} /* Cn */,
-	{ 0x1003E, 0x1003E} /* Cn */, { 0x1004E, 0x1004F} /* Cn */,
-	{ 0x1005E, 0x1007F} /* Cn */, { 0x100FB, 0x100FF} /* Cn */,
-	{ 0x10103, 0x10106} /* Cn */, { 0x10134, 0x10136} /* Cn */,
-	{ 0x1018B, 0x102FF} /* Cn */, { 0x1031F, 0x1031F} /* Cn */,
-	{ 0x10324, 0x1032F} /* Cn */, { 0x1034B, 0x1037F} /* Cn */,
-	{ 0x1039E, 0x1039E} /* Cn */, { 0x103C4, 0x103C7} /* Cn */,
-	{ 0x103D6, 0x103FF} /* Cn */,
-	{ 0x1049E, 0x1049F} /* Cn */, { 0x104AA, 0x107FF} /* Cn */,
-	{ 0x10806, 0x10807} /* Cn */, { 0x10809, 0x10809} /* Cn */,
-	{ 0x10836, 0x10836} /* Cn */, { 0x10839, 0x1083B} /* Cn */,
-	{ 0x1083D, 0x1083E} /* Cn */, { 0x10840, 0x108FF} /* Cn */,
-	{ 0x1091A, 0x1091E} /* Cn */, { 0x10920, 0x109FF} /* Cn */,
-	{ 0x10A04, 0x10A04} /* Cn */, { 0x10A07, 0x10A0B} /* Cn */,
-	{ 0x10A14, 0x10A14} /* Cn */, { 0x10A18, 0x10A18} /* Cn */,
-	{ 0x10A34, 0x10A37} /* Cn */, { 0x10A3B, 0x10A3E} /* Cn */,
-	{ 0x10A48, 0x10A4F} /* Cn */, { 0x10A59, 0x11FFF} /* Cn */,
-	{ 0x1236F, 0x123FF} /* Cn */, { 0x12463, 0x1246F} /* Cn */,
-	{ 0x12474, 0x1CFFF} /* Cn */, { 0x1D0F6, 0x1D0FF} /* Cn */,
-	{ 0x1D127, 0x1D129} /* Cn */,
-	{ 0x1D173, 0x1D17A} /* Cf */,
-	{ 0x1D1DE, 0x1D1FF} /* Cn */, { 0x1D246, 0x1D2FF} /* Cn */,
-	{ 0x1D357, 0x1D35F} /* Cn */, { 0x1D372, 0x1D3FF} /* Cn */,
-	{ 0x1D455, 0x1D455} /* Cn */, { 0x1D49D, 0x1D49D} /* Cn */,
-	{ 0x1D4A0, 0x1D4A1} /* Cn */, { 0x1D4A3, 0x1D4A4} /* Cn */,
-	{ 0x1D4A7, 0x1D4A8} /* Cn */, { 0x1D4AD, 0x1D4AD} /* Cn */,
-	{ 0x1D4BA, 0x1D4BA} /* Cn */, { 0x1D4BC, 0x1D4BC} /* Cn */,
-	{ 0x1D4C4, 0x1D4C4} /* Cn */, { 0x1D506, 0x1D506} /* Cn */,
-	{ 0x1D50B, 0x1D50C} /* Cn */, { 0x1D515, 0x1D515} /* Cn */,
-	{ 0x1D51D, 0x1D51D} /* Cn */, { 0x1D53A, 0x1D53A} /* Cn */,
-	{ 0x1D53F, 0x1D53F} /* Cn */, { 0x1D545, 0x1D545} /* Cn */,
-	{ 0x1D547, 0x1D549} /* Cn */, { 0x1D551, 0x1D551} /* Cn */,
-	{ 0x1D6A6, 0x1D6A7} /* Cn */, { 0x1D7CC, 0x1D7CD} /* Cn */,
-	{ 0x1D800, 0x1FFFF} /* Cn */, { 0x2A6D7, 0x2F7FF} /* Cn */,
-	{ 0x2FA1E, 0xE0000} /* Cn */,
-	{ 0xE0001, 0xE0001} /* Cf */,
-	{ 0xE0002, 0xE001F} /* Cn */,
-	{ 0xE0020, 0xE007F} /* Cf */,
-	{ 0xE0080, 0xE00FF} /* Cn */, { 0xE01F0, 0xEFFFF} /* Cn */,
-	{ 0xF0000, 0xFFFFD} /* Co */,
-	{ 0xFFFFE, 0xFFFFF} /* Cn */,
-	{0x100000,0x10FFFD} /* Co */,
-	{0x10FFFE,0x10FFFF} /* Cn */,
-	{0x110000,0x7FFFFFFF} /* ISO 10646?? */
-};
-
-/*
- * Double width characters
- *	W: East Asian Wide
- *	F: East Asian Full-width
- * Unassigned code points may be included when they allow ranges to be merged.
- * Last synched with
- *	<http://www.unicode.org/Public/5.0.0/ucd/EastAsianWidth-5.0.0d2.txt>
- *	dated 2005-11-08T01:32:56Z
- */
-static struct wchar_range wide_table[] = {
-	{  0x1100,  0x115F} /* W */, {  0x2329,  0x232A} /* W */,
-	{  0x2E80,  0x2FFB} /* W */,
-	{  0x3000,  0x3000} /* F */,
-	{  0x3001,  0x303E} /* W */, {  0x3041,  0x4DB5} /* W */,
-	{  0x4E00,  0x9FBB} /* W */, {  0xA000,  0xA4C6} /* W */,
-	{  0xAC00,  0xD7A3} /* W */, {  0xF900,  0xFAD9} /* W */,
-	{  0xFE10,  0xFE19} /* W */, {  0xFE30,  0xFE6B} /* W */,
-	{  0xFF01,  0xFF60} /* F */, {  0xFFE0,  0xFFE6} /* F */,
-	{ 0x20000, 0x2FFFD} /* W */, { 0x30000, 0x3FFFD} /* W */,
-};
 
 	static int
-is_in_table(ch, table, tsize)
+is_in_table(ch, table)
 	LWCHAR ch;
-	struct wchar_range table[];
-	int tsize;
+	struct wchar_range_table *table;
 {
 	int hi;
 	int lo;
 
 	/* Binary search in the table. */
-	if (ch < table[0].first)
+	if (ch < table->table[0].first)
 		return 0;
 	lo = 0;
-	hi = tsize - 1;
+	hi = table->count - 1;
 	while (lo <= hi)
 	{
 		int mid = (lo + hi) / 2;
-		if (ch > table[mid].last)
+		if (ch > table->table[mid].last)
 			lo = mid + 1;
-		else if (ch < table[mid].first)
+		else if (ch < table->table[mid].first)
 			hi = mid - 1;
 		else
 			return 1;
@@ -1126,7 +777,7 @@ is_in_table(ch, table, tsize)
 is_composing_char(ch)
 	LWCHAR ch;
 {
-	return is_in_table(ch, comp_table, (sizeof(comp_table) / sizeof(*comp_table)));
+	return is_in_table(ch, &compose_table);
 }
 
 /*
@@ -1136,7 +787,7 @@ is_composing_char(ch)
 is_ubin_char(ch)
 	LWCHAR ch;
 {
-	return is_in_table(ch, ubin_table, (sizeof(ubin_table) / sizeof(*ubin_table)));
+	return is_in_table(ch, &ubin_table);
 }
 
 /*
@@ -1146,7 +797,7 @@ is_ubin_char(ch)
 is_wide_char(ch)
 	LWCHAR ch;
 {
-	return is_in_table(ch, wide_table, (sizeof(wide_table) / sizeof(*wide_table)));
+	return is_in_table(ch, &wide_table);
 }
 
 /*
diff --git a/contrib/less/charset.h b/contrib/less/charset.h
index 7df4df6..bb1e437 100644
--- a/contrib/less/charset.h
+++ b/contrib/less/charset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/cmd.h b/contrib/less/cmd.h
index 9a72160..8a943d1 100644
--- a/contrib/less/cmd.h
+++ b/contrib/less/cmd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -66,6 +66,7 @@
 #define	A_PREV_TAG		54
 #define	A_FILTER		55
 #define	A_F_UNTIL_HILITE	56
+#define	A_GOEND_BUF		57
 
 #define	A_INVALID		100
 #define	A_NOACTION		101
diff --git a/contrib/less/cmdbuf.c b/contrib/less/cmdbuf.c
index e387ccc..69d7414 100644
--- a/contrib/less/cmdbuf.c
+++ b/contrib/less/cmdbuf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -203,7 +203,7 @@ cmd_step_common(p, ch, len, pwidth, bswidth)
 		pr = prchar((int) ch);
 		if (pwidth != NULL || bswidth != NULL)
 		{
-			int len = strlen(pr);
+			int len = (int) strlen(pr);
 			if (pwidth != NULL)
 				*pwidth = len;
 			if (bswidth != NULL)
@@ -222,7 +222,7 @@ cmd_step_common(p, ch, len, pwidth, bswidth)
 					*bswidth = 0;
 			} else if (is_ubin_char(ch))
 			{
-				int len = strlen(pr);
+				int len = (int) strlen(pr);
 				if (pwidth != NULL)
 					*pwidth = len;
 				if (bswidth != NULL)
@@ -375,7 +375,7 @@ cmd_lshift()
 		s = ns;
 	}
 
-	cmd_offset = s - cmdbuf;
+	cmd_offset = (int) (s - cmdbuf);
 	save_cp = cp;
 	cmd_home();
 	cmd_repaint(save_cp);
@@ -405,7 +405,7 @@ cmd_rshift()
 		cols += width;
 	}
 
-	cmd_offset = s - cmdbuf;
+	cmd_offset = (int) (s - cmdbuf);
 	save_cp = cp;
 	cmd_home();
 	cmd_repaint(save_cp);
@@ -535,7 +535,7 @@ cmd_erase()
 	 */
 	s = cp;
 	cmd_left();
-	clen = s - cp;
+	clen = (int) (s - cp);
 
 	/*
 	 * Remove the char from the buffer (shift the buffer left).
@@ -701,7 +701,7 @@ cmd_updown(action)
 
 	if (updown_match < 0)
 	{
-		updown_match = cp - cmdbuf;
+		updown_match = (int) (cp - cmdbuf);
 	}
 
 	/*
@@ -744,12 +744,13 @@ cmd_updown(action)
 #endif
 
 /*
- * Add a string to a history list.
+ * Add a string to an mlist.
  */
 	public void
-cmd_addhist(mlist, cmd)
+cmd_addhist(mlist, cmd, modified)
 	struct mlist *mlist;
 	char *cmd;
+	int modified;
 {
 #if CMD_HISTORY
 	struct mlist *ml;
@@ -773,6 +774,7 @@ cmd_addhist(mlist, cmd)
 		 */
 		ml = (struct mlist *) ecalloc(1, sizeof(struct mlist));
 		ml->string = save(cmd);
+		ml->modified = modified;
 		ml->next = mlist;
 		ml->prev = mlist->prev;
 		mlist->prev->next = ml;
@@ -799,7 +801,7 @@ cmd_accept()
 	 */
 	if (curr_mlist == NULL)
 		return;
-	cmd_addhist(curr_mlist, cmdbuf);
+	cmd_addhist(curr_mlist, cmdbuf, 1);
 	curr_mlist->modified = 1;
 #endif
 }
@@ -965,7 +967,7 @@ delimit_word()
 	int delim_quoted = 0;
 	int meta_quoted = 0;
 	char *esc = get_meta_escape();
-	int esclen = strlen(esc);
+	int esclen = (int) strlen(esc);
 #endif
 	
 	/*
@@ -1262,7 +1264,7 @@ cmd_char(c)
 			cmd_mbc_buf[cmd_mbc_buf_index++] = c;
 			if (cmd_mbc_buf_index < cmd_mbc_buf_len)
 				return (CC_OK);
-			if (!is_utf8_well_formed(cmd_mbc_buf))
+			if (!is_utf8_well_formed(cmd_mbc_buf, cmd_mbc_buf_index))
 			{
 				/* complete, but not well formed (non-shortest form), sequence */
 				cmd_mbc_buf_len = 0;
@@ -1359,6 +1361,18 @@ cmd_lastpattern()
 
 #if CMD_HISTORY
 /*
+ */
+	static int
+mlist_size(ml)
+	struct mlist *ml;
+{
+	int size = 0;
+	for (ml = ml->next;  ml->string != NULL;  ml = ml->next)
+		++size;
+	return size;
+}
+
+/*
  * Get the name of the history file.
  */
 	static char *
@@ -1378,6 +1392,10 @@ histfile_name()
 		return (save(name));
 	}
 
+	/* See if history file is disabled in the build. */
+	if (strcmp(LESSHISTFILE, "") == 0 || strcmp(LESSHISTFILE, "-") == 0)
+		return (NULL);
+
 	/* Otherwise, file is in $HOME. */
 	home = lgetenv("HOME");
 	if (home == NULL || *home == '\0')
@@ -1388,25 +1406,28 @@ histfile_name()
 #endif
 			return (NULL);
 	}
-	len = strlen(home) + strlen(LESSHISTFILE) + 2;
+	len = (int) (strlen(home) + strlen(LESSHISTFILE) + 2);
 	name = (char *) ecalloc(len, sizeof(char));
 	SNPRINTF2(name, len, "%s/%s", home, LESSHISTFILE);
 	return (name);
 }
-#endif /* CMD_HISTORY */
 
 /*
- * Initialize history from a .lesshist file.
+ * Read a .lesshst file and call a callback for each line in the file.
  */
-	public void
-init_cmdhist()
+	static void
+read_cmdhist2(action, uparam, skip_search, skip_shell)
+	void (*action)(void*,struct mlist*,char*);
+	void *uparam;
+	int skip_search;
+	int skip_shell;
 {
-#if CMD_HISTORY
 	struct mlist *ml = NULL;
 	char line[CMDBUF_SIZE];
 	char *filename;
 	FILE *f;
 	char *p;
+	int *skip = NULL;
 
 	filename = histfile_name();
 	if (filename == NULL)
@@ -1432,84 +1453,170 @@ init_cmdhist()
 			}
 		}
 		if (strcmp(line, HISTFILE_SEARCH_SECTION) == 0)
+		{
 			ml = &mlist_search;
-		else if (strcmp(line, HISTFILE_SHELL_SECTION) == 0)
+			skip = &skip_search;
+		} else if (strcmp(line, HISTFILE_SHELL_SECTION) == 0)
 		{
 #if SHELL_ESCAPE || PIPEC
 			ml = &mlist_shell;
+			skip = &skip_shell;
 #else
 			ml = NULL;
+			skip = NULL;
 #endif
 		} else if (*line == '"')
 		{
 			if (ml != NULL)
-				cmd_addhist(ml, line+1);
+			{
+				if (skip != NULL && *skip > 0)
+					--(*skip);
+				else
+					(*action)(uparam, ml, line+1);
+			}
 		}
 	}
 	fclose(f);
+}
+
+	static void
+read_cmdhist(action, uparam, skip_search, skip_shell)
+	void (*action)(void*,struct mlist*,char*);
+	void *uparam;
+	int skip_search;
+	int skip_shell;
+{
+	read_cmdhist2(action, uparam, skip_search, skip_shell);
+	(*action)(uparam, NULL, NULL); /* signal end of file */
+}
+
+	static void
+addhist_init(void *uparam, struct mlist *ml, char *string)
+{
+	if (ml == NULL || string == NULL)
+		return;
+	cmd_addhist(ml, string, 0);
+}
+#endif /* CMD_HISTORY */
+
+/*
+ * Initialize history from a .lesshist file.
+ */
+	public void
+init_cmdhist()
+{
+#if CMD_HISTORY
+	read_cmdhist(&addhist_init, NULL, 0, 0);
 #endif /* CMD_HISTORY */
 }
 
 /*
- *
+ * Write the header for a section of the history file.
  */
 #if CMD_HISTORY
 	static void
-save_mlist(ml, f)
+write_mlist_header(ml, f)
 	struct mlist *ml;
 	FILE *f;
 {
-	int histsize = 0;
-	int n;
-	char *s;
-
-	s = lgetenv("LESSHISTSIZE");
-	if (s != NULL)
-		histsize = atoi(s);
-	if (histsize == 0)
-		histsize = 100;
+	if (ml == &mlist_search)
+		fprintf(f, "%s\n", HISTFILE_SEARCH_SECTION);
+#if SHELL_ESCAPE || PIPEC
+	else if (ml == &mlist_shell)
+		fprintf(f, "%s\n", HISTFILE_SHELL_SECTION);
+#endif
+}
 
-	ml = ml->prev;
-	for (n = 0;  n < histsize;  n++)
-	{
-		if (ml->string == NULL)
-			break;
-		ml = ml->prev;
-	}
+/*
+ * Write all modified entries in an mlist to the history file.
+ */
+	static void
+write_mlist(ml, f)
+	struct mlist *ml;
+	FILE *f;
+{
 	for (ml = ml->next;  ml->string != NULL;  ml = ml->next)
+	{
+		if (!ml->modified)
+			continue;
 		fprintf(f, "\"%s\n", ml->string);
+		ml->modified = 0;
+	}
+	ml->modified = 0; /* entire mlist is now unmodified */
 }
-#endif /* CMD_HISTORY */
 
 /*
- *
+ * Make a temp name in the same directory as filename.
  */
-	public void
-save_cmdhist()
-{
-#if CMD_HISTORY
+	static char *
+make_tempname(filename)
 	char *filename;
-	FILE *f;
-	int modified = 0;
+{
+	char lastch;
+	char *tempname = ecalloc(1, strlen(filename)+1);
+	strcpy(tempname, filename);
+	lastch = tempname[strlen(tempname)-1];
+	tempname[strlen(tempname)-1] = (lastch == 'Q') ? 'Z' : 'Q';
+	return tempname;
+}
 
-	if (mlist_search.modified)
-		modified = 1;
+struct save_ctx
+{
+	struct mlist *mlist;
+	FILE *fout;
+};
+
+/*
+ * Copy entries from the saved history file to a new file.
+ * At the end of each mlist, append any new entries
+ * created during this session.
+ */
+	static void
+copy_hist(void *uparam, struct mlist *ml, char *string)
+{
+	struct save_ctx *ctx = (struct save_ctx *) uparam;
+
+	if (ml != ctx->mlist) {
+		/* We're changing mlists. */
+		if (ctx->mlist)
+			/* Append any new entries to the end of the current mlist. */
+			write_mlist(ctx->mlist, ctx->fout);
+		/* Write the header for the new mlist. */
+		ctx->mlist = ml;
+		write_mlist_header(ctx->mlist, ctx->fout);
+	}
+	if (string != NULL)
+	{
+		/* Copy the entry. */
+		fprintf(ctx->fout, "\"%s\n", string);
+	}
+	if (ml == NULL) /* End of file */
+	{
+		/* Write any sections that were not in the original file. */
+		if (mlist_search.modified)
+		{
+			write_mlist_header(&mlist_search, ctx->fout);
+			write_mlist(&mlist_search, ctx->fout);
+		}
 #if SHELL_ESCAPE || PIPEC
-	if (mlist_shell.modified)
-		modified = 1;
+		if (mlist_shell.modified)
+		{
+			write_mlist_header(&mlist_shell, ctx->fout);
+			write_mlist(&mlist_shell, ctx->fout);
+		}
 #endif
-	if (!modified)
-		return;
-	filename = histfile_name();
-	if (filename == NULL)
-		return;
-	f = fopen(filename, "w");
-	free(filename);
-	if (f == NULL)
-		return;
-#if HAVE_FCHMOD
+	}
+}
+#endif /* CMD_HISTORY */
+
+/*
+ * Make a file readable only by its owner.
+ */
+	static void
+make_file_private(f)
+	FILE *f;
 {
-	/* Make history file readable only by owner. */
+#if HAVE_FCHMOD
 	int do_chmod = 1;
 #if HAVE_STAT
 	struct stat statbuf;
@@ -1520,19 +1627,74 @@ save_cmdhist()
 #endif
 	if (do_chmod)
 		fchmod(fileno(f), 0600);
-}
 #endif
+}
 
-	fprintf(f, "%s\n", HISTFILE_FIRST_LINE);
+/*
+ * Does the history file need to be updated?
+ */
+	static int
+histfile_modified()
+{
+	if (mlist_search.modified)
+		return 1;
+#if SHELL_ESCAPE || PIPEC
+	if (mlist_shell.modified)
+		return 1;
+#endif
+	return 0;
+}
 
-	fprintf(f, "%s\n", HISTFILE_SEARCH_SECTION);
-	save_mlist(&mlist_search, f);
+/*
+ * Update the .lesshst file.
+ */
+	public void
+save_cmdhist()
+{
+#if CMD_HISTORY
+	char *histname;
+	char *tempname;
+	int skip_search;
+	int skip_shell;
+	struct save_ctx ctx;
+	char *s;
+	FILE *fout = NULL;
+	int histsize = 0;
 
+	if (!histfile_modified())
+		return;
+	histname = histfile_name();
+	if (histname == NULL)
+		return;
+	tempname = make_tempname(histname);
+	fout = fopen(tempname, "w");
+	if (fout != NULL)
+	{
+		make_file_private(fout);
+		s = lgetenv("LESSHISTSIZE");
+		if (s != NULL)
+			histsize = atoi(s);
+		if (histsize <= 0)
+			histsize = 100;
+		skip_search = mlist_size(&mlist_search) - histsize;
 #if SHELL_ESCAPE || PIPEC
-	fprintf(f, "%s\n", HISTFILE_SHELL_SECTION);
-	save_mlist(&mlist_shell, f);
+		skip_shell = mlist_size(&mlist_shell) - histsize;
 #endif
-
-	fclose(f);
+		fprintf(fout, "%s\n", HISTFILE_FIRST_LINE);
+		ctx.fout = fout;
+		ctx.mlist = NULL;
+		read_cmdhist(copy_hist, &ctx, skip_search, skip_shell);
+		fclose(fout);
+#if MSDOS_COMPILER==WIN32C
+		/*
+		 * Windows rename doesn't remove an existing file,
+		 * making it useless for atomic operations. Sigh.
+		 */
+		remove(histname);
+#endif
+		rename(tempname, histname);
+	}
+	free(tempname);
+	free(histname);
 #endif /* CMD_HISTORY */
 }
diff --git a/contrib/less/command.c b/contrib/less/command.c
index 5cbab00..ddcddd4 100644
--- a/contrib/less/command.c
+++ b/contrib/less/command.c
@@ -1,6 +1,6 @@
 /* $FreeBSD$ */
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -35,6 +35,7 @@ extern int top_scroll;
 extern int ignore_eoi;
 extern int secure;
 extern int hshift;
+extern int bs_mode;
 extern int show_attn;
 extern int less_is_more;
 extern POSITION highest_hilite;
@@ -56,6 +57,7 @@ extern int screen_trashed;	/* The screen has been overwritten */
 extern int shift_count;
 extern int oldbot;
 extern int forw_prompt;
+extern int same_pos_bell;
 
 #if SHELL_ESCAPE
 static char *shellcmd = NULL;	/* For holding last shell command for "!!" */
@@ -70,6 +72,7 @@ static int optflag;
 static int optgetname;
 static POSITION bottompos;
 static int save_hshift;
+static int save_bs_mode;
 #if PIPEC
 static char pipec;
 #endif
@@ -77,9 +80,9 @@ static char pipec;
 struct ungot {
 	struct ungot *ug_next;
 	char ug_char;
+	char ug_end_command;
 };
 static struct ungot* ungot = NULL;
-static int unget_end = 0;
 
 static void multi_search();
 
@@ -160,6 +163,7 @@ mca_search()
 		cmd_putstr("/");
 	else
 		cmd_putstr("?");
+	forw_prompt = 0;
 	set_mlist(ml_search, 0);
 }
 
@@ -194,6 +198,7 @@ mca_opt_toggle()
 		cmd_putstr("!");
 		break;
 	}
+	forw_prompt = 0;
 	set_mlist(NULL, 0);
 }
 
@@ -212,7 +217,7 @@ exec_mca()
 	{
 	case A_F_SEARCH:
 	case A_B_SEARCH:
-		multi_search(cbuf, (int) number);
+		multi_search(cbuf, (int) number, 0);
 		break;
 #if HILITE_SEARCH
 	case A_FILTER:
@@ -688,7 +693,7 @@ prompt()
 {
 	register constant char *p;
 
-	if (ungot != NULL)
+	if (ungot != NULL && !ungot->ug_end_command)
 	{
 		/*
 		 * No prompt necessary if commands are from 
@@ -778,40 +783,6 @@ dispversion()
 	public int
 getcc()
 {
-	if (unget_end) 
-	{
-		/*
-		 * We have just run out of ungotten chars.
-		 */
-		unget_end = 0;
-		if (len_cmdbuf() == 0 || !empty_screen())
-			return (getchr());
-		/*
-		 * Command is incomplete, so try to complete it.
-		 */
-		switch (mca)
-		{
-		case A_DIGIT:
-			/*
-			 * We have a number but no command.  Treat as #g.
-			 */
-			return ('g');
-
-		case A_F_SEARCH:
-		case A_B_SEARCH:
-			/*
-			 * We have "/string" but no newline.  Add the \n.
-			 */
-			return ('\n'); 
-
-		default:
-			/*
-			 * Some other incomplete command.  Let user complete it.
-			 */
-			return (getchr());
-		}
-	}
-
 	if (ungot == NULL)
 	{
 		/*
@@ -826,9 +797,36 @@ getcc()
 	{
 		struct ungot *ug = ungot;
 		char c = ug->ug_char;
+		int end_command = ug->ug_end_command;
 		ungot = ug->ug_next;
 		free(ug);
-		unget_end = (ungot == NULL);
+		if (end_command)
+		{
+			/*
+			 * Command is incomplete, so try to complete it.
+			 */
+			switch (mca)
+			{
+			case A_DIGIT:
+				/*
+				 * We have a number but no command.  Treat as #g.
+				 */
+				return ('g');
+
+			case A_F_SEARCH:
+			case A_B_SEARCH:
+				/*
+				 * We have "/string" but no newline.  Add the \n.
+				 */
+				return ('\n'); 
+
+			default:
+				/*
+				 * Some other incomplete command.  Let user complete it.
+				 */
+				return (getchr());
+			}
+		}
 		return (c);
 	}
 }
@@ -843,10 +841,10 @@ ungetcc(c)
 {
 	struct ungot *ug = (struct ungot *) ecalloc(1, sizeof(struct ungot));
 
-	ug->ug_char = c;
+	ug->ug_char = (char) c;
+	ug->ug_end_command = (c == CHAR_END_COMMAND);
 	ug->ug_next = ungot;
 	ungot = ug;
-	unget_end = 0;
 }
 
 /*
@@ -869,9 +867,10 @@ ungetsc(s)
  * If SRCH_PAST_EOF is set, continue the search thru multiple files.
  */
 	static void
-multi_search(pattern, n)
+multi_search(pattern, n, silent)
 	char *pattern;
 	int n;
+	int silent;
 {
 	register int nomore;
 	IFILE save_ifile;
@@ -946,7 +945,7 @@ multi_search(pattern, n)
 	 * Didn't find it.
 	 * Print an error message if we haven't already.
 	 */
-	if (n > 0)
+	if (n > 0 && !silent)
 		error("Pattern not found", NULL_PARG);
 
 	if (changed_file)
@@ -974,7 +973,7 @@ forw_loop(until_hilite)
 		return (A_NOACTION);
 
 	cmd_exec();
-	jump_forw();
+	jump_forw_buffered();
 	curr_len = ch_length();
 	highest_hilite = until_hilite ? curr_len : NULL_POSITION;
 	ignore_eoi = 1;
@@ -1019,7 +1018,6 @@ commands()
 	IFILE old_ifile;
 	IFILE new_ifile;
 	char *tagfile;
-	int until_hilite = 0;
 
 	search_type = SRCH_FORW;
 	wscroll = (sc_height + 1) / 2;
@@ -1247,6 +1245,8 @@ commands()
 			/*
 			 * Forward forever, ignoring EOF.
 			 */
+			if (show_attn)
+				set_attnpos(bottompos);
 			newaction = forw_loop(0);
 			break;
 
@@ -1332,6 +1332,17 @@ commands()
 				jump_back(number);
 			break;
 
+		case A_GOEND_BUF:
+			/*
+			 * Go to line N, default last buffered byte.
+			 */
+			cmd_exec();
+			if (number <= 0)
+				jump_forw_buffered();
+			else
+				jump_back(number);
+			break;
+
 		case A_GOPOS:
 			/*
 			 * Go to a specified byte position in the file.
@@ -1374,6 +1385,7 @@ commands()
 				 * previous file.
 				 */
 				hshift = save_hshift;
+				bs_mode = save_bs_mode;
 				if (edit_prev(1) == 0)
 					break;
 			}
@@ -1389,7 +1401,7 @@ commands()
 			if (number <= 0) number = 1;	\
 			mca_search();			\
 			cmd_exec();			\
-			multi_search((char *)NULL, (int) number);
+			multi_search((char *)NULL, (int) number, 0);
 
 
 		case A_F_SEARCH:
@@ -1477,6 +1489,8 @@ commands()
 			cmd_exec();
 			save_hshift = hshift;
 			hshift = 0;
+			save_bs_mode = bs_mode;
+			bs_mode = BS_SPECIAL;
 			(void) edit(FAKE_HELPFILE);
 			break;
 
diff --git a/contrib/less/compose.uni b/contrib/less/compose.uni
new file mode 100644
index 0000000..b814ce9
--- /dev/null
+++ b/contrib/less/compose.uni
@@ -0,0 +1,261 @@
+/* Generated by "./mkutable -f2 Mn Me -- unicode/UnicodeData.txt" on Mon Jul 14 16:21:21 PDT 2014 */
+	{ 0x0300, 0x036f }, /* Mn */
+	{ 0x0483, 0x0487 }, /* Mn */
+	{ 0x0488, 0x0489 }, /* Me */
+	{ 0x0591, 0x05bd }, /* Mn */
+	{ 0x05bf, 0x05bf }, /* Mn */
+	{ 0x05c1, 0x05c2 }, /* Mn */
+	{ 0x05c4, 0x05c5 }, /* Mn */
+	{ 0x05c7, 0x05c7 }, /* Mn */
+	{ 0x0610, 0x061a }, /* Mn */
+	{ 0x064b, 0x065f }, /* Mn */
+	{ 0x0670, 0x0670 }, /* Mn */
+	{ 0x06d6, 0x06dc }, /* Mn */
+	{ 0x06df, 0x06e4 }, /* Mn */
+	{ 0x06e7, 0x06e8 }, /* Mn */
+	{ 0x06ea, 0x06ed }, /* Mn */
+	{ 0x0711, 0x0711 }, /* Mn */
+	{ 0x0730, 0x074a }, /* Mn */
+	{ 0x07a6, 0x07b0 }, /* Mn */
+	{ 0x07eb, 0x07f3 }, /* Mn */
+	{ 0x0816, 0x0819 }, /* Mn */
+	{ 0x081b, 0x0823 }, /* Mn */
+	{ 0x0825, 0x0827 }, /* Mn */
+	{ 0x0829, 0x082d }, /* Mn */
+	{ 0x0859, 0x085b }, /* Mn */
+	{ 0x08e4, 0x0902 }, /* Mn */
+	{ 0x093a, 0x093a }, /* Mn */
+	{ 0x093c, 0x093c }, /* Mn */
+	{ 0x0941, 0x0948 }, /* Mn */
+	{ 0x094d, 0x094d }, /* Mn */
+	{ 0x0951, 0x0957 }, /* Mn */
+	{ 0x0962, 0x0963 }, /* Mn */
+	{ 0x0981, 0x0981 }, /* Mn */
+	{ 0x09bc, 0x09bc }, /* Mn */
+	{ 0x09c1, 0x09c4 }, /* Mn */
+	{ 0x09cd, 0x09cd }, /* Mn */
+	{ 0x09e2, 0x09e3 }, /* Mn */
+	{ 0x0a01, 0x0a02 }, /* Mn */
+	{ 0x0a3c, 0x0a3c }, /* Mn */
+	{ 0x0a41, 0x0a42 }, /* Mn */
+	{ 0x0a47, 0x0a48 }, /* Mn */
+	{ 0x0a4b, 0x0a4d }, /* Mn */
+	{ 0x0a51, 0x0a51 }, /* Mn */
+	{ 0x0a70, 0x0a71 }, /* Mn */
+	{ 0x0a75, 0x0a75 }, /* Mn */
+	{ 0x0a81, 0x0a82 }, /* Mn */
+	{ 0x0abc, 0x0abc }, /* Mn */
+	{ 0x0ac1, 0x0ac5 }, /* Mn */
+	{ 0x0ac7, 0x0ac8 }, /* Mn */
+	{ 0x0acd, 0x0acd }, /* Mn */
+	{ 0x0ae2, 0x0ae3 }, /* Mn */
+	{ 0x0b01, 0x0b01 }, /* Mn */
+	{ 0x0b3c, 0x0b3c }, /* Mn */
+	{ 0x0b3f, 0x0b3f }, /* Mn */
+	{ 0x0b41, 0x0b44 }, /* Mn */
+	{ 0x0b4d, 0x0b4d }, /* Mn */
+	{ 0x0b56, 0x0b56 }, /* Mn */
+	{ 0x0b62, 0x0b63 }, /* Mn */
+	{ 0x0b82, 0x0b82 }, /* Mn */
+	{ 0x0bc0, 0x0bc0 }, /* Mn */
+	{ 0x0bcd, 0x0bcd }, /* Mn */
+	{ 0x0c00, 0x0c00 }, /* Mn */
+	{ 0x0c3e, 0x0c40 }, /* Mn */
+	{ 0x0c46, 0x0c48 }, /* Mn */
+	{ 0x0c4a, 0x0c4d }, /* Mn */
+	{ 0x0c55, 0x0c56 }, /* Mn */
+	{ 0x0c62, 0x0c63 }, /* Mn */
+	{ 0x0c81, 0x0c81 }, /* Mn */
+	{ 0x0cbc, 0x0cbc }, /* Mn */
+	{ 0x0cbf, 0x0cbf }, /* Mn */
+	{ 0x0cc6, 0x0cc6 }, /* Mn */
+	{ 0x0ccc, 0x0ccd }, /* Mn */
+	{ 0x0ce2, 0x0ce3 }, /* Mn */
+	{ 0x0d01, 0x0d01 }, /* Mn */
+	{ 0x0d41, 0x0d44 }, /* Mn */
+	{ 0x0d4d, 0x0d4d }, /* Mn */
+	{ 0x0d62, 0x0d63 }, /* Mn */
+	{ 0x0dca, 0x0dca }, /* Mn */
+	{ 0x0dd2, 0x0dd4 }, /* Mn */
+	{ 0x0dd6, 0x0dd6 }, /* Mn */
+	{ 0x0e31, 0x0e31 }, /* Mn */
+	{ 0x0e34, 0x0e3a }, /* Mn */
+	{ 0x0e47, 0x0e4e }, /* Mn */
+	{ 0x0eb1, 0x0eb1 }, /* Mn */
+	{ 0x0eb4, 0x0eb9 }, /* Mn */
+	{ 0x0ebb, 0x0ebc }, /* Mn */
+	{ 0x0ec8, 0x0ecd }, /* Mn */
+	{ 0x0f18, 0x0f19 }, /* Mn */
+	{ 0x0f35, 0x0f35 }, /* Mn */
+	{ 0x0f37, 0x0f37 }, /* Mn */
+	{ 0x0f39, 0x0f39 }, /* Mn */
+	{ 0x0f71, 0x0f7e }, /* Mn */
+	{ 0x0f80, 0x0f84 }, /* Mn */
+	{ 0x0f86, 0x0f87 }, /* Mn */
+	{ 0x0f8d, 0x0f97 }, /* Mn */
+	{ 0x0f99, 0x0fbc }, /* Mn */
+	{ 0x0fc6, 0x0fc6 }, /* Mn */
+	{ 0x102d, 0x1030 }, /* Mn */
+	{ 0x1032, 0x1037 }, /* Mn */
+	{ 0x1039, 0x103a }, /* Mn */
+	{ 0x103d, 0x103e }, /* Mn */
+	{ 0x1058, 0x1059 }, /* Mn */
+	{ 0x105e, 0x1060 }, /* Mn */
+	{ 0x1071, 0x1074 }, /* Mn */
+	{ 0x1082, 0x1082 }, /* Mn */
+	{ 0x1085, 0x1086 }, /* Mn */
+	{ 0x108d, 0x108d }, /* Mn */
+	{ 0x109d, 0x109d }, /* Mn */
+	{ 0x135d, 0x135f }, /* Mn */
+	{ 0x1712, 0x1714 }, /* Mn */
+	{ 0x1732, 0x1734 }, /* Mn */
+	{ 0x1752, 0x1753 }, /* Mn */
+	{ 0x1772, 0x1773 }, /* Mn */
+	{ 0x17b4, 0x17b5 }, /* Mn */
+	{ 0x17b7, 0x17bd }, /* Mn */
+	{ 0x17c6, 0x17c6 }, /* Mn */
+	{ 0x17c9, 0x17d3 }, /* Mn */
+	{ 0x17dd, 0x17dd }, /* Mn */
+	{ 0x180b, 0x180d }, /* Mn */
+	{ 0x18a9, 0x18a9 }, /* Mn */
+	{ 0x1920, 0x1922 }, /* Mn */
+	{ 0x1927, 0x1928 }, /* Mn */
+	{ 0x1932, 0x1932 }, /* Mn */
+	{ 0x1939, 0x193b }, /* Mn */
+	{ 0x1a17, 0x1a18 }, /* Mn */
+	{ 0x1a1b, 0x1a1b }, /* Mn */
+	{ 0x1a56, 0x1a56 }, /* Mn */
+	{ 0x1a58, 0x1a5e }, /* Mn */
+	{ 0x1a60, 0x1a60 }, /* Mn */
+	{ 0x1a62, 0x1a62 }, /* Mn */
+	{ 0x1a65, 0x1a6c }, /* Mn */
+	{ 0x1a73, 0x1a7c }, /* Mn */
+	{ 0x1a7f, 0x1a7f }, /* Mn */
+	{ 0x1ab0, 0x1abd }, /* Mn */
+	{ 0x1abe, 0x1abe }, /* Me */
+	{ 0x1b00, 0x1b03 }, /* Mn */
+	{ 0x1b34, 0x1b34 }, /* Mn */
+	{ 0x1b36, 0x1b3a }, /* Mn */
+	{ 0x1b3c, 0x1b3c }, /* Mn */
+	{ 0x1b42, 0x1b42 }, /* Mn */
+	{ 0x1b6b, 0x1b73 }, /* Mn */
+	{ 0x1b80, 0x1b81 }, /* Mn */
+	{ 0x1ba2, 0x1ba5 }, /* Mn */
+	{ 0x1ba8, 0x1ba9 }, /* Mn */
+	{ 0x1bab, 0x1bad }, /* Mn */
+	{ 0x1be6, 0x1be6 }, /* Mn */
+	{ 0x1be8, 0x1be9 }, /* Mn */
+	{ 0x1bed, 0x1bed }, /* Mn */
+	{ 0x1bef, 0x1bf1 }, /* Mn */
+	{ 0x1c2c, 0x1c33 }, /* Mn */
+	{ 0x1c36, 0x1c37 }, /* Mn */
+	{ 0x1cd0, 0x1cd2 }, /* Mn */
+	{ 0x1cd4, 0x1ce0 }, /* Mn */
+	{ 0x1ce2, 0x1ce8 }, /* Mn */
+	{ 0x1ced, 0x1ced }, /* Mn */
+	{ 0x1cf4, 0x1cf4 }, /* Mn */
+	{ 0x1cf8, 0x1cf9 }, /* Mn */
+	{ 0x1dc0, 0x1df5 }, /* Mn */
+	{ 0x1dfc, 0x1dff }, /* Mn */
+	{ 0x20d0, 0x20dc }, /* Mn */
+	{ 0x20dd, 0x20e0 }, /* Me */
+	{ 0x20e1, 0x20e1 }, /* Mn */
+	{ 0x20e2, 0x20e4 }, /* Me */
+	{ 0x20e5, 0x20f0 }, /* Mn */
+	{ 0x2cef, 0x2cf1 }, /* Mn */
+	{ 0x2d7f, 0x2d7f }, /* Mn */
+	{ 0x2de0, 0x2dff }, /* Mn */
+	{ 0x302a, 0x302d }, /* Mn */
+	{ 0x3099, 0x309a }, /* Mn */
+	{ 0xa66f, 0xa66f }, /* Mn */
+	{ 0xa670, 0xa672 }, /* Me */
+	{ 0xa674, 0xa67d }, /* Mn */
+	{ 0xa69f, 0xa69f }, /* Mn */
+	{ 0xa6f0, 0xa6f1 }, /* Mn */
+	{ 0xa802, 0xa802 }, /* Mn */
+	{ 0xa806, 0xa806 }, /* Mn */
+	{ 0xa80b, 0xa80b }, /* Mn */
+	{ 0xa825, 0xa826 }, /* Mn */
+	{ 0xa8c4, 0xa8c4 }, /* Mn */
+	{ 0xa8e0, 0xa8f1 }, /* Mn */
+	{ 0xa926, 0xa92d }, /* Mn */
+	{ 0xa947, 0xa951 }, /* Mn */
+	{ 0xa980, 0xa982 }, /* Mn */
+	{ 0xa9b3, 0xa9b3 }, /* Mn */
+	{ 0xa9b6, 0xa9b9 }, /* Mn */
+	{ 0xa9bc, 0xa9bc }, /* Mn */
+	{ 0xa9e5, 0xa9e5 }, /* Mn */
+	{ 0xaa29, 0xaa2e }, /* Mn */
+	{ 0xaa31, 0xaa32 }, /* Mn */
+	{ 0xaa35, 0xaa36 }, /* Mn */
+	{ 0xaa43, 0xaa43 }, /* Mn */
+	{ 0xaa4c, 0xaa4c }, /* Mn */
+	{ 0xaa7c, 0xaa7c }, /* Mn */
+	{ 0xaab0, 0xaab0 }, /* Mn */
+	{ 0xaab2, 0xaab4 }, /* Mn */
+	{ 0xaab7, 0xaab8 }, /* Mn */
+	{ 0xaabe, 0xaabf }, /* Mn */
+	{ 0xaac1, 0xaac1 }, /* Mn */
+	{ 0xaaec, 0xaaed }, /* Mn */
+	{ 0xaaf6, 0xaaf6 }, /* Mn */
+	{ 0xabe5, 0xabe5 }, /* Mn */
+	{ 0xabe8, 0xabe8 }, /* Mn */
+	{ 0xabed, 0xabed }, /* Mn */
+	{ 0xfb1e, 0xfb1e }, /* Mn */
+	{ 0xfe00, 0xfe0f }, /* Mn */
+	{ 0xfe20, 0xfe2d }, /* Mn */
+	{ 0x101fd, 0x101fd }, /* Mn */
+	{ 0x102e0, 0x102e0 }, /* Mn */
+	{ 0x10376, 0x1037a }, /* Mn */
+	{ 0x10a01, 0x10a03 }, /* Mn */
+	{ 0x10a05, 0x10a06 }, /* Mn */
+	{ 0x10a0c, 0x10a0f }, /* Mn */
+	{ 0x10a38, 0x10a3a }, /* Mn */
+	{ 0x10a3f, 0x10a3f }, /* Mn */
+	{ 0x10ae5, 0x10ae6 }, /* Mn */
+	{ 0x11001, 0x11001 }, /* Mn */
+	{ 0x11038, 0x11046 }, /* Mn */
+	{ 0x1107f, 0x11081 }, /* Mn */
+	{ 0x110b3, 0x110b6 }, /* Mn */
+	{ 0x110b9, 0x110ba }, /* Mn */
+	{ 0x11100, 0x11102 }, /* Mn */
+	{ 0x11127, 0x1112b }, /* Mn */
+	{ 0x1112d, 0x11134 }, /* Mn */
+	{ 0x11173, 0x11173 }, /* Mn */
+	{ 0x11180, 0x11181 }, /* Mn */
+	{ 0x111b6, 0x111be }, /* Mn */
+	{ 0x1122f, 0x11231 }, /* Mn */
+	{ 0x11234, 0x11234 }, /* Mn */
+	{ 0x11236, 0x11237 }, /* Mn */
+	{ 0x112df, 0x112df }, /* Mn */
+	{ 0x112e3, 0x112ea }, /* Mn */
+	{ 0x11301, 0x11301 }, /* Mn */
+	{ 0x1133c, 0x1133c }, /* Mn */
+	{ 0x11340, 0x11340 }, /* Mn */
+	{ 0x11366, 0x1136c }, /* Mn */
+	{ 0x11370, 0x11374 }, /* Mn */
+	{ 0x114b3, 0x114b8 }, /* Mn */
+	{ 0x114ba, 0x114ba }, /* Mn */
+	{ 0x114bf, 0x114c0 }, /* Mn */
+	{ 0x114c2, 0x114c3 }, /* Mn */
+	{ 0x115b2, 0x115b5 }, /* Mn */
+	{ 0x115bc, 0x115bd }, /* Mn */
+	{ 0x115bf, 0x115c0 }, /* Mn */
+	{ 0x11633, 0x1163a }, /* Mn */
+	{ 0x1163d, 0x1163d }, /* Mn */
+	{ 0x1163f, 0x11640 }, /* Mn */
+	{ 0x116ab, 0x116ab }, /* Mn */
+	{ 0x116ad, 0x116ad }, /* Mn */
+	{ 0x116b0, 0x116b5 }, /* Mn */
+	{ 0x116b7, 0x116b7 }, /* Mn */
+	{ 0x16af0, 0x16af4 }, /* Mn */
+	{ 0x16b30, 0x16b36 }, /* Mn */
+	{ 0x16f8f, 0x16f92 }, /* Mn */
+	{ 0x1bc9d, 0x1bc9e }, /* Mn */
+	{ 0x1d167, 0x1d169 }, /* Mn */
+	{ 0x1d17b, 0x1d182 }, /* Mn */
+	{ 0x1d185, 0x1d18b }, /* Mn */
+	{ 0x1d1aa, 0x1d1ad }, /* Mn */
+	{ 0x1d242, 0x1d244 }, /* Mn */
+	{ 0x1e8d0, 0x1e8d6 }, /* Mn */
+	{ 0xe0100, 0xe01ef }, /* Mn */
diff --git a/contrib/less/cvt.c b/contrib/less/cvt.c
index c3b3e6e..d983641 100644
--- a/contrib/less/cvt.c
+++ b/contrib/less/cvt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -75,8 +75,8 @@ cvt_text(odst, osrc, chpos, lenp, ops)
 
 	for (src = osrc, dst = odst;  src < src_end;  )
 	{
-		int src_pos = src - osrc;
-		int dst_pos = dst - odst;
+		int src_pos = (int) (src - osrc);
+		int dst_pos = (int) (dst - odst);
 		ch = step_char(&src, +1, src_end);
 		if ((ops & CVT_BS) && ch == '\b' && dst > odst)
 		{
@@ -109,6 +109,6 @@ cvt_text(odst, osrc, chpos, lenp, ops)
 		edst--;
 	*edst = '\0';
 	if (lenp != NULL)
-		*lenp = edst - odst;
+		*lenp = (int) (edst - odst);
 	/* FIXME: why was this here?  if (chpos != NULL) chpos[dst - odst] = src - osrc; */
 }
diff --git a/contrib/less/decode.c b/contrib/less/decode.c
index 6d0312d..1cd1599 100644
--- a/contrib/less/decode.c
+++ b/contrib/less/decode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -105,6 +105,7 @@ static unsigned char cmdtable[] =
 	ESC,CONTROL('F'),0,		A_F_BRACKET,
 	ESC,CONTROL('B'),0,		A_B_BRACKET,
 	'G',0,				A_GOEND,
+	ESC,'G',0,			A_GOEND_BUF,
 	ESC,'>',0,			A_GOEND,
 	'>',0,				A_GOEND,
 	SK(SK_END),0,			A_GOEND,
diff --git a/contrib/less/edit.c b/contrib/less/edit.c
index 5f4e679..2a35ade 100644
--- a/contrib/less/edit.c
+++ b/contrib/less/edit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -64,7 +64,7 @@ init_textlist(tlist, str)
 	int meta_quoted = 0;
 	int delim_quoted = 0;
 	char *esc = get_meta_escape();
-	int esclen = strlen(esc);
+	int esclen = (int) strlen(esc);
 #endif
 	
 	tlist->string = skipsp(str);
@@ -411,7 +411,10 @@ edit_ifile(ifile)
 		}
 #endif
 		if (every_first_cmd != NULL)
+		{
+			ungetcc(CHAR_END_COMMAND);
 			ungetsc(every_first_cmd);
+		}
 	}
 
 	free(qopen_filename);
@@ -433,7 +436,8 @@ edit_ifile(ifile)
 #if HILITE_SEARCH
 		clr_hilite();
 #endif
-		cmd_addhist(ml_examine, filename);
+		if (strcmp(filename, FAKE_HELPFILE) && strcmp(filename, FAKE_EMPTYFILE))
+			cmd_addhist(ml_examine, filename, 1);
 		if (no_display && errmsgs > 0)
 		{
 			/*
@@ -745,7 +749,8 @@ use_logfile(filename)
 	 */
 	filename = shell_unquote(filename);
 	exists = open(filename, OPEN_READ);
-	close(exists);
+	if (exists >= 0)
+		close(exists);
 	exists = (exists >= 0);
 
 	/*
diff --git a/contrib/less/filename.c b/contrib/less/filename.c
index 14e85e3..9631f1c 100644
--- a/contrib/less/filename.c
+++ b/contrib/less/filename.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -86,7 +86,7 @@ shell_unquote(str)
 	} else
 	{
 		char *esc = get_meta_escape();
-		int esclen = strlen(esc);
+		int esclen = (int) strlen(esc);
 		while (*str != '\0')
 		{
 			if (esclen > 0 && strncmp(str, esc, esclen) == 0)
@@ -150,7 +150,7 @@ shell_quote(s)
 	char *newstr;
 	int len;
 	char *esc = get_meta_escape();
-	int esclen = strlen(esc);
+	int esclen = (int) strlen(esc);
 	int use_quotes = 0;
 	int have_quotes = 0;
 
@@ -188,7 +188,7 @@ shell_quote(s)
 			 * We can't quote a string that contains quotes.
 			 */
 			return (NULL);
-		len = strlen(s) + 3;
+		len = (int) strlen(s) + 3;
 	}
 	/*
 	 * Allocate and construct the new string.
@@ -235,7 +235,7 @@ dirfile(dirname, filename)
 	/*
 	 * Construct the full pathname.
 	 */
-	len= strlen(dirname) + strlen(filename) + 2;
+	len = (int) (strlen(dirname) + strlen(filename) + 2);
 	pathname = (char *) calloc(len, sizeof(char));
 	if (pathname == NULL)
 		return (NULL);
@@ -350,7 +350,7 @@ fexpand(s)
 				if (ifile == NULL_IFILE)
 					n++;
 				else
-					n += strlen(get_filename(ifile));
+					n += (int) strlen(get_filename(ifile));
 			}
 			/*
 			 * Else it is the first char in a string of
@@ -432,7 +432,7 @@ fcomplete(s)
 		for (slash = s+strlen(s)-1;  slash > s;  slash--)
 			if (*slash == *PATHNAME_SEP || *slash == '/')
 				break;
-		len = strlen(s) + 4;
+		len = (int) strlen(s) + 4;
 		fpat = (char *) ecalloc(len, sizeof(char));
 		if (strchr(slash, '.') == NULL)
 			SNPRINTF1(fpat, len, "%s*.*", s);
@@ -441,7 +441,7 @@ fcomplete(s)
 	}
 #else
 	{
-	int len = strlen(s) + 2;
+	int len = (int) strlen(s) + 2;
 	fpat = (char *) ecalloc(len, sizeof(char));
 	SNPRINTF1(fpat, len, "%s*", s);
 	}
@@ -481,17 +481,25 @@ bin_file(f)
 	if (lseek(f, (off_t)0, SEEK_SET) == BAD_LSEEK)
 		return (0);
 	n = read(f, data, sizeof(data));
-	pend = &data[n];
-	for (p = data;  p < pend;  )
+	if (n <= 0)
+		return (0);
+	if (utf_mode)
+	{
+		bin_count = utf_bin_count(data, n);
+	} else
 	{
-		LWCHAR c = step_char(&p, +1, pend);
-		if (ctldisp == OPT_ONPLUS && IS_CSI_START(c))
+		pend = &data[n];
+		for (p = data;  p < pend;  )
 		{
-			do {
-				c = step_char(&p, +1, pend);
-			} while (p < pend && is_ansi_middle(c));
-		} else if (binary_char(c))
-			bin_count++;
+			LWCHAR c = step_char(&p, +1, pend);
+			if (ctldisp == OPT_ONPLUS && IS_CSI_START(c))
+			{
+				do {
+					c = step_char(&p, +1, pend);
+				} while (p < pend && is_ansi_middle(c));
+			} else if (binary_char(c))
+				bin_count++;
+		}
 	}
 	/*
 	 * Call it a binary file if there are more than 5 binary characters
@@ -593,7 +601,7 @@ shellcmd(cmd)
 			fd = popen(cmd, "r");
 		} else
 		{
-			int len = strlen(shell) + strlen(esccmd) + 5;
+			int len = (int) (strlen(shell) + strlen(esccmd) + 5);
 			scmd = (char *) ecalloc(len, sizeof(char));
 			SNPRINTF3(scmd, len, "%s %s %s", shell, shell_coption(), esccmd);
 			free(esccmd);
@@ -701,14 +709,14 @@ lglob(filename)
 	gfilename = (char *) ecalloc(len, sizeof(char));
 	p = gfilename;
 	do {
-		n = strlen(drive) + strlen(dir) + strlen(fnd.GLOB_NAME) + 1;
+		n = (int) (strlen(drive) + strlen(dir) + strlen(fnd.GLOB_NAME) + 1);
 		pathname = (char *) ecalloc(n, sizeof(char));
 		SNPRINTF3(pathname, n, "%s%s%s", drive, dir, fnd.GLOB_NAME);
 		qpathname = shell_quote(pathname);
 		free(pathname);
 		if (qpathname != NULL)
 		{
-			n = strlen(qpathname);
+			n = (int) strlen(qpathname);
 			while (p - gfilename + n + 2 >= len)
 			{
 				/*
@@ -765,7 +773,7 @@ lglob(filename)
 	/*
 	 * Invoke lessecho, and read its output (a globbed list of filenames).
 	 */
-	len = strlen(lessecho) + strlen(ofilename) + (7*strlen(metachars())) + 24;
+	len = (int) (strlen(lessecho) + strlen(ofilename) + (7*strlen(metachars())) + 24);
 	cmd = (char *) ecalloc(len, sizeof(char));
 	SNPRINTF4(cmd, len, "%s -p0x%x -d0x%x -e%s ", lessecho, openquote, closequote, esc);
 	free(esc);
@@ -813,15 +821,20 @@ lglob(filename)
 num_pct_s(lessopen)
 	char *lessopen;
 {
-	int num;
+	int num = 0;
 
-	for (num = 0;; num++)
+	while (*lessopen != '\0')
 	{
-		lessopen = strchr(lessopen, '%');
-		if (lessopen == NULL)
-			break;
-		if (*++lessopen != 's')
-			return (999);
+		if (*lessopen == '%')
+		{
+			if (lessopen[1] == '%')
+				++lessopen;
+			else if (lessopen[1] == 's')
+				++num;
+			else
+				return (999);
+		}
+		++lessopen;
 	}
 	return (num);
 }
@@ -881,7 +894,7 @@ open_altfile(filename, pf, pfd)
 		return (NULL);
 	}
 
-	len = strlen(lessopen) + strlen(filename) + 2;
+	len = (int) (strlen(lessopen) + strlen(filename) + 2);
 	cmd = (char *) ecalloc(len, sizeof(char));
 	SNPRINTF1(cmd, len, lessopen, filename);
 	fd = shellcmd(cmd);
@@ -971,10 +984,10 @@ close_altfile(altfilename, filename, pipefd)
 	     	return;
 	if (num_pct_s(lessclose) > 2) 
 	{
-		error("Invalid LESSCLOSE variable");
+		error("Invalid LESSCLOSE variable", NULL_PARG);
 		return;
 	}
-	len = strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2;
+	len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
 	cmd = (char *) ecalloc(len, sizeof(char));
 	SNPRINTF2(cmd, len, lessclose, filename, altfilename);
 	fd = shellcmd(cmd);
diff --git a/contrib/less/forwback.c b/contrib/less/forwback.c
index 0166266..9626dc1 100644
--- a/contrib/less/forwback.c
+++ b/contrib/less/forwback.c
@@ -1,6 +1,6 @@
 /* $FreeBSD$ */
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -21,6 +21,7 @@ public int screen_trashed;
 public int squished;
 public int no_back_scroll = 0;
 public int forw_prompt;
+public int same_pos_bell = 1;
 
 extern int sigs;
 extern int top_scroll;
@@ -34,6 +35,11 @@ extern int ignore_eoi;
 extern int clear_bg;
 extern int final_attr;
 extern int oldbot;
+#if HILITE_SEARCH
+extern int size_linebuf;
+extern int hilite_search;
+extern int status_col;
+#endif
 #if TAGS
 extern char *tagoption;
 #endif
@@ -126,7 +132,6 @@ forw(n, pos, force, only_last, nblank)
 	int only_last;
 	int nblank;
 {
-	int eof = 0;
 	int nlines = 0;
 	int do_repaint;
 	static int first_time = 1;
@@ -145,6 +150,13 @@ forw(n, pos, force, only_last, nblank)
 	do_repaint = (only_last && n > sc_height-1) || 
 		(forw_scroll >= 0 && n > forw_scroll && n != sc_height-1);
 
+#if HILITE_SEARCH
+	if (hilite_search == OPT_ONPLUS || is_filtering() || status_col) {
+		prep_hilite(pos, pos + 4*size_linebuf, ignore_eoi ? 1 : -1);
+		pos = next_unfiltered(pos);
+	}
+#endif
+
 	if (!do_repaint)
 	{
 		if (top_scroll && n >= sc_height - 1 && pos != ch_length())
@@ -206,6 +218,9 @@ forw(n, pos, force, only_last, nblank)
 			 * Get the next line from the file.
 			 */
 			pos = forw_line(pos);
+#if HILITE_SEARCH
+			pos = next_unfiltered(pos);
+#endif
 			if (pos == NULL_POSITION)
 			{
 				/*
@@ -214,7 +229,6 @@ forw(n, pos, force, only_last, nblank)
 				 * Even if force is true, stop when the last
 				 * line in the file reaches the top of screen.
 				 */
-				eof = 1;
 				if (!force && position(TOP) != NULL_POSITION)
 					break;
 				if (!empty_lines(0, 0) && 
@@ -276,7 +290,7 @@ forw(n, pos, force, only_last, nblank)
 		forw_prompt = 1;
 	}
 
-	if (nlines == 0)
+	if (nlines == 0 && same_pos_bell)
 		eof_bell();
 	else if (do_repaint)
 		repaint();
@@ -299,11 +313,20 @@ back(n, pos, force, only_last)
 
 	squish_check();
 	do_repaint = (n > get_back_scroll() || (only_last && n > sc_height-1));
+#if HILITE_SEARCH
+	if (hilite_search == OPT_ONPLUS || is_filtering() || status_col) {
+		prep_hilite((pos < 3*size_linebuf) ?  0 : pos - 3*size_linebuf, pos, -1);
+	}
+#endif
 	while (--n >= 0)
 	{
 		/*
 		 * Get the previous line of input.
 		 */
+#if HILITE_SEARCH
+		pos = prev_unfiltered(pos);
+#endif
+
 		pos = back_line(pos);
 		if (pos == NULL_POSITION)
 		{
@@ -327,7 +350,7 @@ back(n, pos, force, only_last)
 		}
 	}
 
-	if (nlines == 0)
+	if (nlines == 0 && same_pos_bell)
 		eof_bell();
 	else if (do_repaint)
 		repaint();
diff --git a/contrib/less/funcs.h b/contrib/less/funcs.h
index 325ba0e..53550f0 100644
--- a/contrib/less/funcs.h
+++ b/contrib/less/funcs.h
@@ -38,6 +38,7 @@
 	public void sync_logfile ();
 	public int ch_seek ();
 	public int ch_end_seek ();
+	public int ch_end_buffer_seek ();
 	public int ch_beg_seek ();
 	public POSITION ch_length ();
 	public POSITION ch_tell ();
@@ -58,6 +59,7 @@
 	public char * prutfchar ();
 	public int utf_len ();
 	public int is_utf8_well_formed ();
+	public int utf_bin_count ();
 	public LWCHAR get_wchar ();
 	public void put_wchar ();
 	public LWCHAR step_char ();
@@ -158,6 +160,7 @@
 	public POSITION back_line ();
 	public void set_attnpos ();
 	public void jump_forw ();
+	public void jump_forw_buffered ();
 	public void jump_back ();
 	public void repaint ();
 	public void jump_percent ();
@@ -227,7 +230,7 @@
 	public struct loption * findopt_name ();
 	public int iread ();
 	public void intread ();
-	public long get_time ();
+	public time_type get_time ();
 	public char * errno_message ();
 	public int percentage ();
 	public POSITION percent_pos ();
@@ -242,6 +245,7 @@
 	public int query ();
 	public int compile_pattern ();
 	public void uncompile_pattern ();
+	public int valid_pattern ();
 	public int is_null_pattern ();
 	public int match_pattern ();
 	public POSITION position ();
@@ -267,6 +271,8 @@
 	public void clr_hilite ();
 	public void clr_filter ();
 	public int is_filtered ();
+	public POSITION next_unfiltered ();
+	public POSITION prev_unfiltered ();
 	public int is_hilited ();
 	public void chg_caseless ();
 	public void chg_hilite ();
diff --git a/contrib/less/help.c b/contrib/less/help.c
index 46b8ff1..aba7116 100644
--- a/contrib/less/help.c
+++ b/contrib/less/help.c
@@ -26,6 +26,7 @@ constant char helpdata[] = {
 ' ',' ','E','S','C','-',')',' ',' ','R','i','g','h','t','A','r','r','o','w',' ','*',' ',' ','L','e','f','t',' ',' ','o','n','e',' ','h','a','l','f',' ','s','c','r','e','e','n',' ','w','i','d','t','h',' ','(','o','r',' ','_','\b','N',' ','p','o','s','i','t','i','o','n','s',')','.','\n',
 ' ',' ','E','S','C','-','(',' ',' ','L','e','f','t','A','r','r','o','w',' ',' ','*',' ',' ','R','i','g','h','t',' ','o','n','e',' ','h','a','l','f',' ','s','c','r','e','e','n',' ','w','i','d','t','h',' ','(','o','r',' ','_','\b','N',' ','p','o','s','i','t','i','o','n','s',')','.','\n',
 ' ',' ','F',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','F','o','r','w','a','r','d',' ','f','o','r','e','v','e','r',';',' ','l','i','k','e',' ','"','t','a','i','l',' ','-','f','"','.','\n',
+' ',' ','E','S','C','-','F',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','L','i','k','e',' ','F',' ','b','u','t',' ','s','t','o','p',' ','w','h','e','n',' ','s','e','a','r','c','h',' ','p','a','t','t','e','r','n',' ','i','s',' ','f','o','u','n','d','.','\n',
 ' ',' ','r',' ',' ','^','R',' ',' ','^','L',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','R','e','p','a','i','n','t',' ','s','c','r','e','e','n','.','\n',
 ' ',' ','R',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','R','e','p','a','i','n','t',' ','s','c','r','e','e','n',',',' ','d','i','s','c','a','r','d','i','n','g',' ','b','u','f','f','e','r','e','d',' ','i','n','p','u','t','.','\n',
 ' ',' ',' ',' ',' ',' ',' ',' ','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','\n',
@@ -204,6 +205,8 @@ constant char helpdata[] = {
 ' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','D','o','n','\'','t',' ','s','e','n','d',' ','t','e','r','m','c','a','p',' ','k','e','y','p','a','d',' ','i','n','i','t','/','d','e','i','n','i','t',' ','s','t','r','i','n','g','s','.','\n',
 ' ',' ',' ',' ',' ',' ','.','.','.','.','.','.','.','.',' ',' ','-','-','f','o','l','l','o','w','-','n','a','m','e','\n',
 ' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','T','h','e',' ','F',' ','c','o','m','m','a','n','d',' ','c','h','a','n','g','e','s',' ','f','i','l','e','s',' ','i','f',' ','t','h','e',' ','i','n','p','u','t',' ','f','i','l','e',' ','i','s',' ','r','e','n','a','m','e','d','.','\n',
+' ',' ',' ',' ',' ',' ','.','.','.','.','.','.','.','.',' ',' ','-','-','u','s','e','-','b','a','c','k','s','l','a','s','h','\n',
+' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','S','u','b','s','e','q','u','e','n','t',' ','o','p','t','i','o','n','s',' ','u','s','e',' ','b','a','c','k','s','l','a','s','h',' ','a','s',' ','e','s','c','a','p','e',' ','c','h','a','r','.','\n',
 '\n',
 '\n',
 ' ','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','-','\n',
@@ -213,22 +216,22 @@ constant char helpdata[] = {
 ' ',' ',' ',' ',' ',' ',' ',' ','T','h','e','s','e',' ','k','e','y','s',' ','c','a','n',' ','b','e',' ','u','s','e','d',' ','t','o',' ','e','d','i','t',' ','t','e','x','t',' ','b','e','i','n','g',' ','e','n','t','e','r','e','d',' ','\n',
 ' ',' ',' ',' ',' ',' ',' ',' ','o','n',' ','t','h','e',' ','"','c','o','m','m','a','n','d',' ','l','i','n','e','"',' ','a','t',' ','t','h','e',' ','b','o','t','t','o','m',' ','o','f',' ','t','h','e',' ','s','c','r','e','e','n','.','\n',
 '\n',
-' ','R','i','g','h','t','A','r','r','o','w',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','l',' ',' ',' ',' ',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','r','i','g','h','t',' ','o','n','e',' ','c','h','a','r','a','c','t','e','r','.','\n',
-' ','L','e','f','t','A','r','r','o','w',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','h',' ',' ',' ',' ',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','l','e','f','t',' ','o','n','e',' ','c','h','a','r','a','c','t','e','r','.','\n',
-' ','c','t','r','l','-','R','i','g','h','t','A','r','r','o','w',' ',' ','E','S','C','-','R','i','g','h','t','A','r','r','o','w',' ',' ','E','S','C','-','w',' ',' ',' ',' ',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','r','i','g','h','t',' ','o','n','e',' ','w','o','r','d','.','\n',
-' ','c','t','r','l','-','L','e','f','t','A','r','r','o','w',' ',' ',' ','E','S','C','-','L','e','f','t','A','r','r','o','w',' ',' ',' ','E','S','C','-','b',' ',' ',' ',' ',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','l','e','f','t',' ','o','n','e',' ','w','o','r','d','.','\n',
-' ','H','O','M','E',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','0',' ',' ',' ',' ',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','t','o',' ','s','t','a','r','t',' ','o','f',' ','l','i','n','e','.','\n',
-' ','E','N','D',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','$',' ',' ',' ',' ',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','t','o',' ','e','n','d',' ','o','f',' ','l','i','n','e','.','\n',
-' ','B','A','C','K','S','P','A','C','E',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','D','e','l','e','t','e',' ','c','h','a','r',' ','t','o',' ','l','e','f','t',' ','o','f',' ','c','u','r','s','o','r','.','\n',
-' ','D','E','L','E','T','E',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','x',' ',' ',' ',' ',' ','D','e','l','e','t','e',' ','c','h','a','r',' ','u','n','d','e','r',' ','c','u','r','s','o','r','.','\n',
-' ','c','t','r','l','-','B','A','C','K','S','P','A','C','E',' ',' ',' ','E','S','C','-','B','A','C','K','S','P','A','C','E',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','D','e','l','e','t','e',' ','w','o','r','d',' ','t','o',' ','l','e','f','t',' ','o','f',' ','c','u','r','s','o','r','.','\n',
-' ','c','t','r','l','-','D','E','L','E','T','E',' ',' ',' ',' ',' ',' ','E','S','C','-','D','E','L','E','T','E',' ',' ',' ',' ',' ',' ','E','S','C','-','X',' ',' ',' ',' ',' ','D','e','l','e','t','e',' ','w','o','r','d',' ','u','n','d','e','r',' ','c','u','r','s','o','r','.','\n',
-' ','c','t','r','l','-','U',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C',' ','(','M','S','-','D','O','S',' ','o','n','l','y',')',' ',' ',' ',' ',' ',' ',' ',' ',' ','D','e','l','e','t','e',' ','e','n','t','i','r','e',' ','l','i','n','e','.','\n',
-' ','U','p','A','r','r','o','w',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','k',' ',' ',' ',' ',' ','R','e','t','r','i','e','v','e',' ','p','r','e','v','i','o','u','s',' ','c','o','m','m','a','n','d',' ','l','i','n','e','.','\n',
-' ','D','o','w','n','A','r','r','o','w',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','j',' ',' ',' ',' ',' ','R','e','t','r','i','e','v','e',' ','n','e','x','t',' ','c','o','m','m','a','n','d',' ','l','i','n','e','.','\n',
-' ','T','A','B',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','C','o','m','p','l','e','t','e',' ','f','i','l','e','n','a','m','e',' ','&',' ','c','y','c','l','e','.','\n',
-' ','S','H','I','F','T','-','T','A','B',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','E','S','C','-','T','A','B',' ',' ',' ','C','o','m','p','l','e','t','e',' ','f','i','l','e','n','a','m','e',' ','&',' ','r','e','v','e','r','s','e',' ','c','y','c','l','e','.','\n',
-' ','c','t','r','l','-','L',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','C','o','m','p','l','e','t','e',' ','f','i','l','e','n','a','m','e',',',' ','l','i','s','t',' ','a','l','l','.','\n',
+' ','R','i','g','h','t','A','r','r','o','w',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','l',' ','.','.','.',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','r','i','g','h','t',' ','o','n','e',' ','c','h','a','r','a','c','t','e','r','.','\n',
+' ','L','e','f','t','A','r','r','o','w',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','h',' ','.','.','.',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','l','e','f','t',' ','o','n','e',' ','c','h','a','r','a','c','t','e','r','.','\n',
+' ','c','t','r','l','-','R','i','g','h','t','A','r','r','o','w',' ',' ','E','S','C','-','R','i','g','h','t','A','r','r','o','w',' ',' ','E','S','C','-','w',' ','.','.','.',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','r','i','g','h','t',' ','o','n','e',' ','w','o','r','d','.','\n',
+' ','c','t','r','l','-','L','e','f','t','A','r','r','o','w',' ',' ',' ','E','S','C','-','L','e','f','t','A','r','r','o','w',' ',' ',' ','E','S','C','-','b',' ','.','.','.',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','l','e','f','t',' ','o','n','e',' ','w','o','r','d','.','\n',
+' ','H','O','M','E',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','0',' ','.','.','.',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','t','o',' ','s','t','a','r','t',' ','o','f',' ','l','i','n','e','.','\n',
+' ','E','N','D',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','$',' ','.','.','.',' ','M','o','v','e',' ','c','u','r','s','o','r',' ','t','o',' ','e','n','d',' ','o','f',' ','l','i','n','e','.','\n',
+' ','B','A','C','K','S','P','A','C','E',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','D','e','l','e','t','e',' ','c','h','a','r',' ','t','o',' ','l','e','f','t',' ','o','f',' ','c','u','r','s','o','r','.','\n',
+' ','D','E','L','E','T','E',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','x',' ','.','.','.',' ','D','e','l','e','t','e',' ','c','h','a','r',' ','u','n','d','e','r',' ','c','u','r','s','o','r','.','\n',
+' ','c','t','r','l','-','B','A','C','K','S','P','A','C','E',' ',' ',' ','E','S','C','-','B','A','C','K','S','P','A','C','E',' ','.','.','.','.','.','.','.','.','.','.','.',' ','D','e','l','e','t','e',' ','w','o','r','d',' ','t','o',' ','l','e','f','t',' ','o','f',' ','c','u','r','s','o','r','.','\n',
+' ','c','t','r','l','-','D','E','L','E','T','E',' ','.','.','.','.',' ','E','S','C','-','D','E','L','E','T','E',' ','.','.','.','.',' ','E','S','C','-','X',' ','.','.','.',' ','D','e','l','e','t','e',' ','w','o','r','d',' ','u','n','d','e','r',' ','c','u','r','s','o','r','.','\n',
+' ','c','t','r','l','-','U',' ','.','.','.','.','.','.','.','.','.',' ','E','S','C',' ','(','M','S','-','D','O','S',' ','o','n','l','y',')',' ','.','.','.','.','.','.','.',' ','D','e','l','e','t','e',' ','e','n','t','i','r','e',' ','l','i','n','e','.','\n',
+' ','U','p','A','r','r','o','w',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','k',' ','.','.','.',' ','R','e','t','r','i','e','v','e',' ','p','r','e','v','i','o','u','s',' ','c','o','m','m','a','n','d',' ','l','i','n','e','.','\n',
+' ','D','o','w','n','A','r','r','o','w',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','j',' ','.','.','.',' ','R','e','t','r','i','e','v','e',' ','n','e','x','t',' ','c','o','m','m','a','n','d',' ','l','i','n','e','.','\n',
+' ','T','A','B',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','C','o','m','p','l','e','t','e',' ','f','i','l','e','n','a','m','e',' ','&',' ','c','y','c','l','e','.','\n',
+' ','S','H','I','F','T','-','T','A','B',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','E','S','C','-','T','A','B',' ',' ',' ','C','o','m','p','l','e','t','e',' ','f','i','l','e','n','a','m','e',' ','&',' ','r','e','v','e','r','s','e',' ','c','y','c','l','e','.','\n',
+' ','c','t','r','l','-','L',' ','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.','.',' ','C','o','m','p','l','e','t','e',' ','f','i','l','e','n','a','m','e',',',' ','l','i','s','t',' ','a','l','l','.','\n',
 '\n',
 '\n',
  0 };
diff --git a/contrib/less/ifile.c b/contrib/less/ifile.c
index 3e5e855..fea2ea1 100644
--- a/contrib/less/ifile.c
+++ b/contrib/less/ifile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/input.c b/contrib/less/input.c
index b211323..9419a02 100644
--- a/contrib/less/input.c
+++ b/contrib/less/input.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -60,6 +60,7 @@ get_forw_line:
 	}
 #if HILITE_SEARCH
 	if (hilite_search == OPT_ONPLUS || is_filtering() || status_col)
+	{
 		/*
 		 * If we are ignoring EOI (command F), only prepare
 		 * one line ahead, to avoid getting stuck waiting for
@@ -69,6 +70,8 @@ get_forw_line:
 		 */
 		prep_hilite(curr_pos, curr_pos + 3*size_linebuf, 
 				ignore_eoi ? 1 : -1);
+		curr_pos = next_unfiltered(curr_pos);
+	}
 #endif
 	if (ch_seek(curr_pos))
 	{
@@ -439,19 +442,22 @@ set_attnpos(pos)
 		{
 			c = ch_forw_get();
 			if (c == EOI)
-				return;
-			if (c != '\n' && c != '\r')
 				break;
+			if (c == '\n' || c == '\r')
+			{
+				(void) ch_back_get();
+				break;
+			}
 			pos++;
 		}
+		end_attnpos = pos;
+		for (;;)
+		{
+			c = ch_back_get();
+			if (c == EOI || c == '\n' || c == '\r')
+				break;
+			pos--;
+		}
 	}
 	start_attnpos = pos;
-	for (;;)
-	{
-		c = ch_forw_get();
-		pos++;
-		if (c == EOI || c == '\n' || c == '\r')
-			break;
-	}
-	end_attnpos = pos;
 }
diff --git a/contrib/less/jump.c b/contrib/less/jump.c
index 075aa64..8373d8b 100644
--- a/contrib/less/jump.c
+++ b/contrib/less/jump.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -61,6 +61,24 @@ jump_forw()
 }
 
 /*
+ * Jump to the last buffered line in the file.
+ */
+	public void
+jump_forw_buffered()
+{
+	POSITION end;
+
+	if (ch_end_buffer_seek())
+	{
+		error("Cannot seek to end of buffers", NULL_PARG);
+		return;
+	}
+	end = ch_tell();
+	if (end != NULL_POSITION && end > 0)
+		jump_line_loc(end-1, sc_height-1);
+}
+
+/*
  * Jump to line n in the file.
  */
 	public void
@@ -281,6 +299,9 @@ jump_loc(pos, sline)
 				 */
 				break;
 			}
+#if HILITE_SEARCH
+			pos = next_unfiltered(pos);
+#endif
 			if (pos >= tpos)
 			{
 				/* 
diff --git a/contrib/less/less.h b/contrib/less/less.h
index fada513..f57fb1e 100644
--- a/contrib/less/less.h
+++ b/contrib/less/less.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -295,6 +295,15 @@ struct scrpos
 	int ln;
 };
 
+/*
+ * A mark is an ifile (input file) plus a position within the file.
+ */
+struct mark 
+{
+	IFILE m_ifile;
+	struct scrpos m_scrpos;
+};
+
 typedef union parg
 {
 	char *p_string;
@@ -310,6 +319,17 @@ struct textlist
 	char *endstring;
 };
 
+struct wchar_range
+{
+	LWCHAR first, last;
+};
+
+struct wchar_range_table 
+{
+	struct wchar_range *table;
+	int count;
+};
+
 #define	EOI		(-1)
 
 #define	READ_INTR	(-2)
@@ -445,6 +465,7 @@ struct textlist
 
 #define	ESC		CONTROL('[')
 #define	CSI		((unsigned char)'\233')
+#define	CHAR_END_COMMAND 0x40000000
 
 #if _OSK_MWC32
 #define	LSIGNAL(sig,func)	os9_signal(sig,func)
@@ -498,6 +519,12 @@ struct textlist
 #define	CVT_CRLF	04	/* Remove CR after LF */
 #define	CVT_ANSI	010	/* Remove ANSI escape sequences */
 
+#if HAVE_TIME_T
+#define time_type	time_t
+#else
+#define	time_type	long
+#endif
+
 #include "funcs.h"
 
 /* Functions not included in funcs.h */
diff --git a/contrib/less/less.hlp b/contrib/less/less.hlp
index 45a7fe5..2a8e3e7 100644
--- a/contrib/less/less.hlp
+++ b/contrib/less/less.hlp
@@ -23,6 +23,7 @@
   ESC-)  RightArrow *  Left  one half screen width (or _N positions).
   ESC-(  LeftArrow  *  Right one half screen width (or _N positions).
   F                    Forward forever; like "tail -f".
+  ESC-F                Like F but stop when search pattern is found.
   r  ^R  ^L            Repaint screen.
   R                    Repaint screen, discarding buffered input.
         ---------------------------------------------------
@@ -201,6 +202,8 @@
                   Don't send termcap keypad init/deinit strings.
       ........  --follow-name
                   The F command changes files if the input file is renamed.
+      ........  --use-backslash
+                  Subsequent options use backslash as escape char.
 
 
  ---------------------------------------------------------------------------
@@ -210,21 +213,21 @@
         These keys can be used to edit text being entered 
         on the "command line" at the bottom of the screen.
 
- RightArrow                       ESC-l     Move cursor right one character.
- LeftArrow                        ESC-h     Move cursor left one character.
- ctrl-RightArrow  ESC-RightArrow  ESC-w     Move cursor right one word.
- ctrl-LeftArrow   ESC-LeftArrow   ESC-b     Move cursor left one word.
- HOME                             ESC-0     Move cursor to start of line.
- END                              ESC-$     Move cursor to end of line.
- BACKSPACE                                  Delete char to left of cursor.
- DELETE                           ESC-x     Delete char under cursor.
- ctrl-BACKSPACE   ESC-BACKSPACE             Delete word to left of cursor.
- ctrl-DELETE      ESC-DELETE      ESC-X     Delete word under cursor.
- ctrl-U           ESC (MS-DOS only)         Delete entire line.
- UpArrow                          ESC-k     Retrieve previous command line.
- DownArrow                        ESC-j     Retrieve next command line.
- TAB                                        Complete filename & cycle.
- SHIFT-TAB                        ESC-TAB   Complete filename & reverse cycle.
- ctrl-L                                     Complete filename, list all.
+ RightArrow ..................... ESC-l ... Move cursor right one character.
+ LeftArrow ...................... ESC-h ... Move cursor left one character.
+ ctrl-RightArrow  ESC-RightArrow  ESC-w ... Move cursor right one word.
+ ctrl-LeftArrow   ESC-LeftArrow   ESC-b ... Move cursor left one word.
+ HOME ........................... ESC-0 ... Move cursor to start of line.
+ END ............................ ESC-$ ... Move cursor to end of line.
+ BACKSPACE ................................ Delete char to left of cursor.
+ DELETE ......................... ESC-x ... Delete char under cursor.
+ ctrl-BACKSPACE   ESC-BACKSPACE ........... Delete word to left of cursor.
+ ctrl-DELETE .... ESC-DELETE .... ESC-X ... Delete word under cursor.
+ ctrl-U ......... ESC (MS-DOS only) ....... Delete entire line.
+ UpArrow ........................ ESC-k ... Retrieve previous command line.
+ DownArrow ...................... ESC-j ... Retrieve next command line.
+ TAB ...................................... Complete filename & cycle.
+ SHIFT-TAB ...................... ESC-TAB   Complete filename & reverse cycle.
+ ctrl-L ................................... Complete filename, list all.
 
 
diff --git a/contrib/less/less.nro b/contrib/less/less.nro
index eba98ee..b3d9874 100644
--- a/contrib/less/less.nro
+++ b/contrib/less/less.nro
@@ -1,4 +1,4 @@
-.TH LESS 1 "Version 458: 04 Apr 2013"
+.TH LESS 1 "Version 481: 31 Aug 2015"
 .SH NAME
 less \- opposite of more
 .SH SYNOPSIS
@@ -12,19 +12,19 @@ less \- opposite of more
 .br
 .B "less [\-[+]aABcCdeEfFgGiIJKLmMnNqQrRsSuUVwWX~]"
 .br
-.B "     [\-b \fIspace\fP] [\-h \fIlines\fP] [\-j \fIline\fP] [\-k \fIkeyfile\fP]"
+.B "     [\-b \fIspace\/\fP] [\-h \fIlines\/\fP] [\-j \fIline\/\fP] [\-k \fIkeyfile\/\fP]"
 .br
-.B "     [\-{oO} \fIlogfile\fP] [\-p \fIpattern\fP] [\-P \fIprompt\fP] [\-t \fItag\fP]"
+.B "     [\-{oO} \fIlogfile\/\fP] [\-p \fIpattern\/\fP] [\-P \fIprompt\/\fP] [\-t \fItag\/\fP]"
 .br
-.B "     [\-T \fItagsfile\fP] [\-x \fItab\fP,...] [\-y \fIlines\fP] [\-[z] \fIlines\fP]"
+.B "     [\-T \fItagsfile\/\fP] [\-x \fItab\/\fP,...] [\-y \fIlines\/\fP] [\-[z] \fIlines\/\fP]"
 .br
-.B "     [\-# \fIshift\fP] [+[+]\fIcmd\fP] [\-\-] [\fIfilename\fP]..."
+.B "     [\-# \fIshift\/\fP] [+[+]\fIcmd\/\fP] [\-\-] [\fIfilename\/\fP]..."
 .br
 (See the OPTIONS section for alternate option syntax with long option names.)
 
 .SH DESCRIPTION
 .I Less
-is a program similar to 
+is a program similar to
 .I more
 (1), but which allows backward movement
 in the file as well as forward movement.
@@ -45,7 +45,7 @@ Commands are based on both
 .I more
 and
 .I vi.
-Commands may be preceded by a decimal number, 
+Commands may be preceded by a decimal number,
 called N in the descriptions below.
 The number is used by some commands, as indicated.
 
@@ -70,7 +70,7 @@ Scroll forward N lines, default 1.
 The entire N lines are displayed, even if N is more than the screen size.
 .IP "d or ^D"
 Scroll forward N lines, default one half of the screen size.
-If N is specified, it becomes the new default for 
+If N is specified, it becomes the new default for
 subsequent d and u commands.
 .IP "b or ^B or ESC-v"
 Scroll backward N lines, default one window (see option \-z below).
@@ -83,8 +83,12 @@ The entire N lines are displayed, even if N is more than the screen size.
 Warning: some systems use ^Y as a special job control character.
 .IP "u or ^U"
 Scroll backward N lines, default one half of the screen size.
-If N is specified, it becomes the new default for 
+If N is specified, it becomes the new default for
 subsequent d and u commands.
+.IP "J"
+Like j, but continues to scroll beyond the end of the file.
+.IP "K or Y"
+Like k, but continues to scroll beyond the beginning of the file.
 .IP "ESC-) or RIGHTARROW"
 Scroll horizontally right N characters, default half the screen width
 (see the \-# option).
@@ -111,7 +115,7 @@ while it is being viewed.
 (The behavior is similar to the "tail \-f" command.)
 .IP "ESC-F"
 Like F, but as soon as a line is found which matches
-the last search pattern, the terminal bell is rung 
+the last search pattern, the terminal bell is rung
 and forward scrolling stops.
 .IP "g or < or ESC-<"
 Go to line N in the file, default 1 (beginning of file).
@@ -121,6 +125,9 @@ Go to line N in the file, default the end of the file.
 (Warning: this may be slow if N is large,
 or if N is not specified and
 standard input, rather than a file, is being read.)
+.IP "ESC-G"
+Same as G, except if no number N is specified and the input is standard input,
+goes to the last line which is currently buffered.
 .IP "p or %"
 Go to a position N percent into the file.
 N should be between 0 and 100, and may contain a decimal point.
@@ -154,16 +161,16 @@ Like }, but applies to square brackets rather than curly brackets.
 Followed by two characters,
 acts like {, but uses the two characters as open and close brackets,
 respectively.
-For example, "ESC ^F < >" could be used to 
+For example, "ESC ^F < >" could be used to
 go forward to the > which matches the < in the top displayed line.
 .IP "ESC-^B"
 Followed by two characters,
 acts like }, but uses the two characters as open and close brackets,
 respectively.
-For example, "ESC ^B < >" could be used to 
+For example, "ESC ^B < >" could be used to
 go backward to the < which matches the > in the bottom displayed line.
 .IP m
-Followed by any lowercase letter, 
+Followed by any lowercase letter,
 marks the current position with that letter.
 .IP "'"
 (Single quote.)
@@ -193,7 +200,7 @@ they modify the type of search rather than become part of the pattern:
 Search for lines which do NOT match the pattern.
 .IP "^E or *"
 Search multiple files.
-That is, if the search reaches the END of the current file 
+That is, if the search reaches the END of the current file
 without finding a match,
 the search continues in the next file in the command line list.
 .IP "^F or @"
@@ -202,7 +209,7 @@ in the command line list,
 regardless of what is currently displayed on the screen
 or the settings of the \-a or \-j options.
 .IP "^K"
-Highlight any text which matches the pattern on the current screen, 
+Highlight any text which matches the pattern on the current screen,
 but don't move to the first match (KEEP current position).
 .IP "^R"
 Don't interpret regular expression metacharacters;
@@ -210,7 +217,8 @@ that is, do a simple textual comparison.
 .RE
 .IP ?pattern
 Search backward in the file for the N-th line containing the pattern.
-The search starts at the line immediately before the top line displayed.
+The search starts at the last line displayed 
+(but see the \-a and \-j options, which change this).
 .sp
 Certain characters are special as in the / command:
 .RS
@@ -218,7 +226,7 @@ Certain characters are special as in the / command:
 Search for lines which do NOT match the pattern.
 .IP "^E or *"
 Search multiple files.
-That is, if the search reaches the beginning of the current file 
+That is, if the search reaches the beginning of the current file
 without finding a match,
 the search continues in the previous file in the command line list.
 .IP "^F or @"
@@ -254,7 +262,7 @@ Repeat previous search, but in the reverse direction
 and crossing file boundaries.
 .IP "ESC-u"
 Undo search highlighting.
-Turn off highlighting of strings matching the current search pattern. 
+Turn off highlighting of strings matching the current search pattern.
 If highlighting is already off because of a previous ESC-u command,
 turn highlighting back on.
 Any search command will also turn highlighting back on.
@@ -282,10 +290,10 @@ Examine a new file.
 If the filename is missing, the "current" file (see the :n and :p commands
 below) from the list of files in the command line is re-examined.
 A percent sign (%) in the filename is replaced by the name of the
-current file.  
+current file.
 A pound sign (#) is replaced by the name of the previously examined file.
-However, two consecutive percent signs are simply 
-replaced with a single percent sign.  
+However, two consecutive percent signs are simply
+replaced with a single percent sign.
 This allows you to enter a filename that contains a percent sign
 in the name.
 Similarly, two consecutive pound signs are replaced with a single pound sign.
@@ -338,7 +346,7 @@ the current setting is printed and nothing is changed.
 Like the \- command, but takes a long option name (see OPTIONS below)
 rather than a single option letter.
 You must press ENTER or RETURN after typing the option name.
-A ^P immediately after the second dash suppresses printing of a 
+A ^P immediately after the second dash suppresses printing of a
 message describing the new setting, as in the \- command.
 .IP \-+
 Followed by one of the command line option letters
@@ -370,19 +378,19 @@ rather than a single option letter.
 You must press ENTER or RETURN after typing the option name.
 .IP +cmd
 Causes the specified cmd to be executed each time a new file is examined.
-For example, +G causes 
+For example, +G causes
 .I less
-to initially display each file starting at the end 
+to initially display each file starting at the end
 rather than the beginning.
 .IP V
-Prints the version number of 
-.I less 
+Prints the version number of
+.I less
 being run.
 .IP "q or Q or :q or :Q or ZZ"
 Exits
 .I less.
 .PP
-The following 
+The following
 four
 commands may or may not be valid, depending on your particular installation.
 .PP
@@ -395,7 +403,7 @@ See also the discussion of LESSEDIT under the section on PROMPTS below.
 .IP "! shell-command"
 Invokes a shell to run the shell-command given.
 A percent sign (%) in the command is replaced by the name of the
-current file.  
+current file.
 A pound sign (#) is replaced by the name of the previously examined file.
 "!!" repeats the last shell command.
 "!" with no shell command simply invokes a shell.
@@ -408,7 +416,7 @@ Pipes a section of the input file to the given shell command.
 The section of the file to be piped is between the first line on
 the current screen and the position marked by the letter.
 <m> may also be ^ or $ to indicate beginning or end of file respectively.
-If <m> is . or newline, the current screen is piped.
+If <m> is \&.\& or newline, the current screen is piped.
 .IP "s filename"
 Save the input to a file.
 This only works if the input is a pipe, not an ordinary file.
@@ -416,16 +424,16 @@ This only works if the input is a pipe, not an ordinary file.
 .SH OPTIONS
 Command line options are described below.
 Most options may be changed while
-.I less 
+.I less
 is running, via the "\-" command.
 .PP
-Most options may be given in one of two forms: 
+Most options may be given in one of two forms:
 either a dash followed by a single letter,
 or two dashes followed by a long option name.
 A long option name may be abbreviated as long as
 the abbreviation is unambiguous.
 For example, \-\-quit-at-eof may be abbreviated \-\-quit, but not
---qui, since both \-\-quit-at-eof and \-\-quiet begin with \-\-qui.
+\-\-qui, since both \-\-quit-at-eof and \-\-quiet begin with \-\-qui.
 Some long option names are in uppercase, such as \-\-QUIT-AT-EOF, as
 distinct from \-\-quit-at-eof.
 Such option names need only have their first letter capitalized;
@@ -433,20 +441,20 @@ the remainder of the name may be in either case.
 For example, \-\-Quit-at-eof is equivalent to \-\-QUIT-AT-EOF.
 .PP
 Options are also taken from the environment variable "LESS".
-For example, 
-to avoid typing "less \-options ..." each time 
-.I less 
-is invoked, you might tell 
+For example,
+to avoid typing "less \-options \&...\&" each time
+.I less
+is invoked, you might tell
 .I csh:
 .sp
-setenv LESS "-options"
+setenv LESS "\-options"
 .sp
-or if you use 
+or if you use
 .I sh:
 .sp
-LESS="-options"; export LESS
+LESS="\-options"; export LESS
 .sp
-On MS-DOS, you don't need the quotes, but you should replace any 
+On MS-DOS, you don't need the quotes, but you should replace any
 percent signs in the options string by double percent signs.
 .sp
 The environment variable is parsed before the command line,
@@ -461,11 +469,11 @@ For example, you can set two \-D options on MS-DOS like this:
 .sp
 LESS="Dn9.1$Ds4.1"
 .sp
-If the --use-backslash option appears earlier in the options, then
+If the \-\-use-backslash option appears earlier in the options, then
 a dollar sign or backslash may be included literally in an option string
 by preceding it with a backslash.
-If the --use-backslash option is not in effect, then backslashes are
-not treated specially, and there is no way to include a dollar sign 
+If the \-\-use-backslash option is not in effect, then backslashes are
+not treated specially, and there is no way to include a dollar sign
 in the option string.
 .IP "\-? or \-\-help"
 This option displays a summary of the commands accepted by
@@ -484,8 +492,8 @@ the bottom of the screen
 and backward searches to start at the top of the screen,
 thus skipping all lines displayed on the screen.
 .IP "\-A or \-\-SEARCH-SKIP-SCREEN"
-Causes all forward searches (not just non-repeated searches) 
-to start just after the target line, and all backward searches 
+Causes all forward searches (not just non-repeated searches)
+to start just after the target line, and all backward searches
 to start just before the target line.
 Thus, forward searches will skip part of the displayed screen
 (from the first line up to and including the target line).
@@ -496,9 +504,9 @@ This was the default behavior in less versions prior to 441.
 Specifies the amount of buffer space
 .I less
 will use for each file, in units of kilobytes (1024 bytes).
-By default 64K of buffer space is used for each file
+By default 64\ K of buffer space is used for each file
 (unless the file is a pipe; see the \-B option).
-The \-b option specifies instead that \fIn\fP kilobytes of 
+The \-b option specifies instead that \fIn\fP kilobytes of
 buffer space should be used for each file.
 If \fIn\fP is \-1, buffer space is unlimited; that is,
 the entire file can be read into memory.
@@ -508,18 +516,18 @@ buffers are allocated automatically as needed.
 If a large amount of data is read from the pipe, this can cause
 a large amount of memory to be allocated.
 The \-B option disables this automatic allocation of buffers for pipes,
-so that only 64K 
+so that only 64\ K
 (or the amount of space specified by the \-b option)
 is used for the pipe.
 Warning: use of \-B can result in erroneous display, since only the
-most recently viewed part of the piped data is kept in memory; 
+most recently viewed part of the piped data is kept in memory;
 any earlier data is lost.
 .IP "\-c or \-\-clear-screen"
 Causes full screen repaints to be painted from the top line down.
 By default,
 full screen repaints are done by scrolling from the bottom of the screen.
 .IP "\-C or \-\-CLEAR-SCREEN"
-Same as \-c, for compatibility with older versions of 
+Same as \-c, for compatibility with older versions of
 .I less.
 .IP "\-d or \-\-dumb"
 The \-d option suppresses the error message
@@ -532,24 +540,24 @@ on a dumb terminal.
 .IP "\-D\fBx\fP\fIcolor\fP or \-\-color=\fBx\fP\fIcolor\fP"
 [MS-DOS only]
 Sets the color of the text displayed.
-\fBx\fP is a single character which selects the type of text whose color is 
+\fBx\fP is a single character which selects the type of text whose color is
 being set: n=normal, s=standout, d=bold, u=underlined, k=blink.
-\fIcolor\fP is a pair of numbers separated by a period.  
-The first number selects the foreground color and the second selects 
+\fIcolor\fP is a pair of numbers separated by a period.
+The first number selects the foreground color and the second selects
 the background color of the text.
 A single number \fIN\fP is the same as \fIN.M\fP,
 where \fIM\fP is the normal background color.
 
 .IP "\-e or \-\-quit-at-eof"
-Causes 
-.I less 
+Causes
+.I less
 to automatically exit
 the second time it reaches end-of-file.
-By default, the only way to exit 
+By default, the only way to exit
 .I less
 is via the "q" command.
 .IP "\-E or \-\-QUIT-AT-EOF"
-Causes 
+Causes
 .I less
 to automatically exit the first time it reaches end-of-file.
 .IP "\-f or \-\-force"
@@ -567,13 +575,13 @@ Causes
 to automatically exit
 if the entire file can be displayed on the first screen.
 .IP "\-g or \-\-hilite-search"
-Normally, 
-.I less 
+Normally,
+.I less
 will highlight ALL strings which match the last search command.
-The \-g option changes this behavior to highlight only the particular string 
+The \-g option changes this behavior to highlight only the particular string
 which was found by the last search command.
-This can cause 
-.I less 
+This can cause
+.I less
 to run somewhat faster than the default.
 .IP "\-G or \-\-HILITE-SEARCH"
 The \-G option suppresses all highlighting of strings found by search commands.
@@ -587,11 +595,11 @@ backward, \-h0 is implied.)
 Causes searches to ignore case; that is,
 uppercase and lowercase are considered identical.
 This option is ignored if any uppercase letters
-appear in the search pattern; 
+appear in the search pattern;
 in other words,
 if a pattern contains uppercase letters, then that search does not ignore case.
 .IP "\-I or \-\-IGNORE-CASE"
-Like \-i, but searches ignore case even if 
+Like \-i, but searches ignore case even if
 the pattern contains uppercase letters.
 .IP "\-j\fIn\fP or \-\-jump-target=\fIn\fP"
 Specifies a line on the screen where the "target" line
@@ -605,18 +613,21 @@ The number may be negative to specify a line relative to the bottom
 of the screen: the bottom line on the screen is \-1, the second
 to the bottom is \-2, and so on.
 Alternately, the screen line may be specified as a fraction of the height
-of the screen, starting with a decimal point: .5 is in the middle of the
-screen, .3 is three tenths down from the first line, and so on.
+of the screen, starting with a decimal point: \&.5 is in the middle of the
+screen, \&.3 is three tenths down from the first line, and so on.
 If the line is specified as a fraction, the actual line number
 is recalculated if the terminal window is resized, so that the
 target line remains at the specified fraction of the screen height.
-If any form of the \-j option is used, 
-forward searches begin at the line immediately after the target line,
-and backward searches begin at the target line,
+If any form of the \-j option is used,
+repeated forward searches (invoked with "n" or "N")
+begin at the line immediately after the target line,
+and repeated backward searches begin at the target line,
 unless changed by \-a or \-A.
 For example, if "\-j4" is used, the target line is the
 fourth line on the screen, so forward searches begin at the fifth line
 on the screen.
+However nonrepeated searches (invoked with "/" or "?")
+always begin at the start or end of the current screen respectively.
 .IP "\-J or \-\-status-column"
 Displays a status column at the left edge of the screen.
 The status column shows the lines that matched the current search.
@@ -630,7 +641,7 @@ to open and interpret the named file as a
 Multiple \-k options may be specified.
 If the LESSKEY or LESSKEY_SYSTEM environment variable is set, or
 if a lesskey file is found in a standard place (see KEY BINDINGS),
-it is also used as a 
+it is also used as a
 .I lesskey
 file.
 .IP "\-K or \-\-quit-on-intr"
@@ -641,16 +652,16 @@ when an interrupt character (usually ^C) is typed.
 Normally, an interrupt character causes
 .I less
 to stop whatever it is doing and return to its command prompt.
-Note that use of this option makes it impossible to return to the 
+Note that use of this option makes it impossible to return to the
 command prompt from the "F" command.
 .IP "\-L or \-\-no-lessopen"
 Ignore the LESSOPEN environment variable
 (see the INPUT PREPROCESSOR section below).
-This option can be set from within \fIless\fP, 
-but it will apply only to files opened subsequently, not to the 
+This option can be set from within \fIless\fP,
+but it will apply only to files opened subsequently, not to the
 file which is currently open.
 .IP "\-m or \-\-long-prompt"
-Causes 
+Causes
 .I less
 to prompt verbosely (like \fImore\fP),
 with the percent into the file.
@@ -658,9 +669,9 @@ By default,
 .I less
 prompts with a colon.
 .IP "\-M or \-\-LONG-PROMPT"
-Causes 
+Causes
 .I less
-to prompt even more verbosely than 
+to prompt even more verbosely than
 .I more.
 .IP "\-n or \-\-line-numbers"
 Suppresses line numbers.
@@ -681,7 +692,7 @@ Causes
 to copy its input to the named file as it is being viewed.
 This applies only when the input file is a pipe,
 not an ordinary file.
-If the file already exists, 
+If the file already exists,
 .I less
 will ask for confirmation before overwriting it.
 .IP "\-O\fIfilename\fP or \-\-LOG-FILE=\fIfilename\fP"
@@ -689,14 +700,14 @@ The \-O option is like \-o, but it will overwrite an existing
 file without asking for confirmation.
 .sp
 If no log file has been specified,
-the \-o and \-O options can be used from within 
+the \-o and \-O options can be used from within
 .I less
 to specify a log file.
 Without a file name, they will simply report the name of the log file.
 The "s" command is equivalent to specifying \-o from within
 .I less.
 .IP "\-p\fIpattern\fP or \-\-pattern=\fIpattern\fP"
-The \-p option on the command line is equivalent to 
+The \-p option on the command line is equivalent to
 specifying +/\fIpattern\fP;
 that is, it tells
 .I less
@@ -705,24 +716,24 @@ to start at the first occurrence of \fIpattern\fP in the file.
 Provides a way to tailor the three prompt
 styles to your own preference.
 This option would normally be put in the LESS environment
-variable, rather than being typed in with each 
+variable, rather than being typed in with each
 .I less
 command.
 Such an option must either be the last option in the LESS variable,
 or be terminated by a dollar sign.
--Ps followed by a string changes the default (short) prompt 
+ \-Ps followed by a string changes the default (short) prompt
 to that string.
--Pm changes the medium (\-m) prompt.
--PM changes the long (\-M) prompt.
--Ph changes the prompt for the help screen.
--P= changes the message printed by the = command.
--Pw changes the message printed while waiting for data (in the F command).
-All prompt strings consist of a sequence of 
+ \-Pm changes the medium (\-m) prompt.
+ \-PM changes the long (\-M) prompt.
+ \-Ph changes the prompt for the help screen.
+ \-P= changes the message printed by the = command.
+ \-Pw changes the message printed while waiting for data (in the F command).
+All prompt strings consist of a sequence of
 letters and special escape sequences.
 See the section on PROMPTS for more details.
 .IP "\-q or \-\-quiet or \-\-silent"
 Causes moderately "quiet" operation:
-the terminal bell is not rung 
+the terminal bell is not rung
 if an attempt is made to scroll past the end of the file
 or before the beginning of the file.
 If the terminal has a "visual bell", it is used instead.
@@ -748,9 +759,9 @@ Like \-r, but only ANSI "color" escape sequences are output in "raw" form.
 Unlike \-r, the screen appearance is maintained correctly in most cases.
 ANSI "color" escape sequences are sequences of the form:
 .sp
-	ESC [ ... m
+	ESC [ \&...\& m
 .sp
-where the "..." is zero or more color specification characters 
+where the "...\&" is zero or more color specification characters
 For the purpose of keeping track of screen appearance,
 ANSI color escape sequences are assumed to not move the cursor.
 You can make
@@ -758,9 +769,9 @@ You can make
 think that characters other than "m" can end ANSI color escape sequences
 by setting the environment variable LESSANSIENDCHARS to the list of
 characters which can end a color escape sequence.
-And you can make 
-.I less 
-think that characters other than the standard ones may appear between 
+And you can make
+.I less
+think that characters other than the standard ones may appear between
 the ESC and the m by setting the environment variable LESSANSIMIDCHARS
 to the list of characters which can appear.
 .IP "\-s or \-\-squeeze-blank-lines"
@@ -780,16 +791,16 @@ The \-t option, followed immediately by a TAG,
 will edit the file containing that tag.
 For this to work, tag information must be available;
 for example, there may be a file in the current directory called "tags",
-which was previously built by 
+which was previously built by
 .I ctags
 (1) or an equivalent command.
 If the environment variable LESSGLOBALTAGS is set, it is taken to be
-the name of a command compatible with 
+the name of a command compatible with
 .I global
 (1), and that command is executed to find the tag.
 (See http://www.gnu.org/software/global/global.html).
-The \-t option may also be specified from within 
-.I less 
+The \-t option may also be specified from within
+.I less
 (using the \- command) as a way of examining a new file.
 The command ":t" is equivalent to specifying \-t from within
 .I less.
@@ -799,18 +810,18 @@ Specifies a tags file to be used instead of "tags".
 Causes backspaces and carriage returns to be treated as printable characters;
 that is, they are sent to the terminal when they appear in the input.
 .IP "\-U or \-\-UNDERLINE-SPECIAL"
-Causes backspaces, tabs and carriage returns to be 
+Causes backspaces, tabs and carriage returns to be
 treated as control characters;
 that is, they are handled as specified by the \-r option.
 .sp
 By default, if neither \-u nor \-U is given,
 backspaces which appear adjacent to an underscore character
 are treated specially:
-the underlined text is displayed 
+the underlined text is displayed
 using the terminal's hardware underlining capability.
 Also, backspaces which appear between two identical characters
-are treated specially: 
-the overstruck text is printed 
+are treated specially:
+the overstruck text is printed
 using the terminal's hardware boldface capability.
 Other backspaces are deleted, along with the preceding character.
 Carriage returns immediately followed by a newline are deleted.
@@ -818,7 +829,7 @@ Other carriage returns are handled as specified by the \-r option.
 Text which is overstruck or underlined can be searched for
 if neither \-u nor \-U is in effect.
 .IP "\-V or \-\-version"
-Displays the version number of 
+Displays the version number of
 .I less.
 .IP "\-w or \-\-hilite-unread"
 Temporarily highlights the first "new" line after a forward movement
@@ -830,9 +841,9 @@ The highlight is removed at the next command which causes movement.
 The entire line is highlighted, unless the \-J option is in effect,
 in which case only the status column is highlighted.
 .IP "\-W or \-\-HILITE-UNREAD"
-Like \-w, but temporarily highlights the first new line after any 
+Like \-w, but temporarily highlights the first new line after any
 forward movement command larger than one line.
-.IP "\-x\fIn\fP,... or \-\-tabs=\fIn\fP,..."
+.IP "\-x\fIn\fP,...\& or \-\-tabs=\fIn\fP,..."
 Sets tab stops.
 If only one \fIn\fP is specified, tab stops are set at multiples of \fIn\fP.
 If multiple values separated by commas are specified, tab stops
@@ -856,14 +867,14 @@ By default, any forward movement causes scrolling.
 Changes the default scrolling window size to \fIn\fP lines.
 The default is one screenful.
 The z and w commands can also be used to change the window size.
-The "z" may be omitted for compatibility with some versions of 
+The "z" may be omitted for compatibility with some versions of
 .I more.
 If the number
 .I n
-is negative, it indicates 
+is negative, it indicates
 .I n
 lines less than the current screen size.
-For example, if the screen is 24 lines, \fI\-z-4\fP sets the 
+For example, if the screen is 24 lines, \fI\-z\-4\fP sets the
 scrolling window to 20 lines.  If the screen is resized to 40 lines,
 the scrolling window automatically changes to 36 lines.
 .IP "\-\fI\(dqcc\fP\ or\ \-\-quotes=\fIcc\fP"
@@ -889,14 +900,14 @@ in the RIGHTARROW and LEFTARROW commands.
 If the number specified is zero, it sets the default number of
 positions to one half of the screen width.
 Alternately, the number may be specified as a fraction of the width
-of the screen, starting with a decimal point: .5 is half of the
-screen width, .3 is three tenths of the screen width, and so on.
-If the number is specified as a fraction, the actual number of 
-scroll positions is recalculated if the terminal window is resized, 
-so that the actual scroll remains at the specified fraction 
+of the screen, starting with a decimal point: \&.5 is half of the
+screen width, \&.3 is three tenths of the screen width, and so on.
+If the number is specified as a fraction, the actual number of
+scroll positions is recalculated if the terminal window is resized,
+so that the actual scroll remains at the specified fraction
 of the screen width.
 .IP "\-\-follow-name"
-Normally, if the input file is renamed while an F command is executing, 
+Normally, if the input file is renamed while an F command is executing,
 .I less
 will continue to display the contents of the original file despite
 its name change.
@@ -904,7 +915,7 @@ If \-\-follow-name is specified, during an F command
 .I less
 will periodically attempt to reopen the file by name.
 If the reopen succeeds and the file is a different file from the original
-(which means that a new file has been created 
+(which means that a new file has been created
 with the same name as the original (now renamed) file),
 .I less
 will display the contents of that new file.
@@ -930,7 +941,7 @@ For example, +G tells
 .I less
 to start at the end of the file rather than the beginning,
 and +/xyz tells it to start at the first occurrence of "xyz" in the file.
-As a special case, +<number> acts like +<number>g; 
+As a special case, +<number> acts like +<number>g;
 that is, it starts the display at the specified line number
 (however, see the caveat under the "g" command above).
 If the option starts with ++, the initial command applies to
@@ -944,8 +955,8 @@ When entering command line at the bottom of the screen
 or the pattern for a search command),
 certain keys can be used to manipulate the command line.
 Most commands have an alternate form in [ brackets ] which can be used if
-a key does not exist on a particular keyboard. 
-(Note that the forms beginning with ESC do not work 
+a key does not exist on a particular keyboard.
+(Note that the forms beginning with ESC do not work
 in some MS-DOS and Windows systems because ESC is the line erase character.)
 Any of these special keys may be entered literally by preceding
 it with the "literal" character, either ^V or ^A.
@@ -990,7 +1001,7 @@ is entered into the command line.
 Repeated TABs will cycle thru the other matching filenames.
 If the completed filename is a directory, a "/" is appended to the filename.
 (On MS-DOS systems, a "\e" is appended.)
-The environment variable LESSSEPARATOR can be used to specify a 
+The environment variable LESSSEPARATOR can be used to specify a
 different character to append to a directory name.
 .IP "BACKTAB [ ESC-TAB ]"
 Like, TAB, but cycles in the reverse direction thru the matching filenames.
@@ -1007,9 +1018,9 @@ other than ^U, that character is used instead of ^U.
 Delete the entire command line and return to the main prompt.
 
 .SH "KEY BINDINGS"
-You may define your own 
+You may define your own
 .I less
-commands by using the program 
+commands by using the program
 .I lesskey
 (1)
 to create a lesskey file.
@@ -1022,7 +1033,7 @@ and to set environment variables.
 If the environment variable LESSKEY is set,
 .I less
 uses that as the name of the lesskey file.
-Otherwise, 
+Otherwise,
 .I less
 looks in a standard place for the lesskey file:
 On Unix systems,
@@ -1046,24 +1057,24 @@ manual page for more details.
 .P
 A system-wide lesskey file may also be set up to provide key bindings.
 If a key is defined in both a local lesskey file and in the
-system-wide file, key bindings in the local file take precedence over 
+system-wide file, key bindings in the local file take precedence over
 those in the system-wide file.
 If the environment variable LESSKEY_SYSTEM is set,
 .I less
 uses that as the name of the system-wide lesskey file.
 Otherwise,
-.I less 
+.I less
 looks in a standard place for the system-wide lesskey file:
 On Unix systems, the system-wide lesskey file is /usr/local/etc/sysless.
-(However, if 
-.I less 
+(However, if
+.I less
 was built with a different sysconf directory than /usr/local/etc,
 that directory is where the sysless file is found.)
 On MS-DOS and Windows systems, the system-wide lesskey file is c:\e_sysless.
 On OS/2 systems, the system-wide lesskey file is c:\esysless.ini.
 
 .SH "INPUT PREPROCESSOR"
-You may define an "input preprocessor" for 
+You may define an "input preprocessor" for
 .I less.
 Before
 .I less
@@ -1072,10 +1083,10 @@ way the contents of the file are displayed.
 An input preprocessor is simply an executable program (or shell script),
 which writes the contents of the file to a different file,
 called the replacement file.
-The contents of the replacement file are then displayed 
+The contents of the replacement file are then displayed
 in place of the contents of the original file.
 However, it will appear to the user as if the original file is opened;
-that is, 
+that is,
 .I less
 will display the original filename as the name of the current file.
 .PP
@@ -1083,17 +1094,17 @@ An input preprocessor receives one command line argument, the original filename,
 as entered by the user.
 It should create the replacement file, and when finished,
 print the name of the replacement file to its standard output.
-If the input preprocessor does not output a replacement filename, 
+If the input preprocessor does not output a replacement filename,
 .I less
 uses the original file, as normal.
 The input preprocessor is not called when viewing standard input.
 To set up an input preprocessor, set the LESSOPEN environment variable
 to a command line which will invoke your input preprocessor.
-This command line should include one occurrence of the string "%s", 
+This command line should include one occurrence of the string "%s",
 which will be replaced by the filename
 when the input preprocessor command is invoked.
 .PP
-When 
+When
 .I less
 closes a file opened in such a way, it will call another program,
 called the input postprocessor,
@@ -1101,11 +1112,11 @@ which may perform any desired clean-up action (such as deleting the
 replacement file created by LESSOPEN).
 This program receives two command line arguments, the original filename
 as entered by the user, and the name of the replacement file.
-To set up an input postprocessor, set the LESSCLOSE environment variable 
+To set up an input postprocessor, set the LESSCLOSE environment variable
 to a command line which will invoke your input postprocessor.
-It may include two occurrences of the string "%s"; 
-the first is replaced with the original name of the file and 
-the second with the name of the replacement file, 
+It may include two occurrences of the string "%s";
+the first is replaced with the original name of the file and
+the second with the name of the replacement file,
 which was output by LESSOPEN.
 .PP
 For example, on many Unix systems, these two scripts will allow you
@@ -1119,9 +1130,9 @@ lessopen.sh:
 .br
 	case "$1" in
 .br
-	*.Z)	uncompress -\c $1  >/tmp/less.$$  2>/dev/null
+	*.Z)	uncompress \-c $1  >/tmp/less.$$  2>/dev/null
 .br
-		if [ \-s /tmp/less.$$ ]; then 
+		if [ \-s /tmp/less.$$ ]; then
 .br
 			echo /tmp/less.$$
 .br
@@ -1148,21 +1159,21 @@ More complex LESSOPEN and LESSCLOSE scripts may be written
 to accept other types of compressed files, and so on.
 .PP
 It is also possible to set up an input preprocessor to
-pipe the file data directly to 
+pipe the file data directly to
 .I less,
 rather than putting the data into a replacement file.
-This avoids the need to decompress the entire file before 
+This avoids the need to decompress the entire file before
 starting to view it.
 An input preprocessor that works this way is called an input pipe.
 An input pipe, instead of writing the name of a replacement file on
 its standard output,
 writes the entire contents of the replacement file on its standard output.
 If the input pipe does not write any characters on its standard output,
-then there is no replacement file and 
+then there is no replacement file and
 .I less
 uses the original file, as normal.
 To use an input pipe,
-make the first character in the LESSOPEN environment variable a 
+make the first character in the LESSOPEN environment variable a
 vertical bar (|) to signify that the input preprocessor is an input pipe.
 .PP
 For example, on many Unix systems, this script will work like the
@@ -1189,11 +1200,11 @@ To use this script, put it where it can be executed and set
 LESSOPEN="|lesspipe.sh %s".
 .PP
 Note that a preprocessor cannot output an empty file, since that
-is interpreted as meaning there is no replacement, and 
+is interpreted as meaning there is no replacement, and
 the original file is used.
 To avoid this, if LESSOPEN starts with two vertical bars,
 the exit status of the script becomes meaningful.
-If the exit status is zero, the output is considered to be 
+If the exit status is zero, the output is considered to be
 replacement text, even if it empty.
 If the exit status is nonzero, any output is ignored and the
 original file is used.
@@ -1212,17 +1223,17 @@ For compatibility with previous versions of
 .I less,
 the input preprocessor or pipe is not used if
 .I less
-is viewing standard input.  
+is viewing standard input.
 However, if the first character of LESSOPEN is a dash (\-),
 the input preprocessor is used on standard input as well as other files.
-In this case, the dash is not considered to be part of 
+In this case, the dash is not considered to be part of
 the preprocessor command.
 If standard input is being viewed, the input preprocessor is passed
 a file name consisting of a single dash.
 Similarly, if the first two characters of LESSOPEN are vertical bar and dash
-(|\-) or two vertical bars and a dash (||\-), 
+(|\-) or two vertical bars and a dash (||\-),
 the input pipe is used on standard input as well as other files.
-Again, in this case the dash is not considered to be part of 
+Again, in this case the dash is not considered to be part of
 the input pipe command.
 
 .SH "NATIONAL CHARACTER SETS"
@@ -1282,11 +1293,11 @@ one character in the character set.
 The character "." is used for a normal character, "c" for control,
 and "b" for binary.
 A decimal number may be used for repetition.
-For example, "bccc4b." would mean character 0 is binary,
+For example, "bccc4b.\&" would mean character 0 is binary,
 1, 2 and 3 are control, 4, 5, 6 and 7 are binary, and 8 is normal.
 All characters after the last are taken to be the same as the last,
 so characters 9 through 255 would be normal.
-(This is an example, and does not necessarily 
+(This is an example, and does not necessarily
 represent any real character set.)
 .PP
 This table shows the value of LESSCHARDEF which is equivalent
@@ -1313,7 +1324,7 @@ to each of the possible values for LESSCHARSET:
 	next\ \ 	8bcccbcc18b95.bb125.bb
 .PP
 If neither LESSCHARSET nor LESSCHARDEF is set,
-but any of the strings "UTF-8", "UTF8", "utf-8" or "utf8" 
+but any of the strings "UTF-8", "UTF8", "utf-8" or "utf8"
 is found in the LC_ALL, LC_CTYPE or LANG
 environment variables, then the default character set is utf-8.
 .PP
@@ -1331,12 +1342,12 @@ interface is also not available, the default character set is latin1.
 .PP
 Control and binary characters are displayed in standout (reverse video).
 Each such character is displayed in caret notation if possible
-(e.g. ^A for control-A).  Caret notation is used only if 
+(e.g.\& ^A for control-A).  Caret notation is used only if
 inverting the 0100 bit results in a normal printable character.
 Otherwise, the character is displayed as a hex number in angle brackets.
-This format can be changed by 
+This format can be changed by
 setting the LESSBINFMT environment variable.
-LESSBINFMT may begin with a "*" and one character to select 
+LESSBINFMT may begin with a "*" and one character to select
 the display attribute:
 "*k" is blinking, "*d" is bold, "*u" is underlined, "*s" is standout,
 and "*n" is normal.
@@ -1354,12 +1365,12 @@ acts similarly to LESSBINFMT but it applies to Unicode code points
 that were successfully decoded but are unsuitable for display (e.g.,
 unassigned code points).
 Its default value is "<U+%04lX>".
-Note that LESSUTFBINFMT and LESSBINFMT share their display attribute 
-setting ("*x") so specifying one will affect both; 
+Note that LESSUTFBINFMT and LESSBINFMT share their display attribute
+setting ("*x") so specifying one will affect both;
 LESSUTFBINFMT is read after LESSBINFMT so its setting, if any,
-will have priority. 
+will have priority.
 Problematic octets in a UTF-8 file (octets of a truncated sequence,
-octets of a complete but non-shortest form sequence, illegal octets, 
+octets of a complete but non-shortest form sequence, illegal octets,
 and stray trailing octets)
 are displayed individually using LESSBINFMT so as to facilitate diagnostic
 of how the UTF-8 file is ill-formed.
@@ -1424,6 +1435,9 @@ Same as %B.
 .IP "%t"
 Causes any trailing spaces to be removed.
 Usually used at the end of the string, but may appear anywhere.
+.IP "%T"
+Normally expands to the word "file".
+However if viewing files via a tags list using the \-t option, it expands to the word "tag".
 .IP "%x"
 Replaced by the name of the next input file in the list.
 .PP
@@ -1490,7 +1504,7 @@ Some examples:
 This prompt prints the filename, if known;
 otherwise the string "Standard input".
 .sp
-?f%f .?ltLine %lt:?pt%pt\e%:?btByte %bt:-...
+?f%f \&.?ltLine %lt:?pt%pt\e%:?btByte %bt:-...
 .sp
 This prompt would print the filename, if known.
 The filename is followed by the line number, if known,
@@ -1500,7 +1514,7 @@ Notice how each question mark has a matching period,
 and how the % after the %pt
 is included literally by escaping it with a backslash.
 .sp
-?n?f%f\ .?m(file\ %i\ of\ %m)\ ..?e(END)\ ?x-\ Next\e:\ %x..%t
+?n?f%f\ .?m(%T %i of %m)\ ..?e(END)\ ?x-\ Next\e:\ %x..%t";
 .sp
 This prints the filename if this is the first prompt in a file,
 followed by the "file N of N" message if there is more
@@ -1514,17 +1528,17 @@ the other two prompts (\-m and \-M respectively).
 Each is broken into two lines here for readability only.
 .nf
 .sp
-?n?f%f\ .?m(file\ %i\ of\ %m)\ ..?e(END)\ ?x-\ Next\e:\ %x.:
+?n?f%f\ .?m(%T\ %i\ of\ %m)\ ..?e(END)\ ?x-\ Next\e:\ %x.:
 	?pB%pB\e%:byte\ %bB?s/%s...%t
 .sp
-?f%f\ .?n?m(file\ %i\ of\ %m)\ ..?ltlines\ %lt-%lb?L/%L.\ :
+?f%f\ .?n?m(%T\ %i\ of\ %m)\ ..?ltlines\ %lt-%lb?L/%L.\ :
 	byte\ %bB?s/%s.\ .?e(END)\ ?x-\ Next\e:\ %x.:?pB%pB\e%..%t
 .sp
 .fi
 And here is the default message produced by the = command:
 .nf
 .sp
-?f%f\ .?m(file\ %i\ of\ %m)\ .?ltlines\ %lt-%lb?L/%L.\ .
+?f%f\ .?m(%T\ %i\ of\ %m)\ .?ltlines\ %lt-%lb?L/%L.\ .
 	byte\ %bB?s/%s.\ ?e(END)\ :?pB%pB\e%..%t
 .fi
 .PP
@@ -1541,7 +1555,7 @@ The default value for LESSEDIT is:
 Note that this expands to the editor name, followed by a + and the
 line number, followed by the file name.
 If your editor does not accept the "+linenumber" syntax, or has other
-differences in invocation syntax, the LESSEDIT variable can be 
+differences in invocation syntax, the LESSEDIT variable can be
 changed to modify this default.
 
 .SH SECURITY
@@ -1580,12 +1594,12 @@ behaves (mostly) in conformance with the POSIX "more" command specification.
 In this mode, less behaves differently in these ways:
 .PP
 The \-e option works differently.
-If the \-e option is not set, 
+If the \-e option is not set,
 .I less
-behaves as if the \-E option were set.
-If the \-e option is set, 
+behaves as if the \-e option were set.
+If the \-e option is set,
 .I less
-behaves as if the \-e and \-F options were set.
+behaves as if the \-E option were set.
 .PP
 The \-m option works differently.
 If the \-m option is not set, the medium prompt is used,
@@ -1595,7 +1609,7 @@ If the \-m option is set, the short prompt is used.
 The \-n option acts like the \-z option.
 The normal behavior of the \-n option is unavailable in this mode.
 .PP
-The parameter to the \-p option is taken to be a 
+The parameter to the \-p option is taken to be a
 .I less
 command rather than a search pattern.
 .PP
@@ -1604,10 +1618,10 @@ and the MORE environment variable is used in its place.
 
 .SH "ENVIRONMENT VARIABLES"
 Environment variables may be specified either in the system environment
-as usual, or in a 
+as usual, or in a
 .I lesskey
 (1) file.
-If environment variables are defined in more than one place, 
+If environment variables are defined in more than one place,
 variables defined in a local lesskey file take precedence over
 variables defined in the system environment, which take precedence
 over variables defined in the system-wide lesskey file.
@@ -1633,7 +1647,7 @@ Language for determining the character set.
 .IP LC_CTYPE
 Language for determining the character set.
 .IP LESS
-Options which are passed to 
+Options which are passed to
 .I less
 automatically.
 .IP LESSANSIENDCHARS
@@ -1642,7 +1656,7 @@ Characters which may end an ANSI color escape sequence
 .IP LESSANSIMIDCHARS
 Characters which may appear between the ESC character and the
 end character in an ANSI color escape sequence
-(default "0123456789;[?!"'#%()*+\ ".
+(default "0123456789:;[?!"'#%()*+\ ".
 .IP LESSBINFMT
 Format for displaying non-printable, non-control characters.
 .IP LESSCHARDEF
@@ -1665,11 +1679,11 @@ Normally should be set to "global" if your system has the
 (1) command.  If not set, global tags are not used.
 .IP LESSHISTFILE
 Name of the history file used to remember search commands and
-shell commands between invocations of 
+shell commands between invocations of
 .I less.
 If set to "\-" or "/dev/null", a history file is not used.
 The default is "$HOME/.lesshst" on Unix systems, "$HOME/_lesshst" on
-DOS and Windows systems, or "$HOME/lesshst.ini" or "$INIT/lesshst.ini" 
+DOS and Windows systems, or "$HOME/lesshst.ini" or "$INIT/lesshst.ini"
 on OS/2 systems.
 .IP LESSHISTSIZE
 The maximum number of commands to save in the history file.
@@ -1695,7 +1709,7 @@ String to be appended to a directory name in filename completion.
 .IP LESSUTFBINFMT
 Format for displaying non-printable Unicode code points.
 .IP LESS_IS_MORE
-Emulate the 
+Emulate the
 .I more
 (1) command.
 .IP LINES
@@ -1707,11 +1721,11 @@ LINES and COLUMNS environment variables.)
 .IP MORE
 Options which are passed to
 .I less
-automatically when running in 
+automatically when running in
 .I more
 compatible mode.
 .IP PATH
-User's search path (used to find a lesskey file 
+User's search path (used to find a lesskey file
 on MS-DOS and OS/2 systems).
 .IP SHELL
 The shell used to execute the ! command, as well as to expand filenames.
@@ -1726,7 +1740,7 @@ The name of the editor (used for the v command).
 lesskey(1)
 
 .SH COPYRIGHT
-Copyright (C) 1984-2012  Mark Nudelman
+Copyright (C) 1984-2015  Mark Nudelman
 .PP
 less is part of the GNU project and is free software.
 You can redistribute it and/or modify it
@@ -1735,7 +1749,7 @@ under the terms of either
 the Free Software Foundation; or (2) the Less License.
 See the file README in the less distribution for more details
 regarding redistribution.
-You should have received a copy of the GNU General Public License 
+You should have received a copy of the GNU General Public License
 along with the source for less; see the file COPYING.
 If not, write to the Free Software Foundation, 59 Temple Place,
 Suite 330, Boston, MA  02111-1307, USA.
@@ -1749,12 +1763,12 @@ See the GNU General Public License for more details.
 
 .SH AUTHOR
 .PP
-Mark Nudelman 
+Mark Nudelman
 .br
 Send bug reports or comments to <bug-less@gnu.org>
 .br
 See http://www.greenwoodsoftware.com/less/bugs.html for the latest list of known bugs in less.
 .br
-For more information, see the less homepage at 
+For more information, see the less homepage at
 .br
 http://www.greenwoodsoftware.com/less.
diff --git a/contrib/less/lessecho.c b/contrib/less/lessecho.c
index 7098f2d..fb0b22d 100644
--- a/contrib/less/lessecho.c
+++ b/contrib/less/lessecho.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/lessecho.nro b/contrib/less/lessecho.nro
index d7fb390..78b893f 100644
--- a/contrib/less/lessecho.nro
+++ b/contrib/less/lessecho.nro
@@ -1,4 +1,4 @@
-.TH LESSECHO 1 "Version 458: 04 Apr 2013"
+.TH LESSECHO 1 "Version 481: 31 Aug 2015"
 .SH NAME
 lessecho \- expand metacharacters
 .SH SYNOPSIS
diff --git a/contrib/less/lesskey.c b/contrib/less/lesskey.c
index 3d7571e..298748b 100644
--- a/contrib/less/lesskey.c
+++ b/contrib/less/lesskey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -120,6 +120,7 @@ struct cmdname cmdnames[] =
 	{ "forw-search",          A_F_SEARCH },
 	{ "forw-window",          A_F_WINDOW },
 	{ "goto-end",             A_GOEND },
+	{ "goto-end-buffered",    A_GOEND_BUF },
 	{ "goto-line",            A_GOLINE },
 	{ "goto-mark",            A_GOMARK },
 	{ "help",                 A_HELP },
@@ -647,7 +648,7 @@ parse_cmdline(p)
 	do
 	{
 		s = tstr(&p, 1);
-		cmdlen += strlen(s);
+		cmdlen += (int) strlen(s);
 		if (cmdlen > MAX_CMDLEN)
 			error("command too long");
 		else
diff --git a/contrib/less/lesskey.h b/contrib/less/lesskey.h
index 91098a5..34b8c17 100644
--- a/contrib/less/lesskey.h
+++ b/contrib/less/lesskey.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/lesskey.nro b/contrib/less/lesskey.nro
index 2bbd887..826332d 100644
--- a/contrib/less/lesskey.nro
+++ b/contrib/less/lesskey.nro
@@ -1,4 +1,4 @@
-.TH LESSKEY 1 "Version 458: 04 Apr 2013"
+.TH LESSKEY 1 "Version 481: 31 Aug 2015"
 .SH NAME
 lesskey \- specify key bindings for less
 .SH SYNOPSIS
@@ -178,6 +178,8 @@ default command keys used by less:
 	\ee]		right-scroll
 	\ee(		left-scroll
 	\ee)		right-scroll
+	\ekl		left-scroll
+	\ekr		right-scroll
 	{		forw-bracket {}
 	}		back-bracket {}
 	(		forw-bracket ()
@@ -190,6 +192,7 @@ default command keys used by less:
 	\ee>		goto-end 
 	>		goto-end 
 	\eke	goto-end
+	\eeG		goto-end-buffered
 	=		status 
 	^G		status 
 	:f		status 
@@ -356,26 +359,29 @@ which start with a NUL character (0).
 This NUL character should be represented as \e340 in a lesskey file.
 
 .SH COPYRIGHT
-Copyright (C) 2000-2012  Mark Nudelman
+Copyright (C) 1984-2015  Mark Nudelman
 .PP
-lesskey is part of the GNU project and is free software;
-you can redistribute it and/or modify it
-under the terms of the GNU General Public License as published by
-the Free Software Foundation;
-either version 2, or (at your option) any later version.
+less is part of the GNU project and is free software.
+You can redistribute it and/or modify it
+under the terms of either
+(1) the GNU General Public License as published by
+the Free Software Foundation; or (2) the Less License.
+See the file README in the less distribution for more details
+regarding redistribution.
+You should have received a copy of the GNU General Public License
+along with the source for less; see the file COPYING.
+If not, write to the Free Software Foundation, 59 Temple Place,
+Suite 330, Boston, MA  02111-1307, USA.
+You should also have received a copy of the Less License;
+see the file LICENSE.
 .PP
-lesskey is distributed in the hope that it will be useful, but
+less is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 or FITNESS FOR A PARTICULAR PURPOSE.
 See the GNU General Public License for more details.
-.PP
-You should have received a copy of the GNU General Public License 
-along with lesskey; see the file COPYING.
-If not, write to the Free Software Foundation, 59 Temple Place,
-Suite 330, Boston, MA  02111-1307, USA.
 
 .SH AUTHOR
 .PP
-Mark Nudelman <bug-less@gnu.org>
+Mark Nudelman
 .br
-Send bug reports or comments to bug-less@gnu.org.
+Send bug reports or comments to <bug-less@gnu.org>.
diff --git a/contrib/less/lglob.h b/contrib/less/lglob.h
index b08d24c..87b5fb4 100644
--- a/contrib/less/lglob.h
+++ b/contrib/less/lglob.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/line.c b/contrib/less/line.c
index 1eb3914..e54835d 100644
--- a/contrib/less/line.c
+++ b/contrib/less/line.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -35,7 +35,7 @@ static int overstrike;		/* Next char should overstrike previous char */
 static int last_overstrike = AT_NORMAL;
 static int is_null_line;	/* There is no current line */
 static int lmargin;		/* Left margin */
-static char pendc;
+static LWCHAR pendc;
 static POSITION pendpos;
 static char *end_ansi_chars;
 static char *mid_ansi_chars;
@@ -78,7 +78,7 @@ init_line()
 
 	mid_ansi_chars = lgetenv("LESSANSIMIDCHARS");
 	if (mid_ansi_chars == NULL || *mid_ansi_chars == '\0')
-		mid_ansi_chars = "0123456789;[?!\"'#%()*+ ";
+		mid_ansi_chars = "0123456789:;[?!\"'#%()*+ ";
 
 	linebuf = (char *) ecalloc(LINEBUF_SIZE, sizeof(char));
 	attr = (char *) ecalloc(LINEBUF_SIZE, sizeof(char));
@@ -209,7 +209,7 @@ plinenum(pos)
 		int n;
 
 		linenumtoa(linenum, buf);
-		n = strlen(buf);
+		n = (int) strlen(buf);
 		if (n < MIN_LINENUM_WIDTH)
 			n = MIN_LINENUM_WIDTH;
 		sprintf(linebuf+curr, "%*s ", n, buf);
@@ -491,7 +491,7 @@ backc()
 	       && column > lmargin
 	       && (!(attr[curr - 1] & (AT_ANSI|AT_BINARY))))
 	{
-		curr = p - linebuf;
+		curr = (int) (p - linebuf);
 		prev_ch = step_char(&p, -1, linebuf + lmargin);
 		width = pwidth(ch, attr[curr], prev_ch);
 		column -= width;
@@ -604,7 +604,7 @@ store_char(ch, a, rep, pos)
 			do {
 				bch = step_char(&p, -1, linebuf);
 			} while (p > linebuf && !IS_CSI_START(bch));
-			curr = p - linebuf;
+			curr = (int) (p - linebuf);
 			return 0;
 		}
 		a = AT_ANSI;	/* Will force re-AT_'ing around it.  */
@@ -697,7 +697,7 @@ store_tab(attr, pos)
 
 	static int
 store_prchar(c, pos)
-	char c;
+	LWCHAR c;
 	POSITION pos;
 {
 	char *s;
@@ -741,13 +741,15 @@ flush_mbc_buf(pos)
  */
 	public int
 pappend(c, pos)
-	char c;
+	unsigned char c;
 	POSITION pos;
 {
 	int r;
 
 	if (pendc)
 	{
+		if (c == '\r' && pendc == '\r')
+			return (0);
 		if (do_append(pendc, NULL, pendpos))
 			/*
 			 * Oops.  We've probably lost the char which
@@ -781,7 +783,7 @@ pappend(c, pos)
 
 	if (!utf_mode)
 	{
-		r = do_append((LWCHAR) c, NULL, pos);
+		r = do_append(c, NULL, pos);
 	} else
 	{
 		/* Perform strict validation in all possible cases. */
@@ -791,7 +793,7 @@ pappend(c, pos)
 			mbc_buf_index = 1;
 			*mbc_buf = c;
 			if (IS_ASCII_OCTET(c))
-				r = do_append((LWCHAR) c, NULL, pos);
+				r = do_append(c, NULL, pos);
 			else if (IS_UTF8_LEAD(c))
 			{
 				mbc_buf_len = utf_len(c);
@@ -805,7 +807,7 @@ pappend(c, pos)
 			mbc_buf[mbc_buf_index++] = c;
 			if (mbc_buf_index < mbc_buf_len)
 				return (0);
-			if (is_utf8_well_formed(mbc_buf))
+			if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
 				r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
 			else
 				/* Complete, but not shortest form, sequence. */
@@ -885,8 +887,14 @@ do_append(ch, rep, pos)
 		 * or just deletion of the character in the buffer.
 		 */
 		overstrike = utf_mode ? -1 : 0;
-		/* To be correct, this must be a base character.  */
-		prev_ch = get_wchar(linebuf + curr);
+		if (utf_mode)
+		{
+			/* To be correct, this must be a base character.  */
+			prev_ch = get_wchar(linebuf + curr);
+		} else
+		{
+			prev_ch = (unsigned char) linebuf[curr];
+		}
 		a = attr[curr];
 		if (ch == prev_ch)
 		{
diff --git a/contrib/less/linenum.c b/contrib/less/linenum.c
index 4f45be8..6d078ec 100644
--- a/contrib/less/linenum.c
+++ b/contrib/less/linenum.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -216,7 +216,7 @@ longloopmessage()
 
 static int loopcount;
 #if HAVE_TIME
-static long startime;
+static time_type startime;
 #endif
 
 	static void
diff --git a/contrib/less/lsystem.c b/contrib/less/lsystem.c
index 674e5a2..8a7cb8f 100644
--- a/contrib/less/lsystem.c
+++ b/contrib/less/lsystem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -137,7 +137,7 @@ lsystem(cmd, donemsg)
 			char *esccmd = shell_quote(cmd);
 			if (esccmd != NULL)
 			{
-				int len = strlen(shell) + strlen(esccmd) + 5;
+				int len = (int) (strlen(shell) + strlen(esccmd) + 5);
 				p = (char *) ecalloc(len, sizeof(char));
 				SNPRINTF3(p, len, "%s %s %s", shell, shell_coption(), esccmd);
 				free(esccmd);
diff --git a/contrib/less/main.c b/contrib/less/main.c
index 4a66147..6cfd34d 100644
--- a/contrib/less/main.c
+++ b/contrib/less/main.c
@@ -1,6 +1,6 @@
 /* $FreeBSD$ */
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -57,7 +57,6 @@ static char consoleTitle[256];
 extern int	less_is_more;
 extern int	missing_cap;
 extern int	know_dumb;
-extern int	quit_if_one_screen;
 extern int	no_init;
 extern int	pr_type;
 
@@ -167,8 +166,6 @@ main(argc, argv)
 
 	if (less_is_more)
 		no_init = TRUE;
-	if (less_is_more && get_quit_at_eof())
-		quit_if_one_screen = TRUE;
 
 #if EDITOR
 	editor = lgetenv("VISUAL");
diff --git a/contrib/less/mark.c b/contrib/less/mark.c
index c61ce03..44d606f 100644
--- a/contrib/less/mark.c
+++ b/contrib/less/mark.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -15,14 +15,6 @@ extern int sc_height;
 extern int jump_sline;
 
 /*
- * A mark is an ifile (input file) plus a position within the file.
- */
-struct mark {
-	IFILE m_ifile;
-	struct scrpos m_scrpos;
-};
-
-/*
  * The table of marks.
  * Each mark is identified by a lowercase or uppercase letter.
  * The final one is lmark, for the "last mark"; addressed by the apostrophe.
diff --git a/contrib/less/mkhelp.c b/contrib/less/mkhelp.c
index 45530fd..d4e4063 100644
--- a/contrib/less/mkhelp.c
+++ b/contrib/less/mkhelp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/mkutable b/contrib/less/mkutable
new file mode 100755
index 0000000..803335b
--- /dev/null
+++ b/contrib/less/mkutable
@@ -0,0 +1,75 @@
+#! /usr/bin/perl
+use strict;
+
+my $USAGE = <<__EOF__;
+   usage: mkutable [-n] [-f#] type... [--] [<] UnicodeData.txt
+          -n = take non-matching types
+	  -f = zero-based type field (default 2)
+__EOF__
+
+use vars qw( $opt_f $opt_n );
+use Getopt::Std;
+my $type_field = 2;
+
+exit (main() ? 1 : 0);
+
+sub main {
+    my $date = `date`;
+    chomp $date;
+    my $args = join ' ', @ARGV;
+    my $header = "/* Generated by \"$0 $args\" on $date */\n";
+
+    die $USAGE if not getopts('f:n');
+    $type_field = $opt_f if $opt_f;
+    my %types;
+    my $arg;
+    while ($arg = shift @ARGV) {
+        last if $arg eq '--';
+        $types{$arg} = 1;
+    }
+    my %out = ( 'types' => \%types );
+    my $last_code = 0;
+
+    print $header;
+    while (<>) {
+        chomp;
+        s/#.*//;
+        my @fields = split /;/;
+        next if not @fields;
+        my $code = hex $fields[0];
+        my $type = $fields[$type_field];
+        $type =~ s/\s//g;
+        while (++$last_code < $code) {
+            output(\%out, $last_code, '?');
+        }
+        output(\%out, $code, $type);
+    }
+    output(\%out, $last_code+1, '?');
+}
+
+sub output {
+    my ($out, $code, $type) = @_;
+    my $match = ${${$out}{types}}{$type};
+    my $type_change = (not $$out{start_type} or $type ne $$out{start_type});
+    $match = not $match if $opt_n;
+    if ($match and (not $$out{in_run} or $type_change)) {
+        end_run($out, $code-1);
+        start_run($out, $code, $type);
+    } elsif (not $match and $$out{in_run}) {
+        end_run($out, $code-1);
+    }
+}
+
+sub start_run {
+    my ($out, $code, $type) = @_;
+    $$out{start_code} = $code;
+    $$out{start_type} = $type;
+    $$out{in_run} = 1;
+}
+
+sub end_run {
+    my ($out, $code) = @_;
+    return if not $$out{in_run};
+    printf "\t{ 0x%04x, 0x%04x }, /* %s */\n", $$out{start_code}, $code, $$out{start_type};
+    $$out{in_run} = 0;
+}
diff --git a/contrib/less/optfunc.c b/contrib/less/optfunc.c
index e3cd57f..c3bb6b2 100644
--- a/contrib/less/optfunc.c
+++ b/contrib/less/optfunc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -43,6 +43,7 @@ extern char *prproto[];
 extern char *eqproto;
 extern char *hproto;
 extern char *wproto;
+extern char *every_first_cmd;
 extern IFILE curr_ifile;
 extern char version[];
 extern int jump_sline;
@@ -58,6 +59,7 @@ extern int logfile;
 #if TAGS
 public char *tagoption = NULL;
 extern char *tags;
+extern char ztags[];
 #endif
 #if MSDOS_COMPILER
 extern int nm_fg_color, nm_bg_color;
@@ -87,7 +89,7 @@ opt_o(type, s)
 	switch (type)
 	{
 	case INIT:
-		namelogfile = s;
+		namelogfile = save(s);
 		break;
 	case TOGGLE:
 		if (ch_getflags() & CH_CANSEEK)
@@ -101,6 +103,8 @@ opt_o(type, s)
 			return;
 		}
 		s = skipsp(s);
+		if (namelogfile != NULL)
+			free(namelogfile);
 		namelogfile = lglob(s);
 		use_logfile(namelogfile);
 		sync_logfile();
@@ -176,7 +180,7 @@ opt_j(type, s)
 		{
 
 			sprintf(buf, ".%06d", jump_sline_fraction);
-			len = strlen(buf);
+			len = (int) strlen(buf);
 			while (len > 2 && buf[len-1] == '0')
 				len--;
 			buf[len] = '\0';
@@ -241,7 +245,7 @@ opt_shift(type, s)
 		{
 
 			sprintf(buf, ".%06d", shift_count_fraction);
-			len = strlen(buf);
+			len = (int) strlen(buf);
 			while (len > 2 && buf[len-1] == '0')
 				len--;
 			buf[len] = '\0';
@@ -295,7 +299,7 @@ opt_t(type, s)
 	switch (type)
 	{
 	case INIT:
-		tagoption = s;
+		tagoption = save(s);
 		/* Do the rest in main() */
 		break;
 	case TOGGLE:
@@ -335,10 +339,12 @@ opt__T(type, s)
 	switch (type)
 	{
 	case INIT:
-		tags = s;
+		tags = save(s);
 		break;
 	case TOGGLE:
 		s = skipsp(s);
+		if (tags != NULL && tags != ztags)
+			free(tags);
 		tags = lglob(s);
 		break;
 	case QUERY:
@@ -361,18 +367,26 @@ opt_p(type, s)
 	{
 	case INIT:
 		/*
-		 * Unget a search command for the specified string.
-		 * {{ This won't work if the "/" command is
-		 *    changed or invalidated by a .lesskey file. }}
+		 * Unget a command for the specified string.
 		 */
-		plusoption = TRUE;
-		ungetsc(s);
-		/*
-		 * In "more" mode, the -p argument is a command,
-		 * not a search string, so we don't need a slash.
-		 */
-		if (!less_is_more)
+		if (less_is_more)
+		{
+			/*
+			 * In "more" mode, the -p argument is a command,
+			 * not a search string, so we don't need a slash.
+			 */
+			every_first_cmd = save(s);
+		} else
+		{
+			plusoption = TRUE;
+			ungetcc(CHAR_END_COMMAND);
+			ungetsc(s);
+			 /*
+			  * {{ This won't work if the "/" command is
+			  *    changed or invalidated by a .lesskey file. }}
+			  */
 			ungetsc("/");
+		}
 		break;
 	}
 }
@@ -503,7 +517,7 @@ opt__V(type, s)
 		putstr("no ");
 #endif
 		putstr("regular expressions)\n");
-		putstr("Copyright (C) 1984-2012 Mark Nudelman\n\n");
+		putstr("Copyright (C) 1984-2015  Mark Nudelman\n\n");
 		putstr("less comes with NO WARRANTY, to the extent permitted by law.\n");
 		putstr("For information about the terms of redistribution,\n");
 		putstr("see the file named README in the less distribution.\n");
diff --git a/contrib/less/option.c b/contrib/less/option.c
index 2c26dc6..256f569 100644
--- a/contrib/less/option.c
+++ b/contrib/less/option.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -152,7 +152,10 @@ scan_option(s)
 			if (*str == '+')
 				every_first_cmd = save(str+1);
 			else
+			{
+				ungetcc(CHAR_END_COMMAND);
 				ungetsc(str);
+			}
 			free(str);
 			continue;
 		case '0':  case '1':  case '2':  case '3':  case '4':
@@ -701,5 +704,5 @@ get_quit_at_eof()
 	if (!less_is_more)
 		return quit_at_eof;
 	/* When less_is_more is set, the -e flag semantics are different. */
-	return quit_at_eof ? OPT_ON : OPT_ONPLUS;
+	return quit_at_eof ? OPT_ONPLUS : OPT_ON;
 }
diff --git a/contrib/less/option.h b/contrib/less/option.h
index c11ad3b..dc97d75f 100644
--- a/contrib/less/option.h
+++ b/contrib/less/option.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/opttbl.c b/contrib/less/opttbl.c
index 6f582bf..b896391 100644
--- a/contrib/less/opttbl.c
+++ b/contrib/less/opttbl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/os.c b/contrib/less/os.c
index eb75bba..530abe1 100644
--- a/contrib/less/os.c
+++ b/contrib/less/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -33,12 +33,6 @@
 #include <values.h>
 #endif
 
-#if HAVE_TIME_T
-#define time_type	time_t
-#else
-#define	time_type	long
-#endif
-
 /*
  * BSD setjmp() saves (and longjmp() restores) the signal mask.
  * This costs a system call or two per setjmp(), so if possible we clear the
@@ -191,7 +185,7 @@ intread()
  * Return the current time.
  */
 #if HAVE_TIME
-	public long
+	public time_type
 get_time()
 {
 	time_type t;
@@ -243,7 +237,7 @@ errno_message(filename)
 #else
 	p = "cannot open";
 #endif
-	len = strlen(filename) + strlen(p) + 3;
+	len = (int) (strlen(filename) + strlen(p) + 3);
 	m = (char *) ecalloc(len, sizeof(char));
 	SNPRINTF2(m, len, "%s: %s", filename, p);
 	return (m);
diff --git a/contrib/less/output.c b/contrib/less/output.c
index e1f2cff..d6cfc38 100644
--- a/contrib/less/output.c
+++ b/contrib/less/output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -98,7 +98,7 @@ flush()
 	register int n;
 	register int fd;
 
-	n = ob - obuf;
+	n = (int) (ob - obuf);
 	if (n == 0)
 		return;
 
@@ -197,7 +197,7 @@ flush()
 							 * Leave it unprocessed
 							 * in the buffer.
 							 */
-							int slop = q - anchor;
+							int slop = (int) (q - anchor);
 							/* {{ strcpy args overlap! }} */
 							strcpy(obuf, anchor);
 							ob = &obuf[slop];
@@ -423,7 +423,7 @@ iprint_int(num)
 
 	inttoa(num, buf);
 	putstr(buf);
-	return (strlen(buf));
+	return ((int) strlen(buf));
 }
 
 /*
@@ -437,7 +437,7 @@ iprint_linenum(num)
 
 	linenumtoa(num, buf);
 	putstr(buf);
-	return (strlen(buf));
+	return ((int) strlen(buf));
 }
 
 /*
diff --git a/contrib/less/pattern.c b/contrib/less/pattern.c
index fa26b99..71141c7 100644
--- a/contrib/less/pattern.c
+++ b/contrib/less/pattern.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -20,10 +20,11 @@ extern int caseless;
  * Compile a search pattern, for future use by match_pattern.
  */
 	static int
-compile_pattern2(pattern, search_type, comp_pattern)
+compile_pattern2(pattern, search_type, comp_pattern, show_error)
 	char *pattern;
 	int search_type;
 	void **comp_pattern;
+	int show_error;
 {
 	if (search_type & SRCH_NO_REGEX)
 		return (0);
@@ -37,7 +38,8 @@ compile_pattern2(pattern, search_type, comp_pattern)
 	if (re_compile_pattern(pattern, strlen(pattern), comp))
 	{
 		free(comp);
-		error("Invalid pattern", NULL_PARG);
+		if (show_error)
+			error("Invalid pattern", NULL_PARG);
 		return (-1);
 	}
 	if (*pcomp != NULL)
@@ -50,7 +52,8 @@ compile_pattern2(pattern, search_type, comp_pattern)
 	if (regcomp(comp, pattern, REGCOMP_FLAG))
 	{
 		free(comp);
-		error("Invalid pattern", NULL_PARG);
+		if (show_error)
+			error("Invalid pattern", NULL_PARG);
 		return (-1);
 	}
 	if (*pcomp != NULL)
@@ -68,7 +71,8 @@ compile_pattern2(pattern, search_type, comp_pattern)
 	if (comp == NULL)
 	{
 		parg.p_string = (char *) errstring;
-		error("%s", &parg);
+		if (show_error)
+			error("%s", &parg);
 		return (-1);
 	}
 	*pcomp = comp;
@@ -78,7 +82,8 @@ compile_pattern2(pattern, search_type, comp_pattern)
 	int *pcomp = (int *) comp_pattern;
 	if ((parg.p_string = re_comp(pattern)) != NULL)
 	{
-		error("%s", &parg);
+		if (show_error)
+			error("%s", &parg);
 		return (-1);
 	}
 	*pcomp = 1;
@@ -88,7 +93,8 @@ compile_pattern2(pattern, search_type, comp_pattern)
 	char **pcomp = (char **) comp_pattern;
 	if ((comp = regcmp(pattern, 0)) == NULL)
 	{
-		error("Invalid pattern", NULL_PARG);
+		if (show_error)
+			error("Invalid pattern", NULL_PARG);
 		return (-1);
 	}
 	if (pcomp != NULL)
@@ -98,7 +104,10 @@ compile_pattern2(pattern, search_type, comp_pattern)
 #if HAVE_V8_REGCOMP
 	struct regexp *comp;
 	struct regexp **pcomp = (struct regexp **) comp_pattern;
-	if ((comp = regcomp(pattern)) == NULL)
+	reg_show_error = show_error;
+	comp = regcomp(pattern);
+	reg_show_error = 1;
+	if (comp == NULL)
 	{
 		/*
 		 * regcomp has already printed an error message 
@@ -133,7 +142,7 @@ compile_pattern(pattern, search_type, comp_pattern)
 		cvt_pattern = (char*) ecalloc(1, cvt_length(strlen(pattern), CVT_TO_LC));
 		cvt_text(cvt_pattern, pattern, (int *)NULL, (int *)NULL, CVT_TO_LC);
 	}
-	result = compile_pattern2(cvt_pattern, search_type, comp_pattern);
+	result = compile_pattern2(cvt_pattern, search_type, comp_pattern, 1);
 	if (cvt_pattern != pattern)
 		free(cvt_pattern);
 	return (result);
@@ -183,6 +192,24 @@ uncompile_pattern(pattern)
 }
 
 /*
+ * Can a pattern be successfully compiled?
+ */
+	public int
+valid_pattern(pattern)
+	char *pattern;
+{
+	void *comp_pattern;
+	int result;
+
+	CLEAR_PATTERN(comp_pattern);
+	result = compile_pattern2(pattern, 0, &comp_pattern, 0);
+	if (result != 0)
+		return (0);
+	uncompile_pattern(&comp_pattern);
+	return (1);
+}
+
+/*
  * Is a compiled pattern null?
  */
 	public int
@@ -207,6 +234,9 @@ is_null_pattern(pattern)
 #if HAVE_V8_REGCOMP
 	return (pattern == NULL);
 #endif
+#if NO_REGEX
+	return (pattern == NULL);
+#endif
 }
 
 /*
@@ -227,9 +257,17 @@ match(pattern, pattern_len, buf, buf_len, pfound, pend)
 
 	for ( ;  buf < buf_end;  buf++)
 	{
-		for (pp = pattern, lp = buf;  *pp == *lp;  pp++, lp++)
+		for (pp = pattern, lp = buf;  ;  pp++, lp++)
+		{
+			char cp = *pp;
+			char cl = *lp;
+			if (caseless == OPT_ONPLUS && ASCII_IS_UPPER(cp))
+				cp = ASCII_TO_LOWER(cp);
+			if (cp != cl)
+				break;
 			if (pp == pattern_end || lp == buf_end)
 				break;
+		}
 		if (pp == pattern_end)
 		{
 			if (pfound != NULL)
@@ -277,6 +315,7 @@ match_pattern(pattern, tpattern, line, line_len, sp, ep, notbol, search_type)
 	struct regexp *spattern = (struct regexp *) pattern;
 #endif
 
+	*sp = *ep = NULL;
 #if NO_REGEX
 	search_type |= SRCH_NO_REGEX;
 #endif
@@ -287,24 +326,25 @@ match_pattern(pattern, tpattern, line, line_len, sp, ep, notbol, search_type)
 #if HAVE_GNU_REGEX
 	{
 		struct re_registers search_regs;
-		regoff_t *starts = (regoff_t *) ecalloc(1, sizeof (regoff_t));
-		regoff_t *ends = (regoff_t *) ecalloc(1, sizeof (regoff_t));
 		spattern->not_bol = notbol;
-		re_set_registers(spattern, &search_regs, 1, starts, ends);
+		spattern->regs_allocated = REGS_UNALLOCATED;
 		matched = re_search(spattern, line, line_len, 0, line_len, &search_regs) >= 0;
 		if (matched)
 		{
 			*sp = line + search_regs.start[0];
 			*ep = line + search_regs.end[0];
 		}
-		free(starts);
-		free(ends);
 	}
 #endif
 #if HAVE_POSIX_REGCOMP
 	{
 		regmatch_t rm;
 		int flags = (notbol) ? REG_NOTBOL : 0;
+#ifdef REG_STARTEND
+		flags |= REG_STARTEND;
+		rm.rm_so = 0;
+		rm.rm_eo = line_len;
+#endif
 		matched = !regexec(spattern, line, 1, &rm, flags);
 		if (matched)
 		{
diff --git a/contrib/less/pattern.h b/contrib/less/pattern.h
index 0a90d5d..712fdcf 100644
--- a/contrib/less/pattern.h
+++ b/contrib/less/pattern.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -49,6 +49,7 @@ extern char *__loc1;
 
 #if HAVE_V8_REGCOMP
 #include "regexp.h"
+extern int reg_show_error;
 #define DEFINE_PATTERN(name)  struct regexp *name
 #define CLEAR_PATTERN(name)   name = NULL
 #endif
diff --git a/contrib/less/pckeys.h b/contrib/less/pckeys.h
index b673756..8fb6800 100644
--- a/contrib/less/pckeys.h
+++ b/contrib/less/pckeys.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/position.c b/contrib/less/position.c
index b655f07..dc80fd6 100644
--- a/contrib/less/position.c
+++ b/contrib/less/position.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/position.h b/contrib/less/position.h
index 3b96637..e0e2bff 100644
--- a/contrib/less/position.h
+++ b/contrib/less/position.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/prompt.c b/contrib/less/prompt.c
index f374101..50ced97 100644
--- a/contrib/less/prompt.c
+++ b/contrib/less/prompt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -85,9 +85,9 @@ ap_str(s)
 {
 	int len;
 
-	len = strlen(s);
+	len = (int) strlen(s);
 	if (mp + len >= message + PROMPT_SIZE)
-		len = message + PROMPT_SIZE - mp - 1;
+		len = (int) (message + PROMPT_SIZE - mp - 1);
 	strncpy(mp, s, len);
 	mp += len;
 	*mp = '\0';
diff --git a/contrib/less/regexp.c b/contrib/less/regexp.c
index 77ab611..fcf7c9a 100644
--- a/contrib/less/regexp.c
+++ b/contrib/less/regexp.c
@@ -243,7 +243,10 @@ char *exp;
 	regcode = r->program;
 	regc(MAGIC);
 	if (reg(0, &flags) == NULL)
+	{
+		free(r);
 		return(NULL);
+	}
 
 	/* Dig out information for optimizations. */
 	r->regstart = '\0';	/* Worst-case defaults. */
@@ -274,7 +277,7 @@ char *exp;
 			for (; scan != NULL; scan = regnext(scan))
 				if (OP(scan) == EXACTLY && ((int) strlen(OPERAND(scan))) >= len) {
 					longest = OPERAND(scan);
-					len = strlen(OPERAND(scan));
+					len = (int) strlen(OPERAND(scan));
 				}
 			r->regmust = longest;
 			r->regmlen = len;
@@ -554,7 +557,7 @@ int *flagp;
 			register char ender;
 
 			regparse--;
-			len = strcspn(regparse, META);
+			len = (int) strcspn(regparse, META);
 			if (len <= 0)
 				FAIL("internal disaster");
 			ender = *(regparse+len);
@@ -670,9 +673,9 @@ char *val;
 	}
 
 	if (OP(scan) == BACK)
-		offset = scan - val;
+		offset = (int) (scan - val);
 	else
-		offset = val - scan;
+		offset = (int) (val - scan);
 	*(scan+1) = (offset>>8)&0377;
 	*(scan+2) = offset&0377;
 }
@@ -870,7 +873,7 @@ char *prog;
 				/* Inline the first character, for speed. */
 				if (*opnd != *reginput)
 					return(0);
-				len = strlen(opnd);
+				len = (int) strlen(opnd);
 				if (len > 1 && strncmp(opnd, reginput, len) != 0)
 					return(0);
 				reginput += len;
@@ -1034,7 +1037,7 @@ char *p;
 	opnd = OPERAND(p);
 	switch (OP(p)) {
 	case ANY:
-		count = strlen(scan);
+		count = (int) strlen(scan);
 		scan += count;
 		break;
 	case EXACTLY:
diff --git a/contrib/less/screen.c b/contrib/less/screen.c
index a79eba2..8f8a433 100644
--- a/contrib/less/screen.c
+++ b/contrib/less/screen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/scrsize.c b/contrib/less/scrsize.c
index 9f786fe..91fc03f 100644
--- a/contrib/less/scrsize.c
+++ b/contrib/less/scrsize.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/search.c b/contrib/less/search.c
index 24d4210..e824acb 100644
--- a/contrib/less/search.c
+++ b/contrib/less/search.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -45,15 +45,57 @@ static POSITION prep_endpos;
 static int is_caseless;
 static int is_ucase_pattern;
 
+/*
+ * Structures for maintaining a set of ranges for hilites and filtered-out
+ * lines. Each range is stored as a node within a red-black tree, and we
+ * try to extend existing ranges (without creating overlaps) rather than
+ * create new nodes if possible. We remember the last node found by a
+ * search for constant-time lookup if the next search is near enough to
+ * the previous. To aid that, we overlay a secondary doubly-linked list
+ * on top of the red-black tree so we can find the preceding/succeeding
+ * nodes also in constant time.
+ *
+ * Each node is allocated from a series of pools, each pool double the size
+ * of the previous (for amortised constant time allocation). Since our only
+ * tree operations are clear and node insertion, not node removal, we don't
+ * need to maintain a usage bitmap or freelist and can just return nodes
+ * from the pool in-order until capacity is reached.
+ */
 struct hilite
 {
-	struct hilite *hl_next;
 	POSITION hl_startpos;
 	POSITION hl_endpos;
 };
-static struct hilite hilite_anchor = { NULL, NULL_POSITION, NULL_POSITION };
-static struct hilite filter_anchor = { NULL, NULL_POSITION, NULL_POSITION };
-#define	hl_first	hl_next
+struct hilite_node
+{
+	struct hilite_node *parent;
+	struct hilite_node *left;
+	struct hilite_node *right;
+	struct hilite_node *prev;
+	struct hilite_node *next;
+	int red;
+	struct hilite r;
+};
+struct hilite_storage
+{
+	int capacity;
+	int used;
+	struct hilite_storage *next;
+	struct hilite_node *nodes;
+};
+struct hilite_tree
+{
+	struct hilite_storage *first;
+	struct hilite_storage *current;
+	struct hilite_node *root;
+	struct hilite_node *lookaside;
+};
+#define HILITE_INITIALIZER() { NULL, NULL, NULL, NULL }
+#define HILITE_LOOKASIDE_STEPS 2
+
+static struct hilite_tree hilite_anchor = HILITE_INITIALIZER();
+static struct hilite_tree filter_anchor = HILITE_INITIALIZER();
+
 #endif
 
 /*
@@ -219,7 +261,6 @@ repaint_hilite(on)
 {
 	int slinenum;
 	POSITION pos;
-	POSITION epos;
 	int save_hide_hilite;
 
 	if (squished)
@@ -245,7 +286,6 @@ repaint_hilite(on)
 		pos = position(slinenum);
 		if (pos == NULL_POSITION)
 			continue;
-		epos = position(slinenum+1);
 		(void) forw_line(pos);
 		goto_line(slinenum);
 		put_line();
@@ -324,17 +364,23 @@ undo_search()
  */
 	public void
 clr_hlist(anchor)
-	struct hilite *anchor;
+	struct hilite_tree *anchor;
 {
-	struct hilite *hl;
-	struct hilite *nexthl;
+	struct hilite_storage *hls;
+	struct hilite_storage *nexthls;
 
-	for (hl = anchor->hl_first;  hl != NULL;  hl = nexthl)
+	for (hls = anchor->first;  hls != NULL;  hls = nexthls)
 	{
-		nexthl = hl->hl_next;
-		free((void*)hl);
+		nexthls = hls->next;
+		free((void*)hls->nodes);
+		free((void*)hls);
 	}
-	anchor->hl_first = NULL;
+	anchor->first = NULL;
+	anchor->current = NULL;
+	anchor->root = NULL;
+
+	anchor->lookaside = NULL;
+
 	prep_startpos = prep_endpos = NULL_POSITION;
 }
 
@@ -350,6 +396,126 @@ clr_filter()
 	clr_hlist(&filter_anchor);
 }
 
+	struct hilite_node*
+hlist_last(anchor)
+	struct hilite_tree *anchor;
+{
+	struct hilite_node *n = anchor->root;
+	while (n != NULL && n->right != NULL)
+		n = n->right;
+	return n;
+}
+
+	struct hilite_node*
+hlist_next(n)
+	struct hilite_node *n;
+{
+	return n->next;
+}
+
+	struct hilite_node*
+hlist_prev(n)
+	struct hilite_node *n;
+{
+	return n->prev;
+}
+
+/*
+ * Find the node covering pos, or the node after it if no node covers it,
+ * or return NULL if pos is after the last range. Remember the found node,
+ * to speed up subsequent searches for the same or similar positions (if
+ * we return NULL, remember the last node.)
+ */
+	struct hilite_node*
+hlist_find(anchor, pos)
+	struct hilite_tree *anchor;
+	POSITION pos;
+{
+	struct hilite_node *n, *m;
+
+	if (anchor->lookaside)
+	{
+		int steps = 0;
+		int hit = 0;
+
+		n = anchor->lookaside;
+
+		for (;;)
+		{
+			if (pos < n->r.hl_endpos)
+			{
+				if (n->prev == NULL || pos >= n->prev->r.hl_endpos)
+				{
+					hit = 1;
+					break;
+				}
+			} else if (n->next == NULL)
+			{
+				n = NULL;
+				hit = 1;
+				break;
+			}
+
+			/*
+			 * If we don't find the right node within a small
+			 * distance, don't keep doing a linear search!
+			 */
+			if (steps >= HILITE_LOOKASIDE_STEPS)
+				break;
+			steps++;
+
+			if (pos < n->r.hl_endpos)
+				anchor->lookaside = n = n->prev;
+			else
+				anchor->lookaside = n = n->next;
+		}
+
+		if (hit)
+			return n;
+	}
+
+	n = anchor->root;
+	m = NULL;
+
+	while (n != NULL)
+	{
+		if (pos < n->r.hl_startpos)
+		{
+			if (n->left != NULL)
+			{
+				m = n;
+				n = n->left;
+				continue;
+			}
+			break;
+		}
+		if (pos >= n->r.hl_endpos)
+		{
+			if (n->right != NULL)
+			{
+				n = n->right;
+				continue;
+			}
+			if (m != NULL)
+			{
+				n = m;
+			} else
+			{
+				m = n;
+				n = NULL;
+			}
+		}
+		break;
+	}
+
+	if (n != NULL)
+		anchor->lookaside = n;
+	else if (m != NULL)
+		anchor->lookaside = m;
+
+	return n;
+}
+
 /*
  * Should any characters in a specified range be highlighted?
  */
@@ -358,18 +524,8 @@ is_hilited_range(pos, epos)
 	POSITION pos;
 	POSITION epos;
 {
-	struct hilite *hl;
-
-	/*
-	 * Look at each highlight and see if any part of it falls in the range.
-	 */
-	for (hl = hilite_anchor.hl_first;  hl != NULL;  hl = hl->hl_next)
-	{
-		if (hl->hl_endpos > pos &&
-		    (epos == NULL_POSITION || epos > hl->hl_startpos))
-			return (1);
-	}
-	return (0);
+	struct hilite_node *n = hlist_find(&hilite_anchor, pos);
+	return (n != NULL && (epos == NULL_POSITION || epos > n->r.hl_startpos));
 }
 
 /* 
@@ -379,24 +535,64 @@ is_hilited_range(pos, epos)
 is_filtered(pos)
 	POSITION pos;
 {
-	struct hilite *hl;
+	struct hilite_node *n;
 
 	if (ch_getflags() & CH_HELPFILE)
 		return (0);
 
-	/*
-	 * Look at each filter and see if the start position
-	 * equals the start position of the line.
-	 */
-	for (hl = filter_anchor.hl_first;  hl != NULL;  hl = hl->hl_next)
+	n = hlist_find(&filter_anchor, pos);
+	return (n != NULL && pos >= n->r.hl_startpos);
+}
+
+/*
+ * If pos is hidden, return the next position which isn't, otherwise
+ * just return pos.
+ */
+	public POSITION
+next_unfiltered(pos)
+	POSITION pos;
+{
+	struct hilite_node *n;
+
+	if (ch_getflags() & CH_HELPFILE)
+		return (pos);
+
+	n = hlist_find(&filter_anchor, pos);
+	while (n != NULL && pos >= n->r.hl_startpos)
 	{
-		if (hl->hl_startpos == pos)
-			return (1);
+		pos = n->r.hl_endpos;
+		n = n->next;
 	}
-	return (0);
+	return (pos);
 }
 
 /*
+ * If pos is hidden, return the previous position which isn't or 0 if
+ * we're filtered right to the beginning, otherwise just return pos.
+ */
+	public POSITION
+prev_unfiltered(pos)
+	POSITION pos;
+{
+	struct hilite_node *n;
+
+	if (ch_getflags() & CH_HELPFILE)
+		return (pos);
+
+	n = hlist_find(&filter_anchor, pos);
+	while (n != NULL && pos >= n->r.hl_startpos)
+	{
+		pos = n->r.hl_startpos;
+		if (pos == 0)
+			break;
+		pos--;
+		n = n->prev;
+	}
+	return (pos);
+}
+
+
+/*
  * Should any characters in a specified range be highlighted?
  * If nohide is nonzero, don't consider hide_hilite.
  */
@@ -447,43 +643,288 @@ is_hilited(pos, epos, nohide, p_matches)
 }
 
 /*
+ * Tree node storage: get the current block of nodes if it has spare
+ * capacity, or create a new one if not.
+ */
+	static struct hilite_storage*
+hlist_getstorage(anchor)
+	struct hilite_tree *anchor;
+{
+	int capacity = 1;
+	struct hilite_storage *s;
+
+	if (anchor->current)
+	{
+		if (anchor->current->used < anchor->current->capacity)
+			return anchor->current;
+		capacity = anchor->current->capacity * 2;
+	}
+
+	s = (struct hilite_storage *) ecalloc(1, sizeof(struct hilite_storage));
+	s->nodes = (struct hilite_node *) ecalloc(capacity, sizeof(struct hilite_node));
+	s->capacity = capacity;
+	s->used = 0;
+	s->next = NULL;
+	if (anchor->current)
+		anchor->current->next = s;
+	else
+		anchor->first = s;
+	anchor->current = s;
+	return s;
+}
+
+/*
+ * Tree node storage: retrieve a new empty node to be inserted into the
+ * tree.
+ */
+	static struct hilite_node*
+hlist_getnode(anchor)
+	struct hilite_tree *anchor;
+{
+	struct hilite_storage *s = hlist_getstorage(anchor);
+	return &s->nodes[s->used++];
+}
+
+/*
+ * Rotate the tree left around a pivot node.
+ */
+	static void
+hlist_rotate_left(anchor, n)
+	struct hilite_tree *anchor;
+	struct hilite_node *n;
+{
+	struct hilite_node *np = n->parent;
+	struct hilite_node *nr = n->right;
+	struct hilite_node *nrl = n->right->left;
+
+	if (np != NULL)
+	{
+		if (n == np->left)
+			np->left = nr;
+		else
+			np->right = nr;
+	} else
+	{
+		anchor->root = nr;
+	}
+	nr->left = n;
+	n->right = nrl;
+
+	nr->parent = np;
+	n->parent = nr;
+	if (nrl != NULL)
+		nrl->parent = n;
+}
+
+/*
+ * Rotate the tree right around a pivot node.
+ */
+	static void
+hlist_rotate_right(anchor, n)
+	struct hilite_tree *anchor;
+	struct hilite_node *n;
+{
+	struct hilite_node *np = n->parent;
+	struct hilite_node *nl = n->left;
+	struct hilite_node *nlr = n->left->right;
+
+	if (np != NULL)
+	{
+		if (n == np->right)
+			np->right = nl;
+		else
+			np->left = nl;
+	} else
+	{
+		anchor->root = nl;
+	}
+	nl->right = n;
+	n->left = nlr;
+
+	nl->parent = np;
+	n->parent = nl;
+	if (nlr != NULL)
+		nlr->parent = n;
+}
+
+
+/*
  * Add a new hilite to a hilite list.
  */
 	static void
 add_hilite(anchor, hl)
-	struct hilite *anchor;
+	struct hilite_tree *anchor;
 	struct hilite *hl;
 {
-	struct hilite *ihl;
+	struct hilite_node *p, *n, *u;
+
+	/* Ignore empty ranges. */
+	if (hl->hl_startpos >= hl->hl_endpos)
+		return;
+
+	p = anchor->root;
+
+	/* Inserting the very first node is trivial. */
+	if (p == NULL)
+	{
+		n = hlist_getnode(anchor);
+		n->r = *hl;
+		anchor->root = n;
+		anchor->lookaside = n;
+		return;
+	}
 
 	/*
-	 * Hilites are sorted in the list; find where new one belongs.
-	 * Insert new one after ihl.
+	 * Find our insertion point. If we come across any overlapping
+	 * or adjoining existing ranges, shrink our range and discard
+	 * if it become empty.
 	 */
-	for (ihl = anchor;  ihl->hl_next != NULL;  ihl = ihl->hl_next)
+	for (;;)
 	{
-		if (ihl->hl_next->hl_startpos > hl->hl_startpos)
+		if (hl->hl_startpos < p->r.hl_startpos)
+		{
+			if (hl->hl_endpos > p->r.hl_startpos)
+				hl->hl_endpos = p->r.hl_startpos;
+			if (p->left != NULL)
+			{
+				p = p->left;
+				continue;
+			}
 			break;
+		}
+		if (hl->hl_startpos < p->r.hl_endpos) {
+			hl->hl_startpos = p->r.hl_endpos;
+			if (hl->hl_startpos >= hl->hl_endpos)
+				return;
+		}
+		if (p->right != NULL)
+		{
+			p = p->right;
+			continue;
+		}
+		break;
 	}
 
 	/*
-	 * Truncate hilite so it doesn't overlap any existing ones
-	 * above and below it.
+	 * Now we're at the right leaf, again check for contiguous ranges
+	 * and extend the existing node if possible to avoid the
+	 * insertion. Otherwise insert a new node at the leaf.
 	 */
-	if (ihl != anchor)
-		hl->hl_startpos = MAXPOS(hl->hl_startpos, ihl->hl_endpos);
-	if (ihl->hl_next != NULL)
-		hl->hl_endpos = MINPOS(hl->hl_endpos, ihl->hl_next->hl_startpos);
-	if (hl->hl_startpos >= hl->hl_endpos)
+	if (hl->hl_startpos < p->r.hl_startpos) {
+		if (hl->hl_endpos == p->r.hl_startpos)
+		{
+			p->r.hl_startpos = hl->hl_startpos;
+			return;
+		}
+		if (p->prev != NULL && p->prev->r.hl_endpos == hl->hl_startpos)
+		{
+			p->prev->r.hl_endpos = hl->hl_endpos;
+			return;
+		}
+
+		p->left = n = hlist_getnode(anchor);
+		n->next = p;
+		if (p->prev != NULL)
+		{
+			n->prev = p->prev;
+			p->prev->next = n;
+		}
+		p->prev = n;
+	} else {
+		if (p->r.hl_endpos == hl->hl_startpos)
+		{
+			p->r.hl_endpos = hl->hl_endpos;
+			return;
+		}
+		if (p->next != NULL && hl->hl_endpos == p->next->r.hl_startpos) {
+			p->next->r.hl_startpos = hl->hl_startpos;
+			return;
+		}
+
+		p->right = n = hlist_getnode(anchor);
+		n->prev = p;
+		if (p->next != NULL)
+		{
+			n->next = p->next;
+			p->next->prev = n;
+		}
+		p->next = n;
+	}
+	n->parent = p;
+	n->red = 1;
+	n->r = *hl;
+
+	/*
+	 * The tree is in the correct order and covers the right ranges
+	 * now, but may have become unbalanced. Rebalance it using the
+	 * standard red-black tree constraints and operations.
+	 */
+	for (;;)
 	{
+		/* case 1 - current is root, root is always black */
+		if (n->parent == NULL)
+		{
+			n->red = 0;
+			break;
+		}
+
+		/* case 2 - parent is black, we can always be red */
+		if (!n->parent->red)
+			break;
+
 		/*
-		 * Hilite was truncated out of existence.
+		 * constraint: because the root must be black, if our
+		 * parent is red it cannot be the root therefore we must
+		 * have a grandparent
 		 */
-		free(hl);
-		return;
+
+		/*
+		 * case 3 - parent and uncle are red, repaint them black,
+		 * the grandparent red, and start again at the grandparent.
+		 */
+		u = n->parent->parent->left;
+		if (n->parent == u) 
+			u = n->parent->parent->right;
+		if (u != NULL && u->red)
+		{
+			n->parent->red = 0;
+			u->red = 0;
+			n = n->parent->parent;
+			n->red = 1;
+			continue;
+		}
+
+		/*
+		 * case 4 - parent is red but uncle is black, parent and
+		 * grandparent on opposite sides. We need to start
+		 * changing the structure now. This and case 5 will shorten
+		 * our branch and lengthen the sibling, between them
+		 * restoring balance.
+		 */
+		if (n == n->parent->right &&
+		    n->parent == n->parent->parent->left)
+		{
+			hlist_rotate_left(anchor, n->parent);
+			n = n->left;
+		} else if (n == n->parent->left &&
+			   n->parent == n->parent->parent->right)
+		{
+			hlist_rotate_right(anchor, n->parent);
+			n = n->right;
+		}
+
+		/*
+		 * case 5 - parent is red but uncle is black, parent and
+		 * grandparent on same side
+		 */
+		n->parent->red = 0;
+		n->parent->parent->red = 1;
+		if (n == n->parent->left)
+			hlist_rotate_right(anchor, n->parent->parent);
+		else
+			hlist_rotate_left(anchor, n->parent->parent);
+		break;
 	}
-	hl->hl_next = ihl->hl_next;
-	ihl->hl_next = hl;
 }
 
 /*
@@ -496,12 +937,11 @@ create_hilites(linepos, start_index, end_index, chpos)
 	int end_index;
 	int *chpos;
 {
-	struct hilite *hl;
+	struct hilite hl;
 	int i;
 
 	/* Start the first hilite. */
-	hl = (struct hilite *) ecalloc(1, sizeof(struct hilite));
-	hl->hl_startpos = linepos + chpos[start_index];
+	hl.hl_startpos = linepos + chpos[start_index];
 
 	/*
 	 * Step through the displayed chars.
@@ -515,13 +955,12 @@ create_hilites(linepos, start_index, end_index, chpos)
 	{
 		if (chpos[i] != chpos[i-1] + 1 || i == end_index)
 		{
-			hl->hl_endpos = linepos + chpos[i-1] + 1;
-			add_hilite(&hilite_anchor, hl);
+			hl.hl_endpos = linepos + chpos[i-1] + 1;
+			add_hilite(&hilite_anchor, &hl);
 			/* Start new hilite unless this is the last char. */
 			if (i < end_index)
 			{
-				hl = (struct hilite *) ecalloc(1, sizeof(struct hilite));
-				hl->hl_startpos = linepos + chpos[i];
+				hl.hl_startpos = linepos + chpos[i];
 			}
 		}
 	}
@@ -545,8 +984,6 @@ hilite_line(linepos, line, line_len, chpos, sp, ep, cvt_ops)
 	char *searchp;
 	char *line_end = line + line_len;
 
-	if (sp == NULL || ep == NULL)
-		return;
 	/*
 	 * sp and ep delimit the first match in the line.
 	 * Mark the corresponding file positions, then
@@ -559,6 +996,8 @@ hilite_line(linepos, line, line_len, chpos, sp, ep, cvt_ops)
 	 */
 	searchp = line;
 	do {
+		if (sp == NULL || ep == NULL)
+			return;
 		create_hilites(linepos, sp-line, ep-line, chpos);
 		/*
 		 * If we matched more than zero characters,
@@ -694,11 +1133,10 @@ search_pos(search_type)
 			 * It starts at the jump target (if searching backwards),
 			 * or at the jump target plus one (if forwards).
 			 */
-			linenum = jump_sline;
+			linenum = adjsline(jump_sline);
 			if (search_type & SRCH_FORW) 
-			    add_one = 1;
+				add_one = 1;
 		}
-		linenum = adjsline(linenum);
 		pos = position(linenum);
 		if (add_one)
 			pos = forw_raw_line(pos, (char **)NULL, (int *)NULL);
@@ -709,20 +1147,20 @@ search_pos(search_type)
 	 */
 	if (search_type & SRCH_FORW) 
 	{
-	    while (pos == NULL_POSITION)
-	    {
-	        if (++linenum >= sc_height)
-	            break;
-	        pos = position(linenum);
-	    }
+		while (pos == NULL_POSITION)
+		{
+			if (++linenum >= sc_height)
+				break;
+			pos = position(linenum);
+		}
 	} else 
 	{
-	    while (pos == NULL_POSITION)
-	    {
-	        if (--linenum < 0)
-	            break;
-	        pos = position(linenum);
-	    }
+		while (pos == NULL_POSITION)
+		{
+			if (--linenum < 0)
+				break;
+			pos = position(linenum);
+		}
 	}
 	return (pos);
 }
@@ -842,16 +1280,19 @@ search_range(pos, endpos, search_type, matches, maxlines, plinepos, pendpos)
 		 * Check to see if the line matches the filter pattern.
 		 * If so, add an entry to the filter list.
 		 */
-		if ((search_type & SRCH_FIND_ALL) && prev_pattern(&filter_info)) {
+		if (((search_type & SRCH_FIND_ALL) ||
+		     prep_startpos == NULL_POSITION ||
+		     linepos < prep_startpos || linepos >= prep_endpos) &&
+		    prev_pattern(&filter_info)) {
 			int line_filter = match_pattern(info_compiled(&filter_info), filter_info.text,
 				cline, line_len, &sp, &ep, 0, filter_info.search_type);
 			if (line_filter)
 			{
-				struct hilite *hl = (struct hilite *)
-					ecalloc(1, sizeof(struct hilite));
-				hl->hl_startpos = linepos;
-				hl->hl_endpos = pos;
-				add_hilite(&filter_anchor, hl);
+				struct hilite hl;
+				hl.hl_startpos = linepos;
+				hl.hl_endpos = pos;
+				add_hilite(&filter_anchor, &hl);
+				continue;
 			}
 		}
 #endif
@@ -1108,6 +1549,12 @@ prep_hilite(spos, epos, maxlines)
 		return;
 
 	/*
+	 * Make sure our prep region always starts at the beginning of
+	 * a line. (search_range takes care of the end boundary below.)
+	 */
+	spos = back_raw_line(spos+1, (char **)NULL, (int *)NULL);
+
+	/*
 	 * If we're limited to a max number of lines, figure out the
 	 * file position we should stop at.
 	 */
@@ -1199,12 +1646,48 @@ prep_hilite(spos, epos, maxlines)
 	{
 		int search_type = SRCH_FORW | SRCH_FIND_ALL;
 		search_type |= (search_info.search_type & SRCH_NO_REGEX);
-		result = search_range(spos, epos, search_type, 0,
-				maxlines, (POSITION*)NULL, &new_epos);
-		if (result < 0)
-			return;
-		if (prep_endpos == NULL_POSITION || new_epos > prep_endpos)
-			nprep_endpos = new_epos;
+		for (;;) 
+		{
+			result = search_range(spos, epos, search_type, 0, maxlines, (POSITION*)NULL, &new_epos);
+			if (result < 0)
+				return;
+			if (prep_endpos == NULL_POSITION || new_epos > prep_endpos)
+				nprep_endpos = new_epos;
+
+			/*
+			 * Check both ends of the resulting prep region to
+			 * make sure they're not filtered. If they are,
+			 * keep going at least one more line until we find
+			 * something that isn't filtered, or hit the end.
+			 */
+			if (prep_endpos == NULL_POSITION || nprep_endpos > prep_endpos)
+			{
+				if (new_epos >= nprep_endpos && is_filtered(new_epos-1))
+				{
+					spos = nprep_endpos;
+					epos = forw_raw_line(nprep_endpos, (char **)NULL, (int *)NULL);
+					if (epos == NULL_POSITION)
+						break;
+					maxlines = 1;
+					continue;
+				}
+			}
+
+			if (prep_startpos == NULL_POSITION || nprep_startpos < prep_startpos)
+			{
+				if (nprep_startpos > 0 && is_filtered(nprep_startpos))
+				{
+					epos = nprep_startpos;
+					spos = back_raw_line(nprep_startpos, (char **)NULL, (int *)NULL);
+					if (spos == NULL_POSITION)
+						break;
+					nprep_startpos = spos;
+					maxlines = 1;
+					continue;
+				}
+			}
+			break;
+		}
 	}
 	prep_startpos = nprep_startpos;
 	prep_endpos = nprep_endpos;
@@ -1243,12 +1726,16 @@ is_filtering()
  * This function is called by the V8 regcomp to report 
  * errors in regular expressions.
  */
+public int reg_show_error = 1;
+
 	void 
 regerror(s) 
 	char *s; 
 {
 	PARG parg;
 
+	if (!reg_show_error)
+		return;
 	parg.p_string = s;
 	error("%s", &parg);
 }
diff --git a/contrib/less/signal.c b/contrib/less/signal.c
index 9c6c2f6..caa2143 100644
--- a/contrib/less/signal.c
+++ b/contrib/less/signal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/tags.c b/contrib/less/tags.c
index 51fbb56..5acf374 100644
--- a/contrib/less/tags.c
+++ b/contrib/less/tags.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -14,7 +14,8 @@
 
 #if TAGS
 
-public char *tags = "tags";
+public char ztags[] = "tags";
+public char *tags = ztags;
 
 static int total;
 static int curseq;
@@ -287,7 +288,7 @@ findctag(tag)
 
 	cleantags();
 	total = 0;
-	taglen = strlen(tag);
+	taglen = (int) strlen(tag);
 
 	/*
 	 * Search the tags file for the desired tag.
@@ -445,7 +446,7 @@ ctagsearch()
 		 * If tagendline is set, make sure we match all
 		 * the way to end of line (no extra chars after the match).
 		 */
-		len = strlen(curtag->tag_pattern);
+		len = (int) strlen(curtag->tag_pattern);
 		if (strncmp(curtag->tag_pattern, line, len) == 0 &&
 		    (!curtag->tag_endline || line[len] == '\0' || line[len] == '\r'))
 		{
@@ -491,7 +492,7 @@ findgtag(tag, type)
 	{
 		fp = stdin;
 		/* Set tag default because we cannot read stdin again. */
-		tags = "tags";
+		tags = ztags;
 	} else
 	{
 #if !HAVE_POPEN
@@ -551,7 +552,7 @@ findgtag(tag, type)
 #endif
 				return TAG_INTR;
 			}
-			len = strlen(buf);
+			len = (int) strlen(buf);
 			if (len > 0 && buf[len-1] == '\n')
 				buf[len-1] = '\0';
 			else
diff --git a/contrib/less/ttyin.c b/contrib/less/ttyin.c
index db6e72e..129eea1 100644
--- a/contrib/less/ttyin.c
+++ b/contrib/less/ttyin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
diff --git a/contrib/less/ubin.uni b/contrib/less/ubin.uni
new file mode 100644
index 0000000..39ec303
--- /dev/null
+++ b/contrib/less/ubin.uni
@@ -0,0 +1,32 @@
+/* Generated by "./mkutable -f2 Cc Cf Cs Co Zl Zp -- unicode/UnicodeData.txt" on Mon Jul 14 16:21:22 PDT 2014 */
+	{ 0x0000, 0x001f }, /* Cc */
+	{ 0x007f, 0x009f }, /* Cc */
+	{ 0x00ad, 0x00ad }, /* Cf */
+	{ 0x0600, 0x0605 }, /* Cf */
+	{ 0x061c, 0x061c }, /* Cf */
+	{ 0x06dd, 0x06dd }, /* Cf */
+	{ 0x070f, 0x070f }, /* Cf */
+	{ 0x180e, 0x180e }, /* Cf */
+	{ 0x200b, 0x200f }, /* Cf */
+	{ 0x2028, 0x2028 }, /* Zl */
+	{ 0x2029, 0x2029 }, /* Zp */
+	{ 0x202a, 0x202e }, /* Cf */
+	{ 0x2060, 0x2064 }, /* Cf */
+	{ 0x2066, 0x206f }, /* Cf */
+	{ 0xd800, 0xd800 }, /* Cs */
+	{ 0xdb7f, 0xdb80 }, /* Cs */
+	{ 0xdbff, 0xdc00 }, /* Cs */
+	{ 0xdfff, 0xdfff }, /* Cs */
+	{ 0xe000, 0xe000 }, /* Co */
+	{ 0xf8ff, 0xf8ff }, /* Co */
+	{ 0xfeff, 0xfeff }, /* Cf */
+	{ 0xfff9, 0xfffb }, /* Cf */
+	{ 0x110bd, 0x110bd }, /* Cf */
+	{ 0x1bca0, 0x1bca3 }, /* Cf */
+	{ 0x1d173, 0x1d17a }, /* Cf */
+	{ 0xe0001, 0xe0001 }, /* Cf */
+	{ 0xe0020, 0xe007f }, /* Cf */
+	{ 0xf0000, 0xf0000 }, /* Co */
+	{ 0xffffd, 0xffffd }, /* Co */
+	{ 0x100000, 0x100000 }, /* Co */
+	{ 0x10fffd, 0x10fffd }, /* Co */
diff --git a/contrib/less/version.c b/contrib/less/version.c
index d3ecd14..87b0b42 100644
--- a/contrib/less/version.c
+++ b/contrib/less/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1984-2012  Mark Nudelman
+ * Copyright (C) 1984-2015  Mark Nudelman
  *
  * You may distribute under the terms of either the GNU General Public
  * License or the Less License, as specified in the README file.
@@ -762,6 +762,35 @@ v455  11/5/12   Fix typo.
 v456  11/8/12   Fix option string incompatibility.
 v457  12/8/12   Use new option string syntax only after --use-backslash.
 v458  4/4/13    Fix display bug in using up/down in cmd buffer.
+-----------------------------------------------------------------
+v459  5/6/13    Fix ++ bug.
+v460  6/19/13   Automate construction of Unicode tables.
+v461  6/21/13   Collapse multiple CRs before LF.
+v462  11/26/13  Don't overwrite history file, just append to it.
+v463  7/13/14   Misc. fixes.
+v464  7/19/14   Fix bugs & improve performance in & filtering
+                (thanks to John Sullivan).
+v465  8/9/14    More fixes from John Sullivan.
+v466  8/23/14   Add colon to LESSANSIMIDCHARS.
+v467  9/18/14   Misc. fixes.
+v468  9/18/14   Fix typo
+v469  10/2/14   Allow extra string in command to append to a multichar
+                cmd without executing it; fix bug using GNU regex.
+v470  10/5/14   Fix some compiler warnings.
+v471  12/14/14  Fix unget issues with prompt. Allow disabling history
+                when compiled value of LESSHISTFILE = "-".
+v473  12/19/14  Fix prompt bug with stdin and -^P in lesskey extra string.
+v474  1/30/15   Fix bug in backwards search with match on bottom line.
+                Make follow mode reopen file if file shrinks.
+v475  3/2/15    Fix possible buffer overrun with invalid UTF-8; 
+                fix bug when compiled with no regex; fix non-match search.
+v476  5/3/15    Update man pages.
+v477  5/19/15   Fix off-by-one in jump_forw_buffered;
+                don't add FAKE_* files to cmd history.
+v478  5/21/15   Fix nonportable pointer usage in hilite tree.
+v479  7/6/15    Allow %% escapes in LESSOPEN variable.
+v480  7/24/15	Fix bug in no-regex searches; support MSVC v1900.
+v481  8/20/15	Fix broken -g option.
 */
 
-char version[] = "458";
+char version[] = "481";
diff --git a/contrib/less/wide.uni b/contrib/less/wide.uni
new file mode 100644
index 0000000..b43f7d3
--- /dev/null
+++ b/contrib/less/wide.uni
@@ -0,0 +1,81 @@
+/* Generated by "./mkutable -f1 W -- unicode/EastAsianWidth.txt" on Mon Jul 14 16:21:23 PDT 2014 */
+	{ 0x1100, 0x1100 }, /* W */
+	{ 0x2329, 0x232a }, /* W */
+	{ 0x2e80, 0x2e80 }, /* W */
+	{ 0x2e9b, 0x2e9b }, /* W */
+	{ 0x2f00, 0x2f00 }, /* W */
+	{ 0x2ff0, 0x2ff0 }, /* W */
+	{ 0x3001, 0x3001 }, /* W */
+	{ 0x3004, 0x3012 }, /* W */
+	{ 0x3014, 0x301e }, /* W */
+	{ 0x3020, 0x3021 }, /* W */
+	{ 0x302a, 0x302a }, /* W */
+	{ 0x302e, 0x302e }, /* W */
+	{ 0x3030, 0x3031 }, /* W */
+	{ 0x3036, 0x3036 }, /* W */
+	{ 0x3038, 0x3038 }, /* W */
+	{ 0x303b, 0x303e }, /* W */
+	{ 0x3041, 0x3041 }, /* W */
+	{ 0x3099, 0x3099 }, /* W */
+	{ 0x309b, 0x309b }, /* W */
+	{ 0x309d, 0x309d }, /* W */
+	{ 0x309f, 0x30a1 }, /* W */
+	{ 0x30fb, 0x30fc }, /* W */
+	{ 0x30ff, 0x30ff }, /* W */
+	{ 0x3105, 0x3105 }, /* W */
+	{ 0x3131, 0x3131 }, /* W */
+	{ 0x3190, 0x3190 }, /* W */
+	{ 0x3192, 0x3192 }, /* W */
+	{ 0x3196, 0x3196 }, /* W */
+	{ 0x31a0, 0x31a0 }, /* W */
+	{ 0x31c0, 0x31c0 }, /* W */
+	{ 0x31f0, 0x31f0 }, /* W */
+	{ 0x3200, 0x3200 }, /* W */
+	{ 0x3220, 0x3220 }, /* W */
+	{ 0x322a, 0x322a }, /* W */
+	{ 0x3250, 0x3251 }, /* W */
+	{ 0x3260, 0x3260 }, /* W */
+	{ 0x3280, 0x3280 }, /* W */
+	{ 0x328a, 0x328a }, /* W */
+	{ 0x32b1, 0x32b1 }, /* W */
+	{ 0x32c0, 0x32c0 }, /* W */
+	{ 0x3300, 0x3300 }, /* W */
+	{ 0x3400, 0x3400 }, /* W */
+	{ 0x4db6, 0x4db6 }, /* W */
+	{ 0x4e00, 0x4e00 }, /* W */
+	{ 0x9fcd, 0x9fcd }, /* W */
+	{ 0xa000, 0xa000 }, /* W */
+	{ 0xa015, 0xa016 }, /* W */
+	{ 0xa490, 0xa490 }, /* W */
+	{ 0xa960, 0xa960 }, /* W */
+	{ 0xac00, 0xac00 }, /* W */
+	{ 0xf900, 0xf900 }, /* W */
+	{ 0xfa6e, 0xfa6e }, /* W */
+	{ 0xfa70, 0xfa70 }, /* W */
+	{ 0xfada, 0xfada }, /* W */
+	{ 0xfe10, 0xfe10 }, /* W */
+	{ 0xfe17, 0xfe19 }, /* W */
+	{ 0xfe30, 0xfe31 }, /* W */
+	{ 0xfe33, 0xfe33 }, /* W */
+	{ 0xfe35, 0xfe45 }, /* W */
+	{ 0xfe47, 0xfe49 }, /* W */
+	{ 0xfe4d, 0xfe4d }, /* W */
+	{ 0xfe50, 0xfe50 }, /* W */
+	{ 0xfe54, 0xfe54 }, /* W */
+	{ 0xfe58, 0xfe5f }, /* W */
+	{ 0xfe62, 0xfe64 }, /* W */
+	{ 0xfe68, 0xfe6a }, /* W */
+	{ 0x1b000, 0x1b000 }, /* W */
+	{ 0x1f200, 0x1f200 }, /* W */
+	{ 0x1f210, 0x1f210 }, /* W */
+	{ 0x1f240, 0x1f240 }, /* W */
+	{ 0x1f250, 0x1f250 }, /* W */
+	{ 0x20000, 0x20000 }, /* W */
+	{ 0x2a6d7, 0x2a6d7 }, /* W */
+	{ 0x2a700, 0x2a700 }, /* W */
+	{ 0x2b735, 0x2b735 }, /* W */
+	{ 0x2b740, 0x2b740 }, /* W */
+	{ 0x2b81e, 0x2b81e }, /* W */
+	{ 0x2f800, 0x2f800 }, /* W */
+	{ 0x2fa1e, 0x2fa1e }, /* W */
+	{ 0x30000, 0x30000 }, /* W */
diff --git a/contrib/netcat/nc.1 b/contrib/netcat/nc.1
index e1f4c2d..7e7b9fd 100644
--- a/contrib/netcat/nc.1
+++ b/contrib/netcat/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.67 2014/02/26 20:56:11 claudio Exp $
+.\"     $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 11, 2014
+.Dd September 26, 2015
 .Dt NC 1
 .Os
 .Sh NAME
@@ -133,7 +133,7 @@ connection to another program (e.g.\&
 .Xr ssh 1
 using the
 .Xr ssh_config 5
-.Cm ProxyUseFdPass
+.Cm ProxyUseFdpass
 option).
 .It Fl h
 Prints out
diff --git a/contrib/netcat/netcat.c b/contrib/netcat/netcat.c
index 041fff8..04e31e8a 100644
--- a/contrib/netcat/netcat.c
+++ b/contrib/netcat/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.127 2015/02/14 22:40:22 jca Exp $ */
+/* $OpenBSD: netcat.c,v 1.130 2015/07/26 19:12:28 chl Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  *
@@ -52,15 +52,16 @@
 #include <err.h>
 #include <errno.h>
 #include <getopt.h>
+#include <fcntl.h>
+#include <limits.h>
 #include <netdb.h>
 #include <poll.h>
+#include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#include <fcntl.h>
-#include <limits.h>
 #include "atomicio.h"
 
 #ifndef SUN_LEN
@@ -163,6 +164,8 @@ main(int argc, char *argv[])
 	uport = NULL;
 	sv = NULL;
 
+	signal(SIGPIPE, SIG_IGN);
+
 	while ((ch = getopt_long(argc, argv,
 	    "46DdEe:FhI:i:klNnoO:P:p:rSs:tT:UuV:vw:X:x:z",
 	    longopts, NULL)) != -1) {
@@ -1042,7 +1045,6 @@ fdpass(int nfd)
 	bzero(&mh, sizeof(mh));
 	bzero(&cmsgbuf, sizeof(cmsgbuf));
 	bzero(&iov, sizeof(iov));
-	bzero(&pfd, sizeof(pfd));
 
 	mh.msg_control = (caddr_t)&cmsgbuf.buf;
 	mh.msg_controllen = sizeof(cmsgbuf.buf);
@@ -1059,17 +1061,17 @@ fdpass(int nfd)
 
 	bzero(&pfd, sizeof(pfd));
 	pfd.fd = STDOUT_FILENO;
+	pfd.events = POLLOUT;
 	for (;;) {
 		r = sendmsg(STDOUT_FILENO, &mh, 0);
 		if (r == -1) {
 			if (errno == EAGAIN || errno == EINTR) {
-				pfd.events = POLLOUT;
 				if (poll(&pfd, 1, -1) == -1)
 					err(1, "poll");
 				continue;
 			}
 			err(1, "sendmsg");
-		} else if (r == -1)
+		} else if (r != 1)
 			errx(1, "sendmsg: unexpected return value %zd", r);
 		else
 			break;
diff --git a/contrib/netcat/socks.c b/contrib/netcat/socks.c
index f8adda4..1b06e0e 100644
--- a/contrib/netcat/socks.c
+++ b/contrib/netcat/socks.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: socks.c,v 1.20 2012/03/08 09:56:28 espie Exp $	*/
+/*	$OpenBSD: socks.c,v 1.21 2015/03/26 21:19:51 tobias Exp $	*/
 
 /*
  * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
@@ -308,8 +308,8 @@ socks_connect(const char *host, const char *port,
 		}
 
 		/* Terminate headers */
-		if ((r = atomicio(vwrite, proxyfd, "\r\n", 2)) != 2)
-			err(1, "write failed (2/%d)", r);
+		if ((cnt = atomicio(vwrite, proxyfd, "\r\n", 2)) != 2)
+			err(1, "write failed (%zu/2)", cnt);
 
 		/* Read status reply */
 		proxy_read_line(proxyfd, buf, sizeof(buf));
diff --git a/contrib/ntp/ChangeLog b/contrib/ntp/ChangeLog
index 304bd85..cfe4aa1 100644
--- a/contrib/ntp/ChangeLog
+++ b/contrib/ntp/ChangeLog
@@ -1,4 +1,38 @@
 ---
+(4.2.8p6) 2016/01/20 Released by Harlan Stenn <stenn@ntp.org>
+
+* [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn.
+* [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+* [Sec 2937] ntpq: nextvar() missing length check. perlinger@ntp.org
+* [Sec 2938] ntpq saveconfig command allows dangerous characters
+  in filenames. perlinger@ntp.org
+* [Sec 2939] reslist NULL pointer dereference.  perlinger@ntp.org
+* [Sec 2940] Stack exhaustion in recursive traversal of restriction
+  list. perlinger@ntp.org
+* [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+* [Sec 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org
+* [Sec 2948] Potential Infinite Loop in ntpq ( and ntpdc) perlinger@ntp.org
+* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
+* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
+  - applied patch by shenpeng11@huawei.com with minor adjustments
+* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
+* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
+* [Bug 2892] Several test cases assume IPv6 capabilities even when
+             IPv6 is disabled in the build. perlinger@ntp.org
+  - Found this already fixed, but validation led to cleanup actions.
+* [Bug 2905] DNS lookups broken. perlinger@ntp.org
+  - added limits to stack consumption, fixed some return code handling
+* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
+  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
+  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
+* [Bug 2980] reduce number of warnings. perlinger@ntp.org
+  - integrated several patches from Havard Eidnes (he@uninett.no)
+* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
+  - implement 'auth_log2()' using integer bithack instead of float calculation
+* Make leapsec_query debug messages less verbose.  Harlan Stenn.
+* Disable incomplete t-ntp_signd.c test.  Harlan Stenn.
+
+---
 (4.2.8p5) 2016/01/07 Released by Harlan Stenn <stenn@ntp.org>
 
 * [Sec 2956] small-step/big-step.  Close the panic gate earlier.  HStenn.
@@ -47,6 +81,7 @@
               lots of clients. perlinger@ntp.org
 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
+  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
 * Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
 * Unity test cleanup.  Harlan Stenn.
 * Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
@@ -55,9 +90,8 @@
 * Quiet a warning from clang.  Harlan Stenn.
 * Update the NEWS file.  Harlan Stenn.
 * Update scripts/calc_tickadj/Makefile.am.  Harlan Stenn.
+
 ---
-(4.2.8p4) 2015/10/21 Released by Harlan Stenn <stenn@ntp.org>
-(4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn <stenn@ntp.org>
 
 * [Sec 2899] CVE-2014-9297  perlinger@ntp.org
 * [Sec 2901] Drop invalid packet before checking KoD. Check for all KoD's.
diff --git a/contrib/ntp/CommitLog b/contrib/ntp/CommitLog
index 9caeaa2..26afcc5 100644
--- a/contrib/ntp/CommitLog
+++ b/contrib/ntp/CommitLog
@@ -1,8 +1,633 @@
-ChangeSet@1.3623, 2016-01-07 23:33:11+00:00, stenn@deacon.udel.edu
+ChangeSet@1.3628, 2016-01-20 04:20:12-05:00, stenn@deacon.udel.edu
+  NTP_4_2_8P6
+  TAG: NTP_4_2_8P6
+
+  ChangeLog@1.1793 +1 -0
+    NTP_4_2_8P6
+
+  ntpd/invoke-ntp.conf.texi@1.196 +1 -1
+    NTP_4_2_8P6
+
+  ntpd/invoke-ntp.keys.texi@1.188 +1 -1
+    NTP_4_2_8P6
+
+  ntpd/invoke-ntpd.texi@1.504 +2 -2
+    NTP_4_2_8P6
+
+  ntpd/ntp.conf.5man@1.230 +3 -3
+    NTP_4_2_8P6
+
+  ntpd/ntp.conf.5mdoc@1.230 +2 -3
+    NTP_4_2_8P6
+
+  ntpd/ntp.conf.html@1.183 +60 -2
+    NTP_4_2_8P6
+
+  ntpd/ntp.conf.man.in@1.230 +3 -3
+    NTP_4_2_8P6
+
+  ntpd/ntp.conf.mdoc.in@1.230 +2 -3
+    NTP_4_2_8P6
+
+  ntpd/ntp.keys.5man@1.222 +2 -2
+    NTP_4_2_8P6
+
+  ntpd/ntp.keys.5mdoc@1.222 +3 -3
+    NTP_4_2_8P6
+
+  ntpd/ntp.keys.html@1.184 +21 -33
+    NTP_4_2_8P6
+
+  ntpd/ntp.keys.man.in@1.222 +2 -2
+    NTP_4_2_8P6
+
+  ntpd/ntp.keys.mdoc.in@1.222 +3 -3
+    NTP_4_2_8P6
+
+  ntpd/ntpd-opts.c@1.526 +10 -10
+    NTP_4_2_8P6
+
+  ntpd/ntpd-opts.h@1.525 +4 -4
+    NTP_4_2_8P6
+
+  ntpd/ntpd.1ntpdman@1.333 +4 -4
+    NTP_4_2_8P6
+
+  ntpd/ntpd.1ntpdmdoc@1.333 +3 -3
+    NTP_4_2_8P6
+
+  ntpd/ntpd.html@1.177 +2 -2
+    NTP_4_2_8P6
+
+  ntpd/ntpd.man.in@1.333 +4 -4
+    NTP_4_2_8P6
+
+  ntpd/ntpd.mdoc.in@1.333 +3 -3
+    NTP_4_2_8P6
+
+  ntpdc/invoke-ntpdc.texi@1.501 +2 -2
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc-opts.c@1.519 +10 -10
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc-opts.h@1.518 +4 -4
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc.1ntpdcman@1.332 +4 -4
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc.1ntpdcmdoc@1.332 +3 -3
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc.html@1.345 +2 -2
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc.man.in@1.332 +4 -4
+    NTP_4_2_8P6
+
+  ntpdc/ntpdc.mdoc.in@1.332 +3 -3
+    NTP_4_2_8P6
+
+  ntpq/invoke-ntpq.texi@1.508 +2 -2
+    NTP_4_2_8P6
+
+  ntpq/ntpq-opts.c@1.525 +10 -10
+    NTP_4_2_8P6
+
+  ntpq/ntpq-opts.h@1.523 +4 -4
+    NTP_4_2_8P6
+
+  ntpq/ntpq.1ntpqman@1.336 +4 -4
+    NTP_4_2_8P6
+
+  ntpq/ntpq.1ntpqmdoc@1.336 +3 -3
+    NTP_4_2_8P6
+
+  ntpq/ntpq.html@1.174 +2 -2
+    NTP_4_2_8P6
+
+  ntpq/ntpq.man.in@1.336 +4 -4
+    NTP_4_2_8P6
+
+  ntpq/ntpq.mdoc.in@1.336 +3 -3
+    NTP_4_2_8P6
+
+  ntpsnmpd/invoke-ntpsnmpd.texi@1.503 +2 -2
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd-opts.c@1.521 +10 -10
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd-opts.h@1.520 +4 -4
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd.1ntpsnmpdman@1.332 +4 -4
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc@1.332 +3 -3
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd.html@1.172 +1 -1
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd.man.in@1.332 +4 -4
+    NTP_4_2_8P6
+
+  ntpsnmpd/ntpsnmpd.mdoc.in@1.332 +3 -3
+    NTP_4_2_8P6
+
+  packageinfo.sh@1.524 +2 -2
+    NTP_4_2_8P6
+
+  scripts/calc_tickadj/calc_tickadj.1calc_tickadjman@1.93 +3 -3
+    NTP_4_2_8P6
+
+  scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc@1.94 +2 -2
+    NTP_4_2_8P6
+
+  scripts/calc_tickadj/calc_tickadj.html@1.95 +1 -1
+    NTP_4_2_8P6
+
+  scripts/calc_tickadj/calc_tickadj.man.in@1.92 +3 -3
+    NTP_4_2_8P6
+
+  scripts/calc_tickadj/calc_tickadj.mdoc.in@1.94 +2 -2
+    NTP_4_2_8P6
+
+  scripts/calc_tickadj/invoke-calc_tickadj.texi@1.97 +1 -1
+    NTP_4_2_8P6
+
+  scripts/invoke-plot_summary.texi@1.114 +2 -2
+    NTP_4_2_8P6
+
+  scripts/invoke-summary.texi@1.114 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/invoke-ntp-wait.texi@1.324 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/ntp-wait-opts@1.60 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/ntp-wait.1ntp-waitman@1.321 +3 -3
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/ntp-wait.1ntp-waitmdoc@1.322 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/ntp-wait.html@1.341 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/ntp-wait.man.in@1.321 +3 -3
+    NTP_4_2_8P6
+
+  scripts/ntp-wait/ntp-wait.mdoc.in@1.322 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/invoke-ntpsweep.texi@1.112 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/ntpsweep-opts@1.62 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/ntpsweep.1ntpsweepman@1.100 +3 -3
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/ntpsweep.1ntpsweepmdoc@1.100 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/ntpsweep.html@1.113 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/ntpsweep.man.in@1.100 +3 -3
+    NTP_4_2_8P6
+
+  scripts/ntpsweep/ntpsweep.mdoc.in@1.101 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntptrace/invoke-ntptrace.texi@1.113 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntptrace/ntptrace-opts@1.62 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntptrace/ntptrace.1ntptraceman@1.100 +3 -3
+    NTP_4_2_8P6
+
+  scripts/ntptrace/ntptrace.1ntptracemdoc@1.101 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntptrace/ntptrace.html@1.114 +2 -2
+    NTP_4_2_8P6
+
+  scripts/ntptrace/ntptrace.man.in@1.100 +3 -3
+    NTP_4_2_8P6
+
+  scripts/ntptrace/ntptrace.mdoc.in@1.102 +2 -2
+    NTP_4_2_8P6
+
+  scripts/plot_summary-opts@1.62 +2 -2
+    NTP_4_2_8P6
+
+  scripts/plot_summary.1plot_summaryman@1.112 +3 -3
+    NTP_4_2_8P6
+
+  scripts/plot_summary.1plot_summarymdoc@1.112 +2 -2
+    NTP_4_2_8P6
+
+  scripts/plot_summary.html@1.115 +2 -2
+    NTP_4_2_8P6
+
+  scripts/plot_summary.man.in@1.112 +3 -3
+    NTP_4_2_8P6
+
+  scripts/plot_summary.mdoc.in@1.112 +2 -2
+    NTP_4_2_8P6
+
+  scripts/summary-opts@1.62 +2 -2
+    NTP_4_2_8P6
+
+  scripts/summary.1summaryman@1.112 +3 -3
+    NTP_4_2_8P6
+
+  scripts/summary.1summarymdoc@1.112 +2 -2
+    NTP_4_2_8P6
+
+  scripts/summary.html@1.115 +2 -2
+    NTP_4_2_8P6
+
+  scripts/summary.man.in@1.112 +3 -3
+    NTP_4_2_8P6
+
+  scripts/summary.mdoc.in@1.112 +2 -2
+    NTP_4_2_8P6
+
+  scripts/update-leap/invoke-update-leap.texi@1.13 +1 -1
+    NTP_4_2_8P6
+
+  scripts/update-leap/update-leap-opts@1.13 +2 -2
+    NTP_4_2_8P6
+
+  scripts/update-leap/update-leap.1update-leapman@1.13 +3 -3
+    NTP_4_2_8P6
+
+  scripts/update-leap/update-leap.1update-leapmdoc@1.13 +2 -2
+    NTP_4_2_8P6
+
+  scripts/update-leap/update-leap.html@1.13 +1 -1
+    NTP_4_2_8P6
+
+  scripts/update-leap/update-leap.man.in@1.13 +3 -3
+    NTP_4_2_8P6
+
+  scripts/update-leap/update-leap.mdoc.in@1.13 +2 -2
+    NTP_4_2_8P6
+
+  sntp/invoke-sntp.texi@1.501 +2 -2
+    NTP_4_2_8P6
+
+  sntp/sntp-opts.c@1.520 +10 -10
+    NTP_4_2_8P6
+
+  sntp/sntp-opts.h@1.518 +4 -4
+    NTP_4_2_8P6
+
+  sntp/sntp.1sntpman@1.336 +4 -4
+    NTP_4_2_8P6
+
+  sntp/sntp.1sntpmdoc@1.336 +3 -3
+    NTP_4_2_8P6
+
+  sntp/sntp.html@1.516 +2 -2
+    NTP_4_2_8P6
+
+  sntp/sntp.man.in@1.336 +4 -4
+    NTP_4_2_8P6
+
+  sntp/sntp.mdoc.in@1.336 +3 -3
+    NTP_4_2_8P6
+
+  util/invoke-ntp-keygen.texi@1.504 +2 -2
+    NTP_4_2_8P6
+
+  util/ntp-keygen-opts.c@1.522 +10 -10
+    NTP_4_2_8P6
+
+  util/ntp-keygen-opts.h@1.520 +4 -4
+    NTP_4_2_8P6
+
+  util/ntp-keygen.1ntp-keygenman@1.332 +4 -4
+    NTP_4_2_8P6
+
+  util/ntp-keygen.1ntp-keygenmdoc@1.332 +3 -3
+    NTP_4_2_8P6
+
+  util/ntp-keygen.html@1.178 +2 -2
+    NTP_4_2_8P6
+
+  util/ntp-keygen.man.in@1.332 +4 -4
+    NTP_4_2_8P6
+
+  util/ntp-keygen.mdoc.in@1.332 +3 -3
+    NTP_4_2_8P6
+
+ChangeSet@1.3627, 2016-01-20 04:14:51-05:00, stenn@deacon.udel.edu
+  solaris hack
+
+  libntp/work_thread.c@1.20 +2 -0
+    solaris hack
+
+ChangeSet@1.3626, 2016-01-20 01:50:09-05:00, stenn@deacon.udel.edu
+  4.2.8p6
+
+  packageinfo.sh@1.523 +1 -1
+    4.2.8p6
+
+ChangeSet@1.3625, 2016-01-20 00:34:15+00:00, stenn@psp-deb1.ntp.org
+  updates
+
+  NEWS@1.160 +24 -24
+    updates
+
+ChangeSet@1.3624, 2016-01-19 22:28:41+00:00, stenn@psp-deb1.ntp.org
+  typo
+
+  NEWS@1.159 +1 -1
+    typo
+
+ChangeSet@1.3623, 2016-01-18 11:55:56+00:00, stenn@psp-deb1.ntp.org
+  [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ChangeLog@1.1792 +1 -0
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  NEWS@1.158 +40 -0
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  include/Makefile.am@1.54 +1 -0
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  include/ntp_io.h@1.23 +2 -1
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  include/ntp_keyacc.h@1.1 +13 -0
+    BitKeeper file /home/stenn/ntp-stable-2936/include/ntp_keyacc.h
+
+  include/ntp_keyacc.h@1.0 +0 -0
+
+  include/ntp_stdlib.h@1.81 +4 -1
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  include/ntp_types.h@1.36 +1 -0
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  libntp/Makefile.am@1.77 +1 -0
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  libntp/authkeys.c@1.31 +60 -6
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  libntp/authreadkeys.c@1.25 +50 -1
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  libntp/authusekey.c@1.11 +1 -1
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  libntp/is_ip_address.c@1.1 +129 -0
+    BitKeeper file /home/stenn/ntp-stable-2936/libntp/is_ip_address.c
+
+  libntp/is_ip_address.c@1.0 +0 -0
+
+  ntpd/invoke-ntp.keys.texi@1.187 +11 -3
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp.keys.5man@1.221 +13 -5
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp.keys.5mdoc@1.221 +14 -6
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp.keys.def@1.11 +10 -2
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp.keys.html@1.183 +42 -22
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp.keys.man.in@1.221 +13 -5
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp.keys.mdoc.in@1.221 +14 -6
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp_crypto.c@1.186 +1 -1
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp_io.c@1.412 +0 -72
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  ntpd/ntp_proto.c@1.373 +34 -0
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+  tests/libntp/authkeys.c@1.15 +1 -1
+    [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
+
+ChangeSet@1.3622, 2016-01-17 09:03:57+00:00, stenn@psp-deb1.ntp.org
+  Disable incomplete t-ntp_signd.c test.  Harlan Stenn.
+
+  ChangeLog@1.1791 +1 -0
+    Disable incomplete t-ntp_signd.c test.  Harlan Stenn.
+
+  tests/ntpd/t-ntp_signd.c@1.16 +4 -0
+    Disable incomplete t-ntp_signd.c test.  Harlan Stenn.
+
+ChangeSet@1.3621, 2016-01-17 05:51:14+00:00, stenn@psp-deb1.ntp.org
+  Update NEWS file for 2942
+
+  NEWS@1.157 +22 -0
+    Update NEWS file for 2942
+
+ChangeSet@1.3615.13.1, 2016-01-17 05:07:22+00:00, stenn@psp-deb1.ntp.org
+  [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ChangeLog@1.1786.13.1 +4 -0
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  html/miscopt.html@1.85 +11 -3
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  include/ntp.h@1.213.1.1 +3 -0
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/invoke-ntp.conf.texi@1.195 +64 -3
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/keyword-gen-utd@1.27 +1 -1
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/keyword-gen.c@1.33 +3 -0
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp.conf.5man@1.229 +71 -7
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp.conf.5mdoc@1.229 +71 -7
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp.conf.def@1.21 +67 -4
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp.conf.man.in@1.229 +71 -7
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp.conf.mdoc.in@1.229 +71 -7
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp_config.c@1.335.1.1 +12 -0
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp_keyword.h@1.29 +505 -468
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp_parser.c@1.101 +1762 -1513
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp_parser.h@1.65 +257 -235
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp_parser.y@1.91 +6 -0
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+  ntpd/ntp_proto.c@1.368.2.1 +40 -4
+    [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
+
+ChangeSet@1.3619, 2016-01-14 12:19:16+00:00, stenn@psp-at1.ntp.org
+  NEWS file updates
+
+  NEWS@1.156 +21 -0
+    NEWS file updates
+
+ChangeSet@1.3615.1.9, 2016-01-14 11:33:43+00:00, stenn@psp-at1.ntp.org
+  merge cleanup
+
+  ChangeLog@1.1786.1.9 +3 -0
+    merge cleanup
+
+ChangeSet@1.3615.1.5, 2016-01-14 10:44:13+00:00, stenn@psp-at1.ntp.org
+  merge cleanup
+
+  ChangeLog@1.1786.1.5 +0 -1
+    merge cleanup
+
+ChangeSet@1.3615.12.4, 2016-01-14 10:27:23+00:00, stenn@psp-at1.ntp.org
+  merge cleanup
+
+  ChangeLog@1.1786.12.4 +1 -1
+    merge cleanup
+
+ChangeSet@1.3615.12.2, 2016-01-14 09:49:52+00:00, stenn@psp-at1.ntp.org
+  merge cleanup
+
+  ChangeLog@1.1786.12.2 +2 -2
+    merge cleanup
+
+ChangeSet@1.3615.3.17, 2016-01-14 09:33:56+00:00, stenn@psp-at1.ntp.org
+  merge cleanup
+
+  ChangeLog@1.1786.3.14 +1 -1
+    merge cleanup
+
+ChangeSet@1.3615.3.14, 2016-01-14 07:36:57+00:00, stenn@psp-at1.ntp.org
+  NEWS update
+
+  NEWS@1.155 +98 -7
+    NEWS update
+
+ChangeSet@1.3615.3.12, 2016-01-13 08:07:30+00:00, stenn@psp-deb1.ntp.org
+  typo
+
+  ChangeLog@1.1786.3.10 +1 -1
+    typo
+
+ChangeSet@1.3615.3.10, 2016-01-13 06:08:29+00:00, stenn@psp-deb1.ntp.org
+  Update NEWS file for bug 2938
+
+  NEWS@1.154 +29 -2
+    Update NEWS file for bug 2938
+
+ChangeSet@1.3615.3.8, 2016-01-13 04:23:46+00:00, stenn@psp-deb1.ntp.org
+  Update NEWS file for bug 2935
+
+  NEWS@1.153 +52 -0
+    Update NEWS file for bug 2935
+
+ChangeSet@1.3615.7.12, 2016-01-12 09:53:06+00:00, stenn@psp-at1.ntp.org
+  [Sec 2935] use L_SUB instead of L_ISGT.  Juergen Perlinger
+
+  ntpd/ntp_proto.c@1.368.1.5 +4 -1
+    [Sec 2935] use L_SUB instead of L_ISGT.  Juergen Perlinger
+
+ChangeSet@1.3615.7.11, 2016-01-11 03:02:53-08:00, harlan@max.pfcs.com
+  [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode.
+
+  ChangeLog@1.1786.9.1 +4 -0
+    [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode.
+
+  include/ntp.h@1.215 +1 -0
+    [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode.
+
+  ntpd/ntp_proto.c@1.368.1.4 +67 -0
+    [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode.
+
+ChangeSet@1.3615.7.10, 2016-01-11 02:44:25-08:00, harlan@max.pfcs.com
+  make leapsec_query messages less verbose.
+
+  ntpd/ntp_timer.c@1.93.1.1 +6 -4
+    make leapsec_query messages less verbose.
+
+ChangeSet@1.3615.9.1, 2016-01-11 10:26:12+01:00, jnperlin@hydra.localnet
+  [Bug 2985] bogus calculation in authkeys.c
+   - implement 'auth_log2()' using integer bithack instead of float calculation
+
+  ChangeLog@1.1786.7.5 +2 -0
+    [Bug 2985] bogus calculation in authkeys.c
+     - implement 'auth_log2()' using integer bithack instead of float calculation
+
+  libntp/authkeys.c@1.30 +33 -10
+    [Bug 2985] bogus calculation in authkeys.c
+     - implement 'auth_log2()' using integer bithack instead of float calculation
+
+  tests/libntp/authkeys.c@1.14 +38 -0
+    [Bug 2985] bogus calculation in authkeys.c
+     - test bithack implementation of 'auth_log2()'
+
+  tests/libntp/run-authkeys.c@1.12 +9 -6
+    [Bug 2985] bogus calculation in authkeys.c
+     - update auto-generated file
+
+ChangeSet@1.3615.7.9, 2016-01-09 09:52:44+00:00, stenn@psp-at1.ntp.org
+  Add timelastrec to the peer structure
+
+  include/ntp.h@1.214 +2 -1
+    Add timelastrec to the peer structure
+
+ChangeSet@1.3615.3.6, 2016-01-08 10:00:03+00:00, stenn@psp-at1.ntp.org
+  4.2.8p5 merge cleanup
+
+  ChangeLog@1.1786.3.6 +1 -1
+    4.2.8p5 merge cleanup
+
+ChangeSet@1.3615.7.8, 2016-01-08 00:26:09+00:00, stenn@deacon.udel.edu
+  Update copyright year
+
+  sntp/include/copyright.def@1.26 +1 -1
+    Update copyright year
+
+ChangeSet@1.3615.7.7, 2016-01-07 23:33:11+00:00, stenn@deacon.udel.edu
   NTP_4_2_8P5
   TAG: NTP_4_2_8P5
 
-  ChangeLog@1.1791 +1 -0
+  ChangeLog@1.1786.7.4 +1 -0
     NTP_4_2_8P5
 
   ntpd/invoke-ntp.conf.texi@1.194 +1 -1
@@ -332,60 +957,349 @@ ChangeSet@1.3623, 2016-01-07 23:33:11+00:00, stenn@deacon.udel.edu
   util/ntp-keygen.mdoc.in@1.331 +2 -2
     NTP_4_2_8P5
 
-ChangeSet@1.3622, 2016-01-07 17:52:24-05:00, stenn@deacon.udel.edu
+ChangeSet@1.3615.7.6, 2016-01-07 17:52:24-05:00, stenn@deacon.udel.edu
   ntp-4.2.8p5
 
   packageinfo.sh@1.521 +1 -1
     ntp-4.2.8p5
 
-ChangeSet@1.3621, 2016-01-07 22:20:05+00:00, stenn@psp-at1.ntp.org
+ChangeSet@1.3615.7.5, 2016-01-07 22:20:05+00:00, stenn@psp-at1.ntp.org
   cleanup
 
   NEWS@1.152 +2 -2
     cleanup
 
-ChangeSet@1.3620, 2016-01-07 09:33:11+00:00, stenn@psp-at1.ntp.org
+ChangeSet@1.3615.7.4, 2016-01-07 09:33:11+00:00, stenn@psp-at1.ntp.org
   typo in ntp_proto.c - leap smear.  Reported by Martin Burnicki
 
-  ntpd/ntp_proto.c@1.371 +1 -1
+  ntpd/ntp_proto.c@1.368.1.3 +1 -1
     typo in ntp_proto.c - leap smear.  Reported by Martin Burnicki
 
-ChangeSet@1.3619, 2016-01-07 06:33:08+00:00, stenn@psp-at1.ntp.org
+ChangeSet@1.3615.7.3, 2016-01-07 06:33:08+00:00, stenn@psp-at1.ntp.org
   Update scripts/calc_tickadj/Makefile.am.  Harlan Stenn.
 
-  ChangeLog@1.1790 +1 -0
+  ChangeLog@1.1786.7.3 +1 -0
     Update scripts/calc_tickadj/Makefile.am.  Harlan Stenn.
 
   scripts/calc_tickadj/Makefile.am@1.11 +2 -0
     Update scripts/calc_tickadj/Makefile.am.  Harlan Stenn.
 
-ChangeSet@1.3616.1.1, 2016-01-05 10:57:45+00:00, stenn@psp-at1.ntp.org
+ChangeSet@1.3615.3.2, 2016-01-05 12:34:56+00:00, stenn@psp-at1.ntp.org
+  ntp-4.2.8p6
+
+  ChangeLog@1.1786.3.2 +2 -0
+    ntp-4.2.8p6
+
+ChangeSet@1.3615.8.1, 2016-01-05 10:57:45+00:00, stenn@psp-at1.ntp.org
   Bug 2952 fixes
 
-  ChangeLog@1.1787.1.1 +1 -0
+  ChangeLog@1.1786.8.1 +1 -0
     Bug 2952 fixes
 
-  ntpd/ntp_proto.c@1.370 +165 -152
+  ntpd/ntp_proto.c@1.368.1.2 +165 -152
     Bug 2952 fixes
 
-ChangeSet@1.3617, 2016-01-05 09:56:31+00:00, stenn@psp-at1.ntp.org
+ChangeSet@1.3615.7.1, 2016-01-05 09:56:31+00:00, stenn@psp-at1.ntp.org
   ntp-4.2.8p5 prep
 
-  ChangeLog@1.1788 +2 -1
+  ChangeLog@1.1786.7.1 +2 -1
     ntp-4.2.8p5 prep
 
   NEWS@1.151 +104 -3
     ntp-4.2.8p5 prep
 
-ChangeSet@1.3616, 2015-12-06 11:20:02+00:00, stenn@psp-deb1.ntp.org
+ChangeSet@1.3615.5.1, 2015-12-13 13:35:12+01:00, jnperlin@hydra.localnet
+  [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+    Found this already fixed, but validation lead to further cleanup:
+     - source code formatting
+     - inline variable definitions moved to start of block
+     - made some pure input data pointers 'const void*' instead of 'char*'; avoids casts and warnings
+
+  ChangeLog@1.1786.5.1 +3 -0
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+
+  sntp/crypto.c@1.19 +13 -12
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - sidekick: make pure input pointers 'const void*' instead of 'char*'
+     - sidekick: remove unnecessary casts
+
+  sntp/crypto.h@1.11 +11 -9
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - sidekick: make pure input pointers 'const void*' instead of 'char*'
+     - source formatting
+
+  sntp/main.c@1.99 +1 -1
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - no need to cast input to 'make_mac()' any more
+
+  sntp/networking.c@1.68 +1 -1
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - no need to cast input to 'auth_md5()' any more
+
+  sntp/tests/crypto.c@1.10 +41 -27
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - remove unnecessary casts
+     - source code formatting
+
+  sntp/tests/fileHandlingTest.c@1.4 +43 -20
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - create 'DestroyPath()' companion to 'CreatePath()' to avoid trouble with 'free()' on 'const char*'
+
+  sntp/tests/fileHandlingTest.h.in@1.15 +6 -15
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - create 'DestroyPath()' companion to 'CreatePath()' to avoid trouble with 'free()' on 'const char*'
+
+  sntp/tests/keyFile.c@1.13 +66 -46
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - use 'DestroyPath()' avoid trouble with 'free()' on 'const char*'
+     - printf() combined
+     - source code formatting
+     - move variable declarations to front
+
+  sntp/tests/packetHandling.c@1.6 +75 -64
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - move variable declarations to front
+     - source code formatting
+
+  sntp/tests/packetProcessing.c@1.9 +124 -90
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - move variable declarations to front
+     - source code formatting
+     - drop unnecessary casts
+
+  sntp/tests/run-packetProcessing.c@1.10 +18 -18
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+
+  sntp/unity/unity_internals.h@1.6 +1 -1
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - added missing 'const' in pointer casts
+
+  tests/libntp/decodenetnum.c@1.11 +33 -23
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - source code formatting +  cleanup
+
+  tests/libntp/run-decodenetnum.c@1.11 +4 -4
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+
+  tests/libntp/run-socktoa.c@1.14 +5 -5
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+
+  tests/libntp/socktoa.c@1.12 +23 -17
+    [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build
+     - source code formatting +  cleanup
+
+ChangeSet@1.3615.4.1, 2015-12-11 18:24:16+01:00, jnperlin@hydra.localnet
+  [Bug 2882] Look at ntp_request.c:list_peers_sum()
+
+  ChangeLog@1.1786.4.1 +1 -0
+    [Bug 2882] Look at ntp_request.c:list_peers_sum()
+
+  ntpd/ntp_request.c@1.116 +57 -72
+    [Bug 2882] Look at ntp_request.c:list_peers_sum()
+     - 'list_peers()' and 'list_peers_sum()' skip IPv6 entires if client does not support them,
+       but continue processing until end of list now.
+
+ChangeSet@1.3615.1.3, 2015-12-09 18:23:31+01:00, jnperlin@hydra.localnet
+  [Bug 2891] Deadlock in deferred DNS lookup framework.
+
+  ChangeLog@1.1786.1.3 +1 -0
+    [Bug 2891] Deadlock in deferred DNS lookup framework.
+
+  include/ntp_worker.h@1.5 +31 -22
+    [Bug 2891] Deadlock in deferred DNS lookup framework.
+     - provide signal-safe result-ready detection
+
+  libntp/ntp_worker.c@1.7 +27 -0
+    [Bug 2891] Deadlock in deferred DNS lookup framework.
+     - support signal-safe result-ready detection
+     - provide function to harvest async results from mainloop
+
+  ntpd/ntp_io.c@1.409.1.1 +160 -133
+    [Bug 2891] Deadlock in deferred DNS lookup framework.
+     - do not process async-resolver results from signal handler
+     - set notification tags to harvest asyn-resolver results from mainloop
+     - avoid double select for synchronous IO
+     - avoid several syslog calls in signal-handler context
+     - refactor / conditionalize some functions that cannot be used in signal-driven IO
+
+  ntpd/ntpd.c@1.169 +4 -0
+    [Bug 2891] Deadlock in deferred DNS lookup framework.
+     - reap/harvest async resolver results from mainloop
+
+ChangeSet@1.3615.1.2, 2015-12-06 21:33:26+01:00, jnperlin@hydra.localnet
+  [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
+   - applied patch by shenpeng11@huawei.com with minor adjustments
+
+  ChangeLog@1.1786.1.2 +2 -0
+    [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
+     - applied patch by shenpeng11@huawei.com with minor adjustments
+
+  ntpd/ntpd.c@1.168 +26 -3
+    [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
+     - applied patch by shenpeng11@huawei.com with minor adjustments
+
+ChangeSet@1.3615.2.1, 2015-12-06 20:19:32+01:00, jnperlin@hydra.localnet
+  [Bug 2772] adj_systime overflows tv_usec
+
+  ChangeLog@1.1786.2.1 +1 -0
+    [Bug 2772] adj_systime overflows tv_usec
+
+  libntp/systime.c@1.71 +12 -3
+    [Bug 2772] adj_systime overflows tv_usec
+     - add missing normalisation for nitpicking implementations of 'adjtime()'
+
+ChangeSet@1.3615.1.1, 2015-12-06 11:20:02+00:00, stenn@psp-deb1.ntp.org
   Quiet a warning from clang.  Harlan Stenn.
 
-  ChangeLog@1.1787 +1 -0
+  ChangeLog@1.1786.1.1 +1 -0
     Quiet a warning from clang.  Harlan Stenn.
 
   libntp/ntp_rfc2553.c@1.50 +3 -2
     Quiet a warning from clang.  Harlan Stenn.
 
+ChangeSet@1.3616, 2015-12-05 20:28:19+00:00, perlinger@psp-deb1.ntp.org
+  [Bug 2980] reduce number of warnings
+   - string formatting(arguments should be literals)
+   - applying constness where necessary
+   - removing bad consts that are superfluous
+   - avoid signed/unsigned clashes in conditionals (either by cast or type change)
+   - signed/unsigned and promotion conflicts
+   - add prototypes for function pointer tables
+   - force unsigned argument promotion in calls to 'ctype' functions (is{digit,cntrl,...})
+
+  ChangeLog@1.1787 +2 -0
+    [Bug 2980] reduce number of warnings
+
+  include/parse.h@1.14 +3 -3
+    [Bug 2980] reduce number of warnings
+     - make GPSWRAP and GPSWEEK unqualified literals to avoid signed/unsigned clashes
+
+  ntpd/ntp_config.c@1.336 +2 -0
+    [Bug 2980] reduce number of warnings
+     - add forward declaration of yyparse()
+
+  ntpd/ntp_io.c@1.410 +1 -1
+    [Bug 2980] reduce number of warnings
+     - fix a signedness comparison by adding a cast to size_t
+
+  ntpd/ntp_scanner.c@1.49 +1 -1
+    [Bug 2980] reduce number of warnings
+     - for type compatibility, make counter 'i' a size_t
+
+  ntpd/ntp_timer.c@1.94 +5 -6
+    [Bug 2980] reduce number of warnings
+     - fix a signed / unsigned compare
+
+  ntpd/refclock_chu.c@1.58 +1 -1
+    [Bug 2980] reduce number of warnings
+     - rewrite check to avoid warning about integer overflow
+
+  ntpd/refclock_gpsdjson.c@1.24 +13 -15
+    [Bug 2980] reduce number of warnings
+     - reshuffle to use a literal format string
+     - fix signed/unsigned clashes in compare
+
+  ntpd/refclock_jjy.c@1.30 +47 -44
+    Bug 2980 - reduce number of warnings
+     - make several pointers 'const char*'
+     - add prototypes for function pointer tables
+     - force unsigned argument promotion in calls to 'ctype' functions (is{digit,cntrl,...})
+
+  ntpd/refclock_shm.c@1.39 +1 -1
+    [Bug 2980] reduce number of warnings
+     - fix signed/unsigned clashes in compare
+
+  ntpq/ntpq-subs.c@1.114.1.1 +1 -1
+    [Bug 2980] reduce number of warnings
+     - avoid signed/unsigned clashe in compare
+
+  ntpq/ntpq.c@1.165.1.1 +47 -7
+    [Bug 2980] reduce number of warnings
+     - avoid juggling with formatting into dynamic buffers by a 'asprintf' like function
+
+  sntp/libopts/configfile.c@1.24 +22 -22
+    [Bug 2980] reduce number of warnings
+     - add some pointer constness to avoid casting it away
+
+  sntp/libopts/enum.c@1.14 +5 -5
+    [Bug 2980] reduce number of warnings
+     - avoid some unnecessary casts
+     - avoid shift/promote ambiguity by proper typing
+
+  sntp/libopts/find.c@1.13 +1 -1
+    [Bug 2980] reduce number of warnings
+     - Use VOIDP instead of a (char*) cast
+
+  sntp/libopts/init.c@1.9 +2 -3
+    [Bug 2980] reduce number of warnings
+     - use VOIDP() to replace a complicated double cast
+     - remove one useless cast
+
+  sntp/libopts/load.c@1.22 +1 -1
+    [Bug 2980] reduce number of warnings
+     - remove a useless cast
+
+  sntp/libopts/makeshell.c@1.21 +3 -3
+    [Bug 2980] reduce number of warnings
+     - fix integer promotion in calls to toupper/tolower
+
+  sntp/libopts/nested.c@1.17 +3 -1
+    [Bug 2980] reduce number of warnings
+     - avoid casting away constness by using a helper variable
+
+  sntp/libopts/parse-duration.c@1.15 +8 -2
+    [Bug 2980] reduce number of warnings
+     - avoid casting away constness by using a helper variable
+
+  sntp/libopts/reset.c@1.18 +1 -1
+    [Bug 2980] reduce number of warnings
+     - remove a useless cast
+
+  sntp/libopts/save.c@1.19 +2 -2
+    [Bug 2980] reduce number of warnings
+     - use VOIDP() instead of cast via (void**)
+
+  sntp/libopts/tokenize.c@1.14 +1 -1
+    [Bug 2980] reduce number of warnings
+     - add a required const qualification
+
+ChangeSet@1.3597.1.5, 2015-12-05 14:29:10+01:00, jnperlin@hydra.localnet
+  [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
+    - make CTRL-C work for retrieval and printing od MRU list.
+
+  ChangeLog@1.1770.1.3 +1 -0
+    [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
+      - make CTRL-C work for retrieval and printing od MRU list.
+
+  ntpq/ntpq-subs.c@1.115 +6 -0
+    [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
+     - make CTRL-C work for retrieval and printing od MRU list:
+        1) CTRL-C while collecting terminates the assembling of respose.
+        2) CTRL-C while printing will terminate the print loop.
+        3) both work independently of each other.
+
+  ntpq/ntpq.c@1.166 +16 -0
+    [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
+     - when collecting fragments, CTRL-C will try to cleanly return the list of fragments so far.
+
+ChangeSet@1.3597.5.1, 2015-12-05 13:44:57+01:00, jnperlin@hydra.localnet
+  [Bug 2905] DNS lookups broken.
+    - added limits to stack consumption, fixed some return code handling
+
+  ChangeLog@1.1770.5.1 +2 -0
+    [Bug 2905] DNS lookups broken.
+      - added limits to stack consumption, fixed some return code handling
+
+  libntp/work_thread.c@1.19 +55 -17
+    [Bug 2905] DNS lookups broken.
+     - added limits to stack consumption
+     - fixed some return code handling
+     - harden queue handling
+
+  ntpd/ntpd.c@1.166.1.1 +21 -4
+    [Bug 2905] DNS lookups broken.
+      - added limits to stack consumption of wartmup thread
+
 ChangeSet@1.3615, 2015-12-05 10:41:51+00:00, stenn@psp-at1.ntp.org
   CID 1341677: Nits in sntp/tests/keyFile.c.  HStenn.
 
@@ -1113,7 +2027,7 @@ ChangeSet@1.3584.1.1, 2015-11-13 22:54:35+01:00, jnperlin@hydra.localnet
     [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets
      - avoid 'unused' warnings
 
-  ntpd/ntp_proto.c@1.369 +8 -6
+  ntpd/ntp_proto.c@1.368.1.1 +8 -6
     [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets
      - promote use of 'size_t' for values that express a size
      - format string fixes 
@@ -1164,7 +2078,7 @@ ChangeSet@1.3584.1.1, 2015-11-13 22:54:35+01:00, jnperlin@hydra.localnet
      - promote use of 'size_t' for values that express a size
      - avoid truncation of SOCKET handles
 
-  ntpdc/ntpdc.c@1.105 +36 -34
+  ntpdc/ntpdc.c@1.104.1.1 +36 -34
     [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets
      - promote use of 'size_t' for values that express a size
      - format string fixes
@@ -1827,6 +2741,31 @@ ChangeSet@1.3574, 2015-10-20 08:00:43+00:00, stenn@psp-deb1.ntp.org
   NEWS@1.149 +16 -16
     Update CVEs
 
+ChangeSet@1.3558.8.1, 2015-10-17 23:19:57+02:00, jnperlin@hydra.localnet
+  [Bug 2945] Zero Origin Timestamp Bypass
+
+  ChangeLog@1.1743.8.1 +2 -0
+    [Bug 2945] Zero Origin Timestamp Bypass
+
+  ntpd/ntp_proto.c@1.364.2.1 +9 -1
+    [Bug 2945] Zero Origin Timestamp Bypass
+     - in basic mode 'aorg' is cleared to indicate a response has been received. So a reply has to be dropped
+       when it either does not match the origin timestamp OR the origin time stamp is zero.
+
+ChangeSet@1.3558.7.1, 2015-10-17 21:15:39+02:00, jnperlin@hydra.localnet
+  [Bug 2948] Potential Infinite Loop in ntpq and ntpdc
+
+  ChangeLog@1.1743.7.1 +2 -0
+    [Bug 2948] Potential Infinite Loop in ntpq and ntpdc
+
+  ntpdc/ntpdc.c@1.105 +20 -1
+    [Bug 2948] Potential Infinite Loop in ntpq and ntpdc
+     - check timeout between request and valid response(s) instead of *any* incoming data
+
+  ntpq/ntpq.c@1.161.2.1 +22 -2
+    [Bug 2948] Potential Infinite Loop in ntpq and ntpdc
+     - check timeout between request and valid response(s) instead of *any* incoming data
+
 ChangeSet@1.3573, 2015-10-17 06:28:49+00:00, stenn@psp-deb1.ntp.org
   ntp-4.2.8p4-sec-RC2
 
@@ -2172,6 +3111,53 @@ ChangeSet@1.3571, 2015-10-17 01:39:22+00:00, stenn@psp-deb1.ntp.org
   ChangeLog@1.1755 +4 -1
     [Sec 2941] NAK to the Future: Symmetric association authentication bypass via crypto-NAK
 
+ChangeSet@1.3558.6.2, 2015-10-13 23:31:28+02:00, jnperlin@hydra.localnet
+  [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames.
+   - make sure the file does not exist (no overwrite allowed)
+   - ensure text mode where applicable (windows)
+
+  ntpd/ntp_control.c@1.203.1.2 +17 -3
+    [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames.
+     - make sure the file does not exist (no overwrite allowed)
+     - ensure text mode where applicable (windows)
+
+ChangeSet@1.3558.6.1, 2015-10-12 08:18:56+02:00, jnperlin@hydra.localnet
+  [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames
+
+  ChangeLog@1.1743.6.1 +3 -0
+    [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames
+
+  ntpd/ntp_control.c@1.203.1.1 +161 -37
+    [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames
+     - added function to check safe file names ([_A-Za-z0-9][-+._A-Za-z0-9]*)
+     - checked for truncation, too, not only overrun safey
+
+ChangeSet@1.3558.5.1, 2015-10-11 14:12:31+02:00, jnperlin@hydra.localnet
+  [Bug 2939] reslist NULL pointer dereference
+  [Bug 2940] Stack exhaustion in recursive traversal of restriction list
+    -- these two where fixed together --
+
+  ChangeLog@1.1743.5.1 +4 -0
+    [Bug 2939] reslist NULL pointer dereference
+    [Bug 2940] Stack exhaustion in recursive traversal of restriction list
+
+  ntpd/ntp_request.c@1.113.1.1 +127 -39
+    [Bug 2939] reslist NULL pointer dereference
+    [Bug 2940] Stack exhaustion in recursive traversal of restriction list
+     - use iteration and a scratch pad stack to do the list reversal; deep recusrsion can be dangerous in C
+     - properly terminate processing when 'more_pkt()' indicates packet full
+     - check the return value of 'more_pkt()' when used in iterations, or trash it explicitely
+     - fixed uint32_t vs. u_long clash that would cause security problems on big-endian 64bit machines
+
+ChangeSet@1.3558.4.1, 2015-10-11 09:32:40+02:00, jnperlin@hydra.localnet
+  [Bug 2937] (NTPQ) nextvar() missing length check
+
+  ChangeLog@1.1743.4.1 +2 -0
+    [Bug 2937] (NTPQ) nextvar() missing length check
+
+  ntpq/ntpq.c@1.161.1.1 +2 -0
+    [Bug 2937] (NTPQ) nextvar() missing length check
+
 ChangeSet@1.3558.3.3, 2015-10-11 08:10:20+02:00, jnperlin@hydra.localnet
   [Bug 2941] NAK to the Future: Symmetric association authentication bypass via crypto-NAK
 
diff --git a/contrib/ntp/NEWS b/contrib/ntp/NEWS
index 32c9288..278943c 100644
--- a/contrib/ntp/NEWS
+++ b/contrib/ntp/NEWS
@@ -1,5 +1,258 @@
 ---
 
+NTP 4.2.8p6
+
+Focus: Security, Bug fixes, enhancements.
+
+Severity: MEDIUM
+
+In addition to bug fixes and enhancements, this release fixes the
+following X low- and Y medium-severity vulnerabilities:
+
+* Potential Infinite Loop in 'ntpq'
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2548 / CVE-2015-8158
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
+   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
+   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
+	The loop's only stopping conditions are receiving a complete and
+	correct response or hitting a small number of error conditions.
+	If the packet contains incorrect values that don't trigger one of
+	the error conditions, the loop continues to receive new packets.
+	Note well, this is an attack against an instance of 'ntpq', not
+	'ntpd', and this attack requires the attacker to do one of the
+	following:
+	* Own a malicious NTP server that the client trusts
+	* Prevent a legitimate NTP server from sending packets to
+	    the 'ntpq' client
+	* MITM the 'ntpq' communications between the 'ntpq' client
+	    and the NTP server
+   Mitigation:
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
+	or the NTP Public Services Project Download Page
+   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
+
+* 0rigin: Zero Origin Timestamp Bypass
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2945 / CVE-2015-8138
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
+   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
+	(3.7 - LOW if you score AC:L)
+   Summary: To distinguish legitimate peer responses from forgeries, a
+	client attempts to verify a response packet by ensuring that the
+	origin timestamp in the packet matches the origin timestamp it
+	transmitted in its last request.  A logic error exists that
+	allows packets with an origin timestamp of zero to bypass this
+	check whenever there is not an outstanding request to the server.
+   Mitigation:
+	Configure 'ntpd' to get time from multiple sources.
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
+	    or the NTP Public Services Project Download Page.
+	Monitor your 'ntpd= instances.
+   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
+
+* Stack exhaustion in recursive traversal of restriction list
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
+   References: Sec 2940 / CVE-2015-7978
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
+   Summary: An unauthenticated 'ntpdc reslist' command can cause a
+   	segmentation fault in ntpd by exhausting the call stack.
+   Mitigation:
+	Implement BCP-38.
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
+	    or the NTP Public Services Project Download Page.
+	If you are unable to upgrade:
+            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
+	    If you must enable mode 7:
+		configure the use of a 'requestkey' to control who can
+		    issue mode 7 requests.
+		configure 'restrict noquery' to further limit mode 7
+		    requests to trusted sources.
+		Monitor your ntpd instances.
+   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
+
+* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2942 / CVE-2015-7979
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
+   Summary: An off-path attacker can send broadcast packets with bad
+	authentication (wrong key, mismatched key, incorrect MAC, etc)
+	to broadcast clients. It is observed that the broadcast client
+	tears down the association with the broadcast server upon
+	receiving just one bad packet.
+   Mitigation:
+	Implement BCP-38.
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
+	or the NTP Public Services Project Download Page.
+	Monitor your 'ntpd' instances.
+	If this sort of attack is an active problem for you, you have
+	    deeper problems to investigate.  In this case also consider
+	    having smaller NTP broadcast domains.
+   Credit: This weakness was discovered by Aanchal Malhotra of Boston
+   	University.
+
+* reslist NULL pointer dereference
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2939 / CVE-2015-7977
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
+   Summary: An unauthenticated 'ntpdc reslist' command can cause a
+	segmentation fault in ntpd by causing a NULL pointer dereference.
+   Mitigation:
+	Implement BCP-38.
+	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
+	the NTP Public Services Project Download Page.
+	If you are unable to upgrade:
+	    mode 7 is disabled by default.  Don't enable it.
+	    If you must enable mode 7:
+		configure the use of a 'requestkey' to control who can
+		    issue mode 7 requests.
+		configure 'restrict noquery' to further limit mode 7
+		    requests to trusted sources. 
+	Monitor your ntpd instances.
+   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
+
+* 'ntpq saveconfig' command allows dangerous characters in filenames.
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2938 / CVE-2015-7976
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
+   Summary: The ntpq saveconfig command does not do adequate filtering
+   	of special characters from the supplied filename.
+	Note well: The ability to use the saveconfig command is controlled
+	by the 'restrict nomodify' directive, and the recommended default
+	configuration is to disable this capability.  If the ability to
+	execute a 'saveconfig' is required, it can easily (and should) be
+	limited and restricted to a known small number of IP addresses.
+   Mitigation:
+	Implement BCP-38.
+	use 'restrict default nomodify' in your 'ntp.conf' file.
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
+	If you are unable to upgrade:
+	    build NTP with 'configure --disable-saveconfig' if you will
+	    	never need this capability, or
+	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
+		careful about what IPs have the ability to send 'modify'
+		requests to 'ntpd'.
+	Monitor your ntpd instances.
+	'saveconfig' requests are logged to syslog - monitor your syslog files.
+   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
+
+* nextvar() missing length check in ntpq
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2937 / CVE-2015-7975
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
+	If you score A:C, this becomes 4.0.
+   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
+   Summary: ntpq may call nextvar() which executes a memcpy() into the
+	name buffer without a proper length check against its maximum
+	length of 256 bytes. Note well that we're taking about ntpq here.
+	The usual worst-case effect of this vulnerability is that the
+	specific instance of ntpq will crash and the person or process
+	that did this will have stopped themselves.
+   Mitigation:
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
+	    or the NTP Public Services Project Download Page.
+	If you are unable to upgrade:
+	    If you have scripts that feed input to ntpq make sure there are
+		some sanity checks on the input received from the "outside".
+	    This is potentially more dangerous if ntpq is run as root. 
+   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
+
+* Skeleton Key: Any trusted key system can serve time
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2936 / CVE-2015-7974
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
+   Summary: Symmetric key encryption uses a shared trusted key. The
+	reported title for this issue was "Missing key check allows
+	impersonation between authenticated peers" and the report claimed
+	"A key specified only for one server should only work to
+	authenticate that server, other trusted keys should be refused."
+	Except there has never been any correlation between this trusted
+	key and server v. clients machines and there has never been any
+	way to specify a key only for one server. We have treated this as
+	an enhancement request, and ntp-4.2.8p6 includes other checks and
+	tests to strengthen clients against attacks coming from broadcast
+	servers.
+   Mitigation:
+	Implement BCP-38.
+	If this scenario represents a real or a potential issue for you,
+	    upgrade to 4.2.8p6, or later, from the NTP Project Download
+	    Page or the NTP Public Services Project Download Page, and
+	    use the new field in the ntp.keys file that specifies the list
+	    of IPs that are allowed to serve time. Note that this alone
+	    will not protect against time packets with forged source IP
+	    addresses, however other changes in ntp-4.2.8p6 provide
+	    significant mitigation against broadcast attacks. MITM attacks
+	    are a different story.
+	If you are unable to upgrade:
+	    Don't use broadcast mode if you cannot monitor your client
+	    	servers.
+	    If you choose to use symmetric keys to authenticate time
+	    	packets in a hostile environment where ephemeral time
+		servers can be created, or if it is expected that malicious
+		time servers will participate in an NTP broadcast domain,
+		limit the number of participating systems that participate
+		in the shared-key group. 
+	Monitor your ntpd instances. 
+   Credit: This weakness was discovered by Matt Street of Cisco ASIG. 
+
+* Deja Vu: Replay attack on authenticated broadcast mode
+   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
+   References: Sec 2935 / CVE-2015-7973
+   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
+   	4.3.0 up to, but not including 4.3.90
+   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
+   Summary: If an NTP network is configured for broadcast operations then
+   	either a man-in-the-middle attacker or a malicious participant
+	that has the same trusted keys as the victim can replay time packets.
+   Mitigation:
+	Implement BCP-38.
+	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
+	    or the NTP Public Services Project Download Page.
+	If you are unable to upgrade:
+	    Don't use broadcast mode if you cannot monitor your client servers.
+	Monitor your ntpd instances.
+   Credit: This weakness was discovered by Aanchal Malhotra of Boston
+	University.
+
+Other fixes:
+
+* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
+* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
+  - applied patch by shenpeng11@huawei.com with minor adjustments
+* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
+* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
+* [Bug 2892] Several test cases assume IPv6 capabilities even when
+             IPv6 is disabled in the build. perlinger@ntp.org
+  - Found this already fixed, but validation led to cleanup actions.
+* [Bug 2905] DNS lookups broken. perlinger@ntp.org
+  - added limits to stack consumption, fixed some return code handling
+* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
+  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
+  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
+* [Bug 2980] reduce number of warnings. perlinger@ntp.org
+  - integrated several patches from Havard Eidnes (he@uninett.no)
+* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
+  - implement 'auth_log2()' using integer bithack instead of float calculation
+* Make leapsec_query debug messages less verbose.  Harlan Stenn.
+
+---
+
 NTP 4.2.8p5
 
 Focus: Security, Bug fixes, enhancements.
diff --git a/contrib/ntp/configure b/contrib/ntp/configure
index 758ffa9..75724cc 100755
--- a/contrib/ntp/configure
+++ b/contrib/ntp/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for ntp 4.2.8p5.
+# Generated by GNU Autoconf 2.69 for ntp 4.2.8p6.
 #
 # Report bugs to <http://bugs.ntp.org./>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='ntp'
 PACKAGE_TARNAME='ntp'
-PACKAGE_VERSION='4.2.8p5'
-PACKAGE_STRING='ntp 4.2.8p5'
+PACKAGE_VERSION='4.2.8p6'
+PACKAGE_STRING='ntp 4.2.8p6'
 PACKAGE_BUGREPORT='http://bugs.ntp.org./'
 PACKAGE_URL='http://www.ntp.org./'
 
@@ -1616,7 +1616,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ntp 4.2.8p5 to adapt to many kinds of systems.
+\`configure' configures ntp 4.2.8p6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1686,7 +1686,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of ntp 4.2.8p5:";;
+     short | recursive ) echo "Configuration of ntp 4.2.8p6:";;
    esac
   cat <<\_ACEOF
 
@@ -1919,7 +1919,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ntp configure 4.2.8p5
+ntp configure 4.2.8p6
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2749,7 +2749,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ntp $as_me 4.2.8p5, which was
+It was created by ntp $as_me 4.2.8p6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3750,7 +3750,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='ntp'
- VERSION='4.2.8p5'
+ VERSION='4.2.8p6'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -37840,7 +37840,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ntp $as_me 4.2.8p5, which was
+This file was extended by ntp $as_me 4.2.8p6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -37907,7 +37907,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-ntp config.status 4.2.8p5
+ntp config.status 4.2.8p6
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/contrib/ntp/html/miscopt.html b/contrib/ntp/html/miscopt.html
index 261b08f..bc520f6 100644
--- a/contrib/ntp/html/miscopt.html
+++ b/contrib/ntp/html/miscopt.html
@@ -11,7 +11,7 @@
 <img src="pic/boom3.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
 <p>We have three, now looking for more.</p>
 <p>Last update:
-  <!-- #BeginDate format:En2m -->17-Nov-2015  11:06<!-- #EndDate -->
+  <!-- #BeginDate format:En2m -->16-Jan-2016  13:08<!-- #EndDate -->
     UTC</p>
 <br clear="left">
 <h4>Related Links</h4>
@@ -29,8 +29,9 @@
   <dd>The file format consists of a single line containing a single floating point number, which records the frequency offset measured in parts-per-million (PPM). The file is updated by first writing the current drift value into a temporary file and then renaming this file to replace the old version.</dd>
   <dt id="dscp"><tt>dscp <i>dscp</i></tt></dt>
   <dd>This command specifies the Differentiated Services Code Point (DSCP) value that is used in sent NTP packets.  The default value is 46 for Expedited Forwarding (EF).</dd>
-  <dt id="enable"><tt>enable [auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats]</tt><br>
-    <tt>disable [auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats]</tt></dt>
+  <dt id="enable"><tt>enable [auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats | unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early]</tt></dt>
+
+  <dt><tt>disable [auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats | unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early]</tt></dt>
   <dd>Provides a way to enable or disable various system options. Flags not mentioned are unaffected. Note that most of these flags can be modified remotely using <a href="ntpq.html"><tt>ntpq</tt></a> utility program's <tt>:config</tt> and <tt>config-from-file</tt> commands.
     <dl>
       <dt><tt>auth</tt></dt>
@@ -50,6 +51,13 @@
       <dd>Enables time and frequency discipline. In effect, this switch opens and closes the feedback loop, which is useful for testing. The default for this flag is enable.</dd>
       <dt><tt>stats</tt></dt>
       <dd>Enables the statistics facility. See the <a href="monopt.html">Monitoring Options</a> page for further information. The default for this flag is enabled. This flag is excluded from runtime configuration using <tt>ntpq</tt>.</dd>
+| unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early
+      <dt><tt>unpeer_crypto_early</tt></dt>
+      <dd>Enables the early resetting of an association in case of a crypto failure.  This is generally a feature, but it can be used in a DoS attack.  If you are seeing these packets being used as a DoS attack against your server, you should disable this flag.  The default for this flag is enabled. This flag is excluded from runtime configuration using <tt>ntpq</tt>.</dd>
+      <dt><tt>unpeer_crypto_nak_early</tt></dt>
+      <dd>Enables the early resetting of an association in case of a crypto_NAK message.  This is generally a feature, but it can be used in a DoS attack.  If you are seeing these packets being used as a DoS attack against your server, you should disable this flag.  The default for this flag is enabled. This flag is excluded from runtime configuration using <tt>ntpq</tt>.</dd>
+      <dt><tt>unpeer_digest_early</tt></dt>
+      <dd>Enables the early resetting of an association in case of an autokey digest failur.  This is generally a feature, but it can be used in a DoS attack.  If you are seeing these packets being used as a DoS attack against your server, you should disable this flag.  The default for this flag is enabled. This flag is excluded from runtime configuration using <tt>ntpq</tt>.</dd>
     </dl>
   </dd>
   <dt id="includefile"><tt>includefile <i>includefile</i></tt></dt>
diff --git a/contrib/ntp/include/Makefile.am b/contrib/ntp/include/Makefile.am
index d8b4dd2..521ac14 100644
--- a/contrib/ntp/include/Makefile.am
+++ b/contrib/ntp/include/Makefile.am
@@ -36,6 +36,7 @@ noinst_HEADERS =	\
 	ntp_if.h	\
 	ntp_intres.h	\
 	ntp_io.h	\
+	ntp_keyacc.h	\
 	ntp_libopts.h	\
 	ntp_lineedit.h	\
 	ntp_lists.h	\
diff --git a/contrib/ntp/include/Makefile.in b/contrib/ntp/include/Makefile.in
index 6e45e93..ef92804 100644
--- a/contrib/ntp/include/Makefile.in
+++ b/contrib/ntp/include/Makefile.in
@@ -521,6 +521,7 @@ noinst_HEADERS = \
 	ntp_if.h	\
 	ntp_intres.h	\
 	ntp_io.h	\
+	ntp_keyacc.h	\
 	ntp_libopts.h	\
 	ntp_lineedit.h	\
 	ntp_lists.h	\
diff --git a/contrib/ntp/include/ntp.h b/contrib/ntp/include/ntp.h
index 4ffc35f..6a4e9aa 100644
--- a/contrib/ntp/include/ntp.h
+++ b/contrib/ntp/include/ntp.h
@@ -350,6 +350,7 @@ struct peer {
 	l_fp	dst;		/* destination timestamp */
 	l_fp	aorg;		/* origin timestamp */
 	l_fp	borg;		/* alternate origin timestamp */
+	l_fp	bxmt;		/* most recent broadcast transmit timestamp */
 	double	offset;		/* peer clock offset */
 	double	delay;		/* peer roundtrip delay */
 	double	jitter;		/* peer jitter (squares) */
@@ -382,7 +383,8 @@ struct peer {
 	 * Statistic counters
 	 */
 	u_long	timereset;	/* time stat counters were reset */
-	u_long	timereceived;	/* last packet received time */
+	u_long	timelastrec;	/* last packet received time */
+	u_long	timereceived;	/* last (clean) packet received time */
 	u_long	timereachable;	/* last reachable/unreachable time */
 
 	u_long	sent;		/* packets sent */
@@ -708,6 +710,9 @@ struct pkt {
 #define	PROTO_ORPHAN		26
 #define	PROTO_ORPHWAIT		27
 #define	PROTO_MODE7		28
+#define	PROTO_UECRYPTO		29
+#define	PROTO_UECRYPTONAK	30
+#define	PROTO_UEDIGEST		31
 
 /*
  * Configuration items for the loop filter
diff --git a/contrib/ntp/include/ntp_io.h b/contrib/ntp/include/ntp_io.h
index 5950f00..d34d60a 100644
--- a/contrib/ntp/include/ntp_io.h
+++ b/contrib/ntp/include/ntp_io.h
@@ -40,6 +40,8 @@
 
 #include "libntp.h"	/* This needs Something above for GETDTABLESIZE */
 
+#include "ntp_keyacc.h"
+
 /*
  * Define FNDELAY and FASYNC using O_NONBLOCK and O_ASYNC if we need
  * to (and can).  This is here initially for QNX, but may help for
@@ -83,7 +85,6 @@ typedef enum {
 extern int	qos;
 SOCKET		move_fd(SOCKET fd);
 isc_boolean_t	get_broadcastclient_flag(void);
-extern int	is_ip_address(const char *, u_short, sockaddr_u *);
 extern void	sau_from_netaddr(sockaddr_u *, const isc_netaddr_t *);
 extern void	add_nic_rule(nic_rule_match match_type,
 			     const char *if_name, int prefixlen,
diff --git a/contrib/ntp/include/ntp_keyacc.h b/contrib/ntp/include/ntp_keyacc.h
new file mode 100644
index 0000000..730c310
--- /dev/null
+++ b/contrib/ntp/include/ntp_keyacc.h
@@ -0,0 +1,13 @@
+/*
+ *  ntp_keyacc.h - key access stuff
+ */
+#ifndef NTP_KEYACC_H
+#define NTP_KEYACC_H
+
+typedef struct keyaccess KeyAccT;
+struct keyaccess {
+	KeyAccT *	next;
+	sockaddr_u	addr;
+};
+
+#endif	/* NTP_KEYACC_H */
diff --git a/contrib/ntp/include/ntp_stdlib.h b/contrib/ntp/include/ntp_stdlib.h
index d735b41..98ac69e 100644
--- a/contrib/ntp/include/ntp_stdlib.h
+++ b/contrib/ntp/include/ntp_stdlib.h
@@ -16,6 +16,7 @@
 #include "ntp_malloc.h"
 #include "ntp_string.h"
 #include "ntp_syslog.h"
+#include "ntp_keyacc.h"
 
 #ifdef __GNUC__
 #define NTP_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
@@ -69,6 +70,7 @@ extern	int	authdecrypt	(keyid_t, u_int32 *, size_t, size_t);
 extern	size_t	authencrypt	(keyid_t, u_int32 *, size_t);
 extern	int	authhavekey	(keyid_t);
 extern	int	authistrusted	(keyid_t);
+extern	int	authistrustedip	(keyid_t, sockaddr_u *);
 extern	int	authreadkeys	(const char *);
 extern	void	authtrust	(keyid_t, u_long);
 extern	int	authusekey	(keyid_t, int, const u_char *);
@@ -97,7 +99,7 @@ extern	int	ymd2yd		(int, int, int);
 /* a_md5encrypt.c */
 extern	int	MD5authdecrypt	(int, const u_char *, u_int32 *, size_t, size_t);
 extern	size_t	MD5authencrypt	(int, const u_char *, u_int32 *, size_t);
-extern	void	MD5auth_setkey	(keyid_t, int, const u_char *, size_t);
+extern	void	MD5auth_setkey	(keyid_t, int, const u_char *, size_t, KeyAccT *c);
 extern	u_int32	addr2refid	(sockaddr_u *);
 
 /* emalloc.c */
@@ -141,6 +143,7 @@ extern	int	atouint		(const char *, u_long *);
 extern	int	hextoint	(const char *, u_long *);
 extern	const char *	humanlogtime	(void);
 extern	const char *	humantime	(time_t);
+extern int	is_ip_address	(const char *, u_short, sockaddr_u *);
 extern	char *	mfptoa		(u_int32, u_int32, short);
 extern	char *	mfptoms		(u_int32, u_int32, short);
 extern	const char * modetoa	(size_t);
diff --git a/contrib/ntp/include/ntp_types.h b/contrib/ntp/include/ntp_types.h
index a947f30..7ff3125 100644
--- a/contrib/ntp/include/ntp_types.h
+++ b/contrib/ntp/include/ntp_types.h
@@ -218,6 +218,7 @@ typedef uint16_t	associd_t; /* association ID */
 #define ASSOCID_MAX	USHRT_MAX
 typedef u_int32 keyid_t;	/* cryptographic key ID */
 #define KEYID_T_MAX	(0xffffffff)
+
 typedef u_int32 tstamp_t;	/* NTP seconds timestamp */
 
 /*
diff --git a/contrib/ntp/include/ntp_worker.h b/contrib/ntp/include/ntp_worker.h
index 50616b3..7720b8c 100644
--- a/contrib/ntp/include/ntp_worker.h
+++ b/contrib/ntp/include/ntp_worker.h
@@ -60,33 +60,35 @@ typedef sema_type	*sem_ref;
 #if defined(WORK_FORK)
 
 typedef struct blocking_child_tag {
-	int	reusable;
-	int	pid;
-	int	req_write_pipe;		/* parent */
-	int	resp_read_pipe;
-	void *	resp_read_ctx;
-	int	req_read_pipe;		/* child */
-	int	resp_write_pipe;
-	int	ispipe;
+	int		reusable;
+	int		pid;
+	int		req_write_pipe;		/* parent */
+	int		resp_read_pipe;
+	void *		resp_read_ctx;
+	int		req_read_pipe;		/* child */
+	int		resp_write_pipe;
+	int		ispipe;	
+	volatile u_int	resp_ready_seen;	/* signal/scan */
+	volatile u_int	resp_ready_done;	/* consumer/mainloop */
 } blocking_child;
 
 #elif defined(WORK_THREAD)
 
 typedef struct blocking_child_tag {
-/*
- * blocking workitems and blocking_responses are dynamically-sized
- * one-dimensional arrays of pointers to blocking worker requests and
- * responses.
- *
- * IMPORTANT: This structure is shared between threads, and all access
- * that is not atomic (especially queue operations) must hold the
- * 'accesslock' semaphore to avoid data races.
- *
- * The resource management (thread/semaphore creation/destruction)
- * functions and functions just testing a handle are safe because these
- * are only changed by the main thread when no worker is running on the
- * same data structure.
- */
+	/*
+	 * blocking workitems and blocking_responses are
+	 * dynamically-sized one-dimensional arrays of pointers to
+	 * blocking worker requests and responses.
+	 *
+	 * IMPORTANT: This structure is shared between threads, and all
+	 * access that is not atomic (especially queue operations) must
+	 * hold the 'accesslock' semaphore to avoid data races.
+	 *
+	 * The resource management (thread/semaphore
+	 * creation/destruction) functions and functions just testing a
+	 * handle are safe because these are only changed by the main
+	 * thread when no worker is running on the same data structure.
+	 */
 	int			reusable;
 	sem_ref			accesslock;	/* shared access lock */
 	thr_ref			thread_ref;	/* thread 'handle' */
@@ -117,6 +119,8 @@ typedef struct blocking_child_tag {
 	int			resp_write_pipe;	/* child */
 	int			ispipe;
 	void *			resp_read_ctx;		/* child */
+	volatile u_int		resp_ready_seen;	/* signal/scan */
+	volatile u_int		resp_ready_done;	/* consumer/mainloop */
 #else
 	sem_ref			responses_pending;	/* signalling */
 #endif
@@ -126,6 +130,10 @@ typedef struct blocking_child_tag {
 
 #endif	/* WORK_THREAD */
 
+/* we need some global tag to indicate any blocking child may be ready: */
+extern volatile u_int		blocking_child_ready_seen;/* signal/scan */
+extern volatile u_int		blocking_child_ready_done;/* consumer/mainloop */
+
 extern	blocking_child **	blocking_children;
 extern	size_t			blocking_children_alloc;
 extern	int			worker_per_query;	/* boolean */
@@ -139,6 +147,7 @@ extern	int	queue_blocking_response(blocking_child *,
 					blocking_pipe_header *, size_t,
 					const blocking_pipe_header *);
 extern	void	process_blocking_resp(blocking_child *);
+extern	void	harvest_blocking_responses(void);
 extern	int	send_blocking_req_internal(blocking_child *,
 					   blocking_pipe_header *,
 					   void *);
diff --git a/contrib/ntp/include/parse.h b/contrib/ntp/include/parse.h
index 9b1ffb2..02dbb30 100644
--- a/contrib/ntp/include/parse.h
+++ b/contrib/ntp/include/parse.h
@@ -107,9 +107,9 @@ extern unsigned int splclock (void);
 /*
  * some constants useful for GPS time conversion
  */
-#define GPSORIGIN       2524953600UL                /* NTP origin - GPS origin in seconds */
-#define GPSWRAP         990U                        /* assume week count less than this in the previous epoch */
-#define GPSWEEKS        1024U                       /* number of weeks until the GPS epch rolls over */
+#define GPSORIGIN       2524953600UL         /* NTP origin - GPS origin in seconds */
+#define GPSWRAP         990                  /* assume week count less than this in the previous epoch */
+#define GPSWEEKS        1024                 /* number of weeks until the GPS epch rolls over */
 
 /*
  * state flags
diff --git a/contrib/ntp/libntp/Makefile.am b/contrib/ntp/libntp/Makefile.am
index 914badb..a3b50e1 100644
--- a/contrib/ntp/libntp/Makefile.am
+++ b/contrib/ntp/libntp/Makefile.am
@@ -70,6 +70,7 @@ libntp_a_SRCS =						\
 	humandate.c					\
 	icom.c						\
 	iosignal.c					\
+	is_ip_address.c					\
 	lib_strbuf.c					\
 	machines.c					\
 	mktime.c					\
diff --git a/contrib/ntp/libntp/Makefile.in b/contrib/ntp/libntp/Makefile.in
index 6e40cd4..5cf5703 100644
--- a/contrib/ntp/libntp/Makefile.in
+++ b/contrib/ntp/libntp/Makefile.in
@@ -150,12 +150,12 @@ am__libntp_a_SOURCES_DIST = systime.c a_md5encrypt.c adjtime.c \
 	calyearstart.c clocktime.c clocktypes.c decodenetnum.c \
 	dofptoa.c dolfptoa.c emalloc.c findconfig.c getopt.c \
 	hextoint.c hextolfp.c humandate.c icom.c iosignal.c \
-	lib_strbuf.c machines.c mktime.c modetoa.c mstolfp.c msyslog.c \
-	netof.c ntp_calendar.c ntp_crypto_rnd.c ntp_intres.c \
-	ntp_libopts.c ntp_lineedit.c ntp_random.c ntp_rfc2553.c \
-	ntp_worker.c numtoa.c numtohost.c octtoint.c prettydate.c \
-	refidsmear.c recvbuff.c refnumtoa.c snprintf.c socket.c \
-	socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \
+	is_ip_address.c lib_strbuf.c machines.c mktime.c modetoa.c \
+	mstolfp.c msyslog.c netof.c ntp_calendar.c ntp_crypto_rnd.c \
+	ntp_intres.c ntp_libopts.c ntp_lineedit.c ntp_random.c \
+	ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c octtoint.c \
+	prettydate.c refidsmear.c recvbuff.c refnumtoa.c snprintf.c \
+	socket.c socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \
 	strl_obsd.c syssignal.c timetoa.c timevalops.c uglydate.c \
 	vint64ops.c work_fork.c work_thread.c ymd2yd.c \
 	$(srcdir)/../lib/isc/assertions.c \
@@ -207,21 +207,21 @@ am__objects_4 = a_md5encrypt.$(OBJEXT) adjtime.$(OBJEXT) \
 	dolfptoa.$(OBJEXT) emalloc.$(OBJEXT) findconfig.$(OBJEXT) \
 	getopt.$(OBJEXT) hextoint.$(OBJEXT) hextolfp.$(OBJEXT) \
 	humandate.$(OBJEXT) icom.$(OBJEXT) iosignal.$(OBJEXT) \
-	lib_strbuf.$(OBJEXT) machines.$(OBJEXT) mktime.$(OBJEXT) \
-	modetoa.$(OBJEXT) mstolfp.$(OBJEXT) msyslog.$(OBJEXT) \
-	netof.$(OBJEXT) ntp_calendar.$(OBJEXT) \
-	ntp_crypto_rnd.$(OBJEXT) ntp_intres.$(OBJEXT) \
-	ntp_libopts.$(OBJEXT) ntp_lineedit.$(OBJEXT) \
-	ntp_random.$(OBJEXT) ntp_rfc2553.$(OBJEXT) \
-	ntp_worker.$(OBJEXT) numtoa.$(OBJEXT) numtohost.$(OBJEXT) \
-	octtoint.$(OBJEXT) prettydate.$(OBJEXT) refidsmear.$(OBJEXT) \
-	recvbuff.$(OBJEXT) refnumtoa.$(OBJEXT) snprintf.$(OBJEXT) \
-	socket.$(OBJEXT) socktoa.$(OBJEXT) socktohost.$(OBJEXT) \
-	ssl_init.$(OBJEXT) statestr.$(OBJEXT) strdup.$(OBJEXT) \
-	strl_obsd.$(OBJEXT) syssignal.$(OBJEXT) timetoa.$(OBJEXT) \
-	timevalops.$(OBJEXT) uglydate.$(OBJEXT) vint64ops.$(OBJEXT) \
-	work_fork.$(OBJEXT) work_thread.$(OBJEXT) ymd2yd.$(OBJEXT) \
-	$(am__objects_3) $(am__objects_1)
+	is_ip_address.$(OBJEXT) lib_strbuf.$(OBJEXT) \
+	machines.$(OBJEXT) mktime.$(OBJEXT) modetoa.$(OBJEXT) \
+	mstolfp.$(OBJEXT) msyslog.$(OBJEXT) netof.$(OBJEXT) \
+	ntp_calendar.$(OBJEXT) ntp_crypto_rnd.$(OBJEXT) \
+	ntp_intres.$(OBJEXT) ntp_libopts.$(OBJEXT) \
+	ntp_lineedit.$(OBJEXT) ntp_random.$(OBJEXT) \
+	ntp_rfc2553.$(OBJEXT) ntp_worker.$(OBJEXT) numtoa.$(OBJEXT) \
+	numtohost.$(OBJEXT) octtoint.$(OBJEXT) prettydate.$(OBJEXT) \
+	refidsmear.$(OBJEXT) recvbuff.$(OBJEXT) refnumtoa.$(OBJEXT) \
+	snprintf.$(OBJEXT) socket.$(OBJEXT) socktoa.$(OBJEXT) \
+	socktohost.$(OBJEXT) ssl_init.$(OBJEXT) statestr.$(OBJEXT) \
+	strdup.$(OBJEXT) strl_obsd.$(OBJEXT) syssignal.$(OBJEXT) \
+	timetoa.$(OBJEXT) timevalops.$(OBJEXT) uglydate.$(OBJEXT) \
+	vint64ops.$(OBJEXT) work_fork.$(OBJEXT) work_thread.$(OBJEXT) \
+	ymd2yd.$(OBJEXT) $(am__objects_3) $(am__objects_1)
 am_libntp_a_OBJECTS = systime.$(OBJEXT) $(am__objects_4)
 libntp_a_OBJECTS = $(am_libntp_a_OBJECTS)
 libntpsim_a_AR = $(AR) $(ARFLAGS)
@@ -232,12 +232,12 @@ am__libntpsim_a_SOURCES_DIST = systime_s.c a_md5encrypt.c adjtime.c \
 	calyearstart.c clocktime.c clocktypes.c decodenetnum.c \
 	dofptoa.c dolfptoa.c emalloc.c findconfig.c getopt.c \
 	hextoint.c hextolfp.c humandate.c icom.c iosignal.c \
-	lib_strbuf.c machines.c mktime.c modetoa.c mstolfp.c msyslog.c \
-	netof.c ntp_calendar.c ntp_crypto_rnd.c ntp_intres.c \
-	ntp_libopts.c ntp_lineedit.c ntp_random.c ntp_rfc2553.c \
-	ntp_worker.c numtoa.c numtohost.c octtoint.c prettydate.c \
-	refidsmear.c recvbuff.c refnumtoa.c snprintf.c socket.c \
-	socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \
+	is_ip_address.c lib_strbuf.c machines.c mktime.c modetoa.c \
+	mstolfp.c msyslog.c netof.c ntp_calendar.c ntp_crypto_rnd.c \
+	ntp_intres.c ntp_libopts.c ntp_lineedit.c ntp_random.c \
+	ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c octtoint.c \
+	prettydate.c refidsmear.c recvbuff.c refnumtoa.c snprintf.c \
+	socket.c socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \
 	strl_obsd.c syssignal.c timetoa.c timevalops.c uglydate.c \
 	vint64ops.c work_fork.c work_thread.c ymd2yd.c \
 	$(srcdir)/../lib/isc/assertions.c \
@@ -660,6 +660,7 @@ libntp_a_SRCS = \
 	humandate.c					\
 	icom.c						\
 	iosignal.c					\
+	is_ip_address.c					\
 	lib_strbuf.c					\
 	machines.c					\
 	mktime.c					\
@@ -806,6 +807,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inet_pton.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interfaceiter.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iosignal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/is_ip_address.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib_strbuf.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
diff --git a/contrib/ntp/libntp/authkeys.c b/contrib/ntp/libntp/authkeys.c
index f7462a2..36fdd8b 100644
--- a/contrib/ntp/libntp/authkeys.c
+++ b/contrib/ntp/libntp/authkeys.c
@@ -15,6 +15,7 @@
 #include "ntp_string.h"
 #include "ntp_malloc.h"
 #include "ntp_stdlib.h"
+#include "ntp_keyacc.h"
 
 /*
  * Structure to store keys in in the hash table.
@@ -25,6 +26,7 @@ struct savekey {
 	symkey *	hlink;		/* next in hash bucket */
 	DECL_DLIST_LINK(symkey, llink);	/* for overall & free lists */
 	u_char *	secret;		/* shared secret */
+	KeyAccT *	keyacclist;	/* Private key access list */
 	u_long		lifetime;	/* remaining lifetime */
 	keyid_t		keyid;		/* key identifier */
 	u_short		type;		/* OpenSSL digest NID */
@@ -48,13 +50,13 @@ struct symkey_alloc_tag {
 symkey_alloc *	authallocs;
 #endif	/* DEBUG */
 
-static inline u_short	auth_log2(double x);
-static void		auth_resize_hashtable(void);
-static void		allocsymkey(symkey **, keyid_t,	u_short,
-				    u_short, u_long, u_short, u_char *);
-static void		freesymkey(symkey *, symkey **);
+static u_short	auth_log2(size_t);
+static void	auth_resize_hashtable(void);
+static void	allocsymkey(symkey **, keyid_t,	u_short, u_short,
+			    u_long, u_short, u_char *, KeyAccT *);
+static void	freesymkey(symkey *, symkey **);
 #ifdef DEBUG
-static void		free_auth_mem(void);
+static void	free_auth_mem(void);
 #endif
 
 symkey	key_listhead;		/* list of all in-use keys */;
@@ -97,6 +99,7 @@ u_char *cache_secret;		/* secret */
 u_short	cache_secretsize;	/* secret length */
 int	cache_type;		/* OpenSSL digest NID */
 u_short cache_flags;		/* flags that wave */
+KeyAccT *cache_keyacclist;	/* key access list */
 
 
 /*
@@ -142,6 +145,7 @@ free_auth_mem(void)
 	key_hash = NULL;
 	cache_keyid = 0;
 	cache_flags = 0;
+	cache_keyacclist = NULL;
 	for (alloc = authallocs; alloc != NULL; alloc = next_alloc) {
 		next_alloc = alloc->link;
 		free(alloc->mem);	
@@ -210,10 +214,33 @@ auth_prealloc_symkeys(
 }
 
 
-static inline u_short
-auth_log2(double x)
+static u_short
+auth_log2(size_t x)
 {
-	return (u_short)(log10(x) / log10(2));
+	/*
+	** bithack to calculate floor(log2(x))
+	**
+	** This assumes
+	**   - (sizeof(size_t) is a power of two
+	**   - CHAR_BITS is a power of two
+	**   - returning zero for arguments <= 0 is OK.
+	**
+	** Does only shifts, masks and sums in integer arithmetic in
+	** log2(CHAR_BIT*sizeof(size_t)) steps. (that is, 5/6 steps for
+	** 32bit/64bit size_t)
+	*/
+	int	s;
+	int	r = 0;
+	size_t  m = ~(size_t)0;
+
+	for (s = sizeof(size_t) / 2 * CHAR_BIT; s != 0; s >>= 1) {
+		m <<= s;
+		if (x & m)
+			r += s;
+		else
+			x <<= s;
+	}
+	return (u_short)r;
 }
 
 
@@ -234,7 +261,7 @@ auth_resize_hashtable(void)
 	symkey *	sk;
 
 	totalkeys = authnumkeys + authnumfreekeys;
-	hashbits = auth_log2(totalkeys / 4.0) + 1;
+	hashbits = auth_log2(totalkeys / 4) + 1;
 	hashbits = max(4, hashbits);
 	hashbits = min(15, hashbits);
 
@@ -267,7 +294,8 @@ allocsymkey(
 	u_short		type,
 	u_long		lifetime,
 	u_short		secretsize,
-	u_char *	secret
+	u_char *	secret,
+	KeyAccT *	ka
 	)
 {
 	symkey *	sk;
@@ -281,6 +309,7 @@ allocsymkey(
 	sk->type = type;
 	sk->secretsize = secretsize;
 	sk->secret = secret;
+	sk->keyacclist = ka;
 	sk->lifetime = lifetime;
 	LINK_SLIST(*bucket, sk, hlink);
 	LINK_TAIL_DLIST(key_listhead, sk, llink);
@@ -412,6 +441,7 @@ authhavekey(
 	cache_flags = sk->flags;
 	cache_secret = sk->secret;
 	cache_secretsize = sk->secretsize;
+	cache_keyacclist = sk->keyacclist;
 
 	return TRUE;
 }
@@ -451,6 +481,7 @@ authtrust(
 		if (cache_keyid == id) {
 			cache_flags = 0;
 			cache_keyid = 0;
+			cache_keyacclist = NULL;
 		}
 
 		/*
@@ -480,7 +511,7 @@ authtrust(
 	} else {
 		lifetime = 0;
 	}
-	allocsymkey(bucket, id, KEY_TRUSTED, 0, lifetime, 0, NULL);
+	allocsymkey(bucket, id, KEY_TRUSTED, 0, lifetime, 0, NULL, NULL);
 }
 
 
@@ -511,6 +542,49 @@ authistrusted(
 	return TRUE;
 }
 
+
+/*
+ * authistrustedip - determine if the IP is OK for the keyid
+ */
+ int
+ authistrustedip(
+ 	keyid_t		keyno,
+	sockaddr_u *	sau
+	)
+{
+	symkey *	sk;
+	symkey **	bucket;
+	KeyAccT *	kal;
+	KeyAccT *	k;
+
+	if (keyno == cache_keyid)
+		kal = cache_keyacclist;
+	else {
+		authkeyuncached++;
+		bucket = &key_hash[KEYHASH(keyno)];
+		for (sk = *bucket; sk != NULL; sk = sk->hlink) {
+			if (keyno == sk->keyid)
+				break;
+		}
+		if (NULL == sk || !(KEY_TRUSTED & sk->flags)) {
+			INSIST(!"authistrustedip: keyid not found/trusted!");
+			return FALSE;
+		}
+		kal = sk->keyacclist;
+	}
+
+	if (NULL == kal)
+		return TRUE;
+
+	for (k = kal; k; k = k->next) {
+		if (SOCK_EQ(&k->addr, sau))
+			return TRUE;
+	}
+
+	return FALSE;
+}
+
+
 /* Note: There are two locations below where 'strncpy()' is used. While
  * this function is a hazard by itself, it's essential that it is used
  * here. Bug 1243 involved that the secret was filled with NUL bytes
@@ -527,7 +601,8 @@ MD5auth_setkey(
 	keyid_t keyno,
 	int	keytype,
 	const u_char *key,
-	size_t len
+	size_t	len,
+	KeyAccT *ka
 	)
 {
 	symkey *	sk;
@@ -553,6 +628,7 @@ MD5auth_setkey(
 			sk->type = (u_short)keytype;
 			secretsize = len;
 			sk->secretsize = (u_short)secretsize;
+			sk->keyacclist = ka;
 #ifndef DISABLE_BUG1243_FIX
 			memcpy(sk->secret, key, secretsize);
 #else
@@ -563,6 +639,7 @@ MD5auth_setkey(
 			if (cache_keyid == keyno) {
 				cache_flags = 0;
 				cache_keyid = 0;
+				cache_keyacclist = NULL;
 			}
 			return;
 		}
@@ -580,7 +657,7 @@ MD5auth_setkey(
 	strncpy((char *)secret, (const char *)key, secretsize);
 #endif
 	allocsymkey(bucket, keyno, 0, (u_short)keytype, 0,
-		    (u_short)secretsize, secret);
+		    (u_short)secretsize, secret, ka);
 #ifdef DEBUG
 	if (debug >= 4) {
 		size_t	j;
diff --git a/contrib/ntp/libntp/authreadkeys.c b/contrib/ntp/libntp/authreadkeys.c
index 95a357a..1d4ee30 100644
--- a/contrib/ntp/libntp/authreadkeys.c
+++ b/contrib/ntp/libntp/authreadkeys.c
@@ -5,10 +5,12 @@
 #include <stdio.h>
 #include <ctype.h>
 
+#include "ntpd.h"	/* Only for DPRINTF */
 #include "ntp_fp.h"
 #include "ntp.h"
 #include "ntp_syslog.h"
 #include "ntp_stdlib.h"
+#include "ntp_keyacc.h"
 
 #ifdef OPENSSL
 #include "openssl/objects.h"
@@ -85,6 +87,7 @@ static void log_maybe(u_int*, const char*, ...) NTP_PRINTF(2, 3);
 typedef struct keydata KeyDataT;
 struct keydata {
 	KeyDataT *next;		/* queue/stack link		*/
+	KeyAccT  *keyacclist;	/* key access list		*/
 	keyid_t   keyid;	/* stored key ID		*/
 	u_short   keytype;	/* stored key type		*/
 	u_short   seclen;	/* length of secret		*/
@@ -228,6 +231,7 @@ authreadkeys(
 		len = strlen(token);
 		if (len <= 20) {	/* Bug 2537 */
 			next = emalloc(sizeof(KeyDataT) + len);
+			next->keyacclist = NULL;
 			next->keyid   = keyno;
 			next->keytype = keytype;
 			next->seclen  = len;
@@ -257,11 +261,48 @@ authreadkeys(
 			}
 			len = jlim/2; /* hmmmm.... what about odd length?!? */
 			next = emalloc(sizeof(KeyDataT) + len);
+			next->keyacclist = NULL;
 			next->keyid   = keyno;
 			next->keytype = keytype;
 			next->seclen  = len;
 			memcpy(next->secbuf, keystr, len);
 		}
+
+		token = nexttok(&line);
+DPRINTF(0, ("authreadkeys: full access list <%s>\n", (token) ? token : "NULL"));
+		if (token != NULL) {	/* A comma-separated IP access list */
+			char *tp = token;
+
+			while (tp) {
+				char *i;
+				KeyAccT ka;
+
+				i = strchr(tp, (int)',');
+				if (i)
+					*i = '\0';
+DPRINTF(0, ("authreadkeys: access list:  <%s>\n", tp));
+
+				if (is_ip_address(tp, AF_UNSPEC, &ka.addr)) {
+					KeyAccT *kap;
+
+					kap = emalloc(sizeof(KeyAccT));
+					memcpy(kap, &ka, sizeof ka);
+					kap->next = next->keyacclist;
+					next->keyacclist = kap;
+				} else {
+					log_maybe(&nerr,
+						  "authreadkeys: invalid IP address <%s> for key %d",
+						  tp, keyno);
+				}
+
+				if (i) {
+					tp = i + 1;
+				} else {
+					tp = 0;
+				}
+			}
+		}
+
 		INSIST(NULL != next);
 		next->next = list;
 		list = next;
@@ -286,7 +327,7 @@ authreadkeys(
 	while (NULL != (next = list)) {
 		list = next->next;
 		MD5auth_setkey(next->keyid, next->keytype,
-			       next->secbuf, next->seclen);
+			       next->secbuf, next->seclen, next->keyacclist);
 		/* purge secrets from memory before free()ing it */
 		memset(next, 0, sizeof(*next) + next->seclen);
 		free(next);
@@ -297,6 +338,14 @@ authreadkeys(
 	/* Mop up temporary storage before bailing out. */
 	while (NULL != (next = list)) {
 		list = next->next;
+
+		while (next->keyacclist) {
+			KeyAccT *kap = next->keyacclist;
+
+			next->keyacclist = kap->next;
+			free(kap);
+		}
+
 		/* purge secrets from memory before free()ing it */
 		memset(next, 0, sizeof(*next) + next->seclen);
 		free(next);
diff --git a/contrib/ntp/libntp/authusekey.c b/contrib/ntp/libntp/authusekey.c
index 0ccf522..ff449d3 100644
--- a/contrib/ntp/libntp/authusekey.c
+++ b/contrib/ntp/libntp/authusekey.c
@@ -29,6 +29,6 @@ authusekey(
 	if (0 == len)
 		return 0;
 
-	MD5auth_setkey(keyno, keytype, str, len);
+	MD5auth_setkey(keyno, keytype, str, len, NULL);
 	return 1;
 }
diff --git a/contrib/ntp/libntp/is_ip_address.c b/contrib/ntp/libntp/is_ip_address.c
new file mode 100644
index 0000000..1f21376
--- /dev/null
+++ b/contrib/ntp/libntp/is_ip_address.c
@@ -0,0 +1,129 @@
+/*
+ * is_ip_address
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#if 0
+#include <stdio.h>
+#include <signal.h>
+#ifdef HAVE_FNMATCH_H
+# include <fnmatch.h>
+# if !defined(FNM_CASEFOLD) && defined(FNM_IGNORECASE)
+#  define FNM_CASEFOLD FNM_IGNORECASE
+# endif
+#endif
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_IOCTL_H
+# include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_SOCKIO_H	/* UXPV: SIOC* #defines (Frank Vance <fvance@waii.com>) */
+# include <sys/sockio.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+# include <sys/uio.h>
+#endif
+#endif
+
+#include "ntp_assert.h"
+#include "ntp_stdlib.h"
+#include "safecast.h"
+
+#if 0
+#include "ntp_machine.h"
+#include "ntpd.h"
+#include "ntp_io.h"
+#include "iosignal.h"
+#include "ntp_lists.h"
+#include "ntp_refclock.h"
+#include "ntp_worker.h"
+#include "ntp_request.h"
+#include "timevalops.h"
+#include "timespecops.h"
+#include "ntpd-opts.h"
+#endif
+
+/* Don't include ISC's version of IPv6 variables and structures */
+#define ISC_IPV6_H 1
+#include <isc/mem.h>
+#include <isc/interfaceiter.h>
+#include <isc/netaddr.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+
+
+/*
+ * Code to tell if we have an IP address
+ * If we have then return the sockaddr structure
+ * and set the return value
+ * see the bind9/getaddresses.c for details
+ */
+int
+is_ip_address(
+	const char *	host,
+	u_short		af,
+	sockaddr_u *	addr
+	)
+{
+	struct in_addr in4;
+	struct addrinfo hints;
+	struct addrinfo *result;
+	struct sockaddr_in6 *resaddr6;
+	char tmpbuf[128];
+	char *pch;
+
+	REQUIRE(host != NULL);
+	REQUIRE(addr != NULL);
+
+	ZERO_SOCK(addr);
+
+	/*
+	 * Try IPv4, then IPv6.  In order to handle the extended format
+	 * for IPv6 scoped addresses (address%scope_ID), we'll use a local
+	 * working buffer of 128 bytes.  The length is an ad-hoc value, but
+	 * should be enough for this purpose; the buffer can contain a string
+	 * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
+	 * addresses (up to 46 bytes), the delimiter character and the
+	 * terminating NULL character.
+	 */
+	if (AF_UNSPEC == af || AF_INET == af)
+		if (inet_pton(AF_INET, host, &in4) == 1) {
+			AF(addr) = AF_INET;
+			SET_ADDR4N(addr, in4.s_addr);
+
+			return TRUE;
+		}
+
+	if (AF_UNSPEC == af || AF_INET6 == af)
+		if (sizeof(tmpbuf) > strlen(host)) {
+			if ('[' == host[0]) {
+				strlcpy(tmpbuf, &host[1], sizeof(tmpbuf));
+				pch = strchr(tmpbuf, ']');
+				if (pch != NULL)
+					*pch = '\0';
+			} else {
+				strlcpy(tmpbuf, host, sizeof(tmpbuf));
+			}
+			ZERO(hints);
+			hints.ai_family = AF_INET6;
+			hints.ai_flags |= AI_NUMERICHOST;
+			if (getaddrinfo(tmpbuf, NULL, &hints, &result) == 0) {
+				AF(addr) = AF_INET6;
+				resaddr6 = UA_PTR(struct sockaddr_in6, result->ai_addr);
+				SET_ADDR6N(addr, resaddr6->sin6_addr);
+				SET_SCOPE(addr, resaddr6->sin6_scope_id);
+
+				freeaddrinfo(result);
+				return TRUE;
+			}
+		}
+	/*
+	 * If we got here it was not an IP address
+	 */
+	return FALSE;
+}
diff --git a/contrib/ntp/libntp/ntp_worker.c b/contrib/ntp/libntp/ntp_worker.c
index f5642e1..087f06c 100644
--- a/contrib/ntp/libntp/ntp_worker.c
+++ b/contrib/ntp/libntp/ntp_worker.c
@@ -27,6 +27,8 @@ blocking_child **	blocking_children;
 size_t			blocking_children_alloc;
 int			worker_per_query;	/* boolean */
 int			intres_req_pending;
+volatile u_int		blocking_child_ready_seen;
+volatile u_int		blocking_child_ready_done;
 
 
 #ifndef HAVE_IO_COMPLETION_PORT
@@ -262,6 +264,31 @@ process_blocking_resp(
 		req_child_exit(c);
 }
 
+void
+harvest_blocking_responses(void)
+{
+	int		idx;
+	blocking_child*	cp;
+	u_int		scseen, scdone;
+
+	scseen = blocking_child_ready_seen;
+	scdone = blocking_child_ready_done;
+	if (scdone != scseen) {
+		blocking_child_ready_done = scseen;
+		for (idx = 0; idx < blocking_children_alloc; idx++) {
+			cp = blocking_children[idx];
+			if (NULL == cp)
+				continue;
+			scseen = cp->resp_ready_seen;
+			scdone = cp->resp_ready_done;
+			if (scdone != scseen) {
+				cp->resp_ready_done = scseen;
+				process_blocking_resp(cp);
+			}
+		}
+	}
+}
+
 
 /*
  * blocking_child_common runs as a forked child or a thread
diff --git a/contrib/ntp/libntp/systime.c b/contrib/ntp/libntp/systime.c
index c89d157..29f1e86 100644
--- a/contrib/ntp/libntp/systime.c
+++ b/contrib/ntp/libntp/systime.c
@@ -323,9 +323,18 @@ adj_systime(
 	else
 		quant = 1e-6;
 	ticks = (long)(dtemp / quant + .5);
-	adjtv.tv_usec = (long)(ticks * quant * 1e6);
-	dtemp -= adjtv.tv_usec / 1e6;
-	sys_residual = dtemp;
+	adjtv.tv_usec = (long)(ticks * quant * 1.e6 + .5);
+	/* The rounding in the conversions could us push over the
+	 * limits: make sure the result is properly normalised!
+	 * note: sign comes later, all numbers non-negative here.
+	 */
+	if (adjtv.tv_usec >= 1000000) {
+		adjtv.tv_sec  += 1;
+		adjtv.tv_usec -= 1000000;
+		dtemp         -= 1.;
+	}
+	/* set the new residual with leftover from correction */
+	sys_residual = dtemp - adjtv.tv_usec * 1.e-6;
 
 	/*
 	 * Convert to signed seconds and microseconds for the Unix
diff --git a/contrib/ntp/libntp/work_thread.c b/contrib/ntp/libntp/work_thread.c
index 49e90c1..11e3267 100644
--- a/contrib/ntp/libntp/work_thread.c
+++ b/contrib/ntp/libntp/work_thread.c
@@ -25,13 +25,38 @@
 
 #define CHILD_EXIT_REQ	((blocking_pipe_header *)(intptr_t)-1)
 #define CHILD_GONE_RESP	CHILD_EXIT_REQ
+/* Queue size increments:
+ * The request queue grows a bit faster than the response queue -- the
+ * deamon can push requests and pull results faster on avarage than the
+ * worker can process requests and push results...  If this really pays
+ * off is debatable.
+ */
 #define WORKITEMS_ALLOC_INC	16
 #define RESPONSES_ALLOC_INC	4
 
+/* Fiddle with min/max stack sizes. 64kB minimum seems to work, so we
+ * set the maximum to 256kB. If the minimum goes below the
+ * system-defined minimum stack size, we have to adjust accordingly.
+ */
 #ifndef THREAD_MINSTACKSIZE
-#define THREAD_MINSTACKSIZE	(64U * 1024)
+# define THREAD_MINSTACKSIZE	(64U * 1024)
+#endif
+#ifndef __sun
+#if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN
+# undef THREAD_MINSTACKSIZE
+# define THREAD_MINSTACKSIZE PTHREAD_STACK_MIN
+#endif
 #endif
 
+#ifndef THREAD_MAXSTACKSIZE
+# define THREAD_MAXSTACKSIZE	(256U * 1024)
+#endif
+#if THREAD_MAXSTACKSIZE < THREAD_MINSTACKSIZE
+# undef  THREAD_MAXSTACKSIZE
+# define THREAD_MAXSTACKSIZE THREAD_MINSTACKSIZE
+#endif
+
+
 #ifdef SYS_WINNT
 
 # define thread_exit(c)	_endthreadex(c)
@@ -148,15 +173,19 @@ ensure_workitems_empty_slot(
 
 	size_t	new_alloc;
 	size_t  slots_used;
+	size_t	sidx;
 
 	slots_used = c->head_workitem - c->tail_workitem;
 	if (slots_used >= c->workitems_alloc) {
 		new_alloc  = c->workitems_alloc + WORKITEMS_ALLOC_INC;
 		c->workitems = erealloc(c->workitems, new_alloc * each);
+		for (sidx = c->workitems_alloc; sidx < new_alloc; ++sidx)
+		    c->workitems[sidx] = NULL;
 		c->tail_workitem   = 0;
 		c->head_workitem   = c->workitems_alloc;
 		c->workitems_alloc = new_alloc;
 	}
+	INSIST(NULL == c->workitems[c->head_workitem % c->workitems_alloc]);
 	return (0 == slots_used);
 }
 
@@ -180,15 +209,19 @@ ensure_workresp_empty_slot(
 
 	size_t	new_alloc;
 	size_t  slots_used;
+	size_t	sidx;
 
 	slots_used = c->head_response - c->tail_response;
 	if (slots_used >= c->responses_alloc) {
 		new_alloc  = c->responses_alloc + RESPONSES_ALLOC_INC;
 		c->responses = erealloc(c->responses, new_alloc * each);
+		for (sidx = c->responses_alloc; sidx < new_alloc; ++sidx)
+		    c->responses[sidx] = NULL;
 		c->tail_response   = 0;
 		c->head_response   = c->responses_alloc;
 		c->responses_alloc = new_alloc;
 	}
+	INSIST(NULL == c->responses[c->head_response % c->responses_alloc]);
 	return (0 == slots_used);
 }
 
@@ -478,11 +511,11 @@ start_blocking_thread_internal(
 # endif
 	pthread_attr_t	thr_attr;
 	int		rc;
-	int		saved_errno;
 	int		pipe_ends[2];	/* read then write */
 	int		is_pipe;
 	int		flags;
-	size_t		stacksize;
+	size_t		ostacksize;
+	size_t		nstacksize;
 	sigset_t	saved_sig_mask;
 
 	c->thread_ref = NULL;
@@ -522,21 +555,29 @@ start_blocking_thread_internal(
 	pthread_attr_setdetachstate(&thr_attr, PTHREAD_CREATE_DETACHED);
 #if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
     defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
-	rc = pthread_attr_getstacksize(&thr_attr, &stacksize);
-	if (-1 == rc) {
+	rc = pthread_attr_getstacksize(&thr_attr, &ostacksize);
+	if (0 != rc) {
 		msyslog(LOG_ERR,
-			"start_blocking_thread: pthread_attr_getstacksize %m");
-	} else if (stacksize < THREAD_MINSTACKSIZE) {
-		rc = pthread_attr_setstacksize(&thr_attr,
-					       THREAD_MINSTACKSIZE);
-		if (-1 == rc)
+			"start_blocking_thread: pthread_attr_getstacksize() -> %s",
+			strerror(rc));
+	} else {
+		if (ostacksize < THREAD_MINSTACKSIZE)
+			nstacksize = THREAD_MINSTACKSIZE;
+		else if (ostacksize > THREAD_MAXSTACKSIZE)
+			nstacksize = THREAD_MAXSTACKSIZE;
+		else
+			nstacksize = ostacksize;
+		if (nstacksize != ostacksize)
+			rc = pthread_attr_setstacksize(&thr_attr, nstacksize);
+		if (0 != rc)
 			msyslog(LOG_ERR,
-				"start_blocking_thread: pthread_attr_setstacksize(0x%lx -> 0x%lx) %m",
-				(u_long)stacksize,
-				(u_long)THREAD_MINSTACKSIZE);
+				"start_blocking_thread: pthread_attr_setstacksize(0x%lx -> 0x%lx) -> %s",
+				(u_long)ostacksize, (u_long)nstacksize,
+				strerror(rc));
 	}
 #else
-	UNUSED_ARG(stacksize);
+	UNUSED_ARG(nstacksize);
+	UNUSED_ARG(ostacksize);
 #endif
 #if defined(PTHREAD_SCOPE_SYSTEM) && defined(NEED_PTHREAD_SCOPE_SYSTEM)
 	pthread_attr_setscope(&thr_attr, PTHREAD_SCOPE_SYSTEM);
@@ -545,12 +586,11 @@ start_blocking_thread_internal(
 	block_thread_signals(&saved_sig_mask);
 	rc = pthread_create(&c->thr_table[0], &thr_attr,
 			    &blocking_thread, c);
-	saved_errno = errno;
 	pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
 	pthread_attr_destroy(&thr_attr);
 	if (0 != rc) {
-		errno = saved_errno;
-		msyslog(LOG_ERR, "pthread_create() blocking child: %m");
+		msyslog(LOG_ERR, "start_blocking_thread: pthread_create() -> %s",
+			strerror(rc));
 		exit(1);
 	}
 	c->thread_ref = &c->thr_table[0];
diff --git a/contrib/ntp/ntpd/invoke-ntp.conf.texi b/contrib/ntp/ntpd/invoke-ntp.conf.texi
index 32b41e6..1d8a621 100644
--- a/contrib/ntp/ntpd/invoke-ntp.conf.texi
+++ b/contrib/ntp/ntpd/invoke-ntp.conf.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntp.conf.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:30:49 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:17:59 AM by AutoGen 5.18.5
 # From the definitions    ntp.conf.def
 # and the template file   agtexi-file.tpl
 @end ignore
@@ -2294,8 +2294,8 @@ otherwise, should be avoided.
 @item @code{dscp} @kbd{value}
 This option specifies the Differentiated Services Control Point (DSCP) value,
 a 6-bit code.  The default value is 46, signifying Expedited Forwarding.
-@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats}]}
-@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats}]}
+@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]}
+@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]}
 Provides a way to enable or disable various server options.
 Flags not mentioned are unaffected.
 Note that all of these flags
@@ -2367,6 +2367,67 @@ See the
 section for further information.
 The default for this flag is
 @code{disable}.
+@item @code{unpeer_crypto_early}
+By default, if
+@code{ntpd(1ntpdmdoc)}
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+@code{peerstats}
+file for evidence of any of these attacks.
+The
+default for this flag is
+@code{enable}.
+@item @code{unpeer_crypto_nak_early}
+By default, if
+@code{ntpd(1ntpdmdoc)}
+receives a crypto-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+@code{peerstats}
+file for evidence of any of these attacks.
+The
+default for this flag is
+@code{enable}.
+@item @code{unpeer_digest_early}
+By default, if
+@code{ntpd(1ntpdmdoc)}
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+@code{peerstats}
+file for evidence of any of these attacks.
+The
+default for this flag is
+@code{enable}.
 @end table
 @item @code{includefile} @kbd{includefile}
 This command allows additional configuration commands
diff --git a/contrib/ntp/ntpd/invoke-ntp.keys.texi b/contrib/ntp/ntpd/invoke-ntp.keys.texi
index b755d97..915044e 100644
--- a/contrib/ntp/ntpd/invoke-ntp.keys.texi
+++ b/contrib/ntp/ntpd/invoke-ntp.keys.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntp.keys.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:30:52 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:18:02 AM by AutoGen 5.18.5
 # From the definitions    ntp.keys.def
 # and the template file   agtexi-file.tpl
 @end ignore
@@ -37,7 +37,7 @@ as the configuration file.
 Key entries use a fixed format of the form
 
 @example
-@kbd{keyno} @kbd{type} @kbd{key}
+@kbd{keyno} @kbd{type} @kbd{key} @kbd{opt_IP_list}
 @end example
 
 where
@@ -47,7 +47,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 @kbd{key}
-is the key itself.
+is the key itself, and
+@kbd{opt_IP_list}
+is an optional comma-separated list of IPs
+that are allowed to serve time.
+If
+@kbd{opt_IP_list}
+is empty,
+any properly-authenticated server message will be
+accepted.
 
 The
 @kbd{key}
diff --git a/contrib/ntp/ntpd/invoke-ntpd.texi b/contrib/ntp/ntpd/invoke-ntpd.texi
index 66ce19d..50e8f65 100644
--- a/contrib/ntp/ntpd/invoke-ntpd.texi
+++ b/contrib/ntp/ntpd/invoke-ntpd.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntpd.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:30:54 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:18:04 AM by AutoGen 5.18.5
 # From the definitions    ntpd-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -142,7 +142,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntpd - NTP daemon program - Ver. 4.2.8p5
+ntpd - NTP daemon program - Ver. 4.2.8p6
 Usage:  ntpd [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \
                 [ <server1> ... <serverN> ]
   Flg Arg Option-Name    Description
diff --git a/contrib/ntp/ntpd/keyword-gen-utd b/contrib/ntp/ntpd/keyword-gen-utd
index 467351b..99c7220 100644
--- a/contrib/ntp/ntpd/keyword-gen-utd
+++ b/contrib/ntp/ntpd/keyword-gen-utd
@@ -1 +1 @@
- *	 Generated 2015-06-25 03:57:00 UTC	  diff_ignore_line
+ *	 Generated 2016-01-16 08:33:03 UTC	  diff_ignore_line
diff --git a/contrib/ntp/ntpd/keyword-gen.c b/contrib/ntp/ntpd/keyword-gen.c
index 42e9497..2e7f621 100644
--- a/contrib/ntp/ntpd/keyword-gen.c
+++ b/contrib/ntp/ntpd/keyword-gen.c
@@ -202,6 +202,9 @@ struct key_tok ntp_keywords[] = {
 { "ntp",		T_Ntp,			FOLLBY_TOKEN },
 { "mode7",		T_Mode7,		FOLLBY_TOKEN },
 { "stats",		T_Stats,		FOLLBY_TOKEN },
+{ "unpeer_crypto_early",	T_UEcrypto,	FOLLBY_TOKEN },
+{ "unpeer_crypto_nak_early",	T_UEcryptonak,	FOLLBY_TOKEN },
+{ "unpeer_digest_early",	T_UEdigest,	FOLLBY_TOKEN },
 /* rlimit_option */
 { "memlock",		T_Memlock,		FOLLBY_TOKEN },
 { "stacksize",		T_Stacksize,		FOLLBY_TOKEN },
diff --git a/contrib/ntp/ntpd/ntp.conf.5man b/contrib/ntp/ntpd/ntp.conf.5man
index 6e6aa32..1e5e464 100644
--- a/contrib/ntp/ntpd/ntp.conf.5man
+++ b/contrib/ntp/ntpd/ntp.conf.5man
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntp.conf 5man "07 Jan 2016" "4.2.8p5" "File Formats"
+.TH ntp.conf 5man "20 Jan 2016" "4.2.8p6" "File Formats"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-8qayqp/ag-Vraqpp)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-gsaOxR/ag-XsaGwR)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:30:35 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:17:45 AM by AutoGen 5.18.5
 .\" From the definitions ntp.conf.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -2573,9 +2573,9 @@ otherwise, should be avoided.
 This option specifies the Differentiated Services Control Point (DSCP) value,
 a 6-bit code.  The default value is 46, signifying Expedited Forwarding.
 .TP 7
-.NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
+.NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
 .TP 7
-.NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
+.NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
 Provides a way to enable or disable various server options.
 Flags not mentioned are unaffected.
 Note that all of these flags
@@ -2655,6 +2655,70 @@ See the
 section for further information.
 The default for this flag is
 \f\*[B-Font]disable\f[].
+.TP 7
+.NOP \f\*[B-Font]unpeer_crypto_early\f[]
+By default, if
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+\f\*[B-Font]peerstats\f[]
+file for evidence of any of these attacks.
+The
+default for this flag is
+\f\*[B-Font]enable\f[].
+.TP 7
+.NOP \f\*[B-Font]unpeer_crypto_nak_early\f[]
+By default, if
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+receives a crypto-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+\f\*[B-Font]peerstats\f[]
+file for evidence of any of these attacks.
+The
+default for this flag is
+\f\*[B-Font]enable\f[].
+.TP 7
+.NOP \f\*[B-Font]unpeer_digest_early\f[]
+By default, if
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+\f\*[B-Font]peerstats\f[]
+file for evidence of any of these attacks.
+The
+default for this flag is
+\f\*[B-Font]enable\f[].
 .RE
 .TP 7
 .NOP \f\*[B-Font]includefile\f[] \f\*[I-Font]includefile\f[]
@@ -3027,7 +3091,7 @@ RFC5905
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 The syntax checking is not picky; some combinations of
diff --git a/contrib/ntp/ntpd/ntp.conf.5mdoc b/contrib/ntp/ntpd/ntp.conf.5mdoc
index 800e995..f2b418b 100644
--- a/contrib/ntp/ntpd/ntp.conf.5mdoc
+++ b/contrib/ntp/ntpd/ntp.conf.5mdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_CONF 5mdoc File Formats
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:30:57 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:07 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.conf.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -2393,16 +2393,18 @@ a 6\-bit code.  The default value is 46, signifying Expedited Forwarding.
 .Oo
 .Cm auth | Cm bclient |
 .Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
 .It Xo Ic disable
 .Oo
 .Cm auth | Cm bclient |
 .Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
 Provides a way to enable or disable various server options.
@@ -2476,6 +2478,67 @@ See the
 section for further information.
 The default for this flag is
 .Ic disable .
+.It Cm unpeer_crypto_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_crypto_nak_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_digest_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
 .El
 .It Ic includefile Ar includefile
 This command allows additional configuration commands
@@ -2834,7 +2897,7 @@ A snapshot of this documentation is available in HTML format in
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 The syntax checking is not picky; some combinations of
diff --git a/contrib/ntp/ntpd/ntp.conf.def b/contrib/ntp/ntpd/ntp.conf.def
index 43835bc..25d9fd0 100644
--- a/contrib/ntp/ntpd/ntp.conf.def
+++ b/contrib/ntp/ntpd/ntp.conf.def
@@ -2395,16 +2395,18 @@ a 6-bit code.  The default value is 46, signifying Expedited Forwarding.
 .Oo
 .Cm auth | Cm bclient |
 .Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
 .It Xo Ic disable
 .Oo
 .Cm auth | Cm bclient |
 .Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
 Provides a way to enable or disable various server options.
@@ -2478,6 +2480,67 @@ See the
 section for further information.
 The default for this flag is
 .Ic disable .
+.It Cm unpeer_crypto_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_crypto_nak_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives a crypto-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_digest_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
 .El
 .It Ic includefile Ar includefile
 This command allows additional configuration commands
diff --git a/contrib/ntp/ntpd/ntp.conf.html b/contrib/ntp/ntpd/ntp.conf.html
index d10a88d..c50f0e1 100644
--- a/contrib/ntp/ntpd/ntp.conf.html
+++ b/contrib/ntp/ntpd/ntp.conf.html
@@ -33,7 +33,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <p>This document describes the configuration file for the NTP Project's
 <code>ntpd</code> program.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntp.conf</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntp.conf</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -2288,7 +2288,7 @@ drift file is located in, and that file system links, symbolic or
 otherwise, should be avoided. 
 <br><dt><code>dscp</code> <kbd>value</kbd><dd>This option specifies the Differentiated Services Control Point (DSCP) value,
 a 6-bit code.  The default value is 46, signifying Expedited Forwarding. 
-<br><dt><code>enable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats]</code><br><dt><code>disable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats]</code><dd>Provides a way to enable or disable various server options. 
+<br><dt><code>enable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats | unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early]</code><br><dt><code>disable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats | unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early]</code><dd>Provides a way to enable or disable various server options. 
 Flags not mentioned are unaffected. 
 Note that all of these flags
 can be controlled remotely using the
@@ -2351,6 +2351,64 @@ See the
 section for further information. 
 The default for this flag is
 <code>disable</code>. 
+<br><dt><code>unpeer_crypto_early</code><dd>By default, if
+<code>ntpd(1ntpdmdoc)</code>
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared. 
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero. 
+You can check your
+<code>peerstats</code>
+file for evidence of any of these attacks. 
+The
+default for this flag is
+<code>enable</code>. 
+<br><dt><code>unpeer_crypto_nak_early</code><dd>By default, if
+<code>ntpd(1ntpdmdoc)</code>
+receives a crypto-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared. 
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto-NAK packet
+can be used in a DoS attack. 
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option. 
+You can check your
+<code>peerstats</code>
+file for evidence of any of these attacks. 
+The
+default for this flag is
+<code>enable</code>. 
+<br><dt><code>unpeer_digest_early</code><dd>By default, if
+<code>ntpd(1ntpdmdoc)</code>
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared. 
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack. 
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option. 
+You can check your
+<code>peerstats</code>
+file for evidence of any of these attacks. 
+The
+default for this flag is
+<code>enable</code>. 
 </dl>
      <br><dt><code>includefile</code> <kbd>includefile</kbd><dd>This command allows additional configuration commands
 to be included from a separate file. 
diff --git a/contrib/ntp/ntpd/ntp.conf.man.in b/contrib/ntp/ntpd/ntp.conf.man.in
index f701b41..7a5b750 100644
--- a/contrib/ntp/ntpd/ntp.conf.man.in
+++ b/contrib/ntp/ntpd/ntp.conf.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntp.conf 5 "07 Jan 2016" "4.2.8p5" "File Formats"
+.TH ntp.conf 5 "20 Jan 2016" "4.2.8p6" "File Formats"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-8qayqp/ag-Vraqpp)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-gsaOxR/ag-XsaGwR)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:30:35 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:17:45 AM by AutoGen 5.18.5
 .\" From the definitions ntp.conf.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -2573,9 +2573,9 @@ otherwise, should be avoided.
 This option specifies the Differentiated Services Control Point (DSCP) value,
 a 6-bit code.  The default value is 46, signifying Expedited Forwarding.
 .TP 7
-.NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
+.NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
 .TP 7
-.NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
+.NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
 Provides a way to enable or disable various server options.
 Flags not mentioned are unaffected.
 Note that all of these flags
@@ -2655,6 +2655,70 @@ See the
 section for further information.
 The default for this flag is
 \f\*[B-Font]disable\f[].
+.TP 7
+.NOP \f\*[B-Font]unpeer_crypto_early\f[]
+By default, if
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+\f\*[B-Font]peerstats\f[]
+file for evidence of any of these attacks.
+The
+default for this flag is
+\f\*[B-Font]enable\f[].
+.TP 7
+.NOP \f\*[B-Font]unpeer_crypto_nak_early\f[]
+By default, if
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+receives a crypto-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+\f\*[B-Font]peerstats\f[]
+file for evidence of any of these attacks.
+The
+default for this flag is
+\f\*[B-Font]enable\f[].
+.TP 7
+.NOP \f\*[B-Font]unpeer_digest_early\f[]
+By default, if
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+\f\*[B-Font]peerstats\f[]
+file for evidence of any of these attacks.
+The
+default for this flag is
+\f\*[B-Font]enable\f[].
 .RE
 .TP 7
 .NOP \f\*[B-Font]includefile\f[] \f\*[I-Font]includefile\f[]
@@ -3027,7 +3091,7 @@ RFC5905
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 The syntax checking is not picky; some combinations of
diff --git a/contrib/ntp/ntpd/ntp.conf.mdoc.in b/contrib/ntp/ntpd/ntp.conf.mdoc.in
index 7ad4cc1..fe85d85 100644
--- a/contrib/ntp/ntpd/ntp.conf.mdoc.in
+++ b/contrib/ntp/ntpd/ntp.conf.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_CONF 5 File Formats
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:30:57 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:07 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.conf.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -2393,16 +2393,18 @@ a 6\-bit code.  The default value is 46, signifying Expedited Forwarding.
 .Oo
 .Cm auth | Cm bclient |
 .Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
 .It Xo Ic disable
 .Oo
 .Cm auth | Cm bclient |
 .Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
 Provides a way to enable or disable various server options.
@@ -2476,6 +2478,67 @@ See the
 section for further information.
 The default for this flag is
 .Ic disable .
+.It Cm unpeer_crypto_early
+By default, if
+.Xr ntpd @NTPD_MS@
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_crypto_nak_early
+By default, if
+.Xr ntpd @NTPD_MS@
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_digest_early
+By default, if
+.Xr ntpd @NTPD_MS@
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
 .El
 .It Ic includefile Ar includefile
 This command allows additional configuration commands
@@ -2834,7 +2897,7 @@ A snapshot of this documentation is available in HTML format in
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 The syntax checking is not picky; some combinations of
diff --git a/contrib/ntp/ntpd/ntp.keys.5man b/contrib/ntp/ntpd/ntp.keys.5man
index bb0028b..6d270b6 100644
--- a/contrib/ntp/ntpd/ntp.keys.5man
+++ b/contrib/ntp/ntpd/ntp.keys.5man
@@ -1,8 +1,8 @@
-.TH ntp.keys 5man "07 Jan 2016" "4.2.8p5" "File Formats"
+.TH ntp.keys 5man "20 Jan 2016" "4.2.8p6" "File Formats"
 .\"
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.man)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:30:41 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:17:51 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.keys.def
 .\"  and the template file   agman-file.tpl
 .Sh NAME
@@ -66,7 +66,7 @@ Key entries use a fixed format of the form
 .ne 2
 
 .in +4
-\f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[]
+\f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[] \f\*[I-Font]opt_IP_list\f[]
 .in -4
 .sp \n(Ppu
 .ne 2
@@ -78,7 +78,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 \f\*[I-Font]key\f[]
-is the key itself.
+is the key itself, and
+\f\*[I-Font]opt_IP_list\f[]
+is an optional comma-separated list of IPs
+that are allowed to serve time.
+If
+\f\*[I-Font]opt_IP_list\f[]
+is empty,
+any properly-authenticated server message will be
+accepted.
 .sp \n(Ppu
 .ne 2
 
@@ -160,7 +168,7 @@ the default name of the configuration file
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpd/ntp.keys.5mdoc b/contrib/ntp/ntpd/ntp.keys.5mdoc
index 9524989..6091e09 100644
--- a/contrib/ntp/ntpd/ntp.keys.5mdoc
+++ b/contrib/ntp/ntpd/ntp.keys.5mdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_KEYS 5mdoc File Formats
 .Os SunOS 5.10
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:31:00 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:10 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.keys.def
 .\"  and the template file   agmdoc-file.tpl
 .Sh NAME
@@ -44,7 +44,7 @@ The key file uses the same comment conventions
 as the configuration file.
 Key entries use a fixed format of the form
 .Pp
-.D1 Ar keyno type key
+.D1 Ar keyno type key opt_IP_list
 .Pp
 where
 .Ar keyno
@@ -53,7 +53,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 .Ar key
-is the key itself.
+is the key itself, and
+.Ar opt_IP_list
+is an optional comma\-separated list of IPs
+that are allowed to serve time.
+If
+.Ar opt_IP_list
+is empty,
+any properly\-authenticated server message will be
+accepted.
 .Pp
 The
 .Ar key
@@ -147,7 +155,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpd/ntp.keys.def b/contrib/ntp/ntpd/ntp.keys.def
index dcb3d55..efe774c 100644
--- a/contrib/ntp/ntpd/ntp.keys.def
+++ b/contrib/ntp/ntpd/ntp.keys.def
@@ -43,7 +43,7 @@ The key file uses the same comment conventions
 as the configuration file.
 Key entries use a fixed format of the form
 .Pp
-.D1 Ar keyno type key
+.D1 Ar keyno type key opt_IP_list
 .Pp
 where
 .Ar keyno
@@ -52,7 +52,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 .Ar key
-is the key itself.
+is the key itself, and
+.Ar opt_IP_list
+is an optional comma-separated list of IPs
+that are allowed to serve time.
+If
+.Ar opt_IP_list
+is empty,
+any properly-authenticated server message will be
+accepted.
 .Pp
 The
 .Ar key
diff --git a/contrib/ntp/ntpd/ntp.keys.html b/contrib/ntp/ntpd/ntp.keys.html
index 738f9e0..409e7fc 100644
--- a/contrib/ntp/ntpd/ntp.keys.html
+++ b/contrib/ntp/ntpd/ntp.keys.html
@@ -33,7 +33,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <p>This document describes the symmetric key file for the NTP Project's
 <code>ntpd</code> program.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntp.keys</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntp.keys</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -93,7 +93,7 @@ may be arbitrarily set in the keys file.
 as the configuration file. 
 Key entries use a fixed format of the form
 
-<pre class="example">     <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd>
+<pre class="example">     <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd> <kbd>opt_IP_list</kbd>
 </pre>
   <p>where
 <kbd>keyno</kbd>
@@ -102,7 +102,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 <kbd>key</kbd>
-is the key itself.
+is the key itself, and
+<kbd>opt_IP_list</kbd>
+is an optional comma-separated list of IPs
+that are allowed to serve time. 
+If
+<kbd>opt_IP_list</kbd>
+is empty,
+any properly-authenticated server message will be
+accepted.
 
   <p>The
 <kbd>key</kbd>
diff --git a/contrib/ntp/ntpd/ntp.keys.man.in b/contrib/ntp/ntpd/ntp.keys.man.in
index 78d5f09..2e97e27 100644
--- a/contrib/ntp/ntpd/ntp.keys.man.in
+++ b/contrib/ntp/ntpd/ntp.keys.man.in
@@ -1,8 +1,8 @@
-.TH ntp.keys 5 "07 Jan 2016" "4.2.8p5" "File Formats"
+.TH ntp.keys 5 "20 Jan 2016" "4.2.8p6" "File Formats"
 .\"
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.man)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:30:41 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:17:51 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.keys.def
 .\"  and the template file   agman-file.tpl
 .Sh NAME
@@ -66,7 +66,7 @@ Key entries use a fixed format of the form
 .ne 2
 
 .in +4
-\f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[]
+\f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[] \f\*[I-Font]opt_IP_list\f[]
 .in -4
 .sp \n(Ppu
 .ne 2
@@ -78,7 +78,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 \f\*[I-Font]key\f[]
-is the key itself.
+is the key itself, and
+\f\*[I-Font]opt_IP_list\f[]
+is an optional comma-separated list of IPs
+that are allowed to serve time.
+If
+\f\*[I-Font]opt_IP_list\f[]
+is empty,
+any properly-authenticated server message will be
+accepted.
 .sp \n(Ppu
 .ne 2
 
@@ -160,7 +168,7 @@ the default name of the configuration file
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpd/ntp.keys.mdoc.in b/contrib/ntp/ntpd/ntp.keys.mdoc.in
index 40c821e..3b4fa2c 100644
--- a/contrib/ntp/ntpd/ntp.keys.mdoc.in
+++ b/contrib/ntp/ntpd/ntp.keys.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_KEYS 5 File Formats
 .Os SunOS 5.10
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:31:00 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:10 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.keys.def
 .\"  and the template file   agmdoc-file.tpl
 .Sh NAME
@@ -44,7 +44,7 @@ The key file uses the same comment conventions
 as the configuration file.
 Key entries use a fixed format of the form
 .Pp
-.D1 Ar keyno type key
+.D1 Ar keyno type key opt_IP_list
 .Pp
 where
 .Ar keyno
@@ -53,7 +53,15 @@ is a positive integer (between 1 and 65534),
 is the message digest algorithm,
 and
 .Ar key
-is the key itself.
+is the key itself, and
+.Ar opt_IP_list
+is an optional comma\-separated list of IPs
+that are allowed to serve time.
+If
+.Ar opt_IP_list
+is empty,
+any properly\-authenticated server message will be
+accepted.
 .Pp
 The
 .Ar key
@@ -147,7 +155,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpd/ntp_config.c b/contrib/ntp/ntpd/ntp_config.c
index 1c754bd..cb32737 100644
--- a/contrib/ntp/ntpd/ntp_config.c
+++ b/contrib/ntp/ntpd/ntp_config.c
@@ -53,6 +53,8 @@
 #include "ntp_parser.h"
 #include "ntpd-opts.h"
 
+extern int yyparse(void);
+
 /* Bug 2817 */
 #if defined(HAVE_SYS_MMAN_H)
 # include <sys/mman.h>
@@ -2981,6 +2983,18 @@ apply_enable_disable(
 			proto_config(PROTO_FILEGEN, enable, 0., NULL);
 			break;
 
+		case T_UEcrypto:
+			proto_config(PROTO_UECRYPTO, enable, 0., NULL);
+			break;
+
+		case T_UEcryptonak:
+			proto_config(PROTO_UECRYPTONAK, enable, 0., NULL);
+			break;
+
+		case T_UEdigest:
+			proto_config(PROTO_UEDIGEST, enable, 0., NULL);
+			break;
+
 #ifdef BC_LIST_FRAMEWORK_NOT_YET_USED
 		case T_Bc_bugXXXX:
 			pentry = bc_list;
diff --git a/contrib/ntp/ntpd/ntp_control.c b/contrib/ntp/ntpd/ntp_control.c
index 2e174d0..e5a567e 100644
--- a/contrib/ntp/ntpd/ntp_control.c
+++ b/contrib/ntp/ntpd/ntp_control.c
@@ -75,6 +75,7 @@ static	void	ctl_putarray	(const char *, double *, int);
 static	void	ctl_putsys	(int);
 static	void	ctl_putpeer	(int, struct peer *);
 static	void	ctl_putfs	(const char *, tstamp_t);
+static	void	ctl_printf	(const char *, ...) NTP_PRINTF(1, 2);
 #ifdef REFCLOCK
 static	void	ctl_putclock	(int, struct refclockstat *, int);
 #endif	/* REFCLOCK */
@@ -111,6 +112,8 @@ static	void	unset_trap	(struct recvbuf *, int);
 static	struct ctl_trap *ctlfindtrap(sockaddr_u *,
 				     struct interface *);
 
+int/*BOOL*/ is_safe_filename(const char * name);
+
 static const struct ctl_proc control_codes[] = {
 	{ CTL_OP_UNSPEC,		NOAUTH,	control_unspec },
 	{ CTL_OP_READSTAT,		NOAUTH,	read_status },
@@ -873,10 +876,66 @@ ctl_error(
 			CTL_HEADER_LEN);
 }
 
+int/*BOOL*/
+is_safe_filename(const char * name)
+{
+	/* We need a strict validation of filenames we should write: The
+	 * daemon might run with special permissions and is remote
+	 * controllable, so we better take care what we allow as file
+	 * name!
+	 *
+	 * The first character must be digit or a letter from the ASCII
+	 * base plane or a '_' ([_A-Za-z0-9]), the following characters
+	 * must be from [-._+A-Za-z0-9].
+	 *
+	 * We do not trust the character classification much here: Since
+	 * the NTP protocol makes no provisions for UTF-8 or local code
+	 * pages, we strictly require the 7bit ASCII code page.
+	 *
+	 * The following table is a packed bit field of 128 two-bit
+	 * groups. The LSB in each group tells us if a character is
+	 * acceptable at the first position, the MSB if the character is
+	 * accepted at any other position.
+	 *
+	 * This does not ensure that the file name is syntactically
+	 * correct (multiple dots will not work with VMS...) but it will
+	 * exclude potential globbing bombs and directory traversal. It
+	 * also rules out drive selection. (For systems that have this
+	 * notion, like Windows or VMS.)
+	 */
+	static const uint32_t chclass[8] = {
+		0x00000000, 0x00000000,
+		0x28800000, 0x000FFFFF,
+		0xFFFFFFFC, 0xC03FFFFF,
+		0xFFFFFFFC, 0x003FFFFF
+	};
+
+	u_int widx, bidx, mask;
+	if (!*name)
+		return FALSE;
+	
+	mask = 1u;
+	while (0 != (widx = (u_char)*name++)) {
+		bidx = (widx & 15) << 1;
+		widx = widx >> 4;
+		if (widx >= sizeof(chclass))
+			return FALSE;
+		if (0 == ((chclass[widx] >> bidx) & mask))
+			return FALSE;
+		mask |= 2u;
+	}
+	return TRUE;
+}
+
+
 /*
  * save_config - Implements ntpq -c "saveconfig <filename>"
  *		 Writes current configuration including any runtime
  *		 changes by ntpq's :config or config-from-file
+ *
+ * Note: There should be no buffer overflow or truncation in the
+ * processing of file names -- both cause security problems. This is bit
+ * painful to code but essential here.
  */
 void
 save_config(
@@ -904,24 +963,38 @@ save_config(
 	    "\\/"	/* separator and critical char for POSIX */
 #endif
 	    ;
-
-
 	char reply[128];
 #ifdef SAVECONFIG
+	static const char savedconfig_eq[] = "savedconfig=";
+
+	/* Build a safe open mode from the available mode flags. We want
+	 * to create a new file and write it in text mode (when
+	 * applicable -- only Windows does this...)
+	 */
+	static const int openmode = O_CREAT | O_TRUNC | O_WRONLY
+#  if defined(O_EXCL)		/* posix, vms */
+	    | O_EXCL
+#  elif defined(_O_EXCL)	/* windows is alway very special... */
+	    | _O_EXCL
+#  endif
+#  if defined(_O_TEXT)		/* windows, again */
+	    | _O_TEXT
+#endif
+	    ; 
+	
 	char filespec[128];
 	char filename[128];
 	char fullpath[512];
-	const char savedconfig_eq[] = "savedconfig=";
 	char savedconfig[sizeof(savedconfig_eq) + sizeof(filename)];
 	time_t now;
 	int fd;
 	FILE *fptr;
+	int prc;
+	size_t reqlen;
 #endif
 
 	if (RES_NOMODIFY & restrict_mask) {
-		snprintf(reply, sizeof(reply),
-			 "saveconfig prohibited by restrict ... nomodify");
-		ctl_putdata(reply, strlen(reply), 0);
+		ctl_printf("%s", "saveconfig prohibited by restrict ... nomodify");
 		ctl_flushpkt(0);
 		NLOG(NLOG_SYSINFO)
 			msyslog(LOG_NOTICE,
@@ -933,9 +1006,7 @@ save_config(
 
 #ifdef SAVECONFIG
 	if (NULL == saveconfigdir) {
-		snprintf(reply, sizeof(reply),
-			 "saveconfig prohibited, no saveconfigdir configured");
-		ctl_putdata(reply, strlen(reply), 0);
+		ctl_printf("%s", "saveconfig prohibited, no saveconfigdir configured");
 		ctl_flushpkt(0);
 		NLOG(NLOG_SYSINFO)
 			msyslog(LOG_NOTICE,
@@ -944,21 +1015,79 @@ save_config(
 		return;
 	}
 
-	if (0 == reqend - reqpt)
+	/* The length checking stuff gets serious. Do not assume a NUL
+	 * byte can be found, but if so, use it to calculate the needed
+	 * buffer size. If the available buffer is too short, bail out;
+	 * likewise if there is no file spec. (The latter will not
+	 * happen when using NTPQ, but there are other ways to craft a
+	 * network packet!)
+	 */
+	reqlen = (size_t)(reqend - reqpt);
+	if (0 != reqlen) {
+		char * nulpos = (char*)memchr(reqpt, 0, reqlen);
+		if (NULL != nulpos)
+			reqlen = (size_t)(nulpos - reqpt);
+	}
+	if (0 == reqlen)
 		return;
+	if (reqlen >= sizeof(filespec)) {
+		ctl_printf("saveconfig exceeded maximum raw name length (%u)",
+			   (u_int)sizeof(filespec));
+		ctl_flushpkt(0);
+		msyslog(LOG_NOTICE,
+			"saveconfig exceeded maximum raw name length from %s",
+			stoa(&rbufp->recv_srcadr));
+		return;
+	}
 
-	strlcpy(filespec, reqpt, sizeof(filespec));
-	time(&now);
-
+	/* copy data directly as we exactly know the size */
+	memcpy(filespec, reqpt, reqlen);
+	filespec[reqlen] = '\0';
+	
 	/*
 	 * allow timestamping of the saved config filename with
 	 * strftime() format such as:
 	 *   ntpq -c "saveconfig ntp-%Y%m%d-%H%M%S.conf"
 	 * XXX: Nice feature, but not too safe.
+	 * YYY: The check for permitted characters in file names should
+	 *      weed out the worst. Let's hope 'strftime()' does not
+	 *      develop pathological problems.
 	 */
+	time(&now);
 	if (0 == strftime(filename, sizeof(filename), filespec,
-			       localtime(&now)))
+			  localtime(&now)))
+	{
+		/*
+		 * If we arrive here, 'strftime()' balked; most likely
+		 * the buffer was too short. (Or it encounterd an empty
+		 * format, or just a format that expands to an empty
+		 * string.) We try to use the original name, though this
+		 * is very likely to fail later if there are format
+		 * specs in the string. Note that truncation cannot
+		 * happen here as long as both buffers have the same
+		 * size!
+		 */
 		strlcpy(filename, filespec, sizeof(filename));
+	}
+
+	/*
+	 * Check the file name for sanity. This might/will rule out file
+	 * names that would be legal but problematic, and it blocks
+	 * directory traversal.
+	 */
+	if (!is_safe_filename(filename)) {
+		ctl_printf("saveconfig rejects unsafe file name '%s'",
+			   filename);
+		ctl_flushpkt(0);
+		msyslog(LOG_NOTICE,
+			"saveconfig rejects unsafe file name from %s",
+			stoa(&rbufp->recv_srcadr));
+		return;
+	}
+
+	/*
+	 * XXX: This next test may not be needed with is_safe_filename()
+	 */
 
 	/* block directory/drive traversal */
 	/* TALOS-CAN-0062: block directory traversal for VMS, too */
@@ -968,38 +1097,49 @@ save_config(
 		ctl_putdata(reply, strlen(reply), 0);
 		ctl_flushpkt(0);
 		msyslog(LOG_NOTICE,
-			"saveconfig with path from %s rejected",
+			"saveconfig rejects unsafe file name from %s",
 			stoa(&rbufp->recv_srcadr));
 		return;
 	}
 
-	snprintf(fullpath, sizeof(fullpath), "%s%s",
-		 saveconfigdir, filename);
+	/* concatenation of directory and path can cause another
+	 * truncation...
+	 */
+	prc = snprintf(fullpath, sizeof(fullpath), "%s%s",
+		       saveconfigdir, filename);
+	if (prc < 0 || prc >= sizeof(fullpath)) {
+		ctl_printf("saveconfig exceeded maximum path length (%u)",
+			   (u_int)sizeof(fullpath));
+		ctl_flushpkt(0);
+		msyslog(LOG_NOTICE,
+			"saveconfig exceeded maximum path length from %s",
+			stoa(&rbufp->recv_srcadr));
+		return;
+	}
 
-	fd = open(fullpath, O_CREAT | O_TRUNC | O_WRONLY,
-		  S_IRUSR | S_IWUSR);
+	fd = open(fullpath, openmode, S_IRUSR | S_IWUSR);
 	if (-1 == fd)
 		fptr = NULL;
 	else
 		fptr = fdopen(fd, "w");
 
 	if (NULL == fptr || -1 == dump_all_config_trees(fptr, 1)) {
-		snprintf(reply, sizeof(reply),
-			 "Unable to save configuration to file %s",
-			 filename);
+		ctl_printf("Unable to save configuration to file '%s': %m",
+			   filename);
 		msyslog(LOG_ERR,
 			"saveconfig %s from %s failed", filename,
 			stoa(&rbufp->recv_srcadr));
 	} else {
-		snprintf(reply, sizeof(reply),
-			 "Configuration saved to %s", filename);
+		ctl_printf("Configuration saved to '%s'", filename);
 		msyslog(LOG_NOTICE,
-			"Configuration saved to %s (requested by %s)",
+			"Configuration saved to '%s' (requested by %s)",
 			fullpath, stoa(&rbufp->recv_srcadr));
 		/*
 		 * save the output filename in system variable
 		 * savedconfig, retrieved with:
 		 *   ntpq -c "rv 0 savedconfig"
+		 * Note: the way 'savedconfig' is defined makes overflow
+		 * checks unnecessary here.
 		 */
 		snprintf(savedconfig, sizeof(savedconfig), "%s%s",
 			 savedconfig_eq, filename);
@@ -1009,11 +1149,9 @@ save_config(
 	if (NULL != fptr)
 		fclose(fptr);
 #else	/* !SAVECONFIG follows */
-	snprintf(reply, sizeof(reply),
-		 "saveconfig unavailable, configured with --disable-saveconfig");
-#endif
-
-	ctl_putdata(reply, strlen(reply), 0);
+	ctl_printf("%s",
+		   "saveconfig unavailable, configured with --disable-saveconfig");
+#endif	
 	ctl_flushpkt(0);
 }
 
@@ -1757,6 +1895,29 @@ ctl_putarray(
 	ctl_putdata(buffer, (unsigned)(cp - buffer), 0);
 }
 
+/*
+ * ctl_printf - put a formatted string into the data buffer
+ */
+static void
+ctl_printf(
+	const char * fmt,
+	...
+	)
+{
+	static const char * ellipsis = "[...]";
+	va_list va;
+	char    fmtbuf[128];
+	int     rc;
+	
+	va_start(va, fmt);
+	rc = vsnprintf(fmtbuf, sizeof(fmtbuf), fmt, va);
+	va_end(va);
+	if (rc < 0 || rc >= sizeof(fmtbuf))
+		strcpy(fmtbuf + sizeof(fmtbuf) - strlen(ellipsis) - 1,
+		       ellipsis);
+	ctl_putdata(fmtbuf, strlen(fmtbuf), 0);
+}
+
 
 /*
  * ctl_putsys - output a system variable
diff --git a/contrib/ntp/ntpd/ntp_crypto.c b/contrib/ntp/ntpd/ntp_crypto.c
index 8574266..5b87f19 100644
--- a/contrib/ntp/ntpd/ntp_crypto.c
+++ b/contrib/ntp/ntpd/ntp_crypto.c
@@ -269,7 +269,7 @@ session_key(
 	memcpy(&keyid, dgst, 4);
 	keyid = ntohl(keyid);
 	if (lifetime != 0) {
-		MD5auth_setkey(keyno, crypto_nid, dgst, len);
+		MD5auth_setkey(keyno, crypto_nid, dgst, len, NULL);
 		authtrust(keyno, lifetime);
 	}
 	DPRINTF(2, ("session_key: %s > %s %08x %08x hash %08x life %lu\n",
diff --git a/contrib/ntp/ntpd/ntp_io.c b/contrib/ntp/ntpd/ntp_io.c
index dd23459..ee52b1a 100644
--- a/contrib/ntp/ntpd/ntp_io.c
+++ b/contrib/ntp/ntpd/ntp_io.c
@@ -62,6 +62,9 @@
 # endif
 #endif
 
+#if defined(HAVE_SIGNALED_IO) && defined(DEBUG_TIMING)
+# undef DEBUG_TIMING
+#endif
 
 /*
  * setsockopt does not always have the same arg declaration
@@ -280,9 +283,12 @@ static int	addr_samesubnet	(const sockaddr_u *, const sockaddr_u *,
 				 const sockaddr_u *, const sockaddr_u *);
 static	int	create_sockets	(u_short);
 static	SOCKET	open_socket	(sockaddr_u *, int, int, endpt *);
-static	char *	fdbits		(int, fd_set *);
 static	void	set_reuseaddr	(int);
 static	isc_boolean_t	socket_broadcast_enable	 (struct interface *, SOCKET, sockaddr_u *);
+
+#if !defined(HAVE_IO_COMPLETION_PORT) && !defined(HAVE_SIGNALED_IO)
+static	char *	fdbits		(int, const fd_set *);
+#endif
 #ifdef  OS_MISSES_SPECIFIC_ROUTE_UPDATES
 static	isc_boolean_t	socket_broadcast_disable (struct interface *, sockaddr_u *);
 #endif
@@ -337,12 +343,15 @@ static int		cmp_addr_distance(const sockaddr_u *,
 #if !defined(HAVE_IO_COMPLETION_PORT)
 static inline int	read_network_packet	(SOCKET, struct interface *, l_fp);
 static void		ntpd_addremove_io_fd	(int, int, int);
-static input_handler_t  input_handler;
+static void 		input_handler_scan	(const l_fp*, const fd_set*);
+static int/*BOOL*/	sanitize_fdset		(int errc);
 #ifdef REFCLOCK
 static inline int	read_refclock_packet	(SOCKET, struct refclockio *, l_fp);
 #endif
+#ifdef HAVE_SIGNALED_IO
+static void 		input_handler		(l_fp*);
+#endif
 #endif
-
 
 
 #ifndef HAVE_IO_COMPLETION_PORT
@@ -455,11 +464,9 @@ init_io(void)
 	addremove_io_fd = &ntpd_addremove_io_fd;
 #endif
 
-#ifdef SYS_WINNT
+#if defined(SYS_WINNT)
 	init_io_completion_port();
-#endif
-
-#if defined(HAVE_SIGNALED_IO)
+#elif defined(HAVE_SIGNALED_IO)
 	(void) set_signal(input_handler);
 #endif
 }
@@ -475,7 +482,8 @@ ntpd_addremove_io_fd(
 	UNUSED_ARG(is_pipe);
 
 #ifdef HAVE_SIGNALED_IO
-	init_socket_sig(fd);
+	if (!remove_it)
+		init_socket_sig(fd);
 #endif /* not HAVE_SIGNALED_IO */
 
 	maintain_activefds(fd, remove_it);
@@ -717,78 +725,6 @@ addr_samesubnet(
 
 
 /*
- * Code to tell if we have an IP address
- * If we have then return the sockaddr structure
- * and set the return value
- * see the bind9/getaddresses.c for details
- */
-int
-is_ip_address(
-	const char *	host,
-	u_short		af,
-	sockaddr_u *	addr
-	)
-{
-	struct in_addr in4;
-	struct addrinfo hints;
-	struct addrinfo *result;
-	struct sockaddr_in6 *resaddr6;
-	char tmpbuf[128];
-	char *pch;
-
-	REQUIRE(host != NULL);
-	REQUIRE(addr != NULL);
-
-	ZERO_SOCK(addr);
-
-	/*
-	 * Try IPv4, then IPv6.  In order to handle the extended format
-	 * for IPv6 scoped addresses (address%scope_ID), we'll use a local
-	 * working buffer of 128 bytes.  The length is an ad-hoc value, but
-	 * should be enough for this purpose; the buffer can contain a string
-	 * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
-	 * addresses (up to 46 bytes), the delimiter character and the
-	 * terminating NULL character.
-	 */
-	if (AF_UNSPEC == af || AF_INET == af)
-		if (inet_pton(AF_INET, host, &in4) == 1) {
-			AF(addr) = AF_INET;
-			SET_ADDR4N(addr, in4.s_addr);
-
-			return TRUE;
-		}
-
-	if (AF_UNSPEC == af || AF_INET6 == af)
-		if (sizeof(tmpbuf) > strlen(host)) {
-			if ('[' == host[0]) {
-				strlcpy(tmpbuf, &host[1], sizeof(tmpbuf));
-				pch = strchr(tmpbuf, ']');
-				if (pch != NULL)
-					*pch = '\0';
-			} else {
-				strlcpy(tmpbuf, host, sizeof(tmpbuf));
-			}
-			ZERO(hints);
-			hints.ai_family = AF_INET6;
-			hints.ai_flags |= AI_NUMERICHOST;
-			if (getaddrinfo(tmpbuf, NULL, &hints, &result) == 0) {
-				AF(addr) = AF_INET6;
-				resaddr6 = UA_PTR(struct sockaddr_in6, result->ai_addr);
-				SET_ADDR6N(addr, resaddr6->sin6_addr);
-				SET_SCOPE(addr, resaddr6->sin6_scope_id);
-
-				freeaddrinfo(result);
-				return TRUE;
-			}
-		}
-	/*
-	 * If we got here it was not an IP address
-	 */
-	return FALSE;
-}
-
-
-/*
  * interface list enumerator - visitor pattern
  */
 void
@@ -2354,6 +2290,7 @@ get_broadcastclient_flag(void)
 {
 	return (broadcast_client_enabled);
 }
+
 /*
  * Check to see if the address is a multicast address
  */
@@ -3204,15 +3141,15 @@ sendpkt(
 }
 
 
-#if !defined(HAVE_IO_COMPLETION_PORT)
+#if !defined(HAVE_IO_COMPLETION_PORT) && !defined(HAVE_SIGNALED_IO)
 /*
  * fdbits - generate ascii representation of fd_set (FAU debug support)
  * HFDF format - highest fd first.
  */
 static char *
 fdbits(
-	int count,
-	fd_set *set
+	int		count,
+	const fd_set*	set
 	)
 {
 	static char buffer[256];
@@ -3228,7 +3165,7 @@ fdbits(
 
 	return buffer;
 }
-
+#endif
 
 #ifdef REFCLOCK
 /*
@@ -3265,7 +3202,7 @@ read_refclock_packet(
 	/* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead
 	 * to buffer overrun and memory corruption
 	 */
-	if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space))
+	if (rp->datalen <= 0 || (size_t)rp->datalen > sizeof(rb->recv_space))
 		read_count = sizeof(rb->recv_space);
 	else
 		read_count = (u_int)rp->datalen;
@@ -3582,6 +3519,7 @@ io_handler(void)
 	 * and - lacking a hardware reference clock - I have
 	 * yet to learn about anything else that is.
 	 */
+	++handler_calls;
 	rdfdes = activefds;
 #   if !defined(VMS) && !defined(SYS_VXWORKS)
 	nfound = select(maxactivefd + 1, &rdfdes, NULL,
@@ -3590,20 +3528,29 @@ io_handler(void)
 	/* make select() wake up after one second */
 	{
 		struct timeval t1;
-
-		t1.tv_sec = 1;
+		t1.tv_sec  = 1;
 		t1.tv_usec = 0;
 		nfound = select(maxactivefd + 1,
 				&rdfdes, NULL, NULL,
 				&t1);
 	}
 #   endif	/* VMS, VxWorks */
+	if (nfound < 0 && sanitize_fdset(errno)) {
+		struct timeval t1;
+		t1.tv_sec  = 0;
+		t1.tv_usec = 0;
+		rdfdes = activefds;
+		nfound = select(maxactivefd + 1,
+				&rdfdes, NULL, NULL,
+				&t1);
+	}
+
 	if (nfound > 0) {
 		l_fp ts;
 
 		get_systime(&ts);
 
-		input_handler(&ts);
+		input_handler_scan(&ts, &rdfdes);
 	} else if (nfound == -1 && errno != EINTR) {
 		msyslog(LOG_ERR, "select() error: %m");
 	}
@@ -3619,46 +3566,22 @@ io_handler(void)
 #  endif /* HAVE_SIGNALED_IO */
 }
 
+#ifdef HAVE_SIGNALED_IO
 /*
  * input_handler - receive packets asynchronously
+ *
+ * ALWAYS IN SIGNAL HANDLER CONTEXT -- only async-safe functions allowed!
  */
-static void
+static RETSIGTYPE
 input_handler(
 	l_fp *	cts
 	)
 {
-	int		buflen;
 	int		n;
-	u_int		idx;
-	int		doing;
-	SOCKET		fd;
-	blocking_child *c;
 	struct timeval	tvzero;
-	l_fp		ts;	/* Timestamp at BOselect() gob */
-#ifdef DEBUG_TIMING
-	l_fp		ts_e;	/* Timestamp at EOselect() gob */
-#endif
 	fd_set		fds;
-	size_t		select_count;
-	endpt *		ep;
-#ifdef REFCLOCK
-	struct refclockio *rp;
-	int		saved_errno;
-	const char *	clk;
-#endif
-#ifdef HAS_ROUTING_SOCKET
-	struct asyncio_reader *	asyncio_reader;
-	struct asyncio_reader *	next_asyncio_reader;
-#endif
-
-	handler_calls++;
-	select_count = 0;
-
-	/*
-	 * If we have something to do, freeze a timestamp.
-	 * See below for the other cases (nothing left to do or error)
-	 */
-	ts = *cts;
+	
+	++handler_calls;
 
 	/*
 	 * Do a poll to see who has data
@@ -3668,82 +3591,133 @@ input_handler(
 	tvzero.tv_sec = tvzero.tv_usec = 0;
 
 	n = select(maxactivefd + 1, &fds, NULL, NULL, &tvzero);
+	if (n < 0 && sanitize_fdset(errno)) {
+		fds = activefds;
+		tvzero.tv_sec = tvzero.tv_usec = 0;
+		n = select(maxactivefd + 1, &fds, NULL, NULL, &tvzero);
+	}
+	if (n > 0)
+		input_handler_scan(cts, &fds);
+}
+#endif /* HAVE_SIGNALED_IO */
+
+
+/*
+ * Try to sanitize the global FD set
+ *
+ * SIGNAL HANDLER CONTEXT if HAVE_SIGNALED_IO, ordinary userspace otherwise
+ */
+static int/*BOOL*/
+sanitize_fdset(
+	int	errc
+	)
+{
+	int j, b, maxscan;
 
+#  ifndef HAVE_SIGNALED_IO
 	/*
-	 * If there are no packets waiting just return
+	 * extended FAU debugging output
 	 */
-	if (n < 0) {
-		int err = errno;
-		int j, b, prior;
-		/*
-		 * extended FAU debugging output
-		 */
-		if (err != EINTR)
-			msyslog(LOG_ERR,
-				"select(%d, %s, 0L, 0L, &0.0) error: %m",
-				maxactivefd + 1,
-				fdbits(maxactivefd, &activefds));
-		if (err != EBADF)
-			goto ih_return;
-		for (j = 0, prior = 0; j <= maxactivefd; j++) {
-			if (FD_ISSET(j, &activefds)) {
-				if (-1 != read(j, &b, 0)) {
-					prior = j;
-					continue;
-				}
-				msyslog(LOG_ERR,
-					"Removing bad file descriptor %d from select set",
-					j);
-				FD_CLR(j, &activefds);
-				if (j == maxactivefd)
-					maxactivefd = prior;
+	if (errc != EINTR) {
+		msyslog(LOG_ERR,
+			"select(%d, %s, 0L, 0L, &0.0) error: %m",
+			maxactivefd + 1,
+			fdbits(maxactivefd, &activefds));
+	}
+#   endif
+	
+	if (errc != EBADF)
+		return FALSE;
+
+	/* if we have oviously bad FDs, try to sanitize the FD set. */
+	for (j = 0, maxscan = 0; j <= maxactivefd; j++) {
+		if (FD_ISSET(j, &activefds)) {
+			if (-1 != read(j, &b, 0)) {
+				maxscan = j;
+				continue;
 			}
+#		    ifndef HAVE_SIGNALED_IO
+			msyslog(LOG_ERR,
+				"Removing bad file descriptor %d from select set",
+				j);
+#		    endif
+			FD_CLR(j, &activefds);
 		}
-		goto ih_return;
 	}
-	else if (n == 0)
-		goto ih_return;
+	if (maxactivefd != maxscan)
+		maxactivefd = maxscan;
+	return TRUE;
+}
+
+/*
+ * scan the known FDs (clocks, servers, ...) for presence in a 'fd_set'. 
+ *
+ * SIGNAL HANDLER CONTEXT if HAVE_SIGNALED_IO, ordinary userspace otherwise
+ */
+static void
+input_handler_scan(
+	const l_fp *	cts,
+	const fd_set *	pfds
+	)
+{
+	int		buflen;
+	u_int		idx;
+	int		doing;
+	SOCKET		fd;
+	blocking_child *c;
+	l_fp		ts;	/* Timestamp at BOselect() gob */
+
+#if defined(DEBUG_TIMING)
+	l_fp		ts_e;	/* Timestamp at EOselect() gob */
+#endif
+	endpt *		ep;
+#ifdef REFCLOCK
+	struct refclockio *rp;
+	int		saved_errno;
+	const char *	clk;
+#endif
+#ifdef HAS_ROUTING_SOCKET
+	struct asyncio_reader *	asyncio_reader;
+	struct asyncio_reader *	next_asyncio_reader;
+#endif
 
 	++handler_pkts;
+	ts = *cts;
 
 #ifdef REFCLOCK
 	/*
 	 * Check out the reference clocks first, if any
 	 */
-
-	if (refio != NULL) {
-		for (rp = refio; rp != NULL; rp = rp->next) {
-			fd = rp->fd;
-
-			if (!FD_ISSET(fd, &fds))
-				continue;
-			++select_count;
-			buflen = read_refclock_packet(fd, rp, ts);
-			/*
-			 * The first read must succeed after select()
-			 * indicates readability, or we've reached
-			 * a permanent EOF.  http://bugs.ntp.org/1732
-			 * reported ntpd munching CPU after a USB GPS
-			 * was unplugged because select was indicating
-			 * EOF but ntpd didn't remove the descriptor
-			 * from the activefds set.
-			 */
-			if (buflen < 0 && EAGAIN != errno) {
-				saved_errno = errno;
-				clk = refnumtoa(&rp->srcclock->srcadr);
-				errno = saved_errno;
-				msyslog(LOG_ERR, "%s read: %m", clk);
-				maintain_activefds(fd, TRUE);
-			} else if (0 == buflen) {
-				clk = refnumtoa(&rp->srcclock->srcadr);
-				msyslog(LOG_ERR, "%s read EOF", clk);
-				maintain_activefds(fd, TRUE);
-			} else {
-				/* drain any remaining refclock input */
-				do {
-					buflen = read_refclock_packet(fd, rp, ts);
-				} while (buflen > 0);
-			}
+	
+	for (rp = refio; rp != NULL; rp = rp->next) {
+		fd = rp->fd;
+		
+		if (!FD_ISSET(fd, pfds))
+			continue;
+		buflen = read_refclock_packet(fd, rp, ts);
+		/*
+		 * The first read must succeed after select() indicates
+		 * readability, or we've reached a permanent EOF.
+		 * http://bugs.ntp.org/1732 reported ntpd munching CPU
+		 * after a USB GPS was unplugged because select was
+		 * indicating EOF but ntpd didn't remove the descriptor
+		 * from the activefds set.
+		 */
+		if (buflen < 0 && EAGAIN != errno) {
+			saved_errno = errno;
+			clk = refnumtoa(&rp->srcclock->srcadr);
+			errno = saved_errno;
+			msyslog(LOG_ERR, "%s read: %m", clk);
+			maintain_activefds(fd, TRUE);
+		} else if (0 == buflen) {
+			clk = refnumtoa(&rp->srcclock->srcadr);
+			msyslog(LOG_ERR, "%s read EOF", clk);
+			maintain_activefds(fd, TRUE);
+		} else {
+			/* drain any remaining refclock input */
+			do {
+				buflen = read_refclock_packet(fd, rp, ts);
+			} while (buflen > 0);
 		}
 	}
 #endif /* REFCLOCK */
@@ -3762,9 +3736,8 @@ input_handler(
 			}
 			if (fd < 0)
 				continue;
-			if (FD_ISSET(fd, &fds))
+			if (FD_ISSET(fd, pfds))
 				do {
-					++select_count;
 					buflen = read_network_packet(
 							fd, ep, ts);
 				} while (buflen > 0);
@@ -3781,10 +3754,8 @@ input_handler(
 	while (asyncio_reader != NULL) {
 		/* callback may unlink and free asyncio_reader */
 		next_asyncio_reader = asyncio_reader->link;
-		if (FD_ISSET(asyncio_reader->fd, &fds)) {
-			++select_count;
+		if (FD_ISSET(asyncio_reader->fd, pfds))
 			(*asyncio_reader->receiver)(asyncio_reader);
-		}
 		asyncio_reader = next_asyncio_reader;
 	}
 #endif /* HAS_ROUTING_SOCKET */
@@ -3796,26 +3767,14 @@ input_handler(
 		c = blocking_children[idx];
 		if (NULL == c || -1 == c->resp_read_pipe)
 			continue;
-		if (FD_ISSET(c->resp_read_pipe, &fds)) {
-			select_count++;
-			process_blocking_resp(c);
+		if (FD_ISSET(c->resp_read_pipe, pfds)) {
+			++c->resp_ready_seen;
+			++blocking_child_ready_seen;
 		}
 	}
 
-	/*
-	 * Done everything from that select.
-	 * If nothing to do, just return.
-	 * If an error occurred, complain and return.
-	 */
-	if (select_count == 0) { /* We really had nothing to do */
-#ifdef DEBUG
-		if (debug)
-			msyslog(LOG_DEBUG, "input_handler: select() returned 0");
-#endif /* DEBUG */
-		goto ih_return;
-	}
 	/* We've done our work */
-#ifdef DEBUG_TIMING
+#if defined(DEBUG_TIMING)
 	get_systime(&ts_e);
 	/*
 	 * (ts_e - ts) is the amount of time we spent
@@ -3829,11 +3788,7 @@ input_handler(
 			"input_handler: Processed a gob of fd's in %s msec",
 			lfptoms(&ts_e, 6));
 #endif /* DEBUG_TIMING */
-	/* We're done... */
-    ih_return:
-	return;
 }
-#endif /* !HAVE_IO_COMPLETION_PORT */
 
 
 /*
diff --git a/contrib/ntp/ntpd/ntp_keyword.h b/contrib/ntp/ntpd/ntp_keyword.h
index 0a593f6..c726c60 100644
--- a/contrib/ntp/ntpd/ntp_keyword.h
+++ b/contrib/ntp/ntpd/ntp_keyword.h
@@ -2,7 +2,7 @@
  * ntp_keyword.h
  * 
  * NOTE: edit this file with caution, it is generated by keyword-gen.c
- *	 Generated 2015-06-25 03:57:00 UTC	  diff_ignore_line
+ *	 Generated 2016-01-16 08:33:03 UTC	  diff_ignore_line
  *
  */
 #include "ntp_scanner.h"
@@ -10,7 +10,7 @@
 
 #define LOWEST_KEYWORD_ID 258
 
-const char * const keyword_text[191] = {
+const char * const keyword_text[194] = {
 	/* 0       258             T_Abbrev */	"abbrev",
 	/* 1       259                T_Age */	"age",
 	/* 2       260                T_All */	"all",
@@ -182,31 +182,34 @@ const char * const keyword_text[191] = {
 	/* 168     426                T_Ttl */	"ttl",
 	/* 169     427               T_Type */	"type",
 	/* 170     428              T_U_int */	NULL,
-	/* 171     429           T_Unconfig */	"unconfig",
-	/* 172     430             T_Unpeer */	"unpeer",
-	/* 173     431            T_Version */	"version",
-	/* 174     432    T_WanderThreshold */	NULL,
-	/* 175     433               T_Week */	"week",
-	/* 176     434           T_Wildcard */	"wildcard",
-	/* 177     435             T_Xleave */	"xleave",
-	/* 178     436               T_Year */	"year",
-	/* 179     437               T_Flag */	NULL,
-	/* 180     438                T_EOC */	NULL,
-	/* 181     439           T_Simulate */	"simulate",
-	/* 182     440         T_Beep_Delay */	"beep_delay",
-	/* 183     441       T_Sim_Duration */	"simulation_duration",
-	/* 184     442      T_Server_Offset */	"server_offset",
-	/* 185     443           T_Duration */	"duration",
-	/* 186     444        T_Freq_Offset */	"freq_offset",
-	/* 187     445             T_Wander */	"wander",
-	/* 188     446             T_Jitter */	"jitter",
-	/* 189     447         T_Prop_Delay */	"prop_delay",
-	/* 190     448         T_Proc_Delay */	"proc_delay"
+	/* 171     429           T_UEcrypto */	"unpeer_crypto_early",
+	/* 172     430        T_UEcryptonak */	"unpeer_crypto_nak_early",
+	/* 173     431           T_UEdigest */	"unpeer_digest_early",
+	/* 174     432           T_Unconfig */	"unconfig",
+	/* 175     433             T_Unpeer */	"unpeer",
+	/* 176     434            T_Version */	"version",
+	/* 177     435    T_WanderThreshold */	NULL,
+	/* 178     436               T_Week */	"week",
+	/* 179     437           T_Wildcard */	"wildcard",
+	/* 180     438             T_Xleave */	"xleave",
+	/* 181     439               T_Year */	"year",
+	/* 182     440               T_Flag */	NULL,
+	/* 183     441                T_EOC */	NULL,
+	/* 184     442           T_Simulate */	"simulate",
+	/* 185     443         T_Beep_Delay */	"beep_delay",
+	/* 186     444       T_Sim_Duration */	"simulation_duration",
+	/* 187     445      T_Server_Offset */	"server_offset",
+	/* 188     446           T_Duration */	"duration",
+	/* 189     447        T_Freq_Offset */	"freq_offset",
+	/* 190     448             T_Wander */	"wander",
+	/* 191     449             T_Jitter */	"jitter",
+	/* 192     450         T_Prop_Delay */	"prop_delay",
+	/* 193     451         T_Proc_Delay */	"proc_delay"
 };
 
-#define SCANNER_INIT_S 853
+#define SCANNER_INIT_S 887
 
-const scan_state sst[856] = {
+const scan_state sst[890] = {
 /*SS_T( ch,	f-by, match, other ),				 */
   0,				      /*     0                   */
   S_ST( '-',	3,      323,     0 ), /*     1                   */
@@ -252,7 +255,7 @@ const scan_state sst[856] = {
   S_ST( 'd',	3,       42,     0 ), /*    41 beep_             */
   S_ST( 'e',	3,       43,     0 ), /*    42 beep_d            */
   S_ST( 'l',	3,       44,     0 ), /*    43 beep_de           */
-  S_ST( 'a',	3,      440,     0 ), /*    44 beep_del          */
+  S_ST( 'a',	3,      443,     0 ), /*    44 beep_del          */
   S_ST( 'r',	3,       46,    34 ), /*    45 b                 */
   S_ST( 'o',	3,       47,     0 ), /*    46 br                */
   S_ST( 'a',	3,       48,     0 ), /*    47 bro               */
@@ -352,7 +355,7 @@ const scan_state sst[856] = {
   S_ST( 'a',	3,      142,     0 ), /*   141 dur               */
   S_ST( 't',	3,      143,     0 ), /*   142 dura              */
   S_ST( 'i',	3,      144,     0 ), /*   143 durat             */
-  S_ST( 'o',	3,      443,     0 ), /*   144 durati            */
+  S_ST( 'o',	3,      446,     0 ), /*   144 durati            */
   S_ST( 'e',	3,      146,   105 ), /*   145                   */
   S_ST( 'n',	3,      293,     0 ), /*   146 e                 */
   S_ST( 'a',	3,      148,     0 ), /*   147 en                */
@@ -378,7 +381,7 @@ const scan_state sst[856] = {
   S_ST( 'f',	3,      168,     0 ), /*   167 freq_o            */
   S_ST( 'f',	3,      169,     0 ), /*   168 freq_of           */
   S_ST( 's',	3,      170,     0 ), /*   169 freq_off          */
-  S_ST( 'e',	3,      444,     0 ), /*   170 freq_offs         */
+  S_ST( 'e',	3,      447,     0 ), /*   170 freq_offs         */
   S_ST( 'u',	3,      172,   163 ), /*   171 f                 */
   S_ST( 'd',	3,      173,     0 ), /*   172 fu                */
   S_ST( 'g',	3,      305,     0 ), /*   173 fud               */
@@ -438,7 +441,7 @@ const scan_state sst[856] = {
   S_ST( 'i',	3,      228,     0 ), /*   227 j                 */
   S_ST( 't',	3,      229,     0 ), /*   228 ji                */
   S_ST( 't',	3,      230,     0 ), /*   229 jit               */
-  S_ST( 'e',	3,      446,     0 ), /*   230 jitt              */
+  S_ST( 'e',	3,      449,     0 ), /*   230 jitt              */
   S_ST( 'k',	3,      238,   226 ), /*   231                   */
   S_ST( 'e',	3,      325,     0 ), /*   232 k                 */
   S_ST( 'r',	3,      234,     0 ), /*   233 ke                */
@@ -447,7 +450,7 @@ const scan_state sst[856] = {
   S_ST( 'd',	3,      237,     0 ), /*   236 keys              */
   S_ST( 'i',	3,      327,     0 ), /*   237 keysd             */
   S_ST( 'o',	3,      328,   232 ), /*   238 k                 */
-  S_ST( 'l',	3,      449,   231 ), /*   239                   */
+  S_ST( 'l',	3,      452,   231 ), /*   239                   */
   S_ST( 'e',	3,      241,     0 ), /*   240 l                 */
   S_ST( 'a',	3,      242,     0 ), /*   241 le                */
   S_ST( 'p',	3,      246,     0 ), /*   242 lea               */
@@ -495,7 +498,7 @@ const scan_state sst[856] = {
   S_ST( 'e',	0,        0,     0 ), /*   284 T_Disable         */
   S_ST( 'd',	0,        0,     0 ), /*   285 T_Discard         */
   S_ST( 'n',	0,        0,     0 ), /*   286 T_Dispersion      */
-  S_ST( 'i',	3,      432,   240 ), /*   287 l                 */
+  S_ST( 'i',	3,      435,   240 ), /*   287 l                 */
   S_ST( 'e',	1,        0,     0 ), /*   288 T_Driftfile       */
   S_ST( 'p',	0,        0,     0 ), /*   289 T_Drop            */
   S_ST( 'p',	0,        0,     0 ), /*   290 T_Dscp            */
@@ -557,7 +560,7 @@ const scan_state sst[856] = {
   S_ST( 'm',	0,        0,     0 ), /*   346 T_Maxmem          */
   S_ST( 'l',	0,        0,     0 ), /*   347 T_Maxpoll         */
   S_ST( 's',	0,        0,     0 ), /*   348 T_Mdnstries       */
-  S_ST( 'm',	0,      518,     0 ), /*   349 T_Mem             */
+  S_ST( 'm',	0,      521,     0 ), /*   349 T_Mem             */
   S_ST( 'k',	0,        0,     0 ), /*   350 T_Memlock         */
   S_ST( 'k',	0,        0,     0 ), /*   351 T_Minclock        */
   S_ST( 'h',	0,        0,     0 ), /*   352 T_Mindepth        */
@@ -583,23 +586,23 @@ const scan_state sst[856] = {
   S_ST( 'e',	0,        0,     0 ), /*   372 T_Noserve         */
   S_ST( 'p',	0,        0,     0 ), /*   373 T_Notrap          */
   S_ST( 't',	0,        0,     0 ), /*   374 T_Notrust         */
-  S_ST( 'p',	0,      614,     0 ), /*   375 T_Ntp             */
+  S_ST( 'p',	0,      617,     0 ), /*   375 T_Ntp             */
   S_ST( 't',	0,        0,     0 ), /*   376 T_Ntpport         */
   S_ST( 't',	1,        0,     0 ), /*   377 T_NtpSignDsocket  */
-  S_ST( 'n',	0,      629,     0 ), /*   378 T_Orphan          */
+  S_ST( 'n',	0,      632,     0 ), /*   378 T_Orphan          */
   S_ST( 't',	0,        0,     0 ), /*   379 T_Orphanwait      */
   S_ST( 'c',	0,        0,     0 ), /*   380 T_Panic           */
-  S_ST( 'r',	1,      638,     0 ), /*   381 T_Peer            */
+  S_ST( 'r',	1,      641,     0 ), /*   381 T_Peer            */
   S_ST( 's',	0,        0,     0 ), /*   382 T_Peerstats       */
   S_ST( 'e',	2,        0,     0 ), /*   383 T_Phone           */
-  S_ST( 'd',	0,      646,     0 ), /*   384 T_Pid             */
+  S_ST( 'd',	0,      649,     0 ), /*   384 T_Pid             */
   S_ST( 'e',	1,        0,     0 ), /*   385 T_Pidfile         */
   S_ST( 'l',	1,        0,     0 ), /*   386 T_Pool            */
   S_ST( 't',	0,        0,     0 ), /*   387 T_Port            */
   S_ST( 't',	0,        0,     0 ), /*   388 T_Preempt         */
   S_ST( 'r',	0,        0,     0 ), /*   389 T_Prefer          */
   S_ST( 's',	0,        0,     0 ), /*   390 T_Protostats      */
-  S_ST( 'w',	1,        0,   652 ), /*   391 T_Pw              */
+  S_ST( 'w',	1,        0,   655 ), /*   391 T_Pw              */
   S_ST( 'e',	1,        0,     0 ), /*   392 T_Randfile        */
   S_ST( 's',	0,        0,     0 ), /*   393 T_Rawstats        */
   S_ST( 'd',	1,        0,     0 ), /*   394 T_Refid           */
@@ -609,20 +612,20 @@ const scan_state sst[856] = {
   S_ST( 'e',	0,        0,     0 ), /*   398 T_Revoke          */
   S_ST( 't',	0,        0,     0 ), /*   399 T_Rlimit          */
   S_ST( 'r',	1,        0,     0 ), /*   400 T_Saveconfigdir   */
-  S_ST( 'r',	1,      729,     0 ), /*   401 T_Server          */
+  S_ST( 'r',	1,      732,     0 ), /*   401 T_Server          */
   S_ST( 'r',	1,        0,     0 ), /*   402 T_Setvar          */
   S_ST( 'e',	0,        0,     0 ), /*   403 T_Source          */
   S_ST( 'e',	0,        0,     0 ), /*   404 T_Stacksize       */
   S_ST( 's',	0,        0,     0 ), /*   405 T_Statistics      */
-  S_ST( 's',	0,      772,   767 ), /*   406 T_Stats           */
+  S_ST( 's',	0,      775,   770 ), /*   406 T_Stats           */
   S_ST( 'r',	1,        0,     0 ), /*   407 T_Statsdir        */
-  S_ST( 'p',	0,      780,     0 ), /*   408 T_Step            */
+  S_ST( 'p',	0,      783,     0 ), /*   408 T_Step            */
   S_ST( 'k',	0,        0,     0 ), /*   409 T_Stepback        */
   S_ST( 'd',	0,        0,     0 ), /*   410 T_Stepfwd         */
   S_ST( 't',	0,        0,     0 ), /*   411 T_Stepout         */
   S_ST( 'm',	0,        0,     0 ), /*   412 T_Stratum         */
   S_ST( 'e',	3,      332,     0 ), /*   413 limit             */
-  S_ST( 's',	0,      787,     0 ), /*   414 T_Sys             */
+  S_ST( 's',	0,      790,     0 ), /*   414 T_Sys             */
   S_ST( 's',	0,        0,     0 ), /*   415 T_Sysstats        */
   S_ST( 'k',	0,        0,     0 ), /*   416 T_Tick            */
   S_ST( '1',	0,        0,     0 ), /*   417 T_Time1           */
@@ -637,432 +640,466 @@ const scan_state sst[856] = {
   S_ST( 'l',	0,        0,     0 ), /*   426 T_Ttl             */
   S_ST( 'e',	0,        0,     0 ), /*   427 T_Type            */
   S_ST( 'n',	3,      333,   294 ), /*   428 li                */
-  S_ST( 'g',	1,        0,     0 ), /*   429 T_Unconfig        */
-  S_ST( 'r',	1,        0,     0 ), /*   430 T_Unpeer          */
-  S_ST( 'n',	0,        0,     0 ), /*   431 T_Version         */
-  S_ST( 's',	3,      437,   428 ), /*   432 li                */
-  S_ST( 'k',	0,        0,     0 ), /*   433 T_Week            */
-  S_ST( 'd',	0,        0,     0 ), /*   434 T_Wildcard        */
-  S_ST( 'e',	0,        0,     0 ), /*   435 T_Xleave          */
-  S_ST( 'r',	0,        0,     0 ), /*   436 T_Year            */
-  S_ST( 't',	3,      438,     0 ), /*   437 lis               */
-  S_ST( 'e',	3,      334,     0 ), /*   438 list              */
-  S_ST( 'e',	0,        0,     0 ), /*   439 T_Simulate        */
-  S_ST( 'y',	0,        0,     0 ), /*   440 T_Beep_Delay      */
-  S_ST( 'n',	0,        0,     0 ), /*   441 T_Sim_Duration    */
-  S_ST( 't',	0,        0,     0 ), /*   442 T_Server_Offset   */
-  S_ST( 'n',	0,        0,     0 ), /*   443 T_Duration        */
-  S_ST( 't',	0,        0,     0 ), /*   444 T_Freq_Offset     */
-  S_ST( 'r',	0,        0,     0 ), /*   445 T_Wander          */
-  S_ST( 'r',	0,        0,     0 ), /*   446 T_Jitter          */
-  S_ST( 'y',	0,        0,     0 ), /*   447 T_Prop_Delay      */
-  S_ST( 'y',	0,        0,     0 ), /*   448 T_Proc_Delay      */
-  S_ST( 'o',	3,      465,   287 ), /*   449 l                 */
-  S_ST( 'g',	3,      456,     0 ), /*   450 lo                */
-  S_ST( 'c',	3,      452,     0 ), /*   451 log               */
-  S_ST( 'o',	3,      453,     0 ), /*   452 logc              */
-  S_ST( 'n',	3,      454,     0 ), /*   453 logco             */
-  S_ST( 'f',	3,      455,     0 ), /*   454 logcon            */
-  S_ST( 'i',	3,      335,     0 ), /*   455 logconf           */
-  S_ST( 'f',	3,      457,   451 ), /*   456 log               */
-  S_ST( 'i',	3,      458,     0 ), /*   457 logf              */
-  S_ST( 'l',	3,      336,     0 ), /*   458 logfi             */
-  S_ST( 'o',	3,      460,   450 ), /*   459 lo                */
-  S_ST( 'p',	3,      461,     0 ), /*   460 loo               */
-  S_ST( 's',	3,      462,     0 ), /*   461 loop              */
-  S_ST( 't',	3,      463,     0 ), /*   462 loops             */
-  S_ST( 'a',	3,      464,     0 ), /*   463 loopst            */
-  S_ST( 't',	3,      337,     0 ), /*   464 loopsta           */
-  S_ST( 'w',	3,      466,   459 ), /*   465 lo                */
-  S_ST( 'p',	3,      467,     0 ), /*   466 low               */
-  S_ST( 'r',	3,      468,     0 ), /*   467 lowp              */
-  S_ST( 'i',	3,      469,     0 ), /*   468 lowpr             */
-  S_ST( 'o',	3,      470,     0 ), /*   469 lowpri            */
-  S_ST( 't',	3,      471,     0 ), /*   470 lowprio           */
-  S_ST( 'r',	3,      472,     0 ), /*   471 lowpriot          */
-  S_ST( 'a',	3,      338,     0 ), /*   472 lowpriotr         */
-  S_ST( 'm',	3,      554,   239 ), /*   473                   */
-  S_ST( 'a',	3,      492,     0 ), /*   474 m                 */
-  S_ST( 'n',	3,      476,     0 ), /*   475 ma                */
-  S_ST( 'y',	3,      477,     0 ), /*   476 man               */
-  S_ST( 'c',	3,      478,     0 ), /*   477 many              */
-  S_ST( 'a',	3,      479,     0 ), /*   478 manyc             */
-  S_ST( 's',	3,      480,     0 ), /*   479 manyca            */
-  S_ST( 't',	3,      486,     0 ), /*   480 manycas           */
-  S_ST( 'c',	3,      482,     0 ), /*   481 manycast          */
-  S_ST( 'l',	3,      483,     0 ), /*   482 manycastc         */
-  S_ST( 'i',	3,      484,     0 ), /*   483 manycastcl        */
-  S_ST( 'e',	3,      485,     0 ), /*   484 manycastcli       */
-  S_ST( 'n',	3,      339,     0 ), /*   485 manycastclie      */
-  S_ST( 's',	3,      487,   481 ), /*   486 manycast          */
-  S_ST( 'e',	3,      488,     0 ), /*   487 manycasts         */
-  S_ST( 'r',	3,      489,     0 ), /*   488 manycastse        */
-  S_ST( 'v',	3,      490,     0 ), /*   489 manycastser       */
-  S_ST( 'e',	3,      340,     0 ), /*   490 manycastserv      */
-  S_ST( 's',	3,      341,   475 ), /*   491 ma                */
-  S_ST( 'x',	3,      507,   491 ), /*   492 ma                */
-  S_ST( 'a',	3,      494,     0 ), /*   493 max               */
-  S_ST( 'g',	3,      342,     0 ), /*   494 maxa              */
-  S_ST( 'c',	3,      496,   493 ), /*   495 max               */
-  S_ST( 'l',	3,      497,     0 ), /*   496 maxc              */
-  S_ST( 'o',	3,      498,     0 ), /*   497 maxcl             */
-  S_ST( 'c',	3,      343,     0 ), /*   498 maxclo            */
-  S_ST( 'd',	3,      503,   495 ), /*   499 max               */
-  S_ST( 'e',	3,      501,     0 ), /*   500 maxd              */
-  S_ST( 'p',	3,      502,     0 ), /*   501 maxde             */
-  S_ST( 't',	3,      344,     0 ), /*   502 maxdep            */
-  S_ST( 'i',	3,      504,   500 ), /*   503 maxd              */
-  S_ST( 's',	3,      345,     0 ), /*   504 maxdi             */
-  S_ST( 'm',	3,      506,   499 ), /*   505 max               */
-  S_ST( 'e',	3,      346,     0 ), /*   506 maxm              */
-  S_ST( 'p',	3,      508,   505 ), /*   507 max               */
-  S_ST( 'o',	3,      509,     0 ), /*   508 maxp              */
-  S_ST( 'l',	3,      347,     0 ), /*   509 maxpo             */
-  S_ST( 'd',	3,      511,   474 ), /*   510 m                 */
-  S_ST( 'n',	3,      512,     0 ), /*   511 md                */
-  S_ST( 's',	3,      513,     0 ), /*   512 mdn               */
-  S_ST( 't',	3,      514,     0 ), /*   513 mdns              */
-  S_ST( 'r',	3,      515,     0 ), /*   514 mdnst             */
-  S_ST( 'i',	3,      516,     0 ), /*   515 mdnstr            */
-  S_ST( 'e',	3,      348,     0 ), /*   516 mdnstri           */
-  S_ST( 'e',	3,      349,   510 ), /*   517 m                 */
-  S_ST( 'l',	3,      519,     0 ), /*   518 mem               */
-  S_ST( 'o',	3,      520,     0 ), /*   519 meml              */
-  S_ST( 'c',	3,      350,     0 ), /*   520 memlo             */
-  S_ST( 'i',	3,      522,   517 ), /*   521 m                 */
-  S_ST( 'n',	3,      539,     0 ), /*   522 mi                */
-  S_ST( 'c',	3,      524,     0 ), /*   523 min               */
-  S_ST( 'l',	3,      525,     0 ), /*   524 minc              */
-  S_ST( 'o',	3,      526,     0 ), /*   525 mincl             */
-  S_ST( 'c',	3,      351,     0 ), /*   526 minclo            */
-  S_ST( 'd',	3,      531,   523 ), /*   527 min               */
-  S_ST( 'e',	3,      529,     0 ), /*   528 mind              */
-  S_ST( 'p',	3,      530,     0 ), /*   529 minde             */
-  S_ST( 't',	3,      352,     0 ), /*   530 mindep            */
-  S_ST( 'i',	3,      532,   528 ), /*   531 mind              */
-  S_ST( 's',	3,      353,     0 ), /*   532 mindi             */
-  S_ST( 'i',	3,      534,   527 ), /*   533 min               */
-  S_ST( 'm',	3,      535,     0 ), /*   534 mini              */
-  S_ST( 'u',	3,      354,     0 ), /*   535 minim             */
-  S_ST( 'p',	3,      537,   533 ), /*   536 min               */
-  S_ST( 'o',	3,      538,     0 ), /*   537 minp              */
-  S_ST( 'l',	3,      355,     0 ), /*   538 minpo             */
-  S_ST( 's',	3,      540,   536 ), /*   539 min               */
-  S_ST( 'a',	3,      541,     0 ), /*   540 mins              */
-  S_ST( 'n',	3,      356,     0 ), /*   541 minsa             */
-  S_ST( 'o',	3,      544,   521 ), /*   542 m                 */
-  S_ST( 'd',	3,      357,     0 ), /*   543 mo                */
-  S_ST( 'n',	3,      548,   543 ), /*   544 mo                */
-  S_ST( 'i',	3,      546,     0 ), /*   545 mon               */
-  S_ST( 't',	3,      547,     0 ), /*   546 moni              */
-  S_ST( 'o',	3,      359,     0 ), /*   547 monit             */
-  S_ST( 't',	3,      360,   545 ), /*   548 mon               */
-  S_ST( 'r',	3,      361,   542 ), /*   549 m                 */
-  S_ST( 's',	3,      551,   549 ), /*   550 m                 */
-  S_ST( 's',	3,      552,     0 ), /*   551 ms                */
-  S_ST( 'n',	3,      553,     0 ), /*   552 mss               */
-  S_ST( 't',	3,      329,     0 ), /*   553 mssn              */
-  S_ST( 'u',	3,      555,   550 ), /*   554 m                 */
-  S_ST( 'l',	3,      556,     0 ), /*   555 mu                */
-  S_ST( 't',	3,      557,     0 ), /*   556 mul               */
-  S_ST( 'i',	3,      558,     0 ), /*   557 mult              */
-  S_ST( 'c',	3,      559,     0 ), /*   558 multi             */
-  S_ST( 'a',	3,      560,     0 ), /*   559 multic            */
-  S_ST( 's',	3,      561,     0 ), /*   560 multica           */
-  S_ST( 't',	3,      562,     0 ), /*   561 multicas          */
-  S_ST( 'c',	3,      563,     0 ), /*   562 multicast         */
-  S_ST( 'l',	3,      564,     0 ), /*   563 multicastc        */
-  S_ST( 'i',	3,      565,     0 ), /*   564 multicastcl       */
-  S_ST( 'e',	3,      566,     0 ), /*   565 multicastcli      */
-  S_ST( 'n',	3,      362,     0 ), /*   566 multicastclie     */
-  S_ST( 'n',	3,      610,   473 ), /*   567                   */
-  S_ST( 'i',	3,      363,     0 ), /*   568 n                 */
-  S_ST( 'o',	3,      605,   568 ), /*   569 n                 */
-  S_ST( 'l',	3,      571,     0 ), /*   570 no                */
-  S_ST( 'i',	3,      572,     0 ), /*   571 nol               */
-  S_ST( 'n',	3,      364,     0 ), /*   572 noli              */
-  S_ST( 'm',	3,      578,   570 ), /*   573 no                */
-  S_ST( 'o',	3,      575,     0 ), /*   574 nom               */
-  S_ST( 'd',	3,      576,     0 ), /*   575 nomo              */
-  S_ST( 'i',	3,      577,     0 ), /*   576 nomod             */
-  S_ST( 'f',	3,      365,     0 ), /*   577 nomodi            */
-  S_ST( 'r',	3,      579,   574 ), /*   578 nom               */
-  S_ST( 'u',	3,      580,     0 ), /*   579 nomr              */
-  S_ST( 'l',	3,      581,     0 ), /*   580 nomru             */
-  S_ST( 'i',	3,      582,     0 ), /*   581 nomrul            */
-  S_ST( 's',	3,      366,     0 ), /*   582 nomruli           */
-  S_ST( 'n',	3,      584,   573 ), /*   583 no                */
-  S_ST( 'v',	3,      585,   367 ), /*   584 non               */
-  S_ST( 'o',	3,      586,     0 ), /*   585 nonv              */
-  S_ST( 'l',	3,      587,     0 ), /*   586 nonvo             */
-  S_ST( 'a',	3,      588,     0 ), /*   587 nonvol            */
-  S_ST( 't',	3,      589,     0 ), /*   588 nonvola           */
-  S_ST( 'i',	3,      590,     0 ), /*   589 nonvolat          */
-  S_ST( 'l',	3,      368,     0 ), /*   590 nonvolati         */
-  S_ST( 'p',	3,      592,   583 ), /*   591 no                */
-  S_ST( 'e',	3,      593,     0 ), /*   592 nop               */
-  S_ST( 'e',	3,      369,     0 ), /*   593 nope              */
-  S_ST( 'q',	3,      595,   591 ), /*   594 no                */
-  S_ST( 'u',	3,      596,     0 ), /*   595 noq               */
-  S_ST( 'e',	3,      597,     0 ), /*   596 noqu              */
-  S_ST( 'r',	3,      370,     0 ), /*   597 noque             */
-  S_ST( 's',	3,      599,   594 ), /*   598 no                */
-  S_ST( 'e',	3,      603,     0 ), /*   599 nos               */
-  S_ST( 'l',	3,      601,     0 ), /*   600 nose              */
-  S_ST( 'e',	3,      602,     0 ), /*   601 nosel             */
-  S_ST( 'c',	3,      371,     0 ), /*   602 nosele            */
-  S_ST( 'r',	3,      604,   600 ), /*   603 nose              */
-  S_ST( 'v',	3,      372,     0 ), /*   604 noser             */
-  S_ST( 't',	3,      606,   598 ), /*   605 no                */
-  S_ST( 'r',	3,      608,     0 ), /*   606 not               */
-  S_ST( 'a',	3,      373,     0 ), /*   607 notr              */
-  S_ST( 'u',	3,      609,   607 ), /*   608 notr              */
-  S_ST( 's',	3,      374,     0 ), /*   609 notru             */
-  S_ST( 't',	3,      375,   569 ), /*   610 n                 */
-  S_ST( 'p',	3,      612,     0 ), /*   611 ntp               */
-  S_ST( 'o',	3,      613,     0 ), /*   612 ntpp              */
-  S_ST( 'r',	3,      376,     0 ), /*   613 ntppo             */
-  S_ST( 's',	3,      615,   611 ), /*   614 ntp               */
-  S_ST( 'i',	3,      616,     0 ), /*   615 ntps              */
-  S_ST( 'g',	3,      617,     0 ), /*   616 ntpsi             */
-  S_ST( 'n',	3,      618,     0 ), /*   617 ntpsig            */
-  S_ST( 'd',	3,      619,     0 ), /*   618 ntpsign           */
-  S_ST( 's',	3,      620,     0 ), /*   619 ntpsignd          */
-  S_ST( 'o',	3,      621,     0 ), /*   620 ntpsignds         */
-  S_ST( 'c',	3,      622,     0 ), /*   621 ntpsigndso        */
-  S_ST( 'k',	3,      623,     0 ), /*   622 ntpsigndsoc       */
-  S_ST( 'e',	3,      377,     0 ), /*   623 ntpsigndsock      */
-  S_ST( 'o',	3,      625,   567 ), /*   624                   */
-  S_ST( 'r',	3,      626,     0 ), /*   625 o                 */
-  S_ST( 'p',	3,      627,     0 ), /*   626 or                */
-  S_ST( 'h',	3,      628,     0 ), /*   627 orp               */
-  S_ST( 'a',	3,      378,     0 ), /*   628 orph              */
-  S_ST( 'w',	3,      630,     0 ), /*   629 orphan            */
-  S_ST( 'a',	3,      631,     0 ), /*   630 orphanw           */
-  S_ST( 'i',	3,      379,     0 ), /*   631 orphanwa          */
-  S_ST( 'p',	3,      391,   624 ), /*   632                   */
-  S_ST( 'a',	3,      634,     0 ), /*   633 p                 */
-  S_ST( 'n',	3,      635,     0 ), /*   634 pa                */
-  S_ST( 'i',	3,      380,     0 ), /*   635 pan               */
-  S_ST( 'e',	3,      637,   633 ), /*   636 p                 */
-  S_ST( 'e',	3,      381,     0 ), /*   637 pe                */
-  S_ST( 's',	3,      639,     0 ), /*   638 peer              */
-  S_ST( 't',	3,      640,     0 ), /*   639 peers             */
-  S_ST( 'a',	3,      641,     0 ), /*   640 peerst            */
-  S_ST( 't',	3,      382,     0 ), /*   641 peersta           */
-  S_ST( 'h',	3,      643,   636 ), /*   642 p                 */
-  S_ST( 'o',	3,      644,     0 ), /*   643 ph                */
-  S_ST( 'n',	3,      383,     0 ), /*   644 pho               */
-  S_ST( 'i',	3,      384,   642 ), /*   645 p                 */
-  S_ST( 'f',	3,      647,     0 ), /*   646 pid               */
-  S_ST( 'i',	3,      648,     0 ), /*   647 pidf              */
-  S_ST( 'l',	3,      385,     0 ), /*   648 pidfi             */
-  S_ST( 'o',	3,      651,   645 ), /*   649 p                 */
-  S_ST( 'o',	3,      386,     0 ), /*   650 po                */
-  S_ST( 'r',	3,      387,   650 ), /*   651 po                */
-  S_ST( 'r',	3,      659,   649 ), /*   652 p                 */
-  S_ST( 'e',	3,      657,     0 ), /*   653 pr                */
-  S_ST( 'e',	3,      655,     0 ), /*   654 pre               */
-  S_ST( 'm',	3,      656,     0 ), /*   655 pree              */
-  S_ST( 'p',	3,      388,     0 ), /*   656 preem             */
-  S_ST( 'f',	3,      658,   654 ), /*   657 pre               */
-  S_ST( 'e',	3,      389,     0 ), /*   658 pref              */
-  S_ST( 'o',	3,      672,   653 ), /*   659 pr                */
-  S_ST( 'c',	3,      661,     0 ), /*   660 pro               */
-  S_ST( '_',	3,      662,     0 ), /*   661 proc              */
-  S_ST( 'd',	3,      663,     0 ), /*   662 proc_             */
-  S_ST( 'e',	3,      664,     0 ), /*   663 proc_d            */
-  S_ST( 'l',	3,      665,     0 ), /*   664 proc_de           */
-  S_ST( 'a',	3,      448,     0 ), /*   665 proc_del          */
-  S_ST( 'p',	3,      667,   660 ), /*   666 pro               */
-  S_ST( '_',	3,      668,     0 ), /*   667 prop              */
-  S_ST( 'd',	3,      669,     0 ), /*   668 prop_             */
-  S_ST( 'e',	3,      670,     0 ), /*   669 prop_d            */
-  S_ST( 'l',	3,      671,     0 ), /*   670 prop_de           */
-  S_ST( 'a',	3,      447,     0 ), /*   671 prop_del          */
-  S_ST( 't',	3,      673,   666 ), /*   672 pro               */
-  S_ST( 'o',	3,      674,     0 ), /*   673 prot              */
-  S_ST( 's',	3,      675,     0 ), /*   674 proto             */
-  S_ST( 't',	3,      676,     0 ), /*   675 protos            */
-  S_ST( 'a',	3,      677,     0 ), /*   676 protost           */
-  S_ST( 't',	3,      390,     0 ), /*   677 protosta          */
-  S_ST( 'r',	3,      709,   632 ), /*   678                   */
-  S_ST( 'a',	3,      685,     0 ), /*   679 r                 */
-  S_ST( 'n',	3,      681,     0 ), /*   680 ra                */
-  S_ST( 'd',	3,      682,     0 ), /*   681 ran               */
-  S_ST( 'f',	3,      683,     0 ), /*   682 rand              */
-  S_ST( 'i',	3,      684,     0 ), /*   683 randf             */
-  S_ST( 'l',	3,      392,     0 ), /*   684 randfi            */
-  S_ST( 'w',	3,      686,   680 ), /*   685 ra                */
-  S_ST( 's',	3,      687,     0 ), /*   686 raw               */
-  S_ST( 't',	3,      688,     0 ), /*   687 raws              */
-  S_ST( 'a',	3,      689,     0 ), /*   688 rawst             */
-  S_ST( 't',	3,      393,     0 ), /*   689 rawsta            */
-  S_ST( 'e',	3,      706,   679 ), /*   690 r                 */
-  S_ST( 'f',	3,      692,     0 ), /*   691 re                */
-  S_ST( 'i',	3,      394,     0 ), /*   692 ref               */
-  S_ST( 'q',	3,      694,   691 ), /*   693 re                */
-  S_ST( 'u',	3,      695,     0 ), /*   694 req               */
-  S_ST( 'e',	3,      696,     0 ), /*   695 requ              */
-  S_ST( 's',	3,      697,     0 ), /*   696 reque             */
-  S_ST( 't',	3,      698,     0 ), /*   697 reques            */
-  S_ST( 'k',	3,      699,     0 ), /*   698 request           */
-  S_ST( 'e',	3,      395,     0 ), /*   699 requestk          */
-  S_ST( 's',	3,      702,   693 ), /*   700 re                */
-  S_ST( 'e',	3,      396,     0 ), /*   701 res               */
-  S_ST( 't',	3,      703,   701 ), /*   702 res               */
-  S_ST( 'r',	3,      704,     0 ), /*   703 rest              */
-  S_ST( 'i',	3,      705,     0 ), /*   704 restr             */
-  S_ST( 'c',	3,      397,     0 ), /*   705 restri            */
-  S_ST( 'v',	3,      707,   700 ), /*   706 re                */
-  S_ST( 'o',	3,      708,     0 ), /*   707 rev               */
-  S_ST( 'k',	3,      398,     0 ), /*   708 revo              */
-  S_ST( 'l',	3,      710,   690 ), /*   709 r                 */
-  S_ST( 'i',	3,      711,     0 ), /*   710 rl                */
-  S_ST( 'm',	3,      712,     0 ), /*   711 rli               */
-  S_ST( 'i',	3,      399,     0 ), /*   712 rlim              */
-  S_ST( 's',	3,      786,   678 ), /*   713                   */
-  S_ST( 'a',	3,      715,     0 ), /*   714 s                 */
-  S_ST( 'v',	3,      716,     0 ), /*   715 sa                */
-  S_ST( 'e',	3,      717,     0 ), /*   716 sav               */
-  S_ST( 'c',	3,      718,     0 ), /*   717 save              */
-  S_ST( 'o',	3,      719,     0 ), /*   718 savec             */
-  S_ST( 'n',	3,      720,     0 ), /*   719 saveco            */
-  S_ST( 'f',	3,      721,     0 ), /*   720 savecon           */
-  S_ST( 'i',	3,      722,     0 ), /*   721 saveconf          */
-  S_ST( 'g',	3,      723,     0 ), /*   722 saveconfi         */
-  S_ST( 'd',	3,      724,     0 ), /*   723 saveconfig        */
-  S_ST( 'i',	3,      400,     0 ), /*   724 saveconfigd       */
-  S_ST( 'e',	3,      735,   714 ), /*   725 s                 */
-  S_ST( 'r',	3,      727,     0 ), /*   726 se                */
-  S_ST( 'v',	3,      728,     0 ), /*   727 ser               */
-  S_ST( 'e',	3,      401,     0 ), /*   728 serv              */
-  S_ST( '_',	3,      730,     0 ), /*   729 server            */
-  S_ST( 'o',	3,      731,     0 ), /*   730 server_           */
-  S_ST( 'f',	3,      732,     0 ), /*   731 server_o          */
-  S_ST( 'f',	3,      733,     0 ), /*   732 server_of         */
-  S_ST( 's',	3,      734,     0 ), /*   733 server_off        */
-  S_ST( 'e',	3,      442,     0 ), /*   734 server_offs       */
-  S_ST( 't',	3,      736,   726 ), /*   735 se                */
-  S_ST( 'v',	3,      737,     0 ), /*   736 set               */
-  S_ST( 'a',	3,      402,     0 ), /*   737 setv              */
-  S_ST( 'i',	3,      739,   725 ), /*   738 s                 */
-  S_ST( 'm',	3,      740,     0 ), /*   739 si                */
-  S_ST( 'u',	3,      741,     0 ), /*   740 sim               */
-  S_ST( 'l',	3,      742,     0 ), /*   741 simu              */
-  S_ST( 'a',	3,      743,     0 ), /*   742 simul             */
-  S_ST( 't',	3,      744,     0 ), /*   743 simula            */
-  S_ST( 'i',	3,      745,   439 ), /*   744 simulat           */
-  S_ST( 'o',	3,      746,     0 ), /*   745 simulati          */
-  S_ST( 'n',	3,      747,     0 ), /*   746 simulatio         */
-  S_ST( '_',	3,      748,     0 ), /*   747 simulation        */
-  S_ST( 'd',	3,      749,     0 ), /*   748 simulation_       */
-  S_ST( 'u',	3,      750,     0 ), /*   749 simulation_d      */
-  S_ST( 'r',	3,      751,     0 ), /*   750 simulation_du     */
-  S_ST( 'a',	3,      752,     0 ), /*   751 simulation_dur    */
-  S_ST( 't',	3,      753,     0 ), /*   752 simulation_dura   */
-  S_ST( 'i',	3,      754,     0 ), /*   753 simulation_durat  */
-  S_ST( 'o',	3,      441,     0 ), /*   754 simulation_durati */
-  S_ST( 'o',	3,      756,   738 ), /*   755 s                 */
-  S_ST( 'u',	3,      757,     0 ), /*   756 so                */
-  S_ST( 'r',	3,      758,     0 ), /*   757 sou               */
-  S_ST( 'c',	3,      403,     0 ), /*   758 sour              */
-  S_ST( 't',	3,      782,   755 ), /*   759 s                 */
-  S_ST( 'a',	3,      766,     0 ), /*   760 st                */
-  S_ST( 'c',	3,      762,     0 ), /*   761 sta               */
-  S_ST( 'k',	3,      763,     0 ), /*   762 stac              */
-  S_ST( 's',	3,      764,     0 ), /*   763 stack             */
-  S_ST( 'i',	3,      765,     0 ), /*   764 stacks            */
-  S_ST( 'z',	3,      404,     0 ), /*   765 stacksi           */
-  S_ST( 't',	3,      406,   761 ), /*   766 sta               */
-  S_ST( 'i',	3,      768,     0 ), /*   767 stat              */
-  S_ST( 's',	3,      769,     0 ), /*   768 stati             */
-  S_ST( 't',	3,      770,     0 ), /*   769 statis            */
-  S_ST( 'i',	3,      771,     0 ), /*   770 statist           */
-  S_ST( 'c',	3,      405,     0 ), /*   771 statisti          */
-  S_ST( 'd',	3,      773,     0 ), /*   772 stats             */
-  S_ST( 'i',	3,      407,     0 ), /*   773 statsd            */
-  S_ST( 'e',	3,      408,   760 ), /*   774 st                */
-  S_ST( 'b',	3,      776,     0 ), /*   775 step              */
-  S_ST( 'a',	3,      777,     0 ), /*   776 stepb             */
-  S_ST( 'c',	3,      409,     0 ), /*   777 stepba            */
-  S_ST( 'f',	3,      779,   775 ), /*   778 step              */
-  S_ST( 'w',	3,      410,     0 ), /*   779 stepf             */
-  S_ST( 'o',	3,      781,   778 ), /*   780 step              */
-  S_ST( 'u',	3,      411,     0 ), /*   781 stepo             */
-  S_ST( 'r',	3,      783,   774 ), /*   782 st                */
-  S_ST( 'a',	3,      784,     0 ), /*   783 str               */
-  S_ST( 't',	3,      785,     0 ), /*   784 stra              */
-  S_ST( 'u',	3,      412,     0 ), /*   785 strat             */
-  S_ST( 'y',	3,      414,   759 ), /*   786 s                 */
-  S_ST( 's',	3,      788,     0 ), /*   787 sys               */
-  S_ST( 't',	3,      789,     0 ), /*   788 syss              */
-  S_ST( 'a',	3,      790,     0 ), /*   789 sysst             */
-  S_ST( 't',	3,      415,     0 ), /*   790 syssta            */
-  S_ST( 't',	3,      817,   713 ), /*   791                   */
-  S_ST( 'i',	3,      803,     0 ), /*   792 t                 */
-  S_ST( 'c',	3,      416,     0 ), /*   793 ti                */
-  S_ST( 'm',	3,      796,   793 ), /*   794 ti                */
-  S_ST( 'e',	3,      419,     0 ), /*   795 tim               */
-  S_ST( 'i',	3,      797,   795 ), /*   796 tim               */
-  S_ST( 'n',	3,      798,     0 ), /*   797 timi              */
-  S_ST( 'g',	3,      799,     0 ), /*   798 timin             */
-  S_ST( 's',	3,      800,     0 ), /*   799 timing            */
-  S_ST( 't',	3,      801,     0 ), /*   800 timings           */
-  S_ST( 'a',	3,      802,     0 ), /*   801 timingst          */
-  S_ST( 't',	3,      420,     0 ), /*   802 timingsta         */
-  S_ST( 'n',	3,      804,   794 ), /*   803 ti                */
-  S_ST( 'k',	3,      805,     0 ), /*   804 tin               */
-  S_ST( 'e',	3,      421,     0 ), /*   805 tink              */
-  S_ST( 'o',	3,      422,   792 ), /*   806 t                 */
-  S_ST( 'r',	3,      809,   806 ), /*   807 t                 */
-  S_ST( 'a',	3,      423,     0 ), /*   808 tr                */
-  S_ST( 'u',	3,      810,   808 ), /*   809 tr                */
-  S_ST( 's',	3,      811,   424 ), /*   810 tru               */
-  S_ST( 't',	3,      812,     0 ), /*   811 trus              */
-  S_ST( 'e',	3,      813,     0 ), /*   812 trust             */
-  S_ST( 'd',	3,      814,     0 ), /*   813 truste            */
-  S_ST( 'k',	3,      815,     0 ), /*   814 trusted           */
-  S_ST( 'e',	3,      425,     0 ), /*   815 trustedk          */
-  S_ST( 't',	3,      426,   807 ), /*   816 t                 */
-  S_ST( 'y',	3,      818,   816 ), /*   817 t                 */
-  S_ST( 'p',	3,      427,     0 ), /*   818 ty                */
-  S_ST( 'u',	3,      820,   791 ), /*   819                   */
-  S_ST( 'n',	3,      826,     0 ), /*   820 u                 */
-  S_ST( 'c',	3,      822,     0 ), /*   821 un                */
-  S_ST( 'o',	3,      823,     0 ), /*   822 unc               */
-  S_ST( 'n',	3,      824,     0 ), /*   823 unco              */
-  S_ST( 'f',	3,      825,     0 ), /*   824 uncon             */
-  S_ST( 'i',	3,      429,     0 ), /*   825 unconf            */
-  S_ST( 'p',	3,      827,   821 ), /*   826 un                */
-  S_ST( 'e',	3,      828,     0 ), /*   827 unp               */
-  S_ST( 'e',	3,      430,     0 ), /*   828 unpe              */
-  S_ST( 'v',	3,      830,   819 ), /*   829                   */
-  S_ST( 'e',	3,      831,     0 ), /*   830 v                 */
-  S_ST( 'r',	3,      832,     0 ), /*   831 ve                */
-  S_ST( 's',	3,      833,     0 ), /*   832 ver               */
-  S_ST( 'i',	3,      834,     0 ), /*   833 vers              */
-  S_ST( 'o',	3,      431,     0 ), /*   834 versi             */
-  S_ST( 'w',	3,      842,   829 ), /*   835                   */
-  S_ST( 'a',	3,      837,     0 ), /*   836 w                 */
-  S_ST( 'n',	3,      838,     0 ), /*   837 wa                */
-  S_ST( 'd',	3,      839,     0 ), /*   838 wan               */
-  S_ST( 'e',	3,      445,     0 ), /*   839 wand              */
-  S_ST( 'e',	3,      841,   836 ), /*   840 w                 */
-  S_ST( 'e',	3,      433,     0 ), /*   841 we                */
-  S_ST( 'i',	3,      843,   840 ), /*   842 w                 */
-  S_ST( 'l',	3,      844,     0 ), /*   843 wi                */
-  S_ST( 'd',	3,      845,     0 ), /*   844 wil               */
-  S_ST( 'c',	3,      846,     0 ), /*   845 wild              */
-  S_ST( 'a',	3,      847,     0 ), /*   846 wildc             */
-  S_ST( 'r',	3,      434,     0 ), /*   847 wildca            */
-  S_ST( 'x',	3,      849,   835 ), /*   848                   */
-  S_ST( 'l',	3,      850,     0 ), /*   849 x                 */
-  S_ST( 'e',	3,      851,     0 ), /*   850 xl                */
-  S_ST( 'a',	3,      852,     0 ), /*   851 xle               */
-  S_ST( 'v',	3,      435,     0 ), /*   852 xlea              */
-  S_ST( 'y',	3,      854,   848 ), /*   853 [initial state]   */
-  S_ST( 'e',	3,      855,     0 ), /*   854 y                 */
-  S_ST( 'a',	3,      436,     0 )  /*   855 ye                */
+  S_ST( 'y',	0,        0,     0 ), /*   429 T_UEcrypto        */
+  S_ST( 'y',	0,        0,     0 ), /*   430 T_UEcryptonak     */
+  S_ST( 'y',	0,        0,     0 ), /*   431 T_UEdigest        */
+  S_ST( 'g',	1,        0,     0 ), /*   432 T_Unconfig        */
+  S_ST( 'r',	1,      832,     0 ), /*   433 T_Unpeer          */
+  S_ST( 'n',	0,        0,     0 ), /*   434 T_Version         */
+  S_ST( 's',	3,      440,   428 ), /*   435 li                */
+  S_ST( 'k',	0,        0,     0 ), /*   436 T_Week            */
+  S_ST( 'd',	0,        0,     0 ), /*   437 T_Wildcard        */
+  S_ST( 'e',	0,        0,     0 ), /*   438 T_Xleave          */
+  S_ST( 'r',	0,        0,     0 ), /*   439 T_Year            */
+  S_ST( 't',	3,      441,     0 ), /*   440 lis               */
+  S_ST( 'e',	3,      334,     0 ), /*   441 list              */
+  S_ST( 'e',	0,        0,     0 ), /*   442 T_Simulate        */
+  S_ST( 'y',	0,        0,     0 ), /*   443 T_Beep_Delay      */
+  S_ST( 'n',	0,        0,     0 ), /*   444 T_Sim_Duration    */
+  S_ST( 't',	0,        0,     0 ), /*   445 T_Server_Offset   */
+  S_ST( 'n',	0,        0,     0 ), /*   446 T_Duration        */
+  S_ST( 't',	0,        0,     0 ), /*   447 T_Freq_Offset     */
+  S_ST( 'r',	0,        0,     0 ), /*   448 T_Wander          */
+  S_ST( 'r',	0,        0,     0 ), /*   449 T_Jitter          */
+  S_ST( 'y',	0,        0,     0 ), /*   450 T_Prop_Delay      */
+  S_ST( 'y',	0,        0,     0 ), /*   451 T_Proc_Delay      */
+  S_ST( 'o',	3,      468,   287 ), /*   452 l                 */
+  S_ST( 'g',	3,      459,     0 ), /*   453 lo                */
+  S_ST( 'c',	3,      455,     0 ), /*   454 log               */
+  S_ST( 'o',	3,      456,     0 ), /*   455 logc              */
+  S_ST( 'n',	3,      457,     0 ), /*   456 logco             */
+  S_ST( 'f',	3,      458,     0 ), /*   457 logcon            */
+  S_ST( 'i',	3,      335,     0 ), /*   458 logconf           */
+  S_ST( 'f',	3,      460,   454 ), /*   459 log               */
+  S_ST( 'i',	3,      461,     0 ), /*   460 logf              */
+  S_ST( 'l',	3,      336,     0 ), /*   461 logfi             */
+  S_ST( 'o',	3,      463,   453 ), /*   462 lo                */
+  S_ST( 'p',	3,      464,     0 ), /*   463 loo               */
+  S_ST( 's',	3,      465,     0 ), /*   464 loop              */
+  S_ST( 't',	3,      466,     0 ), /*   465 loops             */
+  S_ST( 'a',	3,      467,     0 ), /*   466 loopst            */
+  S_ST( 't',	3,      337,     0 ), /*   467 loopsta           */
+  S_ST( 'w',	3,      469,   462 ), /*   468 lo                */
+  S_ST( 'p',	3,      470,     0 ), /*   469 low               */
+  S_ST( 'r',	3,      471,     0 ), /*   470 lowp              */
+  S_ST( 'i',	3,      472,     0 ), /*   471 lowpr             */
+  S_ST( 'o',	3,      473,     0 ), /*   472 lowpri            */
+  S_ST( 't',	3,      474,     0 ), /*   473 lowprio           */
+  S_ST( 'r',	3,      475,     0 ), /*   474 lowpriot          */
+  S_ST( 'a',	3,      338,     0 ), /*   475 lowpriotr         */
+  S_ST( 'm',	3,      557,   239 ), /*   476                   */
+  S_ST( 'a',	3,      495,     0 ), /*   477 m                 */
+  S_ST( 'n',	3,      479,     0 ), /*   478 ma                */
+  S_ST( 'y',	3,      480,     0 ), /*   479 man               */
+  S_ST( 'c',	3,      481,     0 ), /*   480 many              */
+  S_ST( 'a',	3,      482,     0 ), /*   481 manyc             */
+  S_ST( 's',	3,      483,     0 ), /*   482 manyca            */
+  S_ST( 't',	3,      489,     0 ), /*   483 manycas           */
+  S_ST( 'c',	3,      485,     0 ), /*   484 manycast          */
+  S_ST( 'l',	3,      486,     0 ), /*   485 manycastc         */
+  S_ST( 'i',	3,      487,     0 ), /*   486 manycastcl        */
+  S_ST( 'e',	3,      488,     0 ), /*   487 manycastcli       */
+  S_ST( 'n',	3,      339,     0 ), /*   488 manycastclie      */
+  S_ST( 's',	3,      490,   484 ), /*   489 manycast          */
+  S_ST( 'e',	3,      491,     0 ), /*   490 manycasts         */
+  S_ST( 'r',	3,      492,     0 ), /*   491 manycastse        */
+  S_ST( 'v',	3,      493,     0 ), /*   492 manycastser       */
+  S_ST( 'e',	3,      340,     0 ), /*   493 manycastserv      */
+  S_ST( 's',	3,      341,   478 ), /*   494 ma                */
+  S_ST( 'x',	3,      510,   494 ), /*   495 ma                */
+  S_ST( 'a',	3,      497,     0 ), /*   496 max               */
+  S_ST( 'g',	3,      342,     0 ), /*   497 maxa              */
+  S_ST( 'c',	3,      499,   496 ), /*   498 max               */
+  S_ST( 'l',	3,      500,     0 ), /*   499 maxc              */
+  S_ST( 'o',	3,      501,     0 ), /*   500 maxcl             */
+  S_ST( 'c',	3,      343,     0 ), /*   501 maxclo            */
+  S_ST( 'd',	3,      506,   498 ), /*   502 max               */
+  S_ST( 'e',	3,      504,     0 ), /*   503 maxd              */
+  S_ST( 'p',	3,      505,     0 ), /*   504 maxde             */
+  S_ST( 't',	3,      344,     0 ), /*   505 maxdep            */
+  S_ST( 'i',	3,      507,   503 ), /*   506 maxd              */
+  S_ST( 's',	3,      345,     0 ), /*   507 maxdi             */
+  S_ST( 'm',	3,      509,   502 ), /*   508 max               */
+  S_ST( 'e',	3,      346,     0 ), /*   509 maxm              */
+  S_ST( 'p',	3,      511,   508 ), /*   510 max               */
+  S_ST( 'o',	3,      512,     0 ), /*   511 maxp              */
+  S_ST( 'l',	3,      347,     0 ), /*   512 maxpo             */
+  S_ST( 'd',	3,      514,   477 ), /*   513 m                 */
+  S_ST( 'n',	3,      515,     0 ), /*   514 md                */
+  S_ST( 's',	3,      516,     0 ), /*   515 mdn               */
+  S_ST( 't',	3,      517,     0 ), /*   516 mdns              */
+  S_ST( 'r',	3,      518,     0 ), /*   517 mdnst             */
+  S_ST( 'i',	3,      519,     0 ), /*   518 mdnstr            */
+  S_ST( 'e',	3,      348,     0 ), /*   519 mdnstri           */
+  S_ST( 'e',	3,      349,   513 ), /*   520 m                 */
+  S_ST( 'l',	3,      522,     0 ), /*   521 mem               */
+  S_ST( 'o',	3,      523,     0 ), /*   522 meml              */
+  S_ST( 'c',	3,      350,     0 ), /*   523 memlo             */
+  S_ST( 'i',	3,      525,   520 ), /*   524 m                 */
+  S_ST( 'n',	3,      542,     0 ), /*   525 mi                */
+  S_ST( 'c',	3,      527,     0 ), /*   526 min               */
+  S_ST( 'l',	3,      528,     0 ), /*   527 minc              */
+  S_ST( 'o',	3,      529,     0 ), /*   528 mincl             */
+  S_ST( 'c',	3,      351,     0 ), /*   529 minclo            */
+  S_ST( 'd',	3,      534,   526 ), /*   530 min               */
+  S_ST( 'e',	3,      532,     0 ), /*   531 mind              */
+  S_ST( 'p',	3,      533,     0 ), /*   532 minde             */
+  S_ST( 't',	3,      352,     0 ), /*   533 mindep            */
+  S_ST( 'i',	3,      535,   531 ), /*   534 mind              */
+  S_ST( 's',	3,      353,     0 ), /*   535 mindi             */
+  S_ST( 'i',	3,      537,   530 ), /*   536 min               */
+  S_ST( 'm',	3,      538,     0 ), /*   537 mini              */
+  S_ST( 'u',	3,      354,     0 ), /*   538 minim             */
+  S_ST( 'p',	3,      540,   536 ), /*   539 min               */
+  S_ST( 'o',	3,      541,     0 ), /*   540 minp              */
+  S_ST( 'l',	3,      355,     0 ), /*   541 minpo             */
+  S_ST( 's',	3,      543,   539 ), /*   542 min               */
+  S_ST( 'a',	3,      544,     0 ), /*   543 mins              */
+  S_ST( 'n',	3,      356,     0 ), /*   544 minsa             */
+  S_ST( 'o',	3,      547,   524 ), /*   545 m                 */
+  S_ST( 'd',	3,      357,     0 ), /*   546 mo                */
+  S_ST( 'n',	3,      551,   546 ), /*   547 mo                */
+  S_ST( 'i',	3,      549,     0 ), /*   548 mon               */
+  S_ST( 't',	3,      550,     0 ), /*   549 moni              */
+  S_ST( 'o',	3,      359,     0 ), /*   550 monit             */
+  S_ST( 't',	3,      360,   548 ), /*   551 mon               */
+  S_ST( 'r',	3,      361,   545 ), /*   552 m                 */
+  S_ST( 's',	3,      554,   552 ), /*   553 m                 */
+  S_ST( 's',	3,      555,     0 ), /*   554 ms                */
+  S_ST( 'n',	3,      556,     0 ), /*   555 mss               */
+  S_ST( 't',	3,      329,     0 ), /*   556 mssn              */
+  S_ST( 'u',	3,      558,   553 ), /*   557 m                 */
+  S_ST( 'l',	3,      559,     0 ), /*   558 mu                */
+  S_ST( 't',	3,      560,     0 ), /*   559 mul               */
+  S_ST( 'i',	3,      561,     0 ), /*   560 mult              */
+  S_ST( 'c',	3,      562,     0 ), /*   561 multi             */
+  S_ST( 'a',	3,      563,     0 ), /*   562 multic            */
+  S_ST( 's',	3,      564,     0 ), /*   563 multica           */
+  S_ST( 't',	3,      565,     0 ), /*   564 multicas          */
+  S_ST( 'c',	3,      566,     0 ), /*   565 multicast         */
+  S_ST( 'l',	3,      567,     0 ), /*   566 multicastc        */
+  S_ST( 'i',	3,      568,     0 ), /*   567 multicastcl       */
+  S_ST( 'e',	3,      569,     0 ), /*   568 multicastcli      */
+  S_ST( 'n',	3,      362,     0 ), /*   569 multicastclie     */
+  S_ST( 'n',	3,      613,   476 ), /*   570                   */
+  S_ST( 'i',	3,      363,     0 ), /*   571 n                 */
+  S_ST( 'o',	3,      608,   571 ), /*   572 n                 */
+  S_ST( 'l',	3,      574,     0 ), /*   573 no                */
+  S_ST( 'i',	3,      575,     0 ), /*   574 nol               */
+  S_ST( 'n',	3,      364,     0 ), /*   575 noli              */
+  S_ST( 'm',	3,      581,   573 ), /*   576 no                */
+  S_ST( 'o',	3,      578,     0 ), /*   577 nom               */
+  S_ST( 'd',	3,      579,     0 ), /*   578 nomo              */
+  S_ST( 'i',	3,      580,     0 ), /*   579 nomod             */
+  S_ST( 'f',	3,      365,     0 ), /*   580 nomodi            */
+  S_ST( 'r',	3,      582,   577 ), /*   581 nom               */
+  S_ST( 'u',	3,      583,     0 ), /*   582 nomr              */
+  S_ST( 'l',	3,      584,     0 ), /*   583 nomru             */
+  S_ST( 'i',	3,      585,     0 ), /*   584 nomrul            */
+  S_ST( 's',	3,      366,     0 ), /*   585 nomruli           */
+  S_ST( 'n',	3,      587,   576 ), /*   586 no                */
+  S_ST( 'v',	3,      588,   367 ), /*   587 non               */
+  S_ST( 'o',	3,      589,     0 ), /*   588 nonv              */
+  S_ST( 'l',	3,      590,     0 ), /*   589 nonvo             */
+  S_ST( 'a',	3,      591,     0 ), /*   590 nonvol            */
+  S_ST( 't',	3,      592,     0 ), /*   591 nonvola           */
+  S_ST( 'i',	3,      593,     0 ), /*   592 nonvolat          */
+  S_ST( 'l',	3,      368,     0 ), /*   593 nonvolati         */
+  S_ST( 'p',	3,      595,   586 ), /*   594 no                */
+  S_ST( 'e',	3,      596,     0 ), /*   595 nop               */
+  S_ST( 'e',	3,      369,     0 ), /*   596 nope              */
+  S_ST( 'q',	3,      598,   594 ), /*   597 no                */
+  S_ST( 'u',	3,      599,     0 ), /*   598 noq               */
+  S_ST( 'e',	3,      600,     0 ), /*   599 noqu              */
+  S_ST( 'r',	3,      370,     0 ), /*   600 noque             */
+  S_ST( 's',	3,      602,   597 ), /*   601 no                */
+  S_ST( 'e',	3,      606,     0 ), /*   602 nos               */
+  S_ST( 'l',	3,      604,     0 ), /*   603 nose              */
+  S_ST( 'e',	3,      605,     0 ), /*   604 nosel             */
+  S_ST( 'c',	3,      371,     0 ), /*   605 nosele            */
+  S_ST( 'r',	3,      607,   603 ), /*   606 nose              */
+  S_ST( 'v',	3,      372,     0 ), /*   607 noser             */
+  S_ST( 't',	3,      609,   601 ), /*   608 no                */
+  S_ST( 'r',	3,      611,     0 ), /*   609 not               */
+  S_ST( 'a',	3,      373,     0 ), /*   610 notr              */
+  S_ST( 'u',	3,      612,   610 ), /*   611 notr              */
+  S_ST( 's',	3,      374,     0 ), /*   612 notru             */
+  S_ST( 't',	3,      375,   572 ), /*   613 n                 */
+  S_ST( 'p',	3,      615,     0 ), /*   614 ntp               */
+  S_ST( 'o',	3,      616,     0 ), /*   615 ntpp              */
+  S_ST( 'r',	3,      376,     0 ), /*   616 ntppo             */
+  S_ST( 's',	3,      618,   614 ), /*   617 ntp               */
+  S_ST( 'i',	3,      619,     0 ), /*   618 ntps              */
+  S_ST( 'g',	3,      620,     0 ), /*   619 ntpsi             */
+  S_ST( 'n',	3,      621,     0 ), /*   620 ntpsig            */
+  S_ST( 'd',	3,      622,     0 ), /*   621 ntpsign           */
+  S_ST( 's',	3,      623,     0 ), /*   622 ntpsignd          */
+  S_ST( 'o',	3,      624,     0 ), /*   623 ntpsignds         */
+  S_ST( 'c',	3,      625,     0 ), /*   624 ntpsigndso        */
+  S_ST( 'k',	3,      626,     0 ), /*   625 ntpsigndsoc       */
+  S_ST( 'e',	3,      377,     0 ), /*   626 ntpsigndsock      */
+  S_ST( 'o',	3,      628,   570 ), /*   627                   */
+  S_ST( 'r',	3,      629,     0 ), /*   628 o                 */
+  S_ST( 'p',	3,      630,     0 ), /*   629 or                */
+  S_ST( 'h',	3,      631,     0 ), /*   630 orp               */
+  S_ST( 'a',	3,      378,     0 ), /*   631 orph              */
+  S_ST( 'w',	3,      633,     0 ), /*   632 orphan            */
+  S_ST( 'a',	3,      634,     0 ), /*   633 orphanw           */
+  S_ST( 'i',	3,      379,     0 ), /*   634 orphanwa          */
+  S_ST( 'p',	3,      391,   627 ), /*   635                   */
+  S_ST( 'a',	3,      637,     0 ), /*   636 p                 */
+  S_ST( 'n',	3,      638,     0 ), /*   637 pa                */
+  S_ST( 'i',	3,      380,     0 ), /*   638 pan               */
+  S_ST( 'e',	3,      640,   636 ), /*   639 p                 */
+  S_ST( 'e',	3,      381,     0 ), /*   640 pe                */
+  S_ST( 's',	3,      642,     0 ), /*   641 peer              */
+  S_ST( 't',	3,      643,     0 ), /*   642 peers             */
+  S_ST( 'a',	3,      644,     0 ), /*   643 peerst            */
+  S_ST( 't',	3,      382,     0 ), /*   644 peersta           */
+  S_ST( 'h',	3,      646,   639 ), /*   645 p                 */
+  S_ST( 'o',	3,      647,     0 ), /*   646 ph                */
+  S_ST( 'n',	3,      383,     0 ), /*   647 pho               */
+  S_ST( 'i',	3,      384,   645 ), /*   648 p                 */
+  S_ST( 'f',	3,      650,     0 ), /*   649 pid               */
+  S_ST( 'i',	3,      651,     0 ), /*   650 pidf              */
+  S_ST( 'l',	3,      385,     0 ), /*   651 pidfi             */
+  S_ST( 'o',	3,      654,   648 ), /*   652 p                 */
+  S_ST( 'o',	3,      386,     0 ), /*   653 po                */
+  S_ST( 'r',	3,      387,   653 ), /*   654 po                */
+  S_ST( 'r',	3,      662,   652 ), /*   655 p                 */
+  S_ST( 'e',	3,      660,     0 ), /*   656 pr                */
+  S_ST( 'e',	3,      658,     0 ), /*   657 pre               */
+  S_ST( 'm',	3,      659,     0 ), /*   658 pree              */
+  S_ST( 'p',	3,      388,     0 ), /*   659 preem             */
+  S_ST( 'f',	3,      661,   657 ), /*   660 pre               */
+  S_ST( 'e',	3,      389,     0 ), /*   661 pref              */
+  S_ST( 'o',	3,      675,   656 ), /*   662 pr                */
+  S_ST( 'c',	3,      664,     0 ), /*   663 pro               */
+  S_ST( '_',	3,      665,     0 ), /*   664 proc              */
+  S_ST( 'd',	3,      666,     0 ), /*   665 proc_             */
+  S_ST( 'e',	3,      667,     0 ), /*   666 proc_d            */
+  S_ST( 'l',	3,      668,     0 ), /*   667 proc_de           */
+  S_ST( 'a',	3,      451,     0 ), /*   668 proc_del          */
+  S_ST( 'p',	3,      670,   663 ), /*   669 pro               */
+  S_ST( '_',	3,      671,     0 ), /*   670 prop              */
+  S_ST( 'd',	3,      672,     0 ), /*   671 prop_             */
+  S_ST( 'e',	3,      673,     0 ), /*   672 prop_d            */
+  S_ST( 'l',	3,      674,     0 ), /*   673 prop_de           */
+  S_ST( 'a',	3,      450,     0 ), /*   674 prop_del          */
+  S_ST( 't',	3,      676,   669 ), /*   675 pro               */
+  S_ST( 'o',	3,      677,     0 ), /*   676 prot              */
+  S_ST( 's',	3,      678,     0 ), /*   677 proto             */
+  S_ST( 't',	3,      679,     0 ), /*   678 protos            */
+  S_ST( 'a',	3,      680,     0 ), /*   679 protost           */
+  S_ST( 't',	3,      390,     0 ), /*   680 protosta          */
+  S_ST( 'r',	3,      712,   635 ), /*   681                   */
+  S_ST( 'a',	3,      688,     0 ), /*   682 r                 */
+  S_ST( 'n',	3,      684,     0 ), /*   683 ra                */
+  S_ST( 'd',	3,      685,     0 ), /*   684 ran               */
+  S_ST( 'f',	3,      686,     0 ), /*   685 rand              */
+  S_ST( 'i',	3,      687,     0 ), /*   686 randf             */
+  S_ST( 'l',	3,      392,     0 ), /*   687 randfi            */
+  S_ST( 'w',	3,      689,   683 ), /*   688 ra                */
+  S_ST( 's',	3,      690,     0 ), /*   689 raw               */
+  S_ST( 't',	3,      691,     0 ), /*   690 raws              */
+  S_ST( 'a',	3,      692,     0 ), /*   691 rawst             */
+  S_ST( 't',	3,      393,     0 ), /*   692 rawsta            */
+  S_ST( 'e',	3,      709,   682 ), /*   693 r                 */
+  S_ST( 'f',	3,      695,     0 ), /*   694 re                */
+  S_ST( 'i',	3,      394,     0 ), /*   695 ref               */
+  S_ST( 'q',	3,      697,   694 ), /*   696 re                */
+  S_ST( 'u',	3,      698,     0 ), /*   697 req               */
+  S_ST( 'e',	3,      699,     0 ), /*   698 requ              */
+  S_ST( 's',	3,      700,     0 ), /*   699 reque             */
+  S_ST( 't',	3,      701,     0 ), /*   700 reques            */
+  S_ST( 'k',	3,      702,     0 ), /*   701 request           */
+  S_ST( 'e',	3,      395,     0 ), /*   702 requestk          */
+  S_ST( 's',	3,      705,   696 ), /*   703 re                */
+  S_ST( 'e',	3,      396,     0 ), /*   704 res               */
+  S_ST( 't',	3,      706,   704 ), /*   705 res               */
+  S_ST( 'r',	3,      707,     0 ), /*   706 rest              */
+  S_ST( 'i',	3,      708,     0 ), /*   707 restr             */
+  S_ST( 'c',	3,      397,     0 ), /*   708 restri            */
+  S_ST( 'v',	3,      710,   703 ), /*   709 re                */
+  S_ST( 'o',	3,      711,     0 ), /*   710 rev               */
+  S_ST( 'k',	3,      398,     0 ), /*   711 revo              */
+  S_ST( 'l',	3,      713,   693 ), /*   712 r                 */
+  S_ST( 'i',	3,      714,     0 ), /*   713 rl                */
+  S_ST( 'm',	3,      715,     0 ), /*   714 rli               */
+  S_ST( 'i',	3,      399,     0 ), /*   715 rlim              */
+  S_ST( 's',	3,      789,   681 ), /*   716                   */
+  S_ST( 'a',	3,      718,     0 ), /*   717 s                 */
+  S_ST( 'v',	3,      719,     0 ), /*   718 sa                */
+  S_ST( 'e',	3,      720,     0 ), /*   719 sav               */
+  S_ST( 'c',	3,      721,     0 ), /*   720 save              */
+  S_ST( 'o',	3,      722,     0 ), /*   721 savec             */
+  S_ST( 'n',	3,      723,     0 ), /*   722 saveco            */
+  S_ST( 'f',	3,      724,     0 ), /*   723 savecon           */
+  S_ST( 'i',	3,      725,     0 ), /*   724 saveconf          */
+  S_ST( 'g',	3,      726,     0 ), /*   725 saveconfi         */
+  S_ST( 'd',	3,      727,     0 ), /*   726 saveconfig        */
+  S_ST( 'i',	3,      400,     0 ), /*   727 saveconfigd       */
+  S_ST( 'e',	3,      738,   717 ), /*   728 s                 */
+  S_ST( 'r',	3,      730,     0 ), /*   729 se                */
+  S_ST( 'v',	3,      731,     0 ), /*   730 ser               */
+  S_ST( 'e',	3,      401,     0 ), /*   731 serv              */
+  S_ST( '_',	3,      733,     0 ), /*   732 server            */
+  S_ST( 'o',	3,      734,     0 ), /*   733 server_           */
+  S_ST( 'f',	3,      735,     0 ), /*   734 server_o          */
+  S_ST( 'f',	3,      736,     0 ), /*   735 server_of         */
+  S_ST( 's',	3,      737,     0 ), /*   736 server_off        */
+  S_ST( 'e',	3,      445,     0 ), /*   737 server_offs       */
+  S_ST( 't',	3,      739,   729 ), /*   738 se                */
+  S_ST( 'v',	3,      740,     0 ), /*   739 set               */
+  S_ST( 'a',	3,      402,     0 ), /*   740 setv              */
+  S_ST( 'i',	3,      742,   728 ), /*   741 s                 */
+  S_ST( 'm',	3,      743,     0 ), /*   742 si                */
+  S_ST( 'u',	3,      744,     0 ), /*   743 sim               */
+  S_ST( 'l',	3,      745,     0 ), /*   744 simu              */
+  S_ST( 'a',	3,      746,     0 ), /*   745 simul             */
+  S_ST( 't',	3,      747,     0 ), /*   746 simula            */
+  S_ST( 'i',	3,      748,   442 ), /*   747 simulat           */
+  S_ST( 'o',	3,      749,     0 ), /*   748 simulati          */
+  S_ST( 'n',	3,      750,     0 ), /*   749 simulatio         */
+  S_ST( '_',	3,      751,     0 ), /*   750 simulation        */
+  S_ST( 'd',	3,      752,     0 ), /*   751 simulation_       */
+  S_ST( 'u',	3,      753,     0 ), /*   752 simulation_d      */
+  S_ST( 'r',	3,      754,     0 ), /*   753 simulation_du     */
+  S_ST( 'a',	3,      755,     0 ), /*   754 simulation_dur    */
+  S_ST( 't',	3,      756,     0 ), /*   755 simulation_dura   */
+  S_ST( 'i',	3,      757,     0 ), /*   756 simulation_durat  */
+  S_ST( 'o',	3,      444,     0 ), /*   757 simulation_durati */
+  S_ST( 'o',	3,      759,   741 ), /*   758 s                 */
+  S_ST( 'u',	3,      760,     0 ), /*   759 so                */
+  S_ST( 'r',	3,      761,     0 ), /*   760 sou               */
+  S_ST( 'c',	3,      403,     0 ), /*   761 sour              */
+  S_ST( 't',	3,      785,   758 ), /*   762 s                 */
+  S_ST( 'a',	3,      769,     0 ), /*   763 st                */
+  S_ST( 'c',	3,      765,     0 ), /*   764 sta               */
+  S_ST( 'k',	3,      766,     0 ), /*   765 stac              */
+  S_ST( 's',	3,      767,     0 ), /*   766 stack             */
+  S_ST( 'i',	3,      768,     0 ), /*   767 stacks            */
+  S_ST( 'z',	3,      404,     0 ), /*   768 stacksi           */
+  S_ST( 't',	3,      406,   764 ), /*   769 sta               */
+  S_ST( 'i',	3,      771,     0 ), /*   770 stat              */
+  S_ST( 's',	3,      772,     0 ), /*   771 stati             */
+  S_ST( 't',	3,      773,     0 ), /*   772 statis            */
+  S_ST( 'i',	3,      774,     0 ), /*   773 statist           */
+  S_ST( 'c',	3,      405,     0 ), /*   774 statisti          */
+  S_ST( 'd',	3,      776,     0 ), /*   775 stats             */
+  S_ST( 'i',	3,      407,     0 ), /*   776 statsd            */
+  S_ST( 'e',	3,      408,   763 ), /*   777 st                */
+  S_ST( 'b',	3,      779,     0 ), /*   778 step              */
+  S_ST( 'a',	3,      780,     0 ), /*   779 stepb             */
+  S_ST( 'c',	3,      409,     0 ), /*   780 stepba            */
+  S_ST( 'f',	3,      782,   778 ), /*   781 step              */
+  S_ST( 'w',	3,      410,     0 ), /*   782 stepf             */
+  S_ST( 'o',	3,      784,   781 ), /*   783 step              */
+  S_ST( 'u',	3,      411,     0 ), /*   784 stepo             */
+  S_ST( 'r',	3,      786,   777 ), /*   785 st                */
+  S_ST( 'a',	3,      787,     0 ), /*   786 str               */
+  S_ST( 't',	3,      788,     0 ), /*   787 stra              */
+  S_ST( 'u',	3,      412,     0 ), /*   788 strat             */
+  S_ST( 'y',	3,      414,   762 ), /*   789 s                 */
+  S_ST( 's',	3,      791,     0 ), /*   790 sys               */
+  S_ST( 't',	3,      792,     0 ), /*   791 syss              */
+  S_ST( 'a',	3,      793,     0 ), /*   792 sysst             */
+  S_ST( 't',	3,      415,     0 ), /*   793 syssta            */
+  S_ST( 't',	3,      820,   716 ), /*   794                   */
+  S_ST( 'i',	3,      806,     0 ), /*   795 t                 */
+  S_ST( 'c',	3,      416,     0 ), /*   796 ti                */
+  S_ST( 'm',	3,      799,   796 ), /*   797 ti                */
+  S_ST( 'e',	3,      419,     0 ), /*   798 tim               */
+  S_ST( 'i',	3,      800,   798 ), /*   799 tim               */
+  S_ST( 'n',	3,      801,     0 ), /*   800 timi              */
+  S_ST( 'g',	3,      802,     0 ), /*   801 timin             */
+  S_ST( 's',	3,      803,     0 ), /*   802 timing            */
+  S_ST( 't',	3,      804,     0 ), /*   803 timings           */
+  S_ST( 'a',	3,      805,     0 ), /*   804 timingst          */
+  S_ST( 't',	3,      420,     0 ), /*   805 timingsta         */
+  S_ST( 'n',	3,      807,   797 ), /*   806 ti                */
+  S_ST( 'k',	3,      808,     0 ), /*   807 tin               */
+  S_ST( 'e',	3,      421,     0 ), /*   808 tink              */
+  S_ST( 'o',	3,      422,   795 ), /*   809 t                 */
+  S_ST( 'r',	3,      812,   809 ), /*   810 t                 */
+  S_ST( 'a',	3,      423,     0 ), /*   811 tr                */
+  S_ST( 'u',	3,      813,   811 ), /*   812 tr                */
+  S_ST( 's',	3,      814,   424 ), /*   813 tru               */
+  S_ST( 't',	3,      815,     0 ), /*   814 trus              */
+  S_ST( 'e',	3,      816,     0 ), /*   815 trust             */
+  S_ST( 'd',	3,      817,     0 ), /*   816 truste            */
+  S_ST( 'k',	3,      818,     0 ), /*   817 trusted           */
+  S_ST( 'e',	3,      425,     0 ), /*   818 trustedk          */
+  S_ST( 't',	3,      426,   810 ), /*   819 t                 */
+  S_ST( 'y',	3,      821,   819 ), /*   820 t                 */
+  S_ST( 'p',	3,      427,     0 ), /*   821 ty                */
+  S_ST( 'u',	3,      823,   794 ), /*   822                   */
+  S_ST( 'n',	3,      829,     0 ), /*   823 u                 */
+  S_ST( 'c',	3,      825,     0 ), /*   824 un                */
+  S_ST( 'o',	3,      826,     0 ), /*   825 unc               */
+  S_ST( 'n',	3,      827,     0 ), /*   826 unco              */
+  S_ST( 'f',	3,      828,     0 ), /*   827 uncon             */
+  S_ST( 'i',	3,      432,     0 ), /*   828 unconf            */
+  S_ST( 'p',	3,      830,   824 ), /*   829 un                */
+  S_ST( 'e',	3,      831,     0 ), /*   830 unp               */
+  S_ST( 'e',	3,      433,     0 ), /*   831 unpe              */
+  S_ST( '_',	3,      852,     0 ), /*   832 unpeer            */
+  S_ST( 'c',	3,      834,     0 ), /*   833 unpeer_           */
+  S_ST( 'r',	3,      835,     0 ), /*   834 unpeer_c          */
+  S_ST( 'y',	3,      836,     0 ), /*   835 unpeer_cr         */
+  S_ST( 'p',	3,      837,     0 ), /*   836 unpeer_cry        */
+  S_ST( 't',	3,      838,     0 ), /*   837 unpeer_cryp       */
+  S_ST( 'o',	3,      839,     0 ), /*   838 unpeer_crypt      */
+  S_ST( '_',	3,      844,     0 ), /*   839 unpeer_crypto     */
+  S_ST( 'e',	3,      841,     0 ), /*   840 unpeer_crypto_    */
+  S_ST( 'a',	3,      842,     0 ), /*   841 unpeer_crypto_e   */
+  S_ST( 'r',	3,      843,     0 ), /*   842 unpeer_crypto_ea  */
+  S_ST( 'l',	3,      429,     0 ), /*   843 unpeer_crypto_ear */
+  S_ST( 'n',	3,      845,   840 ), /*   844 unpeer_crypto_    */
+  S_ST( 'a',	3,      846,     0 ), /*   845 unpeer_crypto_n   */
+  S_ST( 'k',	3,      847,     0 ), /*   846 unpeer_crypto_na  */
+  S_ST( '_',	3,      848,     0 ), /*   847 unpeer_crypto_nak */
+  S_ST( 'e',	3,      849,     0 ), /*   848 unpeer_crypto_nak_ */
+  S_ST( 'a',	3,      850,     0 ), /*   849 unpeer_crypto_nak_e */
+  S_ST( 'r',	3,      851,     0 ), /*   850 unpeer_crypto_nak_ea */
+  S_ST( 'l',	3,      430,     0 ), /*   851 unpeer_crypto_nak_ear */
+  S_ST( 'd',	3,      853,   833 ), /*   852 unpeer_           */
+  S_ST( 'i',	3,      854,     0 ), /*   853 unpeer_d          */
+  S_ST( 'g',	3,      855,     0 ), /*   854 unpeer_di         */
+  S_ST( 'e',	3,      856,     0 ), /*   855 unpeer_dig        */
+  S_ST( 's',	3,      857,     0 ), /*   856 unpeer_dige       */
+  S_ST( 't',	3,      858,     0 ), /*   857 unpeer_diges      */
+  S_ST( '_',	3,      859,     0 ), /*   858 unpeer_digest     */
+  S_ST( 'e',	3,      860,     0 ), /*   859 unpeer_digest_    */
+  S_ST( 'a',	3,      861,     0 ), /*   860 unpeer_digest_e   */
+  S_ST( 'r',	3,      862,     0 ), /*   861 unpeer_digest_ea  */
+  S_ST( 'l',	3,      431,     0 ), /*   862 unpeer_digest_ear */
+  S_ST( 'v',	3,      864,   822 ), /*   863                   */
+  S_ST( 'e',	3,      865,     0 ), /*   864 v                 */
+  S_ST( 'r',	3,      866,     0 ), /*   865 ve                */
+  S_ST( 's',	3,      867,     0 ), /*   866 ver               */
+  S_ST( 'i',	3,      868,     0 ), /*   867 vers              */
+  S_ST( 'o',	3,      434,     0 ), /*   868 versi             */
+  S_ST( 'w',	3,      876,   863 ), /*   869                   */
+  S_ST( 'a',	3,      871,     0 ), /*   870 w                 */
+  S_ST( 'n',	3,      872,     0 ), /*   871 wa                */
+  S_ST( 'd',	3,      873,     0 ), /*   872 wan               */
+  S_ST( 'e',	3,      448,     0 ), /*   873 wand              */
+  S_ST( 'e',	3,      875,   870 ), /*   874 w                 */
+  S_ST( 'e',	3,      436,     0 ), /*   875 we                */
+  S_ST( 'i',	3,      877,   874 ), /*   876 w                 */
+  S_ST( 'l',	3,      878,     0 ), /*   877 wi                */
+  S_ST( 'd',	3,      879,     0 ), /*   878 wil               */
+  S_ST( 'c',	3,      880,     0 ), /*   879 wild              */
+  S_ST( 'a',	3,      881,     0 ), /*   880 wildc             */
+  S_ST( 'r',	3,      437,     0 ), /*   881 wildca            */
+  S_ST( 'x',	3,      883,   869 ), /*   882                   */
+  S_ST( 'l',	3,      884,     0 ), /*   883 x                 */
+  S_ST( 'e',	3,      885,     0 ), /*   884 xl                */
+  S_ST( 'a',	3,      886,     0 ), /*   885 xle               */
+  S_ST( 'v',	3,      438,     0 ), /*   886 xlea              */
+  S_ST( 'y',	3,      888,   882 ), /*   887 [initial state]   */
+  S_ST( 'e',	3,      889,     0 ), /*   888 y                 */
+  S_ST( 'a',	3,      439,     0 )  /*   889 ye                */
 };
 
diff --git a/contrib/ntp/ntpd/ntp_parser.c b/contrib/ntp/ntpd/ntp_parser.c
index cc17950..3159669 100644
--- a/contrib/ntp/ntpd/ntp_parser.c
+++ b/contrib/ntp/ntpd/ntp_parser.c
@@ -1,19 +1,19 @@
-/* A Bison parser, made by GNU Bison 3.0.2.  */
+/* A Bison parser, made by GNU Bison 2.7.12-4996.  */
 
 /* Bison implementation for Yacc-like parsers in C
-
-   Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
-
+   
+      Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
+   
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
-
+   
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-
+   
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
 
@@ -26,7 +26,7 @@
    special exception, which will cause the skeleton and the resulting
    Bison output files to be licensed under the GNU General Public
    License without this special exception.
-
+   
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
@@ -44,7 +44,7 @@
 #define YYBISON 1
 
 /* Bison version.  */
-#define YYBISON_VERSION "3.0.2"
+#define YYBISON_VERSION "2.7.12-4996"
 
 /* Skeleton name.  */
 #define YYSKELETON_NAME "yacc.c"
@@ -62,7 +62,8 @@
 
 
 /* Copy the first part of user declarations.  */
-#line 11 "../../ntpd/ntp_parser.y" /* yacc.c:339  */
+/* Line 371 of yacc.c  */
+#line 11 "../../ntpd/ntp_parser.y"
 
   #ifdef HAVE_CONFIG_H
   # include <config.h>
@@ -96,13 +97,14 @@
   #  define ONLY_SIM(a)	NULL
   #endif
 
-#line 100 "../../ntpd/ntp_parser.c" /* yacc.c:339  */
+/* Line 371 of yacc.c  */
+#line 102 "ntp_parser.c"
 
-# ifndef YY_NULLPTR
+# ifndef YY_NULL
 #  if defined __cplusplus && 201103L <= __cplusplus
-#   define YY_NULLPTR nullptr
+#   define YY_NULL nullptr
 #  else
-#   define YY_NULLPTR 0
+#   define YY_NULL 0
 #  endif
 # endif
 
@@ -116,9 +118,9 @@
 
 /* In a future release of Bison, this section will be replaced
    by #include "y.tab.h".  */
-#ifndef YY_YY__NTPD_NTP_PARSER_H_INCLUDED
-# define YY_YY__NTPD_NTP_PARSER_H_INCLUDED
-/* Debug traces.  */
+#ifndef YY_YY_NTP_PARSER_H_INCLUDED
+# define YY_YY_NTP_PARSER_H_INCLUDED
+/* Enabling traces.  */
 #ifndef YYDEBUG
 # define YYDEBUG 1
 #endif
@@ -126,203 +128,207 @@
 extern int yydebug;
 #endif
 
-/* Token type.  */
+/* Tokens.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
-  enum yytokentype
-  {
-    T_Abbrev = 258,
-    T_Age = 259,
-    T_All = 260,
-    T_Allan = 261,
-    T_Allpeers = 262,
-    T_Auth = 263,
-    T_Autokey = 264,
-    T_Automax = 265,
-    T_Average = 266,
-    T_Bclient = 267,
-    T_Beacon = 268,
-    T_Broadcast = 269,
-    T_Broadcastclient = 270,
-    T_Broadcastdelay = 271,
-    T_Burst = 272,
-    T_Calibrate = 273,
-    T_Ceiling = 274,
-    T_Clockstats = 275,
-    T_Cohort = 276,
-    T_ControlKey = 277,
-    T_Crypto = 278,
-    T_Cryptostats = 279,
-    T_Ctl = 280,
-    T_Day = 281,
-    T_Default = 282,
-    T_Digest = 283,
-    T_Disable = 284,
-    T_Discard = 285,
-    T_Dispersion = 286,
-    T_Double = 287,
-    T_Driftfile = 288,
-    T_Drop = 289,
-    T_Dscp = 290,
-    T_Ellipsis = 291,
-    T_Enable = 292,
-    T_End = 293,
-    T_False = 294,
-    T_File = 295,
-    T_Filegen = 296,
-    T_Filenum = 297,
-    T_Flag1 = 298,
-    T_Flag2 = 299,
-    T_Flag3 = 300,
-    T_Flag4 = 301,
-    T_Flake = 302,
-    T_Floor = 303,
-    T_Freq = 304,
-    T_Fudge = 305,
-    T_Host = 306,
-    T_Huffpuff = 307,
-    T_Iburst = 308,
-    T_Ident = 309,
-    T_Ignore = 310,
-    T_Incalloc = 311,
-    T_Incmem = 312,
-    T_Initalloc = 313,
-    T_Initmem = 314,
-    T_Includefile = 315,
-    T_Integer = 316,
-    T_Interface = 317,
-    T_Intrange = 318,
-    T_Io = 319,
-    T_Ipv4 = 320,
-    T_Ipv4_flag = 321,
-    T_Ipv6 = 322,
-    T_Ipv6_flag = 323,
-    T_Kernel = 324,
-    T_Key = 325,
-    T_Keys = 326,
-    T_Keysdir = 327,
-    T_Kod = 328,
-    T_Mssntp = 329,
-    T_Leapfile = 330,
-    T_Leapsmearinterval = 331,
-    T_Limited = 332,
-    T_Link = 333,
-    T_Listen = 334,
-    T_Logconfig = 335,
-    T_Logfile = 336,
-    T_Loopstats = 337,
-    T_Lowpriotrap = 338,
-    T_Manycastclient = 339,
-    T_Manycastserver = 340,
-    T_Mask = 341,
-    T_Maxage = 342,
-    T_Maxclock = 343,
-    T_Maxdepth = 344,
-    T_Maxdist = 345,
-    T_Maxmem = 346,
-    T_Maxpoll = 347,
-    T_Mdnstries = 348,
-    T_Mem = 349,
-    T_Memlock = 350,
-    T_Minclock = 351,
-    T_Mindepth = 352,
-    T_Mindist = 353,
-    T_Minimum = 354,
-    T_Minpoll = 355,
-    T_Minsane = 356,
-    T_Mode = 357,
-    T_Mode7 = 358,
-    T_Monitor = 359,
-    T_Month = 360,
-    T_Mru = 361,
-    T_Multicastclient = 362,
-    T_Nic = 363,
-    T_Nolink = 364,
-    T_Nomodify = 365,
-    T_Nomrulist = 366,
-    T_None = 367,
-    T_Nonvolatile = 368,
-    T_Nopeer = 369,
-    T_Noquery = 370,
-    T_Noselect = 371,
-    T_Noserve = 372,
-    T_Notrap = 373,
-    T_Notrust = 374,
-    T_Ntp = 375,
-    T_Ntpport = 376,
-    T_NtpSignDsocket = 377,
-    T_Orphan = 378,
-    T_Orphanwait = 379,
-    T_Panic = 380,
-    T_Peer = 381,
-    T_Peerstats = 382,
-    T_Phone = 383,
-    T_Pid = 384,
-    T_Pidfile = 385,
-    T_Pool = 386,
-    T_Port = 387,
-    T_Preempt = 388,
-    T_Prefer = 389,
-    T_Protostats = 390,
-    T_Pw = 391,
-    T_Randfile = 392,
-    T_Rawstats = 393,
-    T_Refid = 394,
-    T_Requestkey = 395,
-    T_Reset = 396,
-    T_Restrict = 397,
-    T_Revoke = 398,
-    T_Rlimit = 399,
-    T_Saveconfigdir = 400,
-    T_Server = 401,
-    T_Setvar = 402,
-    T_Source = 403,
-    T_Stacksize = 404,
-    T_Statistics = 405,
-    T_Stats = 406,
-    T_Statsdir = 407,
-    T_Step = 408,
-    T_Stepback = 409,
-    T_Stepfwd = 410,
-    T_Stepout = 411,
-    T_Stratum = 412,
-    T_String = 413,
-    T_Sys = 414,
-    T_Sysstats = 415,
-    T_Tick = 416,
-    T_Time1 = 417,
-    T_Time2 = 418,
-    T_Timer = 419,
-    T_Timingstats = 420,
-    T_Tinker = 421,
-    T_Tos = 422,
-    T_Trap = 423,
-    T_True = 424,
-    T_Trustedkey = 425,
-    T_Ttl = 426,
-    T_Type = 427,
-    T_U_int = 428,
-    T_Unconfig = 429,
-    T_Unpeer = 430,
-    T_Version = 431,
-    T_WanderThreshold = 432,
-    T_Week = 433,
-    T_Wildcard = 434,
-    T_Xleave = 435,
-    T_Year = 436,
-    T_Flag = 437,
-    T_EOC = 438,
-    T_Simulate = 439,
-    T_Beep_Delay = 440,
-    T_Sim_Duration = 441,
-    T_Server_Offset = 442,
-    T_Duration = 443,
-    T_Freq_Offset = 444,
-    T_Wander = 445,
-    T_Jitter = 446,
-    T_Prop_Delay = 447,
-    T_Proc_Delay = 448
-  };
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     T_Abbrev = 258,
+     T_Age = 259,
+     T_All = 260,
+     T_Allan = 261,
+     T_Allpeers = 262,
+     T_Auth = 263,
+     T_Autokey = 264,
+     T_Automax = 265,
+     T_Average = 266,
+     T_Bclient = 267,
+     T_Beacon = 268,
+     T_Broadcast = 269,
+     T_Broadcastclient = 270,
+     T_Broadcastdelay = 271,
+     T_Burst = 272,
+     T_Calibrate = 273,
+     T_Ceiling = 274,
+     T_Clockstats = 275,
+     T_Cohort = 276,
+     T_ControlKey = 277,
+     T_Crypto = 278,
+     T_Cryptostats = 279,
+     T_Ctl = 280,
+     T_Day = 281,
+     T_Default = 282,
+     T_Digest = 283,
+     T_Disable = 284,
+     T_Discard = 285,
+     T_Dispersion = 286,
+     T_Double = 287,
+     T_Driftfile = 288,
+     T_Drop = 289,
+     T_Dscp = 290,
+     T_Ellipsis = 291,
+     T_Enable = 292,
+     T_End = 293,
+     T_False = 294,
+     T_File = 295,
+     T_Filegen = 296,
+     T_Filenum = 297,
+     T_Flag1 = 298,
+     T_Flag2 = 299,
+     T_Flag3 = 300,
+     T_Flag4 = 301,
+     T_Flake = 302,
+     T_Floor = 303,
+     T_Freq = 304,
+     T_Fudge = 305,
+     T_Host = 306,
+     T_Huffpuff = 307,
+     T_Iburst = 308,
+     T_Ident = 309,
+     T_Ignore = 310,
+     T_Incalloc = 311,
+     T_Incmem = 312,
+     T_Initalloc = 313,
+     T_Initmem = 314,
+     T_Includefile = 315,
+     T_Integer = 316,
+     T_Interface = 317,
+     T_Intrange = 318,
+     T_Io = 319,
+     T_Ipv4 = 320,
+     T_Ipv4_flag = 321,
+     T_Ipv6 = 322,
+     T_Ipv6_flag = 323,
+     T_Kernel = 324,
+     T_Key = 325,
+     T_Keys = 326,
+     T_Keysdir = 327,
+     T_Kod = 328,
+     T_Mssntp = 329,
+     T_Leapfile = 330,
+     T_Leapsmearinterval = 331,
+     T_Limited = 332,
+     T_Link = 333,
+     T_Listen = 334,
+     T_Logconfig = 335,
+     T_Logfile = 336,
+     T_Loopstats = 337,
+     T_Lowpriotrap = 338,
+     T_Manycastclient = 339,
+     T_Manycastserver = 340,
+     T_Mask = 341,
+     T_Maxage = 342,
+     T_Maxclock = 343,
+     T_Maxdepth = 344,
+     T_Maxdist = 345,
+     T_Maxmem = 346,
+     T_Maxpoll = 347,
+     T_Mdnstries = 348,
+     T_Mem = 349,
+     T_Memlock = 350,
+     T_Minclock = 351,
+     T_Mindepth = 352,
+     T_Mindist = 353,
+     T_Minimum = 354,
+     T_Minpoll = 355,
+     T_Minsane = 356,
+     T_Mode = 357,
+     T_Mode7 = 358,
+     T_Monitor = 359,
+     T_Month = 360,
+     T_Mru = 361,
+     T_Multicastclient = 362,
+     T_Nic = 363,
+     T_Nolink = 364,
+     T_Nomodify = 365,
+     T_Nomrulist = 366,
+     T_None = 367,
+     T_Nonvolatile = 368,
+     T_Nopeer = 369,
+     T_Noquery = 370,
+     T_Noselect = 371,
+     T_Noserve = 372,
+     T_Notrap = 373,
+     T_Notrust = 374,
+     T_Ntp = 375,
+     T_Ntpport = 376,
+     T_NtpSignDsocket = 377,
+     T_Orphan = 378,
+     T_Orphanwait = 379,
+     T_Panic = 380,
+     T_Peer = 381,
+     T_Peerstats = 382,
+     T_Phone = 383,
+     T_Pid = 384,
+     T_Pidfile = 385,
+     T_Pool = 386,
+     T_Port = 387,
+     T_Preempt = 388,
+     T_Prefer = 389,
+     T_Protostats = 390,
+     T_Pw = 391,
+     T_Randfile = 392,
+     T_Rawstats = 393,
+     T_Refid = 394,
+     T_Requestkey = 395,
+     T_Reset = 396,
+     T_Restrict = 397,
+     T_Revoke = 398,
+     T_Rlimit = 399,
+     T_Saveconfigdir = 400,
+     T_Server = 401,
+     T_Setvar = 402,
+     T_Source = 403,
+     T_Stacksize = 404,
+     T_Statistics = 405,
+     T_Stats = 406,
+     T_Statsdir = 407,
+     T_Step = 408,
+     T_Stepback = 409,
+     T_Stepfwd = 410,
+     T_Stepout = 411,
+     T_Stratum = 412,
+     T_String = 413,
+     T_Sys = 414,
+     T_Sysstats = 415,
+     T_Tick = 416,
+     T_Time1 = 417,
+     T_Time2 = 418,
+     T_Timer = 419,
+     T_Timingstats = 420,
+     T_Tinker = 421,
+     T_Tos = 422,
+     T_Trap = 423,
+     T_True = 424,
+     T_Trustedkey = 425,
+     T_Ttl = 426,
+     T_Type = 427,
+     T_U_int = 428,
+     T_UEcrypto = 429,
+     T_UEcryptonak = 430,
+     T_UEdigest = 431,
+     T_Unconfig = 432,
+     T_Unpeer = 433,
+     T_Version = 434,
+     T_WanderThreshold = 435,
+     T_Week = 436,
+     T_Wildcard = 437,
+     T_Xleave = 438,
+     T_Year = 439,
+     T_Flag = 440,
+     T_EOC = 441,
+     T_Simulate = 442,
+     T_Beep_Delay = 443,
+     T_Sim_Duration = 444,
+     T_Server_Offset = 445,
+     T_Duration = 446,
+     T_Freq_Offset = 447,
+     T_Wander = 448,
+     T_Jitter = 449,
+     T_Prop_Delay = 450,
+     T_Proc_Delay = 451
+   };
 #endif
 /* Tokens.  */
 #define T_Abbrev 258
@@ -496,33 +502,37 @@ extern int yydebug;
 #define T_Ttl 426
 #define T_Type 427
 #define T_U_int 428
-#define T_Unconfig 429
-#define T_Unpeer 430
-#define T_Version 431
-#define T_WanderThreshold 432
-#define T_Week 433
-#define T_Wildcard 434
-#define T_Xleave 435
-#define T_Year 436
-#define T_Flag 437
-#define T_EOC 438
-#define T_Simulate 439
-#define T_Beep_Delay 440
-#define T_Sim_Duration 441
-#define T_Server_Offset 442
-#define T_Duration 443
-#define T_Freq_Offset 444
-#define T_Wander 445
-#define T_Jitter 446
-#define T_Prop_Delay 447
-#define T_Proc_Delay 448
-
-/* Value type.  */
+#define T_UEcrypto 429
+#define T_UEcryptonak 430
+#define T_UEdigest 431
+#define T_Unconfig 432
+#define T_Unpeer 433
+#define T_Version 434
+#define T_WanderThreshold 435
+#define T_Week 436
+#define T_Wildcard 437
+#define T_Xleave 438
+#define T_Year 439
+#define T_Flag 440
+#define T_EOC 441
+#define T_Simulate 442
+#define T_Beep_Delay 443
+#define T_Sim_Duration 444
+#define T_Server_Offset 445
+#define T_Duration 446
+#define T_Freq_Offset 447
+#define T_Wander 448
+#define T_Jitter 449
+#define T_Prop_Delay 450
+#define T_Proc_Delay 451
+
+
+
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-typedef union YYSTYPE YYSTYPE;
-union YYSTYPE
+typedef union YYSTYPE
 {
-#line 51 "../../ntpd/ntp_parser.y" /* yacc.c:355  */
+/* Line 387 of yacc.c  */
+#line 51 "../../ntpd/ntp_parser.y"
 
 	char *			String;
 	double			Double;
@@ -541,22 +551,37 @@ union YYSTYPE
 	script_info *		Sim_script;
 	script_info_fifo *	Sim_script_fifo;
 
-#line 545 "../../ntpd/ntp_parser.c" /* yacc.c:355  */
-};
+
+/* Line 387 of yacc.c  */
+#line 557 "ntp_parser.c"
+} YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
 #endif
 
-
 extern YYSTYPE yylval;
 
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
 int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
 
-#endif /* !YY_YY__NTPD_NTP_PARSER_H_INCLUDED  */
+#endif /* !YY_YY_NTP_PARSER_H_INCLUDED  */
 
 /* Copy the second part of user declarations.  */
 
-#line 560 "../../ntpd/ntp_parser.c" /* yacc.c:358  */
+/* Line 390 of yacc.c  */
+#line 585 "ntp_parser.c"
 
 #ifdef short
 # undef short
@@ -570,8 +595,11 @@ typedef unsigned char yytype_uint8;
 
 #ifdef YYTYPE_INT8
 typedef YYTYPE_INT8 yytype_int8;
-#else
+#elif (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 typedef signed char yytype_int8;
+#else
+typedef short int yytype_int8;
 #endif
 
 #ifdef YYTYPE_UINT16
@@ -591,7 +619,8 @@ typedef short int yytype_int16;
 #  define YYSIZE_T __SIZE_TYPE__
 # elif defined size_t
 #  define YYSIZE_T size_t
-# elif ! defined YYSIZE_T
+# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 #  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
 #  define YYSIZE_T size_t
 # else
@@ -613,30 +642,11 @@ typedef short int yytype_int16;
 # endif
 #endif
 
-#ifndef YY_ATTRIBUTE
-# if (defined __GNUC__                                               \
-      && (2 < __GNUC__ || (__GNUC__ == 2 && 96 <= __GNUC_MINOR__)))  \
-     || defined __SUNPRO_C && 0x5110 <= __SUNPRO_C
-#  define YY_ATTRIBUTE(Spec) __attribute__(Spec)
-# else
-#  define YY_ATTRIBUTE(Spec) /* empty */
-# endif
-#endif
-
-#ifndef YY_ATTRIBUTE_PURE
-# define YY_ATTRIBUTE_PURE   YY_ATTRIBUTE ((__pure__))
-#endif
-
-#ifndef YY_ATTRIBUTE_UNUSED
-# define YY_ATTRIBUTE_UNUSED YY_ATTRIBUTE ((__unused__))
-#endif
-
-#if !defined _Noreturn \
-     && (!defined __STDC_VERSION__ || __STDC_VERSION__ < 201112)
-# if defined _MSC_VER && 1200 <= _MSC_VER
-#  define _Noreturn __declspec (noreturn)
-# else
-#  define _Noreturn YY_ATTRIBUTE ((__noreturn__))
+#ifndef __attribute__
+/* This feature is available in gcc versions 2.5 and later.  */
+# if (! defined __GNUC__ || __GNUC__ < 2 \
+      || (__GNUC__ == 2 && __GNUC_MINOR__ < 5))
+#  define __attribute__(Spec) /* empty */
 # endif
 #endif
 
@@ -647,26 +657,25 @@ typedef short int yytype_int16;
 # define YYUSE(E) /* empty */
 #endif
 
-#if defined __GNUC__ && 407 <= __GNUC__ * 100 + __GNUC_MINOR__
-/* Suppress an incorrect diagnostic about yylval being uninitialized.  */
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \
-    _Pragma ("GCC diagnostic push") \
-    _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"")\
-    _Pragma ("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END \
-    _Pragma ("GCC diagnostic pop")
+
+/* Identity function, used to suppress warnings about constant conditions.  */
+#ifndef lint
+# define YYID(N) (N)
 #else
-# define YY_INITIAL_VALUE(Value) Value
-#endif
-#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static int
+YYID (int yyi)
+#else
+static int
+YYID (yyi)
+    int yyi;
 #endif
-#ifndef YY_INITIAL_VALUE
-# define YY_INITIAL_VALUE(Value) /* Nothing. */
+{
+  return yyi;
+}
 #endif
 
-
 #if ! defined yyoverflow || YYERROR_VERBOSE
 
 /* The parser invokes alloca or malloc; define the necessary symbols.  */
@@ -684,7 +693,8 @@ typedef short int yytype_int16;
 #    define alloca _alloca
 #   else
 #    define YYSTACK_ALLOC alloca
-#    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS
+#    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 #     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
       /* Use EXIT_SUCCESS as a witness for stdlib.h.  */
 #     ifndef EXIT_SUCCESS
@@ -696,8 +706,8 @@ typedef short int yytype_int16;
 # endif
 
 # ifdef YYSTACK_ALLOC
-   /* Pacify GCC's 'empty if-body' warning.  */
-#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (0)
+   /* Pacify GCC's `empty if-body' warning.  */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
 #  ifndef YYSTACK_ALLOC_MAXIMUM
     /* The OS might guarantee only one guard page at the bottom of the stack,
        and a page size can be as small as 4096 bytes.  So we cannot safely
@@ -713,7 +723,7 @@ typedef short int yytype_int16;
 #  endif
 #  if (defined __cplusplus && ! defined EXIT_SUCCESS \
        && ! ((defined YYMALLOC || defined malloc) \
-             && (defined YYFREE || defined free)))
+	     && (defined YYFREE || defined free)))
 #   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
 #   ifndef EXIT_SUCCESS
 #    define EXIT_SUCCESS 0
@@ -721,13 +731,15 @@ typedef short int yytype_int16;
 #  endif
 #  ifndef YYMALLOC
 #   define YYMALLOC malloc
-#   if ! defined malloc && ! defined EXIT_SUCCESS
+#   if ! defined malloc && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
 #   endif
 #  endif
 #  ifndef YYFREE
 #   define YYFREE free
-#   if ! defined free && ! defined EXIT_SUCCESS
+#   if ! defined free && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 void free (void *); /* INFRINGES ON USER NAME SPACE */
 #   endif
 #  endif
@@ -737,7 +749,7 @@ void free (void *); /* INFRINGES ON USER NAME SPACE */
 
 #if (! defined yyoverflow \
      && (! defined __cplusplus \
-         || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+	 || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
 
 /* A type that is properly aligned for any stack member.  */
 union yyalloc
@@ -762,16 +774,16 @@ union yyalloc
    elements in the stack, and YYPTR gives the new location of the
    stack.  Advance YYPTR to a properly aligned location for the next
    stack.  */
-# define YYSTACK_RELOCATE(Stack_alloc, Stack)                           \
-    do                                                                  \
-      {                                                                 \
-        YYSIZE_T yynewbytes;                                            \
-        YYCOPY (&yyptr->Stack_alloc, Stack, yysize);                    \
-        Stack = &yyptr->Stack_alloc;                                    \
-        yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
-        yyptr += yynewbytes / sizeof (*yyptr);                          \
-      }                                                                 \
-    while (0)
+# define YYSTACK_RELOCATE(Stack_alloc, Stack)				\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack_alloc, Stack, yysize);			\
+	Stack = &yyptr->Stack_alloc;					\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (YYID (0))
 
 #endif
 
@@ -790,50 +802,48 @@ union yyalloc
           for (yyi = 0; yyi < (Count); yyi++)   \
             (Dst)[yyi] = (Src)[yyi];            \
         }                                       \
-      while (0)
+      while (YYID (0))
 #  endif
 # endif
 #endif /* !YYCOPY_NEEDED */
 
 /* YYFINAL -- State number of the termination state.  */
-#define YYFINAL  210
+#define YYFINAL  213
 /* YYLAST -- Last index in YYTABLE.  */
-#define YYLAST   647
+#define YYLAST   624
 
 /* YYNTOKENS -- Number of terminals.  */
-#define YYNTOKENS  199
+#define YYNTOKENS  202
 /* YYNNTS -- Number of nonterminals.  */
 #define YYNNTS  105
 /* YYNRULES -- Number of rules.  */
-#define YYNRULES  313
-/* YYNSTATES -- Number of states.  */
-#define YYNSTATES  419
+#define YYNRULES  316
+/* YYNRULES -- Number of states.  */
+#define YYNSTATES  422
 
-/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
-   by yylex, with out-of-bounds checking.  */
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
 #define YYUNDEFTOK  2
-#define YYMAXUTOK   448
+#define YYMAXUTOK   451
 
-#define YYTRANSLATE(YYX)                                                \
+#define YYTRANSLATE(YYX)						\
   ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
 
-/* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
-   as returned by yylex, without out-of-bounds checking.  */
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
 static const yytype_uint8 yytranslate[] =
 {
        0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
-     195,   196,     2,     2,     2,     2,     2,     2,     2,     2,
+     198,   199,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
-       2,   194,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,   197,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
-       2,     2,     2,   197,     2,   198,     2,     2,     2,     2,
+       2,     2,     2,   200,     2,   201,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
        2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
@@ -865,45 +875,166 @@ static const yytype_uint8 yytranslate[] =
      155,   156,   157,   158,   159,   160,   161,   162,   163,   164,
      165,   166,   167,   168,   169,   170,   171,   172,   173,   174,
      175,   176,   177,   178,   179,   180,   181,   182,   183,   184,
-     185,   186,   187,   188,   189,   190,   191,   192,   193
+     185,   186,   187,   188,   189,   190,   191,   192,   193,   194,
+     195,   196
 };
 
 #if YYDEBUG
-  /* YYRLINE[YYN] -- Source line where rule number YYN was defined.  */
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const yytype_uint16 yyprhs[] =
+{
+       0,     0,     3,     5,     9,    12,    15,    16,    18,    20,
+      22,    24,    26,    28,    30,    32,    34,    36,    38,    40,
+      42,    46,    48,    50,    52,    54,    56,    58,    61,    63,
+      65,    67,    68,    71,    73,    75,    77,    79,    81,    83,
+      85,    87,    89,    91,    93,    95,    98,   101,   103,   105,
+     107,   109,   111,   113,   116,   118,   121,   123,   125,   127,
+     130,   133,   136,   139,   142,   145,   148,   151,   154,   157,
+     160,   163,   164,   167,   170,   173,   175,   177,   179,   181,
+     183,   186,   189,   191,   194,   197,   200,   202,   204,   206,
+     208,   210,   212,   214,   216,   218,   220,   223,   226,   230,
+     233,   235,   237,   239,   241,   243,   245,   247,   249,   251,
+     252,   255,   258,   261,   263,   265,   267,   269,   271,   273,
+     275,   277,   279,   281,   283,   285,   287,   290,   293,   297,
+     303,   307,   312,   317,   321,   322,   325,   327,   329,   331,
+     333,   335,   337,   339,   341,   343,   345,   347,   349,   351,
+     353,   355,   358,   360,   363,   365,   367,   369,   372,   374,
+     377,   379,   381,   383,   385,   387,   389,   391,   393,   397,
+     400,   402,   405,   408,   411,   414,   417,   419,   421,   423,
+     425,   427,   429,   432,   435,   437,   440,   442,   444,   446,
+     449,   452,   455,   457,   459,   461,   463,   465,   467,   469,
+     471,   473,   475,   477,   479,   481,   483,   486,   489,   491,
+     494,   496,   498,   500,   502,   504,   506,   508,   510,   512,
+     514,   516,   518,   521,   524,   527,   530,   534,   536,   539,
+     542,   545,   548,   552,   555,   557,   559,   561,   563,   565,
+     567,   569,   571,   573,   575,   577,   580,   581,   586,   588,
+     589,   590,   593,   596,   599,   602,   604,   606,   610,   614,
+     616,   618,   620,   622,   624,   626,   628,   630,   632,   635,
+     638,   640,   642,   644,   646,   648,   650,   652,   654,   657,
+     659,   662,   664,   666,   668,   674,   677,   679,   682,   684,
+     686,   688,   690,   692,   694,   700,   702,   706,   709,   713,
+     715,   717,   720,   722,   728,   733,   737,   740,   742,   749,
+     753,   756,   760,   762,   764,   766,   768
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
+static const yytype_int16 yyrhs[] =
+{
+     203,     0,    -1,   204,    -1,   204,   205,   186,    -1,   205,
+     186,    -1,     1,   186,    -1,    -1,   206,    -1,   219,    -1,
+     221,    -1,   222,    -1,   231,    -1,   239,    -1,   226,    -1,
+     248,    -1,   253,    -1,   257,    -1,   262,    -1,   266,    -1,
+     293,    -1,   207,   208,   211,    -1,   146,    -1,   131,    -1,
+     126,    -1,    14,    -1,    84,    -1,   209,    -1,   210,   158,
+      -1,   158,    -1,    66,    -1,    68,    -1,    -1,   211,   212,
+      -1,   213,    -1,   215,    -1,   217,    -1,   214,    -1,     9,
+      -1,    17,    -1,    53,    -1,   116,    -1,   133,    -1,   134,
+      -1,   169,    -1,   183,    -1,   216,    61,    -1,   216,   173,
+      -1,    70,    -1,   100,    -1,    92,    -1,   171,    -1,   102,
+      -1,   179,    -1,   218,   158,    -1,    54,    -1,   220,   208,
+      -1,   177,    -1,   178,    -1,    15,    -1,    85,   290,    -1,
+     107,   290,    -1,    93,    61,    -1,    10,    61,    -1,    22,
+      61,    -1,    23,   223,    -1,    71,   158,    -1,    72,   158,
+      -1,   140,    61,    -1,   143,    61,    -1,   170,   286,    -1,
+     122,   158,    -1,    -1,   223,   224,    -1,   225,   158,    -1,
+     143,    61,    -1,    51,    -1,    54,    -1,   136,    -1,   137,
+      -1,    28,    -1,   167,   227,    -1,   227,   228,    -1,   228,
+      -1,   229,    61,    -1,   230,   292,    -1,    21,   291,    -1,
+      19,    -1,    48,    -1,   123,    -1,   124,    -1,   101,    -1,
+      13,    -1,    98,    -1,    90,    -1,    96,    -1,    88,    -1,
+     150,   232,    -1,   152,   158,    -1,    41,   233,   234,    -1,
+     232,   233,    -1,   233,    -1,    20,    -1,    24,    -1,    82,
+      -1,   127,    -1,   138,    -1,   160,    -1,   165,    -1,   135,
+      -1,    -1,   234,   235,    -1,    40,   158,    -1,   172,   238,
+      -1,   236,    -1,   237,    -1,    78,    -1,   109,    -1,    37,
+      -1,    29,    -1,   112,    -1,   129,    -1,    26,    -1,   181,
+      -1,   105,    -1,   184,    -1,     4,    -1,    30,   242,    -1,
+     106,   245,    -1,   142,   208,   240,    -1,   142,   209,    86,
+     209,   240,    -1,   142,    27,   240,    -1,   142,    66,    27,
+     240,    -1,   142,    68,    27,   240,    -1,   142,   148,   240,
+      -1,    -1,   240,   241,    -1,    47,    -1,    55,    -1,    73,
+      -1,    74,    -1,    77,    -1,    83,    -1,   110,    -1,   111,
+      -1,   114,    -1,   115,    -1,   117,    -1,   118,    -1,   119,
+      -1,   121,    -1,   179,    -1,   242,   243,    -1,   243,    -1,
+     244,    61,    -1,    11,    -1,    99,    -1,   104,    -1,   245,
+     246,    -1,   246,    -1,   247,    61,    -1,    56,    -1,    57,
+      -1,    58,    -1,    59,    -1,    87,    -1,    89,    -1,    91,
+      -1,    97,    -1,    50,   208,   249,    -1,   249,   250,    -1,
+     250,    -1,   251,   292,    -1,   252,   291,    -1,   157,    61,
+      -1,     3,   158,    -1,   139,   158,    -1,   162,    -1,   163,
+      -1,    43,    -1,    44,    -1,    45,    -1,    46,    -1,   144,
+     254,    -1,   254,   255,    -1,   255,    -1,   256,    61,    -1,
+      95,    -1,   149,    -1,    42,    -1,    37,   258,    -1,    29,
+     258,    -1,   258,   259,    -1,   259,    -1,   260,    -1,   261,
+      -1,     8,    -1,    12,    -1,    18,    -1,    69,    -1,   104,
+      -1,   120,    -1,   103,    -1,   151,    -1,   174,    -1,   175,
+      -1,   176,    -1,   166,   263,    -1,   263,   264,    -1,   264,
+      -1,   265,   292,    -1,     6,    -1,    31,    -1,    49,    -1,
+      52,    -1,   125,    -1,   153,    -1,   154,    -1,   155,    -1,
+     156,    -1,   161,    -1,   278,    -1,   282,    -1,   267,   292,
+      -1,   268,    61,    -1,   269,   158,    -1,   270,   158,    -1,
+      60,   158,   205,    -1,    38,    -1,    33,   271,    -1,    80,
+     276,    -1,   128,   289,    -1,   147,   272,    -1,   168,   209,
+     274,    -1,   171,   285,    -1,    16,    -1,   113,    -1,   161,
+      -1,    35,    -1,    76,    -1,    54,    -1,    75,    -1,    81,
+      -1,   130,    -1,   145,    -1,   158,    -1,   158,    32,    -1,
+      -1,   158,   197,   158,   273,    -1,    27,    -1,    -1,    -1,
+     274,   275,    -1,   132,    61,    -1,    62,   209,    -1,   276,
+     277,    -1,   277,    -1,   158,    -1,   279,   281,   280,    -1,
+     279,   281,   158,    -1,    62,    -1,   108,    -1,     5,    -1,
+      65,    -1,    67,    -1,   182,    -1,    79,    -1,    55,    -1,
+      34,    -1,   141,   283,    -1,   283,   284,    -1,   284,    -1,
+       7,    -1,     8,    -1,    25,    -1,    64,    -1,    94,    -1,
+     159,    -1,   164,    -1,   285,    61,    -1,    61,    -1,   286,
+     287,    -1,   287,    -1,    61,    -1,   288,    -1,   198,    61,
+      36,    61,   199,    -1,   289,   158,    -1,   158,    -1,   290,
+     208,    -1,   208,    -1,    61,    -1,   169,    -1,    39,    -1,
+      61,    -1,    32,    -1,   294,   200,   295,   298,   201,    -1,
+     187,    -1,   295,   296,   186,    -1,   296,   186,    -1,   297,
+     197,   292,    -1,   188,    -1,   189,    -1,   298,   299,    -1,
+     299,    -1,   301,   200,   300,   302,   201,    -1,   190,   197,
+     292,   186,    -1,   146,   197,   208,    -1,   302,   303,    -1,
+     303,    -1,   191,   197,   292,   200,   304,   201,    -1,   304,
+     305,   186,    -1,   305,   186,    -1,   306,   197,   292,    -1,
+     192,    -1,   193,    -1,   194,    -1,   195,    -1,   196,    -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint16 yyrline[] =
 {
-       0,   366,   366,   370,   371,   372,   387,   388,   389,   390,
-     391,   392,   393,   394,   395,   396,   397,   398,   399,   400,
-     408,   418,   419,   420,   421,   422,   426,   427,   432,   437,
-     439,   445,   446,   454,   455,   456,   460,   465,   466,   467,
-     468,   469,   470,   471,   472,   476,   478,   483,   484,   485,
-     486,   487,   488,   492,   497,   506,   516,   517,   527,   529,
-     531,   533,   544,   551,   553,   558,   560,   562,   564,   566,
-     575,   581,   582,   590,   592,   604,   605,   606,   607,   608,
-     617,   622,   627,   635,   637,   639,   644,   645,   646,   647,
-     648,   649,   653,   654,   655,   656,   665,   667,   676,   686,
-     691,   699,   700,   701,   702,   703,   704,   705,   706,   711,
-     712,   720,   730,   739,   754,   759,   760,   764,   765,   769,
-     770,   771,   772,   773,   774,   775,   784,   788,   792,   800,
-     808,   816,   831,   846,   859,   860,   868,   869,   870,   871,
-     872,   873,   874,   875,   876,   877,   878,   879,   880,   881,
-     882,   886,   891,   899,   904,   905,   906,   910,   915,   923,
-     928,   929,   930,   931,   932,   933,   934,   935,   943,   953,
-     958,   966,   968,   970,   979,   981,   986,   987,   991,   992,
-     993,   994,  1002,  1007,  1012,  1020,  1025,  1026,  1027,  1036,
-    1038,  1043,  1048,  1056,  1058,  1075,  1076,  1077,  1078,  1079,
-    1080,  1084,  1085,  1093,  1098,  1103,  1111,  1116,  1117,  1118,
-    1119,  1120,  1121,  1122,  1123,  1124,  1125,  1134,  1135,  1136,
-    1143,  1150,  1157,  1173,  1192,  1194,  1196,  1198,  1200,  1202,
-    1209,  1214,  1215,  1216,  1220,  1224,  1233,  1234,  1238,  1239,
-    1240,  1244,  1255,  1269,  1281,  1286,  1288,  1293,  1294,  1302,
-    1304,  1312,  1317,  1325,  1350,  1357,  1367,  1368,  1372,  1373,
-    1374,  1375,  1379,  1380,  1381,  1385,  1390,  1395,  1403,  1404,
-    1405,  1406,  1407,  1408,  1409,  1419,  1424,  1432,  1437,  1445,
-    1447,  1451,  1456,  1461,  1469,  1474,  1482,  1491,  1492,  1496,
-    1497,  1506,  1524,  1528,  1533,  1541,  1546,  1547,  1551,  1556,
-    1564,  1569,  1574,  1579,  1584,  1592,  1597,  1602,  1610,  1615,
-    1616,  1617,  1618,  1619
+       0,   369,   369,   373,   374,   375,   390,   391,   392,   393,
+     394,   395,   396,   397,   398,   399,   400,   401,   402,   403,
+     411,   421,   422,   423,   424,   425,   429,   430,   435,   440,
+     442,   448,   449,   457,   458,   459,   463,   468,   469,   470,
+     471,   472,   473,   474,   475,   479,   481,   486,   487,   488,
+     489,   490,   491,   495,   500,   509,   519,   520,   530,   532,
+     534,   536,   547,   554,   556,   561,   563,   565,   567,   569,
+     578,   584,   585,   593,   595,   607,   608,   609,   610,   611,
+     620,   625,   630,   638,   640,   642,   647,   648,   649,   650,
+     651,   652,   656,   657,   658,   659,   668,   670,   679,   689,
+     694,   702,   703,   704,   705,   706,   707,   708,   709,   714,
+     715,   723,   733,   742,   757,   762,   763,   767,   768,   772,
+     773,   774,   775,   776,   777,   778,   787,   791,   795,   803,
+     811,   819,   834,   849,   862,   863,   871,   872,   873,   874,
+     875,   876,   877,   878,   879,   880,   881,   882,   883,   884,
+     885,   889,   894,   902,   907,   908,   909,   913,   918,   926,
+     931,   932,   933,   934,   935,   936,   937,   938,   946,   956,
+     961,   969,   971,   973,   982,   984,   989,   990,   994,   995,
+     996,   997,  1005,  1010,  1015,  1023,  1028,  1029,  1030,  1039,
+    1041,  1046,  1051,  1059,  1061,  1078,  1079,  1080,  1081,  1082,
+    1083,  1087,  1088,  1089,  1090,  1091,  1099,  1104,  1109,  1117,
+    1122,  1123,  1124,  1125,  1126,  1127,  1128,  1129,  1130,  1131,
+    1140,  1141,  1142,  1149,  1156,  1163,  1179,  1198,  1200,  1202,
+    1204,  1206,  1208,  1215,  1220,  1221,  1222,  1226,  1230,  1239,
+    1240,  1244,  1245,  1246,  1250,  1261,  1275,  1287,  1292,  1294,
+    1299,  1300,  1308,  1310,  1318,  1323,  1331,  1356,  1363,  1373,
+    1374,  1378,  1379,  1380,  1381,  1385,  1386,  1387,  1391,  1396,
+    1401,  1409,  1410,  1411,  1412,  1413,  1414,  1415,  1425,  1430,
+    1438,  1443,  1451,  1453,  1457,  1462,  1467,  1475,  1480,  1488,
+    1497,  1498,  1502,  1503,  1512,  1530,  1534,  1539,  1547,  1552,
+    1553,  1557,  1562,  1570,  1575,  1580,  1585,  1590,  1598,  1603,
+    1608,  1616,  1621,  1622,  1623,  1624,  1625
 };
 #endif
 
@@ -944,29 +1075,29 @@ static const char *const yytname[] =
   "T_Step", "T_Stepback", "T_Stepfwd", "T_Stepout", "T_Stratum",
   "T_String", "T_Sys", "T_Sysstats", "T_Tick", "T_Time1", "T_Time2",
   "T_Timer", "T_Timingstats", "T_Tinker", "T_Tos", "T_Trap", "T_True",
-  "T_Trustedkey", "T_Ttl", "T_Type", "T_U_int", "T_Unconfig", "T_Unpeer",
-  "T_Version", "T_WanderThreshold", "T_Week", "T_Wildcard", "T_Xleave",
-  "T_Year", "T_Flag", "T_EOC", "T_Simulate", "T_Beep_Delay",
-  "T_Sim_Duration", "T_Server_Offset", "T_Duration", "T_Freq_Offset",
-  "T_Wander", "T_Jitter", "T_Prop_Delay", "T_Proc_Delay", "'='", "'('",
-  "')'", "'{'", "'}'", "$accept", "configuration", "command_list",
-  "command", "server_command", "client_type", "address", "ip_address",
-  "address_fam", "option_list", "option", "option_flag",
-  "option_flag_keyword", "option_int", "option_int_keyword", "option_str",
-  "option_str_keyword", "unpeer_command", "unpeer_keyword",
-  "other_mode_command", "authentication_command", "crypto_command_list",
-  "crypto_command", "crypto_str_keyword", "orphan_mode_command",
-  "tos_option_list", "tos_option", "tos_option_int_keyword",
-  "tos_option_dbl_keyword", "monitoring_command", "stats_list", "stat",
-  "filegen_option_list", "filegen_option", "link_nolink", "enable_disable",
-  "filegen_type", "access_control_command", "ac_flag_list",
-  "access_control_flag", "discard_option_list", "discard_option",
-  "discard_option_keyword", "mru_option_list", "mru_option",
-  "mru_option_keyword", "fudge_command", "fudge_factor_list",
-  "fudge_factor", "fudge_factor_dbl_keyword", "fudge_factor_bool_keyword",
-  "rlimit_command", "rlimit_option_list", "rlimit_option",
-  "rlimit_option_keyword", "system_option_command", "system_option_list",
-  "system_option", "system_option_flag_keyword",
+  "T_Trustedkey", "T_Ttl", "T_Type", "T_U_int", "T_UEcrypto",
+  "T_UEcryptonak", "T_UEdigest", "T_Unconfig", "T_Unpeer", "T_Version",
+  "T_WanderThreshold", "T_Week", "T_Wildcard", "T_Xleave", "T_Year",
+  "T_Flag", "T_EOC", "T_Simulate", "T_Beep_Delay", "T_Sim_Duration",
+  "T_Server_Offset", "T_Duration", "T_Freq_Offset", "T_Wander", "T_Jitter",
+  "T_Prop_Delay", "T_Proc_Delay", "'='", "'('", "')'", "'{'", "'}'",
+  "$accept", "configuration", "command_list", "command", "server_command",
+  "client_type", "address", "ip_address", "address_fam", "option_list",
+  "option", "option_flag", "option_flag_keyword", "option_int",
+  "option_int_keyword", "option_str", "option_str_keyword",
+  "unpeer_command", "unpeer_keyword", "other_mode_command",
+  "authentication_command", "crypto_command_list", "crypto_command",
+  "crypto_str_keyword", "orphan_mode_command", "tos_option_list",
+  "tos_option", "tos_option_int_keyword", "tos_option_dbl_keyword",
+  "monitoring_command", "stats_list", "stat", "filegen_option_list",
+  "filegen_option", "link_nolink", "enable_disable", "filegen_type",
+  "access_control_command", "ac_flag_list", "access_control_flag",
+  "discard_option_list", "discard_option", "discard_option_keyword",
+  "mru_option_list", "mru_option", "mru_option_keyword", "fudge_command",
+  "fudge_factor_list", "fudge_factor", "fudge_factor_dbl_keyword",
+  "fudge_factor_bool_keyword", "rlimit_command", "rlimit_option_list",
+  "rlimit_option", "rlimit_option_keyword", "system_option_command",
+  "system_option_list", "system_option", "system_option_flag_keyword",
   "system_option_local_flag_keyword", "tinker_command",
   "tinker_option_list", "tinker_option", "tinker_option_keyword",
   "miscellaneous_command", "misc_cmd_dbl_keyword", "misc_cmd_int_keyword",
@@ -981,13 +1112,13 @@ static const char *const yytname[] =
   "sim_init_statement_list", "sim_init_statement", "sim_init_keyword",
   "sim_server_list", "sim_server", "sim_server_offset", "sim_server_name",
   "sim_act_list", "sim_act", "sim_act_stmt_list", "sim_act_stmt",
-  "sim_act_keyword", YY_NULLPTR
+  "sim_act_keyword", YY_NULL
 };
 #endif
 
 # ifdef YYPRINT
-/* YYTOKNUM[NUM] -- (External) token number corresponding to the
-   (internal) symbol number NUM (which must be that of a token).  */
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
 static const yytype_uint16 yytoknum[] =
 {
        0,   256,   257,   258,   259,   260,   261,   262,   263,   264,
@@ -1009,292 +1140,363 @@ static const yytype_uint16 yytoknum[] =
      415,   416,   417,   418,   419,   420,   421,   422,   423,   424,
      425,   426,   427,   428,   429,   430,   431,   432,   433,   434,
      435,   436,   437,   438,   439,   440,   441,   442,   443,   444,
-     445,   446,   447,   448,    61,    40,    41,   123,   125
+     445,   446,   447,   448,   449,   450,   451,    61,    40,    41,
+     123,   125
 };
 # endif
 
-#define YYPACT_NINF -185
-
-#define yypact_value_is_default(Yystate) \
-  (!!((Yystate) == (-185)))
-
-#define YYTABLE_NINF -7
-
-#define yytable_value_is_error(Yytable_value) \
-  0
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const yytype_uint16 yyr1[] =
+{
+       0,   202,   203,   204,   204,   204,   205,   205,   205,   205,
+     205,   205,   205,   205,   205,   205,   205,   205,   205,   205,
+     206,   207,   207,   207,   207,   207,   208,   208,   209,   210,
+     210,   211,   211,   212,   212,   212,   213,   214,   214,   214,
+     214,   214,   214,   214,   214,   215,   215,   216,   216,   216,
+     216,   216,   216,   217,   218,   219,   220,   220,   221,   221,
+     221,   221,   222,   222,   222,   222,   222,   222,   222,   222,
+     222,   223,   223,   224,   224,   225,   225,   225,   225,   225,
+     226,   227,   227,   228,   228,   228,   229,   229,   229,   229,
+     229,   229,   230,   230,   230,   230,   231,   231,   231,   232,
+     232,   233,   233,   233,   233,   233,   233,   233,   233,   234,
+     234,   235,   235,   235,   235,   236,   236,   237,   237,   238,
+     238,   238,   238,   238,   238,   238,   239,   239,   239,   239,
+     239,   239,   239,   239,   240,   240,   241,   241,   241,   241,
+     241,   241,   241,   241,   241,   241,   241,   241,   241,   241,
+     241,   242,   242,   243,   244,   244,   244,   245,   245,   246,
+     247,   247,   247,   247,   247,   247,   247,   247,   248,   249,
+     249,   250,   250,   250,   250,   250,   251,   251,   252,   252,
+     252,   252,   253,   254,   254,   255,   256,   256,   256,   257,
+     257,   258,   258,   259,   259,   260,   260,   260,   260,   260,
+     260,   261,   261,   261,   261,   261,   262,   263,   263,   264,
+     265,   265,   265,   265,   265,   265,   265,   265,   265,   265,
+     266,   266,   266,   266,   266,   266,   266,   266,   266,   266,
+     266,   266,   266,   266,   267,   267,   267,   268,   268,   269,
+     269,   270,   270,   270,   271,   271,   271,   272,   273,   273,
+     274,   274,   275,   275,   276,   276,   277,   278,   278,   279,
+     279,   280,   280,   280,   280,   281,   281,   281,   282,   283,
+     283,   284,   284,   284,   284,   284,   284,   284,   285,   285,
+     286,   286,   287,   287,   288,   289,   289,   290,   290,   291,
+     291,   291,   292,   292,   293,   294,   295,   295,   296,   297,
+     297,   298,   298,   299,   300,   301,   302,   302,   303,   304,
+     304,   305,   306,   306,   306,   306,   306
+};
 
-  /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
-     STATE-NUM.  */
-static const yytype_int16 yypact[] =
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const yytype_uint8 yyr2[] =
 {
-      78,  -169,   -34,  -185,  -185,  -185,   -29,  -185,    17,    43,
-    -124,  -185,    17,  -185,    -5,   -27,  -185,  -121,  -185,  -112,
-    -110,  -185,  -185,  -100,  -185,  -185,   -27,     0,   116,   -27,
-    -185,  -185,   -91,  -185,   -89,  -185,  -185,    11,    35,    30,
-      13,    31,  -185,  -185,   -83,    -5,   -78,  -185,   186,   523,
-     -76,   -56,    15,  -185,  -185,  -185,    83,   244,   -99,  -185,
-     -27,  -185,   -27,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,   -12,    24,   -71,   -69,  -185,   -11,  -185,
-    -185,  -107,  -185,  -185,  -185,     8,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,    17,  -185,  -185,  -185,  -185,  -185,
-    -185,    43,  -185,    34,    59,  -185,    17,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,     7,
-    -185,   -61,   407,  -185,  -185,  -185,  -100,  -185,  -185,   -27,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,   116,
-    -185,    44,   -27,  -185,  -185,   -52,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,    35,  -185,  -185,    85,    96,  -185,
-    -185,    39,  -185,  -185,  -185,  -185,    31,  -185,    75,   -46,
-    -185,    -5,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,   186,  -185,   -12,  -185,  -185,   -35,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,   523,  -185,
-      82,   -12,  -185,  -185,    91,   -56,  -185,  -185,  -185,   100,
-    -185,   -26,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,    -2,  -130,  -185,  -185,  -185,  -185,
-    -185,   105,  -185,     9,  -185,  -185,  -185,  -185,    -7,    18,
-    -185,  -185,  -185,  -185,    25,   121,  -185,  -185,     7,  -185,
-     -12,   -35,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-     391,  -185,  -185,   391,   391,   -76,  -185,  -185,    29,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,   -51,
-     153,  -185,  -185,  -185,   464,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,   -82,    14,     1,  -185,  -185,  -185,  -185,
-      38,  -185,  -185,    12,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,   391,
-     391,  -185,   171,   -76,   140,  -185,   141,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,   -55,  -185,    53,    20,
-      33,  -128,  -185,    32,  -185,   -12,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,   391,  -185,  -185,  -185,  -185,
-      16,  -185,  -185,  -185,   -27,  -185,  -185,  -185,    46,  -185,
-    -185,  -185,    37,    48,   -12,    40,  -167,  -185,    54,   -12,
-    -185,  -185,  -185,    45,    79,  -185,  -185,  -185,  -185,  -185,
-      98,    57,    47,  -185,    60,  -185,   -12,  -185,  -185
+       0,     2,     1,     3,     2,     2,     0,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
+       3,     1,     1,     1,     1,     1,     1,     2,     1,     1,
+       1,     0,     2,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     2,     2,     1,     1,     1,
+       1,     1,     1,     2,     1,     2,     1,     1,     1,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     0,     2,     2,     2,     1,     1,     1,     1,     1,
+       2,     2,     1,     2,     2,     2,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     2,     2,     3,     2,
+       1,     1,     1,     1,     1,     1,     1,     1,     1,     0,
+       2,     2,     2,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     2,     2,     3,     5,
+       3,     4,     4,     3,     0,     2,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
+       1,     2,     1,     2,     1,     1,     1,     2,     1,     2,
+       1,     1,     1,     1,     1,     1,     1,     1,     3,     2,
+       1,     2,     2,     2,     2,     2,     1,     1,     1,     1,
+       1,     1,     2,     2,     1,     2,     1,     1,     1,     2,
+       2,     2,     1,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     2,     2,     1,     2,
+       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     2,     2,     2,     2,     3,     1,     2,     2,
+       2,     2,     3,     2,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     2,     0,     4,     1,     0,
+       0,     2,     2,     2,     2,     1,     1,     3,     3,     1,
+       1,     1,     1,     1,     1,     1,     1,     1,     2,     2,
+       1,     1,     1,     1,     1,     1,     1,     1,     2,     1,
+       2,     1,     1,     1,     5,     2,     1,     2,     1,     1,
+       1,     1,     1,     1,     5,     1,     3,     2,     3,     1,
+       1,     2,     1,     5,     4,     3,     2,     1,     6,     3,
+       2,     3,     1,     1,     1,     1,     1
 };
 
-  /* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM.
-     Performed when YYTABLE does not specify something else to do.  Zero
-     means the default is an error.  */
+/* YYDEFACT[STATE-NAME] -- Default reduction number in state STATE-NUM.
+   Performed when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
 static const yytype_uint16 yydefact[] =
 {
-       0,     0,     0,    24,    58,   231,     0,    71,     0,     0,
-     243,   234,     0,   224,     0,     0,   236,     0,   256,     0,
-       0,   237,   235,     0,   238,    25,     0,     0,     0,     0,
-     257,   232,     0,    23,     0,   239,    22,     0,     0,     0,
-       0,     0,   240,    21,     0,     0,     0,   233,     0,     0,
-       0,     0,     0,    56,    57,   292,     0,     2,     0,     7,
+       0,     0,     0,    24,    58,   234,     0,    71,     0,     0,
+     246,   237,     0,   227,     0,     0,   239,     0,   259,     0,
+       0,   240,   238,     0,   241,    25,     0,     0,     0,     0,
+     260,   235,     0,    23,     0,   242,    22,     0,     0,     0,
+       0,     0,   243,    21,     0,     0,     0,   236,     0,     0,
+       0,     0,     0,    56,    57,   295,     0,     2,     0,     7,
        0,     8,     0,     9,    10,    13,    11,    12,    14,    15,
-      16,    17,    18,     0,     0,     0,     0,   217,     0,   218,
+      16,    17,    18,     0,     0,     0,     0,   220,     0,   221,
       19,     0,     5,    62,    63,    64,   195,   196,   197,   198,
-     201,   199,   200,   202,   190,   192,   193,   194,   154,   155,
-     156,   126,   152,     0,   241,   225,   189,   101,   102,   103,
-     104,   108,   105,   106,   107,   109,    29,    30,    28,     0,
-      26,     0,     6,    65,    66,   253,   226,   252,   285,    59,
-      61,   160,   161,   162,   163,   164,   165,   166,   167,   127,
-     158,     0,    60,    70,   283,   227,    67,   268,   269,   270,
-     271,   272,   273,   274,   265,   267,   134,    29,    30,   134,
-     134,    26,    68,   188,   186,   187,   182,   184,     0,     0,
-     228,    96,   100,    97,   207,   208,   209,   210,   211,   212,
-     213,   214,   215,   216,   203,   205,     0,    91,    86,     0,
-      87,    95,    93,    94,    92,    90,    88,    89,    80,    82,
-       0,     0,   247,   279,     0,    69,   278,   280,   276,   230,
-       1,     0,     4,    31,    55,   290,   289,   219,   220,   221,
-     222,   264,   263,   262,     0,     0,    79,    75,    76,    77,
-      78,     0,    72,     0,   191,   151,   153,   242,    98,     0,
-     178,   179,   180,   181,     0,     0,   176,   177,   168,   170,
-       0,     0,    27,   223,   251,   284,   157,   159,   282,   266,
-     130,   134,   134,   133,   128,     0,   183,   185,     0,    99,
-     204,   206,   288,   286,   287,    85,    81,    83,    84,   229,
-       0,   277,   275,     3,    20,   258,   259,   260,   255,   261,
-     254,   296,   297,     0,     0,     0,    74,    73,   118,   117,
-       0,   115,   116,     0,   110,   113,   114,   174,   175,   173,
-     169,   171,   172,   136,   137,   138,   139,   140,   141,   142,
-     143,   144,   145,   146,   147,   148,   149,   150,   135,   131,
-     132,   134,   246,     0,     0,   248,     0,    37,    38,    39,
-      54,    47,    49,    48,    51,    40,    41,    42,    43,    50,
-      52,    44,    32,    33,    36,    34,     0,    35,     0,     0,
-       0,     0,   299,     0,   294,     0,   111,   125,   121,   123,
-     119,   120,   122,   124,   112,   129,   245,   244,   250,   249,
-       0,    45,    46,    53,     0,   293,   291,   298,     0,   295,
-     281,   302,     0,     0,     0,     0,     0,   304,     0,     0,
-     300,   303,   301,     0,     0,   309,   310,   311,   312,   313,
-       0,     0,     0,   305,     0,   307,     0,   306,   308
+     201,   199,   200,   202,   203,   204,   205,   190,   192,   193,
+     194,   154,   155,   156,   126,   152,     0,   244,   228,   189,
+     101,   102,   103,   104,   108,   105,   106,   107,   109,    29,
+      30,    28,     0,    26,     0,     6,    65,    66,   256,   229,
+     255,   288,    59,    61,   160,   161,   162,   163,   164,   165,
+     166,   167,   127,   158,     0,    60,    70,   286,   230,    67,
+     271,   272,   273,   274,   275,   276,   277,   268,   270,   134,
+      29,    30,   134,   134,    26,    68,   188,   186,   187,   182,
+     184,     0,     0,   231,    96,   100,    97,   210,   211,   212,
+     213,   214,   215,   216,   217,   218,   219,   206,   208,     0,
+      91,    86,     0,    87,    95,    93,    94,    92,    90,    88,
+      89,    80,    82,     0,     0,   250,   282,     0,    69,   281,
+     283,   279,   233,     1,     0,     4,    31,    55,   293,   292,
+     222,   223,   224,   225,   267,   266,   265,     0,     0,    79,
+      75,    76,    77,    78,     0,    72,     0,   191,   151,   153,
+     245,    98,     0,   178,   179,   180,   181,     0,     0,   176,
+     177,   168,   170,     0,     0,    27,   226,   254,   287,   157,
+     159,   285,   269,   130,   134,   134,   133,   128,     0,   183,
+     185,     0,    99,   207,   209,   291,   289,   290,    85,    81,
+      83,    84,   232,     0,   280,   278,     3,    20,   261,   262,
+     263,   258,   264,   257,   299,   300,     0,     0,     0,    74,
+      73,   118,   117,     0,   115,   116,     0,   110,   113,   114,
+     174,   175,   173,   169,   171,   172,   136,   137,   138,   139,
+     140,   141,   142,   143,   144,   145,   146,   147,   148,   149,
+     150,   135,   131,   132,   134,   249,     0,     0,   251,     0,
+      37,    38,    39,    54,    47,    49,    48,    51,    40,    41,
+      42,    43,    50,    52,    44,    32,    33,    36,    34,     0,
+      35,     0,     0,     0,     0,   302,     0,   297,     0,   111,
+     125,   121,   123,   119,   120,   122,   124,   112,   129,   248,
+     247,   253,   252,     0,    45,    46,    53,     0,   296,   294,
+     301,     0,   298,   284,   305,     0,     0,     0,     0,     0,
+     307,     0,     0,   303,   306,   304,     0,     0,   312,   313,
+     314,   315,   316,     0,     0,     0,   308,     0,   310,     0,
+     309,   311
 };
 
-  /* YYPGOTO[NTERM-NUM].  */
-static const yytype_int16 yypgoto[] =
+/* YYDEFGOTO[NTERM-NUM].  */
+static const yytype_int16 yydefgoto[] =
 {
-    -185,  -185,  -185,   -44,  -185,  -185,   -15,   -38,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,  -185,    28,  -185,  -185,  -185,
-    -185,   -36,  -185,  -185,  -185,  -185,  -185,  -185,  -152,  -185,
-    -185,   146,  -185,  -185,   111,  -185,  -185,  -185,     3,  -185,
-    -185,  -185,  -185,    89,  -185,  -185,   245,   -66,  -185,  -185,
-    -185,  -185,    72,  -185,  -185,  -185,  -185,  -185,  -185,  -185,
-    -185,  -185,  -185,  -185,  -185,   137,  -185,  -185,  -185,  -185,
-    -185,  -185,   110,  -185,  -185,    70,  -185,  -185,   236,    27,
-    -184,  -185,  -185,  -185,   -17,  -185,  -185,   -81,  -185,  -185,
-    -185,  -113,  -185,  -126,  -185
+      -1,    56,    57,    58,    59,    60,   131,   123,   124,   287,
+     355,   356,   357,   358,   359,   360,   361,    61,    62,    63,
+      64,    85,   235,   236,    65,   201,   202,   203,   204,    66,
+     174,   118,   241,   307,   308,   309,   377,    67,   263,   331,
+     104,   105,   106,   142,   143,   144,    68,   251,   252,   253,
+     254,    69,   169,   170,   171,    70,    97,    98,    99,   100,
+      71,   187,   188,   189,    72,    73,    74,    75,    76,   108,
+     173,   380,   282,   338,   129,   130,    77,    78,   293,   227,
+      79,   157,   158,   212,   208,   209,   210,   148,   132,   278,
+     220,    80,    81,   296,   297,   298,   364,   365,   396,   366,
+     399,   400,   413,   414,   415
 };
 
-  /* YYDEFGOTO[NTERM-NUM].  */
-static const yytype_int16 yydefgoto[] =
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -188
+static const yytype_int16 yypact[] =
 {
-      -1,    56,    57,    58,    59,    60,   128,   120,   121,   284,
-     352,   353,   354,   355,   356,   357,   358,    61,    62,    63,
-      64,    85,   232,   233,    65,   198,   199,   200,   201,    66,
-     171,   115,   238,   304,   305,   306,   374,    67,   260,   328,
-     101,   102,   103,   139,   140,   141,    68,   248,   249,   250,
-     251,    69,   166,   167,   168,    70,    94,    95,    96,    97,
-      71,   184,   185,   186,    72,    73,    74,    75,    76,   105,
-     170,   377,   279,   335,   126,   127,    77,    78,   290,   224,
-      79,   154,   155,   209,   205,   206,   207,   145,   129,   275,
-     217,    80,    81,   293,   294,   295,   361,   362,   393,   363,
-     396,   397,   410,   411,   412
+       5,  -160,   -28,  -188,  -188,  -188,   -24,  -188,    60,     0,
+    -119,  -188,    60,  -188,   118,     7,  -188,  -117,  -188,  -110,
+    -108,  -188,  -188,  -101,  -188,  -188,     7,    -1,   345,     7,
+    -188,  -188,   -96,  -188,   -95,  -188,  -188,    21,    -3,    73,
+      33,    11,  -188,  -188,   -94,   118,   -61,  -188,    43,   446,
+     -57,   -58,    41,  -188,  -188,  -188,   105,   179,   -79,  -188,
+       7,  -188,     7,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,    -7,    48,   -48,   -39,  -188,    24,  -188,
+    -188,   -86,  -188,  -188,  -188,    42,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,    60,  -188,  -188,
+    -188,  -188,  -188,  -188,     0,  -188,    59,    89,  -188,    60,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,    80,  -188,     9,   338,  -188,  -188,  -188,  -101,
+    -188,  -188,     7,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,   345,  -188,    67,     7,  -188,  -188,    12,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,    -3,  -188,  -188,
+     107,   116,  -188,  -188,    83,  -188,  -188,  -188,  -188,    11,
+    -188,   113,   -20,  -188,   118,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,    43,  -188,    -7,
+    -188,  -188,   -25,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,   446,  -188,   127,    -7,  -188,  -188,   129,   -58,  -188,
+    -188,  -188,   142,  -188,    19,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,     4,  -158,  -188,
+    -188,  -188,  -188,  -188,   145,  -188,    49,  -188,  -188,  -188,
+    -188,   233,    55,  -188,  -188,  -188,  -188,    64,   157,  -188,
+    -188,    80,  -188,    -7,   -25,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,   445,  -188,  -188,   445,   445,   -57,  -188,
+    -188,    82,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,   -44,   202,  -188,  -188,  -188,   324,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,   -30,    58,    50,  -188,
+    -188,  -188,  -188,    88,  -188,  -188,     3,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,   445,   445,  -188,   221,   -57,   188,  -188,   191,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,   -51,
+    -188,    99,    61,    75,  -114,  -188,    65,  -188,    -7,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,   445,  -188,
+    -188,  -188,  -188,    68,  -188,  -188,  -188,     7,  -188,  -188,
+    -188,    76,  -188,  -188,  -188,    71,    78,    -7,    74,  -178,
+    -188,    90,    -7,  -188,  -188,  -188,    77,    32,  -188,  -188,
+    -188,  -188,  -188,   101,    93,    84,  -188,    94,  -188,    -7,
+    -188,  -188
 };
 
-  /* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM.  If
-     positive, shift that token.  If negative, reduce the rule whose
-     number is the opposite.  If YYTABLE_NINF, syntax error.  */
+/* YYPGOTO[NTERM-NUM].  */
+static const yytype_int16 yypgoto[] =
+{
+    -188,  -188,  -188,   -41,  -188,  -188,   -15,   -38,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,  -188,    81,  -188,  -188,  -188,
+    -188,   -37,  -188,  -188,  -188,  -188,  -188,  -188,  -111,  -188,
+    -188,   170,  -188,  -188,   133,  -188,  -188,  -188,    37,  -188,
+    -188,  -188,  -188,   115,  -188,  -188,   277,   -53,  -188,  -188,
+    -188,  -188,   103,  -188,  -188,  -188,  -188,  -188,  -188,  -188,
+    -188,  -188,  -188,  -188,  -188,   162,  -188,  -188,  -188,  -188,
+    -188,  -188,   143,  -188,  -188,    91,  -188,  -188,   274,    52,
+    -187,  -188,  -188,  -188,     8,  -188,  -188,   -56,  -188,  -188,
+    -188,   -87,  -188,  -100,  -188
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -7
 static const yytype_int16 yytable[] =
 {
-     119,   161,   271,   285,   272,   203,   381,   263,   264,   172,
-     239,   333,   202,   211,    82,   107,   367,   278,   359,   108,
-     215,   395,   298,   221,   160,    86,   273,    83,   234,    87,
-     299,   400,    84,   300,   104,    88,   226,   122,   368,   116,
-     234,   117,   147,   148,   222,   213,   123,   214,   124,   216,
-     240,   241,   242,   243,    98,   291,   292,   156,   125,   227,
-     149,   130,   228,   286,   359,   287,   311,   143,   223,   144,
-     386,   301,   146,   163,   162,   169,   208,   109,   253,     1,
-     173,   334,   118,   210,   212,   218,    89,   219,     2,   220,
-     225,   237,     3,     4,     5,   236,   157,   252,   158,   150,
-       6,     7,   302,   291,   292,   257,   258,     8,     9,   329,
-     330,    10,   261,    11,   255,    12,    13,   369,   382,    14,
-      90,    91,   110,   262,   370,   265,   164,   255,    15,   151,
-     111,   118,    16,   112,   274,   269,   267,    92,    17,   204,
-      18,   371,    99,   277,   229,   230,   244,   100,   268,    19,
-      20,   231,   280,    21,    22,   113,   288,   283,    23,    24,
-     114,   282,    25,    26,   245,   303,   296,   297,    93,   246,
-     247,    27,   131,   132,   133,   134,   307,   289,   159,   375,
-     165,   389,   309,   308,    28,    29,    30,   332,   118,   336,
-     372,    31,   174,   373,   152,   365,   366,   364,   376,   153,
-      32,   379,   380,   135,    33,   136,    34,   137,    35,    36,
-     398,   383,   390,   138,   384,   403,   385,   175,    37,    38,
-      39,    40,    41,    42,    43,    44,   276,   331,    45,   388,
-      46,   394,   418,   392,   399,   176,   395,   402,   177,    47,
-     415,   416,   404,   417,    48,    49,    50,   235,    51,    52,
-     256,   310,    53,    54,     2,   266,   270,   106,     3,     4,
-       5,    -6,    55,   254,   259,   142,     6,     7,   405,   406,
-     407,   408,   409,     8,     9,   281,   360,    10,   312,    11,
-     387,    12,    13,   401,   414,    14,     0,   405,   406,   407,
-     408,   409,     0,     0,    15,   378,   413,     0,    16,     0,
-       0,     0,     0,     0,    17,     0,    18,     0,     0,     0,
-       0,   178,     0,     0,     0,    19,    20,     0,     0,    21,
-      22,     0,     0,     0,    23,    24,     0,     0,    25,    26,
-       0,     0,     0,     0,     0,     0,     0,    27,     0,   179,
-     180,   181,   182,     0,     0,     0,     0,   183,     0,     0,
-      28,    29,    30,     0,     0,     0,     0,    31,     0,     0,
-       0,     0,     0,     0,     0,     0,    32,     0,     0,   391,
-      33,     0,    34,     0,    35,    36,     0,     0,     0,     0,
-       0,     0,     0,     0,    37,    38,    39,    40,    41,    42,
-      43,    44,     0,     0,    45,     0,    46,     0,     0,     0,
-       0,     0,     0,     0,     0,    47,     0,     0,     0,     0,
-      48,    49,    50,     0,    51,    52,     0,     2,    53,    54,
-       0,     3,     4,     5,     0,     0,     0,    -6,    55,     6,
-       7,     0,     0,     0,     0,     0,     8,     9,   313,     0,
-      10,     0,    11,     0,    12,    13,   314,     0,    14,     0,
-       0,     0,     0,     0,     0,     0,     0,    15,     0,     0,
-       0,    16,     0,     0,   315,   316,     0,    17,   317,    18,
-       0,     0,     0,   337,   318,     0,     0,     0,    19,    20,
-       0,   338,    21,    22,     0,     0,     0,    23,    24,     0,
-       0,    25,    26,     0,     0,     0,     0,     0,     0,     0,
-      27,   319,   320,     0,     0,   321,   322,     0,   323,   324,
-     325,     0,   326,    28,    29,    30,     0,   339,   340,     0,
-      31,     0,     0,     0,     0,     0,     0,     0,     0,    32,
-       0,     0,     0,    33,   341,    34,   187,    35,    36,     0,
-       0,     0,   188,     0,   189,     0,     0,    37,    38,    39,
-      40,    41,    42,    43,    44,     0,   342,    45,     0,    46,
-       0,     0,     0,     0,   343,     0,   344,   327,    47,     0,
-       0,   190,     0,    48,    49,    50,     0,    51,    52,     0,
-     345,    53,    54,     0,     0,     0,     0,     0,     0,     0,
-       0,    55,     0,     0,     0,     0,     0,   346,   347,     0,
+     122,   164,   274,   206,   150,   151,     1,   370,   175,   288,
+     384,   101,   205,   398,   275,     2,   214,   281,   336,     3,
+       4,     5,   152,   403,   163,   218,    82,     6,     7,   371,
+     294,   295,   362,    83,     8,     9,   276,    84,    10,   107,
+      11,   125,    12,    13,   237,   216,    14,   217,   126,   177,
+     127,   266,   267,   166,   219,    15,   237,   128,   224,    16,
+     133,   153,   146,   147,   172,    17,   314,    18,    86,   289,
+     229,   290,    87,   119,   178,   120,    19,    20,    88,   225,
+      21,    22,   149,   242,   256,    23,    24,   389,   337,    25,
+      26,   154,   179,   230,   165,   180,   231,   176,    27,   102,
+     159,   121,   211,   226,   103,   213,   167,   215,   372,   221,
+     222,    28,    29,    30,   228,   373,   362,   258,    31,   223,
+     239,   240,   385,   243,   244,   245,   246,    32,   260,    89,
+     258,    33,   374,    34,   264,    35,    36,   272,   110,   160,
+     207,   161,   111,   265,   277,    37,    38,    39,    40,    41,
+      42,    43,    44,   332,   333,    45,   155,    46,   294,   295,
+     168,   156,   291,    90,    91,   121,    47,   255,   181,   268,
+     261,    48,    49,    50,   270,    51,    52,   271,   232,   233,
+      92,   392,    53,    54,   375,   234,   292,   376,   280,     2,
+     283,    -6,    55,     3,     4,     5,   182,   183,   184,   185,
+     112,     6,     7,   285,   186,   286,   299,   300,     8,     9,
+     401,    93,    10,   310,    11,   406,    12,    13,   312,   247,
+      14,   162,   311,   378,   408,   409,   410,   411,   412,    15,
+     334,   121,   421,    16,    94,    95,    96,   248,   339,    17,
+     335,    18,   249,   250,   367,   113,   369,   368,   379,   382,
+      19,    20,   383,   114,    21,    22,   115,   386,   387,    23,
+      24,   388,   301,    25,    26,   391,   395,   393,   397,   398,
+     302,   402,    27,   303,   238,   259,   405,   407,   116,   418,
+     420,   419,   279,   117,   269,    28,    29,    30,   313,   109,
+     273,   257,    31,   408,   409,   410,   411,   412,   381,   284,
+     262,    32,   416,   145,   363,    33,   315,    34,   390,    35,
+      36,   304,   404,   417,     0,     0,     0,     0,     0,    37,
+      38,    39,    40,    41,    42,    43,    44,     0,     0,    45,
+       0,    46,     0,   340,     0,     0,     0,     0,     0,     0,
+      47,   341,   305,     0,     0,    48,    49,    50,     2,    51,
+      52,     0,     3,     4,     5,     0,    53,    54,     0,     0,
+       6,     7,     0,     0,     0,    -6,    55,     8,     9,     0,
+       0,    10,   394,    11,     0,    12,    13,   342,   343,    14,
+       0,     0,     0,     0,     0,     0,     0,     0,    15,     0,
+       0,     0,    16,     0,   344,     0,     0,     0,    17,     0,
+      18,   134,   135,   136,   137,   306,     0,     0,     0,    19,
+      20,     0,     0,    21,    22,     0,   345,     0,    23,    24,
+       0,     0,    25,    26,   346,     0,   347,     0,     0,     0,
+       0,    27,   138,     0,   139,     0,   140,     0,     0,     0,
+     348,     0,   141,     0,    28,    29,    30,     0,     0,     0,
+       0,    31,     0,     0,     0,     0,     0,   349,   350,   190,
+      32,     0,     0,     0,    33,   191,    34,   192,    35,    36,
+       0,     0,     0,     0,     0,     0,     0,     0,    37,    38,
+      39,    40,    41,    42,    43,    44,     0,     0,    45,     0,
+      46,     0,   316,   351,   193,   352,     0,     0,     0,    47,
+     317,     0,     0,   353,    48,    49,    50,   354,    51,    52,
+       0,     0,     0,     0,     0,    53,    54,     0,   318,   319,
+       0,     0,   320,     0,     0,    55,     0,     0,   321,     0,
+       0,     0,     0,     0,   194,     0,   195,     0,     0,     0,
+       0,     0,   196,     0,   197,     0,     0,   198,     0,     0,
+       0,     0,     0,     0,     0,   322,   323,     0,     0,   324,
+     325,     0,   326,   327,   328,     0,   329,     0,     0,   199,
+     200,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
        0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
-       0,   191,     0,   192,     0,     0,     0,     0,     0,   193,
-       0,   194,     0,     0,   195,     0,     0,     0,     0,     0,
-       0,     0,     0,   348,     0,   349,     0,     0,     0,     0,
-     350,     0,     0,     0,   351,     0,   196,   197
+       0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,   330
 };
 
+#define yypact_value_is_default(Yystate) \
+  (!!((Yystate) == (-188)))
+
+#define yytable_value_is_error(Yytable_value) \
+  YYID (0)
+
 static const yytype_int16 yycheck[] =
 {
-      15,    39,   186,     5,    39,    61,    61,   159,   160,    45,
-       3,    62,    50,    57,   183,    20,     4,   201,   146,    24,
-      32,   188,    29,    34,    39,     8,    61,    61,    94,    12,
-      37,   198,    61,    40,   158,    18,    28,   158,    26,    66,
-     106,    68,     7,     8,    55,    60,   158,    62,   158,    61,
-      43,    44,    45,    46,    11,   185,   186,    27,   158,    51,
-      25,    61,    54,    65,   146,    67,   250,   158,    79,   158,
-     198,    78,    61,    42,    61,   158,    61,    82,   122,     1,
-     158,   132,   158,     0,   183,    61,    69,   158,    10,   158,
-     197,    32,    14,    15,    16,    61,    66,   158,    68,    64,
-      22,    23,   109,   185,   186,    61,   158,    29,    30,   261,
-     262,    33,    27,    35,   129,    37,    38,   105,   173,    41,
-     103,   104,   127,    27,   112,    86,    95,   142,    50,    94,
-     135,   158,    54,   138,   169,   171,    61,   120,    60,   195,
-      62,   129,    99,    61,   136,   137,   139,   104,   194,    71,
-      72,   143,    61,    75,    76,   160,   158,   183,    80,    81,
-     165,    61,    84,    85,   157,   172,    61,   158,   151,   162,
-     163,    93,    56,    57,    58,    59,   158,   179,   148,   331,
-     149,   365,    61,   158,   106,   107,   108,   158,   158,    36,
-     178,   113,     6,   181,   159,   194,   158,   183,    27,   164,
-     122,    61,    61,    87,   126,    89,   128,    91,   130,   131,
-     394,   158,   196,    97,   194,   399,   183,    31,   140,   141,
-     142,   143,   144,   145,   146,   147,   198,   265,   150,   197,
-     152,   194,   416,   187,   194,    49,   188,   183,    52,   161,
-     183,   194,   197,   183,   166,   167,   168,   101,   170,   171,
-     139,   248,   174,   175,    10,   166,   184,    12,    14,    15,
-      16,   183,   184,   126,   154,    29,    22,    23,   189,   190,
-     191,   192,   193,    29,    30,   205,   293,    33,   251,    35,
-     361,    37,    38,   396,   410,    41,    -1,   189,   190,   191,
-     192,   193,    -1,    -1,    50,   333,   198,    -1,    54,    -1,
-      -1,    -1,    -1,    -1,    60,    -1,    62,    -1,    -1,    -1,
-      -1,   125,    -1,    -1,    -1,    71,    72,    -1,    -1,    75,
-      76,    -1,    -1,    -1,    80,    81,    -1,    -1,    84,    85,
-      -1,    -1,    -1,    -1,    -1,    -1,    -1,    93,    -1,   153,
-     154,   155,   156,    -1,    -1,    -1,    -1,   161,    -1,    -1,
-     106,   107,   108,    -1,    -1,    -1,    -1,   113,    -1,    -1,
-      -1,    -1,    -1,    -1,    -1,    -1,   122,    -1,    -1,   384,
-     126,    -1,   128,    -1,   130,   131,    -1,    -1,    -1,    -1,
-      -1,    -1,    -1,    -1,   140,   141,   142,   143,   144,   145,
-     146,   147,    -1,    -1,   150,    -1,   152,    -1,    -1,    -1,
-      -1,    -1,    -1,    -1,    -1,   161,    -1,    -1,    -1,    -1,
-     166,   167,   168,    -1,   170,   171,    -1,    10,   174,   175,
-      -1,    14,    15,    16,    -1,    -1,    -1,   183,   184,    22,
-      23,    -1,    -1,    -1,    -1,    -1,    29,    30,    47,    -1,
-      33,    -1,    35,    -1,    37,    38,    55,    -1,    41,    -1,
-      -1,    -1,    -1,    -1,    -1,    -1,    -1,    50,    -1,    -1,
-      -1,    54,    -1,    -1,    73,    74,    -1,    60,    77,    62,
-      -1,    -1,    -1,     9,    83,    -1,    -1,    -1,    71,    72,
-      -1,    17,    75,    76,    -1,    -1,    -1,    80,    81,    -1,
-      -1,    84,    85,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
-      93,   110,   111,    -1,    -1,   114,   115,    -1,   117,   118,
-     119,    -1,   121,   106,   107,   108,    -1,    53,    54,    -1,
-     113,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,   122,
-      -1,    -1,    -1,   126,    70,   128,    13,   130,   131,    -1,
-      -1,    -1,    19,    -1,    21,    -1,    -1,   140,   141,   142,
-     143,   144,   145,   146,   147,    -1,    92,   150,    -1,   152,
-      -1,    -1,    -1,    -1,   100,    -1,   102,   176,   161,    -1,
-      -1,    48,    -1,   166,   167,   168,    -1,   170,   171,    -1,
-     116,   174,   175,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
-      -1,   184,    -1,    -1,    -1,    -1,    -1,   133,   134,    -1,
+      15,    39,   189,    61,     7,     8,     1,     4,    45,     5,
+      61,    11,    50,   191,    39,    10,    57,   204,    62,    14,
+      15,    16,    25,   201,    39,    32,   186,    22,    23,    26,
+     188,   189,   146,    61,    29,    30,    61,    61,    33,   158,
+      35,   158,    37,    38,    97,    60,    41,    62,   158,     6,
+     158,   162,   163,    42,    61,    50,   109,   158,    34,    54,
+      61,    64,   158,   158,   158,    60,   253,    62,     8,    65,
+      28,    67,    12,    66,    31,    68,    71,    72,    18,    55,
+      75,    76,    61,     3,   125,    80,    81,   201,   132,    84,
+      85,    94,    49,    51,    61,    52,    54,   158,    93,    99,
+      27,   158,    61,    79,   104,     0,    95,   186,   105,    61,
+     158,   106,   107,   108,   200,   112,   146,   132,   113,   158,
+      61,    32,   173,    43,    44,    45,    46,   122,    61,    69,
+     145,   126,   129,   128,    27,   130,   131,   174,    20,    66,
+     198,    68,    24,    27,   169,   140,   141,   142,   143,   144,
+     145,   146,   147,   264,   265,   150,   159,   152,   188,   189,
+     149,   164,   158,   103,   104,   158,   161,   158,   125,    86,
+     158,   166,   167,   168,    61,   170,   171,   197,   136,   137,
+     120,   368,   177,   178,   181,   143,   182,   184,    61,    10,
+      61,   186,   187,    14,    15,    16,   153,   154,   155,   156,
+      82,    22,    23,    61,   161,   186,    61,   158,    29,    30,
+     397,   151,    33,   158,    35,   402,    37,    38,    61,   139,
+      41,   148,   158,   334,   192,   193,   194,   195,   196,    50,
+     268,   158,   419,    54,   174,   175,   176,   157,    36,    60,
+     158,    62,   162,   163,   186,   127,   158,   197,    27,    61,
+      71,    72,    61,   135,    75,    76,   138,   158,   197,    80,
+      81,   186,    29,    84,    85,   200,   190,   199,   197,   191,
+      37,   197,    93,    40,   104,   142,   186,   200,   160,   186,
+     186,   197,   201,   165,   169,   106,   107,   108,   251,    12,
+     187,   129,   113,   192,   193,   194,   195,   196,   336,   208,
+     157,   122,   201,    29,   296,   126,   254,   128,   364,   130,
+     131,    78,   399,   413,    -1,    -1,    -1,    -1,    -1,   140,
+     141,   142,   143,   144,   145,   146,   147,    -1,    -1,   150,
+      -1,   152,    -1,     9,    -1,    -1,    -1,    -1,    -1,    -1,
+     161,    17,   109,    -1,    -1,   166,   167,   168,    10,   170,
+     171,    -1,    14,    15,    16,    -1,   177,   178,    -1,    -1,
+      22,    23,    -1,    -1,    -1,   186,   187,    29,    30,    -1,
+      -1,    33,   387,    35,    -1,    37,    38,    53,    54,    41,
+      -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    50,    -1,
+      -1,    -1,    54,    -1,    70,    -1,    -1,    -1,    60,    -1,
+      62,    56,    57,    58,    59,   172,    -1,    -1,    -1,    71,
+      72,    -1,    -1,    75,    76,    -1,    92,    -1,    80,    81,
+      -1,    -1,    84,    85,   100,    -1,   102,    -1,    -1,    -1,
+      -1,    93,    87,    -1,    89,    -1,    91,    -1,    -1,    -1,
+     116,    -1,    97,    -1,   106,   107,   108,    -1,    -1,    -1,
+      -1,   113,    -1,    -1,    -1,    -1,    -1,   133,   134,    13,
+     122,    -1,    -1,    -1,   126,    19,   128,    21,   130,   131,
+      -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,   140,   141,
+     142,   143,   144,   145,   146,   147,    -1,    -1,   150,    -1,
+     152,    -1,    47,   169,    48,   171,    -1,    -1,    -1,   161,
+      55,    -1,    -1,   179,   166,   167,   168,   183,   170,   171,
+      -1,    -1,    -1,    -1,    -1,   177,   178,    -1,    73,    74,
+      -1,    -1,    77,    -1,    -1,   187,    -1,    -1,    83,    -1,
+      -1,    -1,    -1,    -1,    88,    -1,    90,    -1,    -1,    -1,
+      -1,    -1,    96,    -1,    98,    -1,    -1,   101,    -1,    -1,
+      -1,    -1,    -1,    -1,    -1,   110,   111,    -1,    -1,   114,
+     115,    -1,   117,   118,   119,    -1,   121,    -1,    -1,   123,
+     124,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
       -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
-      -1,    88,    -1,    90,    -1,    -1,    -1,    -1,    -1,    96,
-      -1,    98,    -1,    -1,   101,    -1,    -1,    -1,    -1,    -1,
-      -1,    -1,    -1,   169,    -1,   171,    -1,    -1,    -1,    -1,
-     176,    -1,    -1,    -1,   180,    -1,   123,   124
+      -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,   179
 };
 
-  /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
-     symbol of state STATE-NUM.  */
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
 static const yytype_uint16 yystos[] =
 {
        0,     1,    10,    14,    15,    16,    22,    23,    29,    30,
@@ -1302,129 +1504,70 @@ static const yytype_uint16 yystos[] =
       72,    75,    76,    80,    81,    84,    85,    93,   106,   107,
      108,   113,   122,   126,   128,   130,   131,   140,   141,   142,
      143,   144,   145,   146,   147,   150,   152,   161,   166,   167,
-     168,   170,   171,   174,   175,   184,   200,   201,   202,   203,
-     204,   216,   217,   218,   219,   223,   228,   236,   245,   250,
-     254,   259,   263,   264,   265,   266,   267,   275,   276,   279,
-     290,   291,   183,    61,    61,   220,     8,    12,    18,    69,
-     103,   104,   120,   151,   255,   256,   257,   258,    11,    99,
-     104,   239,   240,   241,   158,   268,   255,    20,    24,    82,
-     127,   135,   138,   160,   165,   230,    66,    68,   158,   205,
-     206,   207,   158,   158,   158,   158,   273,   274,   205,   287,
-      61,    56,    57,    58,    59,    87,    89,    91,    97,   242,
-     243,   244,   287,   158,   158,   286,    61,     7,     8,    25,
-      64,    94,   159,   164,   280,   281,    27,    66,    68,   148,
-     205,   206,    61,    42,    95,   149,   251,   252,   253,   158,
-     269,   229,   230,   158,     6,    31,    49,    52,   125,   153,
-     154,   155,   156,   161,   260,   261,   262,    13,    19,    21,
-      48,    88,    90,    96,    98,   101,   123,   124,   224,   225,
-     226,   227,   206,    61,   195,   283,   284,   285,    61,   282,
-       0,   202,   183,   205,   205,    32,    61,   289,    61,   158,
-     158,    34,    55,    79,   278,   197,    28,    51,    54,   136,
-     137,   143,   221,   222,   256,   240,    61,    32,   231,     3,
-      43,    44,    45,    46,   139,   157,   162,   163,   246,   247,
-     248,   249,   158,   202,   274,   205,   243,    61,   158,   281,
-     237,    27,    27,   237,   237,    86,   252,    61,   194,   230,
-     261,   289,    39,    61,   169,   288,   225,    61,   289,   271,
-      61,   284,    61,   183,   208,     5,    65,    67,   158,   179,
-     277,   185,   186,   292,   293,   294,    61,   158,    29,    37,
-      40,    78,   109,   172,   232,   233,   234,   158,   158,    61,
-     247,   289,   288,    47,    55,    73,    74,    77,    83,   110,
-     111,   114,   115,   117,   118,   119,   121,   176,   238,   237,
-     237,   206,   158,    62,   132,   272,    36,     9,    17,    53,
-      54,    70,    92,   100,   102,   116,   133,   134,   169,   171,
-     176,   180,   209,   210,   211,   212,   213,   214,   215,   146,
-     293,   295,   296,   298,   183,   194,   158,     4,    26,   105,
-     112,   129,   178,   181,   235,   237,    27,   270,   206,    61,
-      61,    61,   173,   158,   194,   183,   198,   296,   197,   289,
-     196,   205,   187,   297,   194,   188,   299,   300,   289,   194,
-     198,   300,   183,   289,   197,   189,   190,   191,   192,   193,
-     301,   302,   303,   198,   302,   183,   194,   183,   289
-};
-
-  /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
-static const yytype_uint16 yyr1[] =
-{
-       0,   199,   200,   201,   201,   201,   202,   202,   202,   202,
-     202,   202,   202,   202,   202,   202,   202,   202,   202,   202,
-     203,   204,   204,   204,   204,   204,   205,   205,   206,   207,
-     207,   208,   208,   209,   209,   209,   210,   211,   211,   211,
-     211,   211,   211,   211,   211,   212,   212,   213,   213,   213,
-     213,   213,   213,   214,   215,   216,   217,   217,   218,   218,
-     218,   218,   219,   219,   219,   219,   219,   219,   219,   219,
-     219,   220,   220,   221,   221,   222,   222,   222,   222,   222,
-     223,   224,   224,   225,   225,   225,   226,   226,   226,   226,
-     226,   226,   227,   227,   227,   227,   228,   228,   228,   229,
-     229,   230,   230,   230,   230,   230,   230,   230,   230,   231,
-     231,   232,   232,   232,   232,   233,   233,   234,   234,   235,
-     235,   235,   235,   235,   235,   235,   236,   236,   236,   236,
-     236,   236,   236,   236,   237,   237,   238,   238,   238,   238,
-     238,   238,   238,   238,   238,   238,   238,   238,   238,   238,
-     238,   239,   239,   240,   241,   241,   241,   242,   242,   243,
-     244,   244,   244,   244,   244,   244,   244,   244,   245,   246,
-     246,   247,   247,   247,   247,   247,   248,   248,   249,   249,
-     249,   249,   250,   251,   251,   252,   253,   253,   253,   254,
-     254,   255,   255,   256,   256,   257,   257,   257,   257,   257,
-     257,   258,   258,   259,   260,   260,   261,   262,   262,   262,
-     262,   262,   262,   262,   262,   262,   262,   263,   263,   263,
-     263,   263,   263,   263,   263,   263,   263,   263,   263,   263,
-     263,   264,   264,   264,   265,   265,   266,   266,   267,   267,
-     267,   268,   268,   268,   269,   270,   270,   271,   271,   272,
-     272,   273,   273,   274,   275,   275,   276,   276,   277,   277,
-     277,   277,   278,   278,   278,   279,   280,   280,   281,   281,
-     281,   281,   281,   281,   281,   282,   282,   283,   283,   284,
-     284,   285,   286,   286,   287,   287,   288,   288,   288,   289,
-     289,   290,   291,   292,   292,   293,   294,   294,   295,   295,
-     296,   297,   298,   299,   299,   300,   301,   301,   302,   303,
-     303,   303,   303,   303
-};
-
-  /* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN.  */
-static const yytype_uint8 yyr2[] =
-{
-       0,     2,     1,     3,     2,     2,     0,     1,     1,     1,
-       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       3,     1,     1,     1,     1,     1,     1,     2,     1,     1,
-       1,     0,     2,     1,     1,     1,     1,     1,     1,     1,
-       1,     1,     1,     1,     1,     2,     2,     1,     1,     1,
-       1,     1,     1,     2,     1,     2,     1,     1,     1,     2,
-       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
-       2,     0,     2,     2,     2,     1,     1,     1,     1,     1,
-       2,     2,     1,     2,     2,     2,     1,     1,     1,     1,
-       1,     1,     1,     1,     1,     1,     2,     2,     3,     2,
-       1,     1,     1,     1,     1,     1,     1,     1,     1,     0,
-       2,     2,     2,     1,     1,     1,     1,     1,     1,     1,
-       1,     1,     1,     1,     1,     1,     2,     2,     3,     5,
-       3,     4,     4,     3,     0,     2,     1,     1,     1,     1,
-       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     2,     1,     2,     1,     1,     1,     2,     1,     2,
-       1,     1,     1,     1,     1,     1,     1,     1,     3,     2,
-       1,     2,     2,     2,     2,     2,     1,     1,     1,     1,
-       1,     1,     2,     2,     1,     2,     1,     1,     1,     2,
-       2,     2,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     1,     1,     2,     2,     1,     2,     1,     1,     1,
-       1,     1,     1,     1,     1,     1,     1,     1,     1,     2,
-       2,     2,     2,     3,     1,     2,     2,     2,     2,     3,
-       2,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     1,     2,     0,     4,     1,     0,     0,     2,     2,
-       2,     2,     1,     1,     3,     3,     1,     1,     1,     1,
-       1,     1,     1,     1,     1,     2,     2,     1,     1,     1,
-       1,     1,     1,     1,     1,     2,     1,     2,     1,     1,
-       1,     5,     2,     1,     2,     1,     1,     1,     1,     1,
-       1,     5,     1,     3,     2,     3,     1,     1,     2,     1,
-       5,     4,     3,     2,     1,     6,     3,     2,     3,     1,
-       1,     1,     1,     1
+     168,   170,   171,   177,   178,   187,   203,   204,   205,   206,
+     207,   219,   220,   221,   222,   226,   231,   239,   248,   253,
+     257,   262,   266,   267,   268,   269,   270,   278,   279,   282,
+     293,   294,   186,    61,    61,   223,     8,    12,    18,    69,
+     103,   104,   120,   151,   174,   175,   176,   258,   259,   260,
+     261,    11,    99,   104,   242,   243,   244,   158,   271,   258,
+      20,    24,    82,   127,   135,   138,   160,   165,   233,    66,
+      68,   158,   208,   209,   210,   158,   158,   158,   158,   276,
+     277,   208,   290,    61,    56,    57,    58,    59,    87,    89,
+      91,    97,   245,   246,   247,   290,   158,   158,   289,    61,
+       7,     8,    25,    64,    94,   159,   164,   283,   284,    27,
+      66,    68,   148,   208,   209,    61,    42,    95,   149,   254,
+     255,   256,   158,   272,   232,   233,   158,     6,    31,    49,
+      52,   125,   153,   154,   155,   156,   161,   263,   264,   265,
+      13,    19,    21,    48,    88,    90,    96,    98,   101,   123,
+     124,   227,   228,   229,   230,   209,    61,   198,   286,   287,
+     288,    61,   285,     0,   205,   186,   208,   208,    32,    61,
+     292,    61,   158,   158,    34,    55,    79,   281,   200,    28,
+      51,    54,   136,   137,   143,   224,   225,   259,   243,    61,
+      32,   234,     3,    43,    44,    45,    46,   139,   157,   162,
+     163,   249,   250,   251,   252,   158,   205,   277,   208,   246,
+      61,   158,   284,   240,    27,    27,   240,   240,    86,   255,
+      61,   197,   233,   264,   292,    39,    61,   169,   291,   228,
+      61,   292,   274,    61,   287,    61,   186,   211,     5,    65,
+      67,   158,   182,   280,   188,   189,   295,   296,   297,    61,
+     158,    29,    37,    40,    78,   109,   172,   235,   236,   237,
+     158,   158,    61,   250,   292,   291,    47,    55,    73,    74,
+      77,    83,   110,   111,   114,   115,   117,   118,   119,   121,
+     179,   241,   240,   240,   209,   158,    62,   132,   275,    36,
+       9,    17,    53,    54,    70,    92,   100,   102,   116,   133,
+     134,   169,   171,   179,   183,   212,   213,   214,   215,   216,
+     217,   218,   146,   296,   298,   299,   301,   186,   197,   158,
+       4,    26,   105,   112,   129,   181,   184,   238,   240,    27,
+     273,   209,    61,    61,    61,   173,   158,   197,   186,   201,
+     299,   200,   292,   199,   208,   190,   300,   197,   191,   302,
+     303,   292,   197,   201,   303,   186,   292,   200,   192,   193,
+     194,   195,   196,   304,   305,   306,   201,   305,   186,   197,
+     186,   292
 };
 
-
-#define yyerrok         (yyerrstatus = 0)
-#define yyclearin       (yychar = YYEMPTY)
-#define YYEMPTY         (-2)
-#define YYEOF           0
-
-#define YYACCEPT        goto yyacceptlab
-#define YYABORT         goto yyabortlab
-#define YYERROR         goto yyerrorlab
-
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  However,
+   YYFAIL appears to be in use.  Nevertheless, it is formally deprecated
+   in Bison 2.4.2's NEWS entry, where a plan to phase it out is
+   discussed.  */
+
+#define YYFAIL		goto yyerrlab
+#if defined YYFAIL
+  /* This is here to suppress warnings from the GCC cpp's
+     -Wunused-macros.  Normally we don't worry about that warning, but
+     some users do, and we want to make it easy for users to remove
+     YYFAIL uses, which will produce warnings from Bison 2.5.  */
+#endif
 
 #define YYRECOVERING()  (!!yyerrstatus)
 
@@ -1441,15 +1584,27 @@ do                                                              \
   else                                                          \
     {                                                           \
       yyerror (YY_("syntax error: cannot back up")); \
-      YYERROR;                                                  \
-    }                                                           \
-while (0)
+      YYERROR;							\
+    }								\
+while (YYID (0))
 
 /* Error token number */
-#define YYTERROR        1
-#define YYERRCODE       256
+#define YYTERROR	1
+#define YYERRCODE	256
 
 
+/* This macro is provided for backward compatibility. */
+#ifndef YY_LOCATION_PRINT
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
 
 /* Enable debugging if requested.  */
 #if YYDEBUG
@@ -1459,36 +1614,40 @@ while (0)
 #  define YYFPRINTF fprintf
 # endif
 
-# define YYDPRINTF(Args)                        \
-do {                                            \
-  if (yydebug)                                  \
-    YYFPRINTF Args;                             \
-} while (0)
-
-/* This macro is provided for backward compatibility. */
-#ifndef YY_LOCATION_PRINT
-# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
-#endif
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (YYID (0))
 
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)			  \
+do {									  \
+  if (yydebug)								  \
+    {									  \
+      YYFPRINTF (stderr, "%s ", Title);					  \
+      yy_symbol_print (stderr,						  \
+		  Type, Value); \
+      YYFPRINTF (stderr, "\n");						  \
+    }									  \
+} while (YYID (0))
 
-# define YY_SYMBOL_PRINT(Title, Type, Value, Location)                    \
-do {                                                                      \
-  if (yydebug)                                                            \
-    {                                                                     \
-      YYFPRINTF (stderr, "%s ", Title);                                   \
-      yy_symbol_print (stderr,                                            \
-                  Type, Value); \
-      YYFPRINTF (stderr, "\n");                                           \
-    }                                                                     \
-} while (0)
 
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
 
-/*----------------------------------------.
-| Print this symbol's value on YYOUTPUT.  |
-`----------------------------------------*/
-
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static void
 yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_value_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
 {
   FILE *yyo = yyoutput;
   YYUSE (yyo);
@@ -1497,6 +1656,8 @@ yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvalue
 # ifdef YYPRINT
   if (yytype < YYNTOKENS)
     YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# else
+  YYUSE (yyoutput);
 # endif
   YYUSE (yytype);
 }
@@ -1506,11 +1667,22 @@ yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvalue
 | Print this symbol on YYOUTPUT.  |
 `--------------------------------*/
 
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static void
 yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
 {
-  YYFPRINTF (yyoutput, "%s %s (",
-             yytype < YYNTOKENS ? "token" : "nterm", yytname[yytype]);
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
 
   yy_symbol_value_print (yyoutput, yytype, yyvaluep);
   YYFPRINTF (yyoutput, ")");
@@ -1521,8 +1693,16 @@ yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
 | TOP (included).                                                   |
 `------------------------------------------------------------------*/
 
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static void
 yy_stack_print (yytype_int16 *yybottom, yytype_int16 *yytop)
+#else
+static void
+yy_stack_print (yybottom, yytop)
+    yytype_int16 *yybottom;
+    yytype_int16 *yytop;
+#endif
 {
   YYFPRINTF (stderr, "Stack now");
   for (; yybottom <= yytop; yybottom++)
@@ -1533,42 +1713,49 @@ yy_stack_print (yytype_int16 *yybottom, yytype_int16 *yytop)
   YYFPRINTF (stderr, "\n");
 }
 
-# define YY_STACK_PRINT(Bottom, Top)                            \
-do {                                                            \
-  if (yydebug)                                                  \
-    yy_stack_print ((Bottom), (Top));                           \
-} while (0)
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (YYID (0))
 
 
 /*------------------------------------------------.
 | Report that the YYRULE is going to be reduced.  |
 `------------------------------------------------*/
 
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static void
-yy_reduce_print (yytype_int16 *yyssp, YYSTYPE *yyvsp, int yyrule)
+yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+#else
+static void
+yy_reduce_print (yyvsp, yyrule)
+    YYSTYPE *yyvsp;
+    int yyrule;
+#endif
 {
-  unsigned long int yylno = yyrline[yyrule];
   int yynrhs = yyr2[yyrule];
   int yyi;
+  unsigned long int yylno = yyrline[yyrule];
   YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
-             yyrule - 1, yylno);
+	     yyrule - 1, yylno);
   /* The symbols being reduced.  */
   for (yyi = 0; yyi < yynrhs; yyi++)
     {
       YYFPRINTF (stderr, "   $%d = ", yyi + 1);
-      yy_symbol_print (stderr,
-                       yystos[yyssp[yyi + 1 - yynrhs]],
-                       &(yyvsp[(yyi + 1) - (yynrhs)])
-                                              );
+      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+		       &(yyvsp[(yyi + 1) - (yynrhs)])
+		       		       );
       YYFPRINTF (stderr, "\n");
     }
 }
 
-# define YY_REDUCE_PRINT(Rule)          \
-do {                                    \
-  if (yydebug)                          \
-    yy_reduce_print (yyssp, yyvsp, Rule); \
-} while (0)
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (yyvsp, Rule); \
+} while (YYID (0))
 
 /* Nonzero means print parse trace.  It is left uninitialized so that
    multiple parsers can coexist.  */
@@ -1582,7 +1769,7 @@ int yydebug;
 
 
 /* YYINITDEPTH -- initial size of the parser's stacks.  */
-#ifndef YYINITDEPTH
+#ifndef	YYINITDEPTH
 # define YYINITDEPTH 200
 #endif
 
@@ -1605,8 +1792,15 @@ int yydebug;
 #   define yystrlen strlen
 #  else
 /* Return the length of YYSTR.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static YYSIZE_T
 yystrlen (const char *yystr)
+#else
+static YYSIZE_T
+yystrlen (yystr)
+    const char *yystr;
+#endif
 {
   YYSIZE_T yylen;
   for (yylen = 0; yystr[yylen]; yylen++)
@@ -1622,8 +1816,16 @@ yystrlen (const char *yystr)
 #  else
 /* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
    YYDEST.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static char *
 yystpcpy (char *yydest, const char *yysrc)
+#else
+static char *
+yystpcpy (yydest, yysrc)
+    char *yydest;
+    const char *yysrc;
+#endif
 {
   char *yyd = yydest;
   const char *yys = yysrc;
@@ -1653,27 +1855,27 @@ yytnamerr (char *yyres, const char *yystr)
       char const *yyp = yystr;
 
       for (;;)
-        switch (*++yyp)
-          {
-          case '\'':
-          case ',':
-            goto do_not_strip_quotes;
-
-          case '\\':
-            if (*++yyp != '\\')
-              goto do_not_strip_quotes;
-            /* Fall through.  */
-          default:
-            if (yyres)
-              yyres[yyn] = *yyp;
-            yyn++;
-            break;
-
-          case '"':
-            if (yyres)
-              yyres[yyn] = '\0';
-            return yyn;
-          }
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
     do_not_strip_quotes: ;
     }
 
@@ -1696,11 +1898,11 @@ static int
 yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                 yytype_int16 *yyssp, int yytoken)
 {
-  YYSIZE_T yysize0 = yytnamerr (YY_NULLPTR, yytname[yytoken]);
+  YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);
   YYSIZE_T yysize = yysize0;
   enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
   /* Internationalized format string. */
-  const char *yyformat = YY_NULLPTR;
+  const char *yyformat = YY_NULL;
   /* Arguments of yyformat. */
   char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
   /* Number of reported tokens (one for the "unexpected", one per
@@ -1708,6 +1910,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
   int yycount = 0;
 
   /* There are many possibilities here to consider:
+     - Assume YYFAIL is not used.  It's too flawed to consider.  See
+       <http://lists.gnu.org/archive/html/bison-patches/2009-12/msg00024.html>
+       for details.  YYERROR is fine as it does not invoke this
+       function.
      - If this state is a consistent state with a default action, then
        the only way this function was invoked is if the default action
        is an error action.  In that case, don't check for expected
@@ -1757,7 +1963,7 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                   }
                 yyarg[yycount++] = yytname[yyx];
                 {
-                  YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULLPTR, yytname[yyx]);
+                  YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULL, yytname[yyx]);
                   if (! (yysize <= yysize1
                          && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
                     return 2;
@@ -1824,17 +2030,26 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
 | Release the memory associated to this symbol.  |
 `-----------------------------------------------*/
 
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 static void
 yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
 {
   YYUSE (yyvaluep);
+
   if (!yymsg)
     yymsg = "Deleting";
   YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
 
-  YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
   YYUSE (yytype);
-  YY_IGNORE_MAYBE_UNINITIALIZED_END
 }
 
 
@@ -1843,8 +2058,18 @@ yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
 /* The lookahead symbol.  */
 int yychar;
 
+
+#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
+# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
+# define YY_IGNORE_MAYBE_UNINITIALIZED_END
+#endif
+#ifndef YY_INITIAL_VALUE
+# define YY_INITIAL_VALUE(Value) /* Nothing. */
+#endif
+
 /* The semantic value of the lookahead symbol.  */
-YYSTYPE yylval;
+YYSTYPE yylval YY_INITIAL_VALUE(yyval_default);
+
 /* Number of syntax errors so far.  */
 int yynerrs;
 
@@ -1853,16 +2078,35 @@ int yynerrs;
 | yyparse.  |
 `----------*/
 
+#ifdef YYPARSE_PARAM
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void *YYPARSE_PARAM)
+#else
+int
+yyparse (YYPARSE_PARAM)
+    void *YYPARSE_PARAM;
+#endif
+#else /* ! YYPARSE_PARAM */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
 int
 yyparse (void)
+#else
+int
+yyparse ()
+
+#endif
+#endif
 {
     int yystate;
     /* Number of tokens to shift before error messages enabled.  */
     int yyerrstatus;
 
     /* The stacks and their tools:
-       'yyss': related to states.
-       'yyvs': related to semantic values.
+       `yyss': related to states.
+       `yyvs': related to semantic values.
 
        Refer to the stacks through separate pointers, to allow yyoverflow
        to reallocate them elsewhere.  */
@@ -1930,23 +2174,23 @@ yyparse (void)
 
 #ifdef yyoverflow
       {
-        /* Give user a chance to reallocate the stack.  Use copies of
-           these so that the &'s don't force the real ones into
-           memory.  */
-        YYSTYPE *yyvs1 = yyvs;
-        yytype_int16 *yyss1 = yyss;
-
-        /* Each stack pointer address is followed by the size of the
-           data in use in that stack, in bytes.  This used to be a
-           conditional around just the two extra args, but that might
-           be undefined if yyoverflow is a macro.  */
-        yyoverflow (YY_("memory exhausted"),
-                    &yyss1, yysize * sizeof (*yyssp),
-                    &yyvs1, yysize * sizeof (*yyvsp),
-                    &yystacksize);
-
-        yyss = yyss1;
-        yyvs = yyvs1;
+	/* Give user a chance to reallocate the stack.  Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	yytype_int16 *yyss1 = yyss;
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
       }
 #else /* no yyoverflow */
 # ifndef YYSTACK_RELOCATE
@@ -1954,22 +2198,22 @@ yyparse (void)
 # else
       /* Extend the stack our own way.  */
       if (YYMAXDEPTH <= yystacksize)
-        goto yyexhaustedlab;
+	goto yyexhaustedlab;
       yystacksize *= 2;
       if (YYMAXDEPTH < yystacksize)
-        yystacksize = YYMAXDEPTH;
+	yystacksize = YYMAXDEPTH;
 
       {
-        yytype_int16 *yyss1 = yyss;
-        union yyalloc *yyptr =
-          (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
-        if (! yyptr)
-          goto yyexhaustedlab;
-        YYSTACK_RELOCATE (yyss_alloc, yyss);
-        YYSTACK_RELOCATE (yyvs_alloc, yyvs);
+	yytype_int16 *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss_alloc, yyss);
+	YYSTACK_RELOCATE (yyvs_alloc, yyvs);
 #  undef YYSTACK_RELOCATE
-        if (yyss1 != yyssa)
-          YYSTACK_FREE (yyss1);
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
       }
 # endif
 #endif /* no yyoverflow */
@@ -1978,10 +2222,10 @@ yyparse (void)
       yyvsp = yyvs + yysize - 1;
 
       YYDPRINTF ((stderr, "Stack size increased to %lu\n",
-                  (unsigned long int) yystacksize));
+		  (unsigned long int) yystacksize));
 
       if (yyss + yystacksize - 1 <= yyssp)
-        YYABORT;
+	YYABORT;
     }
 
   YYDPRINTF ((stderr, "Entering state %d\n", yystate));
@@ -2010,7 +2254,7 @@ yybackup:
   if (yychar == YYEMPTY)
     {
       YYDPRINTF ((stderr, "Reading a token: "));
-      yychar = yylex ();
+      yychar = YYLEX;
     }
 
   if (yychar <= YYEOF)
@@ -2075,7 +2319,7 @@ yyreduce:
   yylen = yyr2[yyn];
 
   /* If YYLEN is nonzero, implement the default value of the action:
-     '$$ = $1'.
+     `$$ = $1'.
 
      Otherwise, the following line sets YYVAL to garbage.
      This behavior is undocumented and Bison
@@ -2089,7 +2333,8 @@ yyreduce:
   switch (yyn)
     {
         case 5:
-#line 373 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 376 "../../ntpd/ntp_parser.y"
     {
 			/* I will need to incorporate much more fine grained
 			 * error messages. The following should suffice for
@@ -2102,433 +2347,433 @@ yyreduce:
 				ip_ctx->errpos.nline,
 				ip_ctx->errpos.ncol);
 		}
-#line 2106 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 20:
-#line 409 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 412 "../../ntpd/ntp_parser.y"
     {
 			peer_node *my_node;
 
-			my_node = create_peer_node((yyvsp[-2].Integer), (yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo));
+			my_node = create_peer_node((yyvsp[(1) - (3)].Integer), (yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Attr_val_fifo));
 			APPEND_G_FIFO(cfgt.peers, my_node);
 		}
-#line 2117 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 27:
-#line 428 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Address_node) = create_address_node((yyvsp[0].String), (yyvsp[-1].Integer)); }
-#line 2123 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 431 "../../ntpd/ntp_parser.y"
+    { (yyval.Address_node) = create_address_node((yyvsp[(2) - (2)].String), (yyvsp[(1) - (2)].Integer)); }
     break;
 
   case 28:
-#line 433 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Address_node) = create_address_node((yyvsp[0].String), AF_UNSPEC); }
-#line 2129 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 436 "../../ntpd/ntp_parser.y"
+    { (yyval.Address_node) = create_address_node((yyvsp[(1) - (1)].String), AF_UNSPEC); }
     break;
 
   case 29:
-#line 438 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 441 "../../ntpd/ntp_parser.y"
     { (yyval.Integer) = AF_INET; }
-#line 2135 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 30:
-#line 440 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 443 "../../ntpd/ntp_parser.y"
     { (yyval.Integer) = AF_INET6; }
-#line 2141 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 31:
-#line 445 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 448 "../../ntpd/ntp_parser.y"
     { (yyval.Attr_val_fifo) = NULL; }
-#line 2147 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 32:
-#line 447 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 450 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2156 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 36:
-#line 461 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); }
-#line 2162 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 464 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[(1) - (1)].Integer)); }
     break;
 
   case 45:
-#line 477 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2168 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 480 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 46:
-#line 479 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_uval((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2174 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 482 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_uval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 53:
-#line 493 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2180 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 496 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String)); }
     break;
 
   case 55:
-#line 507 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 510 "../../ntpd/ntp_parser.y"
     {
 			unpeer_node *my_node;
 
-			my_node = create_unpeer_node((yyvsp[0].Address_node));
+			my_node = create_unpeer_node((yyvsp[(2) - (2)].Address_node));
 			if (my_node)
 				APPEND_G_FIFO(cfgt.unpeers, my_node);
 		}
-#line 2192 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 58:
-#line 528 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 531 "../../ntpd/ntp_parser.y"
     { cfgt.broadcastclient = 1; }
-#line 2198 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 59:
-#line 530 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.manycastserver, (yyvsp[0].Address_fifo)); }
-#line 2204 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 533 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.manycastserver, (yyvsp[(2) - (2)].Address_fifo)); }
     break;
 
   case 60:
-#line 532 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.multicastclient, (yyvsp[0].Address_fifo)); }
-#line 2210 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 535 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.multicastclient, (yyvsp[(2) - (2)].Address_fifo)); }
     break;
 
   case 61:
-#line 534 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.mdnstries = (yyvsp[0].Integer); }
-#line 2216 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 537 "../../ntpd/ntp_parser.y"
+    { cfgt.mdnstries = (yyvsp[(2) - (2)].Integer); }
     break;
 
   case 62:
-#line 545 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 548 "../../ntpd/ntp_parser.y"
     {
 			attr_val *atrv;
 
-			atrv = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
+			atrv = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer));
 			APPEND_G_FIFO(cfgt.vars, atrv);
 		}
-#line 2227 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 63:
-#line 552 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.auth.control_key = (yyvsp[0].Integer); }
-#line 2233 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 555 "../../ntpd/ntp_parser.y"
+    { cfgt.auth.control_key = (yyvsp[(2) - (2)].Integer); }
     break;
 
   case 64:
-#line 554 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 557 "../../ntpd/ntp_parser.y"
     {
 			cfgt.auth.cryptosw++;
-			CONCAT_G_FIFOS(cfgt.auth.crypto_cmd_list, (yyvsp[0].Attr_val_fifo));
+			CONCAT_G_FIFOS(cfgt.auth.crypto_cmd_list, (yyvsp[(2) - (2)].Attr_val_fifo));
 		}
-#line 2242 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 65:
-#line 559 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.auth.keys = (yyvsp[0].String); }
-#line 2248 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 562 "../../ntpd/ntp_parser.y"
+    { cfgt.auth.keys = (yyvsp[(2) - (2)].String); }
     break;
 
   case 66:
-#line 561 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.auth.keysdir = (yyvsp[0].String); }
-#line 2254 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 564 "../../ntpd/ntp_parser.y"
+    { cfgt.auth.keysdir = (yyvsp[(2) - (2)].String); }
     break;
 
   case 67:
-#line 563 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.auth.request_key = (yyvsp[0].Integer); }
-#line 2260 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 566 "../../ntpd/ntp_parser.y"
+    { cfgt.auth.request_key = (yyvsp[(2) - (2)].Integer); }
     break;
 
   case 68:
-#line 565 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.auth.revoke = (yyvsp[0].Integer); }
-#line 2266 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 568 "../../ntpd/ntp_parser.y"
+    { cfgt.auth.revoke = (yyvsp[(2) - (2)].Integer); }
     break;
 
   case 69:
-#line 567 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 570 "../../ntpd/ntp_parser.y"
     {
-			cfgt.auth.trusted_key_list = (yyvsp[0].Attr_val_fifo);
+			cfgt.auth.trusted_key_list = (yyvsp[(2) - (2)].Attr_val_fifo);
 
 			// if (!cfgt.auth.trusted_key_list)
 			// 	cfgt.auth.trusted_key_list = $2;
 			// else
 			// 	LINK_SLIST(cfgt.auth.trusted_key_list, $2, link);
 		}
-#line 2279 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 70:
-#line 576 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { cfgt.auth.ntp_signd_socket = (yyvsp[0].String); }
-#line 2285 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 579 "../../ntpd/ntp_parser.y"
+    { cfgt.auth.ntp_signd_socket = (yyvsp[(2) - (2)].String); }
     break;
 
   case 71:
-#line 581 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 584 "../../ntpd/ntp_parser.y"
     { (yyval.Attr_val_fifo) = NULL; }
-#line 2291 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 72:
-#line 583 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 586 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2300 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 73:
-#line 591 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2306 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 594 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String)); }
     break;
 
   case 74:
-#line 593 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 596 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val) = NULL;
-			cfgt.auth.revoke = (yyvsp[0].Integer);
+			cfgt.auth.revoke = (yyvsp[(2) - (2)].Integer);
 			msyslog(LOG_WARNING,
 				"'crypto revoke %d' is deprecated, "
 				"please use 'revoke %d' instead.",
 				cfgt.auth.revoke, cfgt.auth.revoke);
 		}
-#line 2319 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 80:
-#line 618 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.orphan_cmds, (yyvsp[0].Attr_val_fifo)); }
-#line 2325 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 621 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.orphan_cmds, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
   case 81:
-#line 623 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 626 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2334 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 82:
-#line 628 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 631 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2343 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 83:
-#line 636 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (double)(yyvsp[0].Integer)); }
-#line 2349 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 639 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (2)].Integer), (double)(yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 84:
-#line 638 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); }
-#line 2355 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 641 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Double)); }
     break;
 
   case 85:
-#line 640 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (double)(yyvsp[0].Integer)); }
-#line 2361 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 643 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (2)].Integer), (double)(yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 96:
-#line 666 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.stats_list, (yyvsp[0].Int_fifo)); }
-#line 2367 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 669 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.stats_list, (yyvsp[(2) - (2)].Int_fifo)); }
     break;
 
   case 97:
-#line 668 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 671 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
-				cfgt.stats_dir = (yyvsp[0].String);
+				cfgt.stats_dir = (yyvsp[(2) - (2)].String);
 			} else {
-				YYFREE((yyvsp[0].String));
+				YYFREE((yyvsp[(2) - (2)].String));
 				yyerror("statsdir remote configuration ignored");
 			}
 		}
-#line 2380 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 98:
-#line 677 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 680 "../../ntpd/ntp_parser.y"
     {
 			filegen_node *fgn;
 
-			fgn = create_filegen_node((yyvsp[-1].Integer), (yyvsp[0].Attr_val_fifo));
+			fgn = create_filegen_node((yyvsp[(2) - (3)].Integer), (yyvsp[(3) - (3)].Attr_val_fifo));
 			APPEND_G_FIFO(cfgt.filegen_opts, fgn);
 		}
-#line 2391 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 99:
-#line 687 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 690 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Int_fifo) = (yyvsp[-1].Int_fifo);
-			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
+			(yyval.Int_fifo) = (yyvsp[(1) - (2)].Int_fifo);
+			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[(2) - (2)].Integer)));
 		}
-#line 2400 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 100:
-#line 692 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 695 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Int_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
+			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[(1) - (1)].Integer)));
 		}
-#line 2409 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 109:
-#line 711 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 714 "../../ntpd/ntp_parser.y"
     { (yyval.Attr_val_fifo) = NULL; }
-#line 2415 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 110:
-#line 713 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 716 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2424 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 111:
-#line 721 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 724 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
-				(yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String));
+				(yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String));
 			} else {
 				(yyval.Attr_val) = NULL;
-				YYFREE((yyvsp[0].String));
+				YYFREE((yyvsp[(2) - (2)].String));
 				yyerror("filegen file remote config ignored");
 			}
 		}
-#line 2438 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 112:
-#line 731 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 734 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
-				(yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
+				(yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer));
 			} else {
 				(yyval.Attr_val) = NULL;
 				yyerror("filegen type remote config ignored");
 			}
 		}
-#line 2451 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 113:
-#line 740 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 743 "../../ntpd/ntp_parser.y"
     {
 			const char *err;
 
 			if (lex_from_file()) {
-				(yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer));
+				(yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[(1) - (1)].Integer));
 			} else {
 				(yyval.Attr_val) = NULL;
-				if (T_Link == (yyvsp[0].Integer))
+				if (T_Link == (yyvsp[(1) - (1)].Integer))
 					err = "filegen link remote config ignored";
 				else
 					err = "filegen nolink remote config ignored";
 				yyerror(err);
 			}
 		}
-#line 2470 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 114:
-#line 755 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); }
-#line 2476 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 758 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[(1) - (1)].Integer)); }
     break;
 
   case 126:
-#line 785 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 788 "../../ntpd/ntp_parser.y"
     {
-			CONCAT_G_FIFOS(cfgt.discard_opts, (yyvsp[0].Attr_val_fifo));
+			CONCAT_G_FIFOS(cfgt.discard_opts, (yyvsp[(2) - (2)].Attr_val_fifo));
 		}
-#line 2484 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 127:
-#line 789 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 792 "../../ntpd/ntp_parser.y"
     {
-			CONCAT_G_FIFOS(cfgt.mru_opts, (yyvsp[0].Attr_val_fifo));
+			CONCAT_G_FIFOS(cfgt.mru_opts, (yyvsp[(2) - (2)].Attr_val_fifo));
 		}
-#line 2492 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 128:
-#line 793 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 796 "../../ntpd/ntp_parser.y"
     {
 			restrict_node *rn;
 
-			rn = create_restrict_node((yyvsp[-1].Address_node), NULL, (yyvsp[0].Int_fifo),
+			rn = create_restrict_node((yyvsp[(2) - (3)].Address_node), NULL, (yyvsp[(3) - (3)].Int_fifo),
 						  lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-#line 2504 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 129:
-#line 801 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 804 "../../ntpd/ntp_parser.y"
     {
 			restrict_node *rn;
 
-			rn = create_restrict_node((yyvsp[-3].Address_node), (yyvsp[-1].Address_node), (yyvsp[0].Int_fifo),
+			rn = create_restrict_node((yyvsp[(2) - (5)].Address_node), (yyvsp[(4) - (5)].Address_node), (yyvsp[(5) - (5)].Int_fifo),
 						  lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-#line 2516 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 130:
-#line 809 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 812 "../../ntpd/ntp_parser.y"
     {
 			restrict_node *rn;
 
-			rn = create_restrict_node(NULL, NULL, (yyvsp[0].Int_fifo),
+			rn = create_restrict_node(NULL, NULL, (yyvsp[(3) - (3)].Int_fifo),
 						  lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-#line 2528 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 131:
-#line 817 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 820 "../../ntpd/ntp_parser.y"
     {
 			restrict_node *rn;
 
@@ -2539,15 +2784,15 @@ yyreduce:
 				create_address_node(
 					estrdup("0.0.0.0"),
 					AF_INET),
-				(yyvsp[0].Int_fifo),
+				(yyvsp[(4) - (4)].Int_fifo),
 				lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-#line 2547 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 132:
-#line 832 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 835 "../../ntpd/ntp_parser.y"
     {
 			restrict_node *rn;
 
@@ -2558,327 +2803,327 @@ yyreduce:
 				create_address_node(
 					estrdup("::"),
 					AF_INET6),
-				(yyvsp[0].Int_fifo),
+				(yyvsp[(4) - (4)].Int_fifo),
 				lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-#line 2566 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 133:
-#line 847 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 850 "../../ntpd/ntp_parser.y"
     {
 			restrict_node *	rn;
 
-			APPEND_G_FIFO((yyvsp[0].Int_fifo), create_int_node((yyvsp[-1].Integer)));
+			APPEND_G_FIFO((yyvsp[(3) - (3)].Int_fifo), create_int_node((yyvsp[(2) - (3)].Integer)));
 			rn = create_restrict_node(
-				NULL, NULL, (yyvsp[0].Int_fifo), lex_current()->curpos.nline);
+				NULL, NULL, (yyvsp[(3) - (3)].Int_fifo), lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-#line 2579 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 134:
-#line 859 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 862 "../../ntpd/ntp_parser.y"
     { (yyval.Int_fifo) = NULL; }
-#line 2585 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 135:
-#line 861 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 864 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Int_fifo) = (yyvsp[-1].Int_fifo);
-			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
+			(yyval.Int_fifo) = (yyvsp[(1) - (2)].Int_fifo);
+			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[(2) - (2)].Integer)));
 		}
-#line 2594 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 151:
-#line 887 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 890 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2603 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 152:
-#line 892 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 895 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2612 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 153:
-#line 900 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2618 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 903 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 157:
-#line 911 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 914 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2627 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 158:
-#line 916 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 919 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2636 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 159:
-#line 924 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2642 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 927 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 168:
-#line 944 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 947 "../../ntpd/ntp_parser.y"
     {
 			addr_opts_node *aon;
 
-			aon = create_addr_opts_node((yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo));
+			aon = create_addr_opts_node((yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Attr_val_fifo));
 			APPEND_G_FIFO(cfgt.fudge, aon);
 		}
-#line 2653 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 169:
-#line 954 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 957 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2662 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 170:
-#line 959 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 962 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2671 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 171:
-#line 967 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); }
-#line 2677 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 970 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Double)); }
     break;
 
   case 172:
-#line 969 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2683 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 972 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 173:
-#line 971 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 974 "../../ntpd/ntp_parser.y"
     {
-			if ((yyvsp[0].Integer) >= 0 && (yyvsp[0].Integer) <= 16) {
-				(yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
+			if ((yyvsp[(2) - (2)].Integer) >= 0 && (yyvsp[(2) - (2)].Integer) <= 16) {
+				(yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer));
 			} else {
 				(yyval.Attr_val) = NULL;
 				yyerror("fudge factor: stratum value not in [0..16], ignored");
 			}
 		}
-#line 2696 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 174:
-#line 980 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2702 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 983 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String)); }
     break;
 
   case 175:
-#line 982 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2708 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 985 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String)); }
     break;
 
   case 182:
-#line 1003 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.rlimit, (yyvsp[0].Attr_val_fifo)); }
-#line 2714 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1006 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.rlimit, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
   case 183:
-#line 1008 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1011 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2723 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 184:
-#line 1013 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1016 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2732 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 185:
-#line 1021 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2738 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1024 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
   case 189:
-#line 1037 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.enable_opts, (yyvsp[0].Attr_val_fifo)); }
-#line 2744 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1040 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.enable_opts, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
   case 190:
-#line 1039 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.disable_opts, (yyvsp[0].Attr_val_fifo)); }
-#line 2750 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1042 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.disable_opts, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
   case 191:
-#line 1044 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1047 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2759 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 192:
-#line 1049 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1052 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2768 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
   case 193:
-#line 1057 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); }
-#line 2774 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1060 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[(1) - (1)].Integer)); }
     break;
 
   case 194:
-#line 1059 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 1062 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
-				(yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer));
+				(yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[(1) - (1)].Integer));
 			} else {
 				char err_str[128];
 
 				(yyval.Attr_val) = NULL;
 				snprintf(err_str, sizeof(err_str),
 					 "enable/disable %s remote configuration ignored",
-					 keyword((yyvsp[0].Integer)));
+					 keyword((yyvsp[(1) - (1)].Integer)));
 				yyerror(err_str);
 			}
 		}
-#line 2792 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 203:
-#line 1094 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.tinker, (yyvsp[0].Attr_val_fifo)); }
-#line 2798 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 206:
+/* Line 1787 of yacc.c  */
+#line 1100 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.tinker, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
-  case 204:
-#line 1099 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 207:
+/* Line 1787 of yacc.c  */
+#line 1105 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 2807 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 205:
-#line 1104 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 208:
+/* Line 1787 of yacc.c  */
+#line 1110 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 2816 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 206:
-#line 1112 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); }
-#line 2822 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 209:
+/* Line 1787 of yacc.c  */
+#line 1118 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Double)); }
     break;
 
-  case 219:
-#line 1137 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 222:
+/* Line 1787 of yacc.c  */
+#line 1143 "../../ntpd/ntp_parser.y"
     {
 			attr_val *av;
 
-			av = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double));
+			av = create_attr_dval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Double));
 			APPEND_G_FIFO(cfgt.vars, av);
 		}
-#line 2833 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 220:
-#line 1144 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 223:
+/* Line 1787 of yacc.c  */
+#line 1150 "../../ntpd/ntp_parser.y"
     {
 			attr_val *av;
 
-			av = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
+			av = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer));
 			APPEND_G_FIFO(cfgt.vars, av);
 		}
-#line 2844 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 221:
-#line 1151 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 224:
+/* Line 1787 of yacc.c  */
+#line 1157 "../../ntpd/ntp_parser.y"
     {
 			attr_val *av;
 
-			av = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String));
+			av = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String));
 			APPEND_G_FIFO(cfgt.vars, av);
 		}
-#line 2855 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 222:
-#line 1158 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 225:
+/* Line 1787 of yacc.c  */
+#line 1164 "../../ntpd/ntp_parser.y"
     {
 			char error_text[64];
 			attr_val *av;
 
 			if (lex_from_file()) {
-				av = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String));
+				av = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String));
 				APPEND_G_FIFO(cfgt.vars, av);
 			} else {
-				YYFREE((yyvsp[0].String));
+				YYFREE((yyvsp[(2) - (2)].String));
 				snprintf(error_text, sizeof(error_text),
 					 "%s remote config ignored",
-					 keyword((yyvsp[-1].Integer)));
+					 keyword((yyvsp[(1) - (2)].Integer)));
 				yyerror(error_text);
 			}
 		}
-#line 2875 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 223:
-#line 1174 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 226:
+/* Line 1787 of yacc.c  */
+#line 1180 "../../ntpd/ntp_parser.y"
     {
 			if (!lex_from_file()) {
-				YYFREE((yyvsp[-1].String)); /* avoid leak */
+				YYFREE((yyvsp[(2) - (3)].String)); /* avoid leak */
 				yyerror("remote includefile ignored");
 				break;
 			}
@@ -2886,108 +3131,108 @@ yyreduce:
 				fprintf(stderr, "getconfig: Maximum include file level exceeded.\n");
 				msyslog(LOG_ERR, "getconfig: Maximum include file level exceeded.");
 			} else {
-				const char * path = FindConfig((yyvsp[-1].String)); /* might return $2! */
+				const char * path = FindConfig((yyvsp[(2) - (3)].String)); /* might return $2! */
 				if (!lex_push_file(path, "r")) {
 					fprintf(stderr, "getconfig: Couldn't open <%s>\n", path);
 					msyslog(LOG_ERR, "getconfig: Couldn't open <%s>", path);
 				}
 			}
-			YYFREE((yyvsp[-1].String)); /* avoid leak */
+			YYFREE((yyvsp[(2) - (3)].String)); /* avoid leak */
 		}
-#line 2898 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 224:
-#line 1193 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 227:
+/* Line 1787 of yacc.c  */
+#line 1199 "../../ntpd/ntp_parser.y"
     { lex_flush_stack(); }
-#line 2904 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 225:
-#line 1195 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 228:
+/* Line 1787 of yacc.c  */
+#line 1201 "../../ntpd/ntp_parser.y"
     { /* see drift_parm below for actions */ }
-#line 2910 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 226:
-#line 1197 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.logconfig, (yyvsp[0].Attr_val_fifo)); }
-#line 2916 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 229:
+/* Line 1787 of yacc.c  */
+#line 1203 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.logconfig, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
-  case 227:
-#line 1199 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.phone, (yyvsp[0].String_fifo)); }
-#line 2922 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 230:
+/* Line 1787 of yacc.c  */
+#line 1205 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.phone, (yyvsp[(2) - (2)].String_fifo)); }
     break;
 
-  case 228:
-#line 1201 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { APPEND_G_FIFO(cfgt.setvar, (yyvsp[0].Set_var)); }
-#line 2928 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 231:
+/* Line 1787 of yacc.c  */
+#line 1207 "../../ntpd/ntp_parser.y"
+    { APPEND_G_FIFO(cfgt.setvar, (yyvsp[(2) - (2)].Set_var)); }
     break;
 
-  case 229:
-#line 1203 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 232:
+/* Line 1787 of yacc.c  */
+#line 1209 "../../ntpd/ntp_parser.y"
     {
 			addr_opts_node *aon;
 
-			aon = create_addr_opts_node((yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo));
+			aon = create_addr_opts_node((yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Attr_val_fifo));
 			APPEND_G_FIFO(cfgt.trap, aon);
 		}
-#line 2939 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 230:
-#line 1210 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.ttl, (yyvsp[0].Attr_val_fifo)); }
-#line 2945 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 233:
+/* Line 1787 of yacc.c  */
+#line 1216 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.ttl, (yyvsp[(2) - (2)].Attr_val_fifo)); }
     break;
 
-  case 235:
-#line 1225 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 238:
+/* Line 1787 of yacc.c  */
+#line 1231 "../../ntpd/ntp_parser.y"
     {
 #ifndef LEAP_SMEAR
 			yyerror("Built without LEAP_SMEAR support.");
 #endif
 		}
-#line 2955 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 241:
-#line 1245 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 244:
+/* Line 1787 of yacc.c  */
+#line 1251 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
 				attr_val *av;
-				av = create_attr_sval(T_Driftfile, (yyvsp[0].String));
+				av = create_attr_sval(T_Driftfile, (yyvsp[(1) - (1)].String));
 				APPEND_G_FIFO(cfgt.vars, av);
 			} else {
-				YYFREE((yyvsp[0].String));
+				YYFREE((yyvsp[(1) - (1)].String));
 				yyerror("driftfile remote configuration ignored");
 			}
 		}
-#line 2970 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 242:
-#line 1256 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 245:
+/* Line 1787 of yacc.c  */
+#line 1262 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
 				attr_val *av;
-				av = create_attr_sval(T_Driftfile, (yyvsp[-1].String));
+				av = create_attr_sval(T_Driftfile, (yyvsp[(1) - (2)].String));
 				APPEND_G_FIFO(cfgt.vars, av);
-				av = create_attr_dval(T_WanderThreshold, (yyvsp[0].Double));
+				av = create_attr_dval(T_WanderThreshold, (yyvsp[(2) - (2)].Double));
 				APPEND_G_FIFO(cfgt.vars, av);
 			} else {
-				YYFREE((yyvsp[-1].String));
+				YYFREE((yyvsp[(1) - (2)].String));
 				yyerror("driftfile remote configuration ignored");
 			}
 		}
-#line 2987 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 243:
-#line 1269 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 246:
+/* Line 1787 of yacc.c  */
+#line 1275 "../../ntpd/ntp_parser.y"
     {
 			if (lex_from_file()) {
 				attr_val *av;
@@ -2997,386 +3242,386 @@ yyreduce:
 				yyerror("driftfile remote configuration ignored");
 			}
 		}
-#line 3001 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 244:
-#line 1282 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Set_var) = create_setvar_node((yyvsp[-3].String), (yyvsp[-1].String), (yyvsp[0].Integer)); }
-#line 3007 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 247:
+/* Line 1787 of yacc.c  */
+#line 1288 "../../ntpd/ntp_parser.y"
+    { (yyval.Set_var) = create_setvar_node((yyvsp[(1) - (4)].String), (yyvsp[(3) - (4)].String), (yyvsp[(4) - (4)].Integer)); }
     break;
 
-  case 246:
-#line 1288 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 249:
+/* Line 1787 of yacc.c  */
+#line 1294 "../../ntpd/ntp_parser.y"
     { (yyval.Integer) = 0; }
-#line 3013 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 247:
-#line 1293 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 250:
+/* Line 1787 of yacc.c  */
+#line 1299 "../../ntpd/ntp_parser.y"
     { (yyval.Attr_val_fifo) = NULL; }
-#line 3019 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 248:
-#line 1295 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 251:
+/* Line 1787 of yacc.c  */
+#line 1301 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 3028 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 249:
-#line 1303 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 3034 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 252:
+/* Line 1787 of yacc.c  */
+#line 1309 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Integer)); }
     break;
 
-  case 250:
-#line 1305 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 253:
+/* Line 1787 of yacc.c  */
+#line 1311 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), estrdup((yyvsp[0].Address_node)->address));
-			destroy_address_node((yyvsp[0].Address_node));
+			(yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), estrdup((yyvsp[(2) - (2)].Address_node)->address));
+			destroy_address_node((yyvsp[(2) - (2)].Address_node));
 		}
-#line 3043 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 251:
-#line 1313 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 254:
+/* Line 1787 of yacc.c  */
+#line 1319 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 3052 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 252:
-#line 1318 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 255:
+/* Line 1787 of yacc.c  */
+#line 1324 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 3061 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 253:
-#line 1326 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 256:
+/* Line 1787 of yacc.c  */
+#line 1332 "../../ntpd/ntp_parser.y"
     {
 			char	prefix;
 			char *	type;
 
-			switch ((yyvsp[0].String)[0]) {
+			switch ((yyvsp[(1) - (1)].String)[0]) {
 
 			case '+':
 			case '-':
 			case '=':
-				prefix = (yyvsp[0].String)[0];
-				type = (yyvsp[0].String) + 1;
+				prefix = (yyvsp[(1) - (1)].String)[0];
+				type = (yyvsp[(1) - (1)].String) + 1;
 				break;
 
 			default:
 				prefix = '=';
-				type = (yyvsp[0].String);
+				type = (yyvsp[(1) - (1)].String);
 			}
 
 			(yyval.Attr_val) = create_attr_sval(prefix, estrdup(type));
-			YYFREE((yyvsp[0].String));
+			YYFREE((yyvsp[(1) - (1)].String));
 		}
-#line 3087 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 254:
-#line 1351 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 257:
+/* Line 1787 of yacc.c  */
+#line 1357 "../../ntpd/ntp_parser.y"
     {
 			nic_rule_node *nrn;
 
-			nrn = create_nic_rule_node((yyvsp[0].Integer), NULL, (yyvsp[-1].Integer));
+			nrn = create_nic_rule_node((yyvsp[(3) - (3)].Integer), NULL, (yyvsp[(2) - (3)].Integer));
 			APPEND_G_FIFO(cfgt.nic_rules, nrn);
 		}
-#line 3098 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 255:
-#line 1358 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 258:
+/* Line 1787 of yacc.c  */
+#line 1364 "../../ntpd/ntp_parser.y"
     {
 			nic_rule_node *nrn;
 
-			nrn = create_nic_rule_node(0, (yyvsp[0].String), (yyvsp[-1].Integer));
+			nrn = create_nic_rule_node(0, (yyvsp[(3) - (3)].String), (yyvsp[(2) - (3)].Integer));
 			APPEND_G_FIFO(cfgt.nic_rules, nrn);
 		}
-#line 3109 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 265:
-#line 1386 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { CONCAT_G_FIFOS(cfgt.reset_counters, (yyvsp[0].Int_fifo)); }
-#line 3115 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 268:
+/* Line 1787 of yacc.c  */
+#line 1392 "../../ntpd/ntp_parser.y"
+    { CONCAT_G_FIFOS(cfgt.reset_counters, (yyvsp[(2) - (2)].Int_fifo)); }
     break;
 
-  case 266:
-#line 1391 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 269:
+/* Line 1787 of yacc.c  */
+#line 1397 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Int_fifo) = (yyvsp[-1].Int_fifo);
-			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
+			(yyval.Int_fifo) = (yyvsp[(1) - (2)].Int_fifo);
+			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[(2) - (2)].Integer)));
 		}
-#line 3124 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 267:
-#line 1396 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 270:
+/* Line 1787 of yacc.c  */
+#line 1402 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Int_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
+			APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[(1) - (1)].Integer)));
 		}
-#line 3133 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 275:
-#line 1420 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 278:
+/* Line 1787 of yacc.c  */
+#line 1426 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[0].Integer)));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[(2) - (2)].Integer)));
 		}
-#line 3142 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 276:
-#line 1425 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 279:
+/* Line 1787 of yacc.c  */
+#line 1431 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[0].Integer)));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[(1) - (1)].Integer)));
 		}
-#line 3151 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 277:
-#line 1433 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 280:
+/* Line 1787 of yacc.c  */
+#line 1439 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (2)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (2)].Attr_val));
 		}
-#line 3160 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 278:
-#line 1438 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 281:
+/* Line 1787 of yacc.c  */
+#line 1444 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (1)].Attr_val));
 		}
-#line 3169 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 279:
-#line 1446 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_ival('i', (yyvsp[0].Integer)); }
-#line 3175 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 282:
+/* Line 1787 of yacc.c  */
+#line 1452 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_ival('i', (yyvsp[(1) - (1)].Integer)); }
     break;
 
-  case 281:
-#line 1452 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_rangeval('-', (yyvsp[-3].Integer), (yyvsp[-1].Integer)); }
-#line 3181 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 284:
+/* Line 1787 of yacc.c  */
+#line 1458 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_rangeval('-', (yyvsp[(2) - (5)].Integer), (yyvsp[(4) - (5)].Integer)); }
     break;
 
-  case 282:
-#line 1457 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 285:
+/* Line 1787 of yacc.c  */
+#line 1463 "../../ntpd/ntp_parser.y"
     {
-			(yyval.String_fifo) = (yyvsp[-1].String_fifo);
-			APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[0].String)));
+			(yyval.String_fifo) = (yyvsp[(1) - (2)].String_fifo);
+			APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[(2) - (2)].String)));
 		}
-#line 3190 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 283:
-#line 1462 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 286:
+/* Line 1787 of yacc.c  */
+#line 1468 "../../ntpd/ntp_parser.y"
     {
 			(yyval.String_fifo) = NULL;
-			APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[0].String)));
+			APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[(1) - (1)].String)));
 		}
-#line 3199 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 284:
-#line 1470 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 287:
+/* Line 1787 of yacc.c  */
+#line 1476 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Address_fifo) = (yyvsp[-1].Address_fifo);
-			APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[0].Address_node));
+			(yyval.Address_fifo) = (yyvsp[(1) - (2)].Address_fifo);
+			APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[(2) - (2)].Address_node));
 		}
-#line 3208 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 285:
-#line 1475 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 288:
+/* Line 1787 of yacc.c  */
+#line 1481 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Address_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[0].Address_node));
+			APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[(1) - (1)].Address_node));
 		}
-#line 3217 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 286:
-#line 1483 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 289:
+/* Line 1787 of yacc.c  */
+#line 1489 "../../ntpd/ntp_parser.y"
     {
-			if ((yyvsp[0].Integer) != 0 && (yyvsp[0].Integer) != 1) {
+			if ((yyvsp[(1) - (1)].Integer) != 0 && (yyvsp[(1) - (1)].Integer) != 1) {
 				yyerror("Integer value is not boolean (0 or 1). Assuming 1");
 				(yyval.Integer) = 1;
 			} else {
-				(yyval.Integer) = (yyvsp[0].Integer);
+				(yyval.Integer) = (yyvsp[(1) - (1)].Integer);
 			}
 		}
-#line 3230 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 287:
-#line 1491 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 290:
+/* Line 1787 of yacc.c  */
+#line 1497 "../../ntpd/ntp_parser.y"
     { (yyval.Integer) = 1; }
-#line 3236 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 288:
-#line 1492 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 291:
+/* Line 1787 of yacc.c  */
+#line 1498 "../../ntpd/ntp_parser.y"
     { (yyval.Integer) = 0; }
-#line 3242 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 289:
-#line 1496 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Double) = (double)(yyvsp[0].Integer); }
-#line 3248 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 292:
+/* Line 1787 of yacc.c  */
+#line 1502 "../../ntpd/ntp_parser.y"
+    { (yyval.Double) = (double)(yyvsp[(1) - (1)].Integer); }
     break;
 
-  case 291:
-#line 1507 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 294:
+/* Line 1787 of yacc.c  */
+#line 1513 "../../ntpd/ntp_parser.y"
     {
 			sim_node *sn;
 
-			sn =  create_sim_node((yyvsp[-2].Attr_val_fifo), (yyvsp[-1].Sim_server_fifo));
+			sn =  create_sim_node((yyvsp[(3) - (5)].Attr_val_fifo), (yyvsp[(4) - (5)].Sim_server_fifo));
 			APPEND_G_FIFO(cfgt.sim_details, sn);
 
 			/* Revert from ; to \n for end-of-command */
 			old_config_style = 1;
 		}
-#line 3262 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 292:
-#line 1524 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 295:
+/* Line 1787 of yacc.c  */
+#line 1530 "../../ntpd/ntp_parser.y"
     { old_config_style = 0; }
-#line 3268 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 293:
-#line 1529 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 296:
+/* Line 1787 of yacc.c  */
+#line 1535 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-2].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (3)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (3)].Attr_val));
 		}
-#line 3277 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 294:
-#line 1534 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 297:
+/* Line 1787 of yacc.c  */
+#line 1540 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (2)].Attr_val));
 		}
-#line 3286 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 295:
-#line 1542 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-2].Integer), (yyvsp[0].Double)); }
-#line 3292 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 298:
+/* Line 1787 of yacc.c  */
+#line 1548 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (3)].Integer), (yyvsp[(3) - (3)].Double)); }
     break;
 
-  case 298:
-#line 1552 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 301:
+/* Line 1787 of yacc.c  */
+#line 1558 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Sim_server_fifo) = (yyvsp[-1].Sim_server_fifo);
-			APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[0].Sim_server));
+			(yyval.Sim_server_fifo) = (yyvsp[(1) - (2)].Sim_server_fifo);
+			APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[(2) - (2)].Sim_server));
 		}
-#line 3301 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 299:
-#line 1557 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 302:
+/* Line 1787 of yacc.c  */
+#line 1563 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Sim_server_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[0].Sim_server));
+			APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[(1) - (1)].Sim_server));
 		}
-#line 3310 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 300:
-#line 1565 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Sim_server) = ONLY_SIM(create_sim_server((yyvsp[-4].Address_node), (yyvsp[-2].Double), (yyvsp[-1].Sim_script_fifo))); }
-#line 3316 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 303:
+/* Line 1787 of yacc.c  */
+#line 1571 "../../ntpd/ntp_parser.y"
+    { (yyval.Sim_server) = ONLY_SIM(create_sim_server((yyvsp[(1) - (5)].Address_node), (yyvsp[(3) - (5)].Double), (yyvsp[(4) - (5)].Sim_script_fifo))); }
     break;
 
-  case 301:
-#line 1570 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Double) = (yyvsp[-1].Double); }
-#line 3322 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 304:
+/* Line 1787 of yacc.c  */
+#line 1576 "../../ntpd/ntp_parser.y"
+    { (yyval.Double) = (yyvsp[(3) - (4)].Double); }
     break;
 
-  case 302:
-#line 1575 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Address_node) = (yyvsp[0].Address_node); }
-#line 3328 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 305:
+/* Line 1787 of yacc.c  */
+#line 1581 "../../ntpd/ntp_parser.y"
+    { (yyval.Address_node) = (yyvsp[(3) - (3)].Address_node); }
     break;
 
-  case 303:
-#line 1580 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 306:
+/* Line 1787 of yacc.c  */
+#line 1586 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Sim_script_fifo) = (yyvsp[-1].Sim_script_fifo);
-			APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[0].Sim_script));
+			(yyval.Sim_script_fifo) = (yyvsp[(1) - (2)].Sim_script_fifo);
+			APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[(2) - (2)].Sim_script));
 		}
-#line 3337 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 304:
-#line 1585 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 307:
+/* Line 1787 of yacc.c  */
+#line 1591 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Sim_script_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[0].Sim_script));
+			APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[(1) - (1)].Sim_script));
 		}
-#line 3346 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 305:
-#line 1593 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Sim_script) = ONLY_SIM(create_sim_script_info((yyvsp[-3].Double), (yyvsp[-1].Attr_val_fifo))); }
-#line 3352 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 308:
+/* Line 1787 of yacc.c  */
+#line 1599 "../../ntpd/ntp_parser.y"
+    { (yyval.Sim_script) = ONLY_SIM(create_sim_script_info((yyvsp[(3) - (6)].Double), (yyvsp[(5) - (6)].Attr_val_fifo))); }
     break;
 
-  case 306:
-#line 1598 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 309:
+/* Line 1787 of yacc.c  */
+#line 1604 "../../ntpd/ntp_parser.y"
     {
-			(yyval.Attr_val_fifo) = (yyvsp[-2].Attr_val_fifo);
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
+			(yyval.Attr_val_fifo) = (yyvsp[(1) - (3)].Attr_val_fifo);
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(2) - (3)].Attr_val));
 		}
-#line 3361 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 307:
-#line 1603 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
+  case 310:
+/* Line 1787 of yacc.c  */
+#line 1609 "../../ntpd/ntp_parser.y"
     {
 			(yyval.Attr_val_fifo) = NULL;
-			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
+			APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[(1) - (2)].Attr_val));
 		}
-#line 3370 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
     break;
 
-  case 308:
-#line 1611 "../../ntpd/ntp_parser.y" /* yacc.c:1646  */
-    { (yyval.Attr_val) = create_attr_dval((yyvsp[-2].Integer), (yyvsp[0].Double)); }
-#line 3376 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+  case 311:
+/* Line 1787 of yacc.c  */
+#line 1617 "../../ntpd/ntp_parser.y"
+    { (yyval.Attr_val) = create_attr_dval((yyvsp[(1) - (3)].Integer), (yyvsp[(3) - (3)].Double)); }
     break;
 
 
-#line 3380 "../../ntpd/ntp_parser.c" /* yacc.c:1646  */
+/* Line 1787 of yacc.c  */
+#line 3625 "ntp_parser.c"
       default: break;
     }
   /* User semantic actions sometimes alter yychar, and that requires
@@ -3398,7 +3643,7 @@ yyreduce:
 
   *++yyvsp = yyval;
 
-  /* Now 'shift' the result of the reduction.  Determine what state
+  /* Now `shift' the result of the reduction.  Determine what state
      that goes to, based on the state we popped back to and the rule
      number reduced by.  */
 
@@ -3413,9 +3658,9 @@ yyreduce:
   goto yynewstate;
 
 
-/*--------------------------------------.
-| yyerrlab -- here on detecting error.  |
-`--------------------------------------*/
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
 yyerrlab:
   /* Make sure we have latest lookahead translation.  See comments at
      user semantic actions for why this is necessary.  */
@@ -3466,20 +3711,20 @@ yyerrlab:
   if (yyerrstatus == 3)
     {
       /* If just tried and failed to reuse lookahead token after an
-         error, discard it.  */
+	 error, discard it.  */
 
       if (yychar <= YYEOF)
-        {
-          /* Return failure if at end of input.  */
-          if (yychar == YYEOF)
-            YYABORT;
-        }
+	{
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+	}
       else
-        {
-          yydestruct ("Error: discarding",
-                      yytoken, &yylval);
-          yychar = YYEMPTY;
-        }
+	{
+	  yydestruct ("Error: discarding",
+		      yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
     }
 
   /* Else will try to reuse lookahead token after shifting the error
@@ -3498,7 +3743,7 @@ yyerrorlab:
   if (/*CONSTCOND*/ 0)
      goto yyerrorlab;
 
-  /* Do not reclaim the symbols of the rule whose action triggered
+  /* Do not reclaim the symbols of the rule which action triggered
      this YYERROR.  */
   YYPOPSTACK (yylen);
   yylen = 0;
@@ -3511,29 +3756,29 @@ yyerrorlab:
 | yyerrlab1 -- common code for both syntax error and YYERROR.  |
 `-------------------------------------------------------------*/
 yyerrlab1:
-  yyerrstatus = 3;      /* Each real token shifted decrements this.  */
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
 
   for (;;)
     {
       yyn = yypact[yystate];
       if (!yypact_value_is_default (yyn))
-        {
-          yyn += YYTERROR;
-          if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
-            {
-              yyn = yytable[yyn];
-              if (0 < yyn)
-                break;
-            }
-        }
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
 
       /* Pop the current state because it cannot handle the error token.  */
       if (yyssp == yyss)
-        YYABORT;
+	YYABORT;
 
 
       yydestruct ("Error: popping",
-                  yystos[yystate], yyvsp);
+		  yystos[yystate], yyvsp);
       YYPOPSTACK (1);
       yystate = *yyssp;
       YY_STACK_PRINT (yyss, yyssp);
@@ -3584,14 +3829,14 @@ yyreturn:
       yydestruct ("Cleanup: discarding lookahead",
                   yytoken, &yylval);
     }
-  /* Do not reclaim the symbols of the rule whose action triggered
+  /* Do not reclaim the symbols of the rule which action triggered
      this YYABORT or YYACCEPT.  */
   YYPOPSTACK (yylen);
   YY_STACK_PRINT (yyss, yyssp);
   while (yyssp != yyss)
     {
       yydestruct ("Cleanup: popping",
-                  yystos[*yyssp], yyvsp);
+		  yystos[*yyssp], yyvsp);
       YYPOPSTACK (1);
     }
 #ifndef yyoverflow
@@ -3602,9 +3847,13 @@ yyreturn:
   if (yymsg != yymsgbuf)
     YYSTACK_FREE (yymsg);
 #endif
-  return yyresult;
+  /* Make sure YYID is used.  */
+  return YYID (yyresult);
 }
-#line 1622 "../../ntpd/ntp_parser.y" /* yacc.c:1906  */
+
+
+/* Line 2050 of yacc.c  */
+#line 1628 "../../ntpd/ntp_parser.y"
 
 
 void
diff --git a/contrib/ntp/ntpd/ntp_parser.h b/contrib/ntp/ntpd/ntp_parser.h
index 1ec7f8c..ae729b5 100644
--- a/contrib/ntp/ntpd/ntp_parser.h
+++ b/contrib/ntp/ntpd/ntp_parser.h
@@ -1,19 +1,19 @@
-/* A Bison parser, made by GNU Bison 3.0.2.  */
+/* A Bison parser, made by GNU Bison 2.7.12-4996.  */
 
 /* Bison interface for Yacc-like parsers in C
-
-   Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
-
+   
+      Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
+   
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
-
+   
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-
+   
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
 
@@ -26,13 +26,13 @@
    special exception, which will cause the skeleton and the resulting
    Bison output files to be licensed under the GNU General Public
    License without this special exception.
-
+   
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
-#ifndef YY_YY__NTPD_NTP_PARSER_H_INCLUDED
-# define YY_YY__NTPD_NTP_PARSER_H_INCLUDED
-/* Debug traces.  */
+#ifndef YY_YY_NTP_PARSER_H_INCLUDED
+# define YY_YY_NTP_PARSER_H_INCLUDED
+/* Enabling traces.  */
 #ifndef YYDEBUG
 # define YYDEBUG 1
 #endif
@@ -40,203 +40,207 @@
 extern int yydebug;
 #endif
 
-/* Token type.  */
+/* Tokens.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
-  enum yytokentype
-  {
-    T_Abbrev = 258,
-    T_Age = 259,
-    T_All = 260,
-    T_Allan = 261,
-    T_Allpeers = 262,
-    T_Auth = 263,
-    T_Autokey = 264,
-    T_Automax = 265,
-    T_Average = 266,
-    T_Bclient = 267,
-    T_Beacon = 268,
-    T_Broadcast = 269,
-    T_Broadcastclient = 270,
-    T_Broadcastdelay = 271,
-    T_Burst = 272,
-    T_Calibrate = 273,
-    T_Ceiling = 274,
-    T_Clockstats = 275,
-    T_Cohort = 276,
-    T_ControlKey = 277,
-    T_Crypto = 278,
-    T_Cryptostats = 279,
-    T_Ctl = 280,
-    T_Day = 281,
-    T_Default = 282,
-    T_Digest = 283,
-    T_Disable = 284,
-    T_Discard = 285,
-    T_Dispersion = 286,
-    T_Double = 287,
-    T_Driftfile = 288,
-    T_Drop = 289,
-    T_Dscp = 290,
-    T_Ellipsis = 291,
-    T_Enable = 292,
-    T_End = 293,
-    T_False = 294,
-    T_File = 295,
-    T_Filegen = 296,
-    T_Filenum = 297,
-    T_Flag1 = 298,
-    T_Flag2 = 299,
-    T_Flag3 = 300,
-    T_Flag4 = 301,
-    T_Flake = 302,
-    T_Floor = 303,
-    T_Freq = 304,
-    T_Fudge = 305,
-    T_Host = 306,
-    T_Huffpuff = 307,
-    T_Iburst = 308,
-    T_Ident = 309,
-    T_Ignore = 310,
-    T_Incalloc = 311,
-    T_Incmem = 312,
-    T_Initalloc = 313,
-    T_Initmem = 314,
-    T_Includefile = 315,
-    T_Integer = 316,
-    T_Interface = 317,
-    T_Intrange = 318,
-    T_Io = 319,
-    T_Ipv4 = 320,
-    T_Ipv4_flag = 321,
-    T_Ipv6 = 322,
-    T_Ipv6_flag = 323,
-    T_Kernel = 324,
-    T_Key = 325,
-    T_Keys = 326,
-    T_Keysdir = 327,
-    T_Kod = 328,
-    T_Mssntp = 329,
-    T_Leapfile = 330,
-    T_Leapsmearinterval = 331,
-    T_Limited = 332,
-    T_Link = 333,
-    T_Listen = 334,
-    T_Logconfig = 335,
-    T_Logfile = 336,
-    T_Loopstats = 337,
-    T_Lowpriotrap = 338,
-    T_Manycastclient = 339,
-    T_Manycastserver = 340,
-    T_Mask = 341,
-    T_Maxage = 342,
-    T_Maxclock = 343,
-    T_Maxdepth = 344,
-    T_Maxdist = 345,
-    T_Maxmem = 346,
-    T_Maxpoll = 347,
-    T_Mdnstries = 348,
-    T_Mem = 349,
-    T_Memlock = 350,
-    T_Minclock = 351,
-    T_Mindepth = 352,
-    T_Mindist = 353,
-    T_Minimum = 354,
-    T_Minpoll = 355,
-    T_Minsane = 356,
-    T_Mode = 357,
-    T_Mode7 = 358,
-    T_Monitor = 359,
-    T_Month = 360,
-    T_Mru = 361,
-    T_Multicastclient = 362,
-    T_Nic = 363,
-    T_Nolink = 364,
-    T_Nomodify = 365,
-    T_Nomrulist = 366,
-    T_None = 367,
-    T_Nonvolatile = 368,
-    T_Nopeer = 369,
-    T_Noquery = 370,
-    T_Noselect = 371,
-    T_Noserve = 372,
-    T_Notrap = 373,
-    T_Notrust = 374,
-    T_Ntp = 375,
-    T_Ntpport = 376,
-    T_NtpSignDsocket = 377,
-    T_Orphan = 378,
-    T_Orphanwait = 379,
-    T_Panic = 380,
-    T_Peer = 381,
-    T_Peerstats = 382,
-    T_Phone = 383,
-    T_Pid = 384,
-    T_Pidfile = 385,
-    T_Pool = 386,
-    T_Port = 387,
-    T_Preempt = 388,
-    T_Prefer = 389,
-    T_Protostats = 390,
-    T_Pw = 391,
-    T_Randfile = 392,
-    T_Rawstats = 393,
-    T_Refid = 394,
-    T_Requestkey = 395,
-    T_Reset = 396,
-    T_Restrict = 397,
-    T_Revoke = 398,
-    T_Rlimit = 399,
-    T_Saveconfigdir = 400,
-    T_Server = 401,
-    T_Setvar = 402,
-    T_Source = 403,
-    T_Stacksize = 404,
-    T_Statistics = 405,
-    T_Stats = 406,
-    T_Statsdir = 407,
-    T_Step = 408,
-    T_Stepback = 409,
-    T_Stepfwd = 410,
-    T_Stepout = 411,
-    T_Stratum = 412,
-    T_String = 413,
-    T_Sys = 414,
-    T_Sysstats = 415,
-    T_Tick = 416,
-    T_Time1 = 417,
-    T_Time2 = 418,
-    T_Timer = 419,
-    T_Timingstats = 420,
-    T_Tinker = 421,
-    T_Tos = 422,
-    T_Trap = 423,
-    T_True = 424,
-    T_Trustedkey = 425,
-    T_Ttl = 426,
-    T_Type = 427,
-    T_U_int = 428,
-    T_Unconfig = 429,
-    T_Unpeer = 430,
-    T_Version = 431,
-    T_WanderThreshold = 432,
-    T_Week = 433,
-    T_Wildcard = 434,
-    T_Xleave = 435,
-    T_Year = 436,
-    T_Flag = 437,
-    T_EOC = 438,
-    T_Simulate = 439,
-    T_Beep_Delay = 440,
-    T_Sim_Duration = 441,
-    T_Server_Offset = 442,
-    T_Duration = 443,
-    T_Freq_Offset = 444,
-    T_Wander = 445,
-    T_Jitter = 446,
-    T_Prop_Delay = 447,
-    T_Proc_Delay = 448
-  };
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     T_Abbrev = 258,
+     T_Age = 259,
+     T_All = 260,
+     T_Allan = 261,
+     T_Allpeers = 262,
+     T_Auth = 263,
+     T_Autokey = 264,
+     T_Automax = 265,
+     T_Average = 266,
+     T_Bclient = 267,
+     T_Beacon = 268,
+     T_Broadcast = 269,
+     T_Broadcastclient = 270,
+     T_Broadcastdelay = 271,
+     T_Burst = 272,
+     T_Calibrate = 273,
+     T_Ceiling = 274,
+     T_Clockstats = 275,
+     T_Cohort = 276,
+     T_ControlKey = 277,
+     T_Crypto = 278,
+     T_Cryptostats = 279,
+     T_Ctl = 280,
+     T_Day = 281,
+     T_Default = 282,
+     T_Digest = 283,
+     T_Disable = 284,
+     T_Discard = 285,
+     T_Dispersion = 286,
+     T_Double = 287,
+     T_Driftfile = 288,
+     T_Drop = 289,
+     T_Dscp = 290,
+     T_Ellipsis = 291,
+     T_Enable = 292,
+     T_End = 293,
+     T_False = 294,
+     T_File = 295,
+     T_Filegen = 296,
+     T_Filenum = 297,
+     T_Flag1 = 298,
+     T_Flag2 = 299,
+     T_Flag3 = 300,
+     T_Flag4 = 301,
+     T_Flake = 302,
+     T_Floor = 303,
+     T_Freq = 304,
+     T_Fudge = 305,
+     T_Host = 306,
+     T_Huffpuff = 307,
+     T_Iburst = 308,
+     T_Ident = 309,
+     T_Ignore = 310,
+     T_Incalloc = 311,
+     T_Incmem = 312,
+     T_Initalloc = 313,
+     T_Initmem = 314,
+     T_Includefile = 315,
+     T_Integer = 316,
+     T_Interface = 317,
+     T_Intrange = 318,
+     T_Io = 319,
+     T_Ipv4 = 320,
+     T_Ipv4_flag = 321,
+     T_Ipv6 = 322,
+     T_Ipv6_flag = 323,
+     T_Kernel = 324,
+     T_Key = 325,
+     T_Keys = 326,
+     T_Keysdir = 327,
+     T_Kod = 328,
+     T_Mssntp = 329,
+     T_Leapfile = 330,
+     T_Leapsmearinterval = 331,
+     T_Limited = 332,
+     T_Link = 333,
+     T_Listen = 334,
+     T_Logconfig = 335,
+     T_Logfile = 336,
+     T_Loopstats = 337,
+     T_Lowpriotrap = 338,
+     T_Manycastclient = 339,
+     T_Manycastserver = 340,
+     T_Mask = 341,
+     T_Maxage = 342,
+     T_Maxclock = 343,
+     T_Maxdepth = 344,
+     T_Maxdist = 345,
+     T_Maxmem = 346,
+     T_Maxpoll = 347,
+     T_Mdnstries = 348,
+     T_Mem = 349,
+     T_Memlock = 350,
+     T_Minclock = 351,
+     T_Mindepth = 352,
+     T_Mindist = 353,
+     T_Minimum = 354,
+     T_Minpoll = 355,
+     T_Minsane = 356,
+     T_Mode = 357,
+     T_Mode7 = 358,
+     T_Monitor = 359,
+     T_Month = 360,
+     T_Mru = 361,
+     T_Multicastclient = 362,
+     T_Nic = 363,
+     T_Nolink = 364,
+     T_Nomodify = 365,
+     T_Nomrulist = 366,
+     T_None = 367,
+     T_Nonvolatile = 368,
+     T_Nopeer = 369,
+     T_Noquery = 370,
+     T_Noselect = 371,
+     T_Noserve = 372,
+     T_Notrap = 373,
+     T_Notrust = 374,
+     T_Ntp = 375,
+     T_Ntpport = 376,
+     T_NtpSignDsocket = 377,
+     T_Orphan = 378,
+     T_Orphanwait = 379,
+     T_Panic = 380,
+     T_Peer = 381,
+     T_Peerstats = 382,
+     T_Phone = 383,
+     T_Pid = 384,
+     T_Pidfile = 385,
+     T_Pool = 386,
+     T_Port = 387,
+     T_Preempt = 388,
+     T_Prefer = 389,
+     T_Protostats = 390,
+     T_Pw = 391,
+     T_Randfile = 392,
+     T_Rawstats = 393,
+     T_Refid = 394,
+     T_Requestkey = 395,
+     T_Reset = 396,
+     T_Restrict = 397,
+     T_Revoke = 398,
+     T_Rlimit = 399,
+     T_Saveconfigdir = 400,
+     T_Server = 401,
+     T_Setvar = 402,
+     T_Source = 403,
+     T_Stacksize = 404,
+     T_Statistics = 405,
+     T_Stats = 406,
+     T_Statsdir = 407,
+     T_Step = 408,
+     T_Stepback = 409,
+     T_Stepfwd = 410,
+     T_Stepout = 411,
+     T_Stratum = 412,
+     T_String = 413,
+     T_Sys = 414,
+     T_Sysstats = 415,
+     T_Tick = 416,
+     T_Time1 = 417,
+     T_Time2 = 418,
+     T_Timer = 419,
+     T_Timingstats = 420,
+     T_Tinker = 421,
+     T_Tos = 422,
+     T_Trap = 423,
+     T_True = 424,
+     T_Trustedkey = 425,
+     T_Ttl = 426,
+     T_Type = 427,
+     T_U_int = 428,
+     T_UEcrypto = 429,
+     T_UEcryptonak = 430,
+     T_UEdigest = 431,
+     T_Unconfig = 432,
+     T_Unpeer = 433,
+     T_Version = 434,
+     T_WanderThreshold = 435,
+     T_Week = 436,
+     T_Wildcard = 437,
+     T_Xleave = 438,
+     T_Year = 439,
+     T_Flag = 440,
+     T_EOC = 441,
+     T_Simulate = 442,
+     T_Beep_Delay = 443,
+     T_Sim_Duration = 444,
+     T_Server_Offset = 445,
+     T_Duration = 446,
+     T_Freq_Offset = 447,
+     T_Wander = 448,
+     T_Jitter = 449,
+     T_Prop_Delay = 450,
+     T_Proc_Delay = 451
+   };
 #endif
 /* Tokens.  */
 #define T_Abbrev 258
@@ -410,33 +414,37 @@ extern int yydebug;
 #define T_Ttl 426
 #define T_Type 427
 #define T_U_int 428
-#define T_Unconfig 429
-#define T_Unpeer 430
-#define T_Version 431
-#define T_WanderThreshold 432
-#define T_Week 433
-#define T_Wildcard 434
-#define T_Xleave 435
-#define T_Year 436
-#define T_Flag 437
-#define T_EOC 438
-#define T_Simulate 439
-#define T_Beep_Delay 440
-#define T_Sim_Duration 441
-#define T_Server_Offset 442
-#define T_Duration 443
-#define T_Freq_Offset 444
-#define T_Wander 445
-#define T_Jitter 446
-#define T_Prop_Delay 447
-#define T_Proc_Delay 448
+#define T_UEcrypto 429
+#define T_UEcryptonak 430
+#define T_UEdigest 431
+#define T_Unconfig 432
+#define T_Unpeer 433
+#define T_Version 434
+#define T_WanderThreshold 435
+#define T_Week 436
+#define T_Wildcard 437
+#define T_Xleave 438
+#define T_Year 439
+#define T_Flag 440
+#define T_EOC 441
+#define T_Simulate 442
+#define T_Beep_Delay 443
+#define T_Sim_Duration 444
+#define T_Server_Offset 445
+#define T_Duration 446
+#define T_Freq_Offset 447
+#define T_Wander 448
+#define T_Jitter 449
+#define T_Prop_Delay 450
+#define T_Proc_Delay 451
+
+
 
-/* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-typedef union YYSTYPE YYSTYPE;
-union YYSTYPE
+typedef union YYSTYPE
 {
-#line 51 "../../ntpd/ntp_parser.y" /* yacc.c:1909  */
+/* Line 2053 of yacc.c  */
+#line 51 "../../ntpd/ntp_parser.y"
 
 	char *			String;
 	double			Double;
@@ -455,15 +463,29 @@ union YYSTYPE
 	script_info *		Sim_script;
 	script_info_fifo *	Sim_script_fifo;
 
-#line 459 "../../ntpd/ntp_parser.h" /* yacc.c:1909  */
-};
+
+/* Line 2053 of yacc.c  */
+#line 469 "ntp_parser.h"
+} YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
 #endif
 
-
 extern YYSTYPE yylval;
 
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
 int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
 
-#endif /* !YY_YY__NTPD_NTP_PARSER_H_INCLUDED  */
+#endif /* !YY_YY_NTP_PARSER_H_INCLUDED  */
diff --git a/contrib/ntp/ntpd/ntp_proto.c b/contrib/ntp/ntpd/ntp_proto.c
index f770472..ad45409 100644
--- a/contrib/ntp/ntpd/ntp_proto.c
+++ b/contrib/ntp/ntpd/ntp_proto.c
@@ -153,6 +153,19 @@ u_long	sys_declined;		/* declined */
 u_long	sys_limitrejected;	/* rate exceeded */
 u_long	sys_kodsent;		/* KoD sent */
 
+/*
+ * Mechanism knobs: how soon do we unpeer()?
+ *
+ * The default way is "on-receipt".  If this was a packet from a
+ * well-behaved source, on-receipt will offer the fastest recovery.
+ * If this was from a DoS attack, the default way makes it easier
+ * for a bad-guy to DoS us.  So look and see what bites you harder
+ * and choose according to your environment.
+ */
+int unpeer_crypto_early		= 1;	/* bad crypto (TEST9) */
+int unpeer_crypto_nak_early	= 1;	/* crypto_NAK (TEST5) */
+int unpeer_digest_early		= 1;	/* bad digest (TEST5) */
+
 static int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
 static	double	root_distance	(struct peer *);
 static	void	clock_combine	(peer_select *, int, int);
@@ -1157,6 +1170,7 @@ receive(
 
 			} else {
 				peer->delay = sys_bdelay;
+				peer->bxmt = p_xmt;
 			}
 			break;
 		}
@@ -1177,6 +1191,7 @@ receive(
 			sys_restricted++;
 			return;			/* ignore duplicate */
 		}
+		peer->bxmt = p_xmt;
 #ifdef AUTOKEY
 		if (skeyid > NTP_MAXKEY)
 			crypto_recv(peer, rbufp);
@@ -1286,6 +1301,73 @@ receive(
 			return;
 		}
 #endif /* AUTOKEY */
+
+		if (MODE_BROADCAST == hismode) {
+			u_char poll;
+			int bail = 0;
+			l_fp tdiff;
+
+			DPRINTF(2, ("receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\n",
+				    (current_time - peer->timelastrec),
+				    peer->ppoll, (1 << peer->ppoll)
+				    ));
+			/* Things we can check:
+			 *
+			 * Did the poll interval change?
+			 * Is the poll interval in the packet in-range?
+			 * Did this packet arrive too soon?
+			 * Is the timestamp in this packet monotonic
+			 *  with respect to the previous packet?
+			 */
+
+			/* This is noteworthy, not error-worthy */
+			if (pkt->ppoll != peer->ppoll) {
+				msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %ud to %ud",
+					stoa(&rbufp->recv_srcadr),
+					peer->ppoll, pkt->ppoll);
+			}
+
+			poll = min(peer->maxpoll,
+				   max(peer->minpoll, pkt->ppoll));
+
+			/* This is error-worthy */
+			if (pkt->ppoll != poll) {
+				msyslog(LOG_INFO, "receive: broadcast poll of %ud from %s is out-of-range (%d to %d)!",
+					pkt->ppoll, stoa(&rbufp->recv_srcadr),
+					peer->minpoll, peer->maxpoll);
+				++bail;
+			}
+
+			if (  (current_time - peer->timelastrec)
+			    < (1 << pkt->ppoll)) {
+				msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %ld, not %d seconds!",
+					stoa(&rbufp->recv_srcadr),
+					(current_time - peer->timelastrec),
+					(1 << pkt->ppoll)
+					);
+				++bail;
+			}
+
+			tdiff = p_xmt;
+			L_SUB(&tdiff, &peer->bxmt);
+			if (tdiff.l_i < 0) {
+				msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x",
+					stoa(&rbufp->recv_srcadr),
+					peer->bxmt.l_ui, peer->bxmt.l_uf,
+					p_xmt.l_ui, p_xmt.l_uf
+					);
+				++bail;
+			}
+
+			peer->bxmt = p_xmt;
+
+			if (bail) {
+				peer->timelastrec = current_time;
+				sys_declined++;
+				return;
+			}
+		}
+
 		break;
 
 	/*
@@ -1362,7 +1444,12 @@ receive(
 	/*
 	 * Basic mode checks:
 	 *
-	 * If there is no origin timestamp, it's an initial packet.
+	 * If there is no origin timestamp, it's either an initial packet
+	 * or we've already received a response to our query.  Of course,
+	 * should 'aorg' be all-zero because this really was the original
+	 * transmit timestamp, we'll drop the reply.  There is a window of
+	 * one nanosecond once every 136 years' time where this is possible.
+	 * We currently ignore this situation.
 	 *
 	 * Otherwise, check for bogus packet in basic mode.
 	 * If it is bogus, switch to interleaved mode and resynchronize,
@@ -1375,7 +1462,8 @@ receive(
 	} else if (peer->flip == 0) {
 		if (0 < hisstratum && L_ISZERO(&p_org)) {
 			L_CLR(&peer->aorg);
-		} else if (!L_ISEQU(&p_org, &peer->aorg)) {
+		} else if (    L_ISZERO(&peer->aorg)
+			   || !L_ISEQU(&p_org, &peer->aorg)) {
 			peer->bogusorg++;
 			peer->flash |= TEST2;	/* bogus */
 			msyslog(LOG_INFO,
@@ -1424,7 +1512,9 @@ receive(
 		peer->flash |= TEST5;		/* bad auth */
 		peer->badauth++;
 		if (peer->flags & FLAG_PREEMPT) {
-			unpeer(peer);
+			if (unpeer_crypto_nak_early) {
+				unpeer(peer);
+			}
 			return;
 		}
 #ifdef AUTOKEY
@@ -1450,7 +1540,9 @@ receive(
 		    && (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
 		if (peer->flags & FLAG_PREEMPT) {
-			unpeer(peer);
+			if (unpeer_digest_early) {
+				unpeer(peer);
+			}
 			return;
 		}
 #ifdef AUTOKEY
@@ -1505,12 +1597,47 @@ receive(
 		return;		/* Drop any other kiss code packets */
 	}
 
+	/*
+	 * If:
+	 *	- this is a *cast (uni-, broad-, or m-) server packet
+	 *	- and it's authenticated
+	 * then see if the sender's IP is trusted for this keyid.
+	 * If it is, great - nothing special to do here.
+	 * Otherwise, we should report and bail.
+	 */
+
+	switch (hismode) {
+	    case MODE_SERVER:		/* server mode */
+	    case MODE_BROADCAST:	/* broadcast mode */
+	    case MODE_ACTIVE:		/* symmetric active mode */
+		if (   is_authentic == AUTH_OK
+		    && !authistrustedip(skeyid, &peer->srcadr)) {
+			report_event(PEVNT_AUTH, peer, "authIP");
+			peer->badauth++;
+			return;
+		}
+	    	break;
+
+	    case MODE_UNSPEC:		/* unspecified (old version) */
+	    case MODE_PASSIVE:		/* symmetric passive mode */
+	    case MODE_CLIENT:		/* client mode */
+#if 0		/* At this point, MODE_CONTROL is overloaded by MODE_BCLIENT */
+	    case MODE_CONTROL:		/* control mode */
+#endif
+	    case MODE_PRIVATE:		/* private mode */
+	    case MODE_BCLIENT:		/* broadcast client mode */
+	    	break;
+	    default:
+	    	break;
+	}
+
 
 	/*
 	 * That was hard and I am sweaty, but the packet is squeaky
 	 * clean. Get on with real work.
 	 */
 	peer->timereceived = current_time;
+	peer->timelastrec = current_time;
 	if (is_authentic == AUTH_OK)
 		peer->flags |= FLAG_AUTHENTIC;
 	else
@@ -1560,8 +1687,11 @@ receive(
 				    "crypto error");
 				peer_clear(peer, "CRYP");
 				peer->flash |= TEST9;	/* bad crypt */
-				if (peer->flags & FLAG_PREEMPT)
-					unpeer(peer);
+				if (peer->flags & FLAG_PREEMPT) {
+					if (unpeer_crypto_early) {
+						unpeer(peer);
+					}
+				}
 			}
 			return;
 		}
@@ -4358,6 +4488,22 @@ proto_config(
 			io_multicast_del(svalue);
 		break;
 
+	/*
+	 * Unpeer Early policy choices
+	 */
+
+	case PROTO_UECRYPTO:	/* Crypto */
+		unpeer_crypto_early = value;
+		break;
+
+	case PROTO_UECRYPTONAK:	/* Crypto_NAK */
+		unpeer_crypto_nak_early = value;
+		break;
+
+	case PROTO_UEDIGEST:	/* Digest */
+		unpeer_digest_early = value;
+		break;
+
 	default:
 		msyslog(LOG_NOTICE,
 		    "proto: unsupported option %d", item);
diff --git a/contrib/ntp/ntpd/ntp_request.c b/contrib/ntp/ntpd/ntp_request.c
index fa78ce1..ba968e2 100644
--- a/contrib/ntp/ntpd/ntp_request.c
+++ b/contrib/ntp/ntpd/ntp_request.c
@@ -81,8 +81,8 @@ static	void	do_unconf	(sockaddr_u *, endpt *, struct req_pkt *);
 static	void	set_sys_flag	(sockaddr_u *, endpt *, struct req_pkt *);
 static	void	clr_sys_flag	(sockaddr_u *, endpt *, struct req_pkt *);
 static	void	setclr_flags	(sockaddr_u *, endpt *, struct req_pkt *, u_long);
-static	void	list_restrict4	(restrict_u *, struct info_restrict **);
-static	void	list_restrict6	(restrict_u *, struct info_restrict **);
+static	void	list_restrict4	(const restrict_u *, struct info_restrict **);
+static	void	list_restrict6	(const restrict_u *, struct info_restrict **);
 static	void	list_restrict	(sockaddr_u *, endpt *, struct req_pkt *);
 static	void	do_resaddflags	(sockaddr_u *, endpt *, struct req_pkt *);
 static	void	do_ressubflags	(sockaddr_u *, endpt *, struct req_pkt *);
@@ -667,43 +667,35 @@ list_peers(
 	struct req_pkt *inpkt
 	)
 {
-	struct info_peer_list *ip;
-	struct peer *pp;
-	int skip = 0;
+	struct info_peer_list *	ip;
+	const struct peer *	pp;
 
 	ip = (struct info_peer_list *)prepare_pkt(srcadr, inter, inpkt,
 	    v6sizeof(struct info_peer_list));
 	for (pp = peer_list; pp != NULL && ip != NULL; pp = pp->p_link) {
 		if (IS_IPV6(&pp->srcadr)) {
-			if (client_v6_capable) {
-				ip->addr6 = SOCK_ADDR6(&pp->srcadr);
-				ip->v6_flag = 1;
-				skip = 0;
-			} else {
-				skip = 1;
-				break;
-			}
+			if (!client_v6_capable)
+				continue;			
+			ip->addr6 = SOCK_ADDR6(&pp->srcadr);
+			ip->v6_flag = 1;
 		} else {
 			ip->addr = NSRCADR(&pp->srcadr);
 			if (client_v6_capable)
 				ip->v6_flag = 0;
-			skip = 0;
 		}
 
-		if (!skip) {
-			ip->port = NSRCPORT(&pp->srcadr);
-			ip->hmode = pp->hmode;
-			ip->flags = 0;
-			if (pp->flags & FLAG_CONFIG)
-				ip->flags |= INFO_FLAG_CONFIG;
-			if (pp == sys_peer)
-				ip->flags |= INFO_FLAG_SYSPEER;
-			if (pp->status == CTL_PST_SEL_SYNCCAND)
-				ip->flags |= INFO_FLAG_SEL_CANDIDATE;
-			if (pp->status >= CTL_PST_SEL_SYSPEER)
-				ip->flags |= INFO_FLAG_SHORTLIST;
-			ip = (struct info_peer_list *)more_pkt();
-		}
+		ip->port = NSRCPORT(&pp->srcadr);
+		ip->hmode = pp->hmode;
+		ip->flags = 0;
+		if (pp->flags & FLAG_CONFIG)
+			ip->flags |= INFO_FLAG_CONFIG;
+		if (pp == sys_peer)
+			ip->flags |= INFO_FLAG_SYSPEER;
+		if (pp->status == CTL_PST_SEL_SYNCCAND)
+			ip->flags |= INFO_FLAG_SEL_CANDIDATE;
+		if (pp->status >= CTL_PST_SEL_SYSPEER)
+			ip->flags |= INFO_FLAG_SHORTLIST;
+		ip = (struct info_peer_list *)more_pkt();
 	}	/* for pp */
 
 	flush_pkt();
@@ -720,10 +712,9 @@ list_peers_sum(
 	struct req_pkt *inpkt
 	)
 {
-	register struct info_peer_summary *ips;
-	register struct peer *pp;
-	l_fp ltmp;
-	register int skip;
+	struct info_peer_summary *	ips;
+	const struct peer *		pp;
+	l_fp 				ltmp;
 
 	DPRINTF(3, ("wants peer list summary\n"));
 
@@ -736,18 +727,14 @@ list_peers_sum(
 		 * want only v4.
 		 */
 		if (IS_IPV6(&pp->srcadr)) {
-			if (client_v6_capable) {
-				ips->srcadr6 = SOCK_ADDR6(&pp->srcadr);
-				ips->v6_flag = 1;
-				if (pp->dstadr)
-					ips->dstadr6 = SOCK_ADDR6(&pp->dstadr->sin);
-				else
-					ZERO(ips->dstadr6);
-				skip = 0;
-			} else {
-				skip = 1;
-				break;
-			}
+			if (!client_v6_capable)
+				continue;
+			ips->srcadr6 = SOCK_ADDR6(&pp->srcadr);
+			ips->v6_flag = 1;
+			if (pp->dstadr)
+				ips->dstadr6 = SOCK_ADDR6(&pp->dstadr->sin);
+			else
+				ZERO(ips->dstadr6);
 		} else {
 			ips->srcadr = NSRCADR(&pp->srcadr);
 			if (client_v6_capable)
@@ -765,39 +752,37 @@ list_peers_sum(
 							ips->dstadr = NSRCADR(&pp->dstadr->bcast);
 					}
 				}
-			} else
+			} else {
 				ips->dstadr = 0;
-
-			skip = 0;
+			}
 		}
 		
-		if (!skip) { 
-			ips->srcport = NSRCPORT(&pp->srcadr);
-			ips->stratum = pp->stratum;
-			ips->hpoll = pp->hpoll;
-			ips->ppoll = pp->ppoll;
-			ips->reach = pp->reach;
-			ips->flags = 0;
-			if (pp == sys_peer)
-				ips->flags |= INFO_FLAG_SYSPEER;
-			if (pp->flags & FLAG_CONFIG)
-				ips->flags |= INFO_FLAG_CONFIG;
-			if (pp->flags & FLAG_REFCLOCK)
-				ips->flags |= INFO_FLAG_REFCLOCK;
-			if (pp->flags & FLAG_PREFER)
-				ips->flags |= INFO_FLAG_PREFER;
-			if (pp->flags & FLAG_BURST)
-				ips->flags |= INFO_FLAG_BURST;
-			if (pp->status == CTL_PST_SEL_SYNCCAND)
-				ips->flags |= INFO_FLAG_SEL_CANDIDATE;
-			if (pp->status >= CTL_PST_SEL_SYSPEER)
-				ips->flags |= INFO_FLAG_SHORTLIST;
-			ips->hmode = pp->hmode;
-			ips->delay = HTONS_FP(DTOFP(pp->delay));
-			DTOLFP(pp->offset, &ltmp);
-			HTONL_FP(&ltmp, &ips->offset);
-			ips->dispersion = HTONS_FP(DTOUFP(SQRT(pp->disp)));
-		}	
+		ips->srcport = NSRCPORT(&pp->srcadr);
+		ips->stratum = pp->stratum;
+		ips->hpoll = pp->hpoll;
+		ips->ppoll = pp->ppoll;
+		ips->reach = pp->reach;
+		ips->flags = 0;
+		if (pp == sys_peer)
+			ips->flags |= INFO_FLAG_SYSPEER;
+		if (pp->flags & FLAG_CONFIG)
+			ips->flags |= INFO_FLAG_CONFIG;
+		if (pp->flags & FLAG_REFCLOCK)
+			ips->flags |= INFO_FLAG_REFCLOCK;
+		if (pp->flags & FLAG_PREFER)
+			ips->flags |= INFO_FLAG_PREFER;
+		if (pp->flags & FLAG_BURST)
+			ips->flags |= INFO_FLAG_BURST;
+		if (pp->status == CTL_PST_SEL_SYNCCAND)
+			ips->flags |= INFO_FLAG_SEL_CANDIDATE;
+		if (pp->status >= CTL_PST_SEL_SYSPEER)
+			ips->flags |= INFO_FLAG_SHORTLIST;
+		ips->hmode = pp->hmode;
+		ips->delay = HTONS_FP(DTOFP(pp->delay));
+		DTOLFP(pp->offset, &ltmp);
+		HTONL_FP(&ltmp, &ips->offset);
+		ips->dispersion = HTONS_FP(DTOUFP(SQRT(pp->disp)));
+
 		ips = (struct info_peer_summary *)more_pkt();
 	}	/* for pp */
 
@@ -1197,7 +1182,7 @@ mem_stats(
 		ms->hashcount[i] = (u_char)
 		    max((u_int)peer_hash_count[i], UCHAR_MAX);
 
-	more_pkt();
+	(void) more_pkt();
 	flush_pkt();
 }
 
@@ -1285,7 +1270,7 @@ loop_info(
 	li->compliance = htonl((u_int32)(tc_counter));
 	li->watchdog_timer = htonl((u_int32)(current_time - sys_epoch));
 
-	more_pkt();
+	(void) more_pkt();
 	flush_pkt();
 }
 
@@ -1571,56 +1556,143 @@ setclr_flags(
 	req_ack(srcadr, inter, inpkt, INFO_OKAY);
 }
 
+/* There have been some issues with the restrict list processing,
+ * ranging from problems with deep recursion (resulting in stack
+ * overflows) and overfull reply buffers.
+ *
+ * To avoid this trouble the list reversal is done iteratively using a
+ * scratch pad.
+ */
+typedef struct RestrictStack RestrictStackT;
+struct RestrictStack {
+	RestrictStackT   *link;
+	size_t            fcnt;
+	const restrict_u *pres[63];
+};
+
+static size_t
+getStackSheetSize(
+	RestrictStackT *sp
+	)
+{
+	if (sp)
+		return sizeof(sp->pres)/sizeof(sp->pres[0]);
+	return 0u;
+}
+
+static int/*BOOL*/
+pushRestriction(
+	RestrictStackT  **spp,
+	const restrict_u *ptr
+	)
+{
+	RestrictStackT *sp;
+
+	if (NULL == (sp = *spp) || 0 == sp->fcnt) {
+		/* need another sheet in the scratch pad */
+		sp = emalloc(sizeof(*sp));
+		sp->link = *spp;
+		sp->fcnt = getStackSheetSize(sp);
+		*spp = sp;
+	}
+	sp->pres[--sp->fcnt] = ptr;
+	return TRUE;
+}
+
+static int/*BOOL*/
+popRestriction(
+	RestrictStackT   **spp,
+	const restrict_u **opp
+	)
+{
+	RestrictStackT *sp;
+
+	if (NULL == (sp = *spp) || sp->fcnt >= getStackSheetSize(sp))
+		return FALSE;
+	
+	*opp = sp->pres[sp->fcnt++];
+	if (sp->fcnt >= getStackSheetSize(sp)) {
+		/* discard sheet from scratch pad */
+		*spp = sp->link;
+		free(sp);
+	}
+	return TRUE;
+}
+
+static void
+flushRestrictionStack(
+	RestrictStackT **spp
+	)
+{
+	RestrictStackT *sp;
+
+	while (NULL != (sp = *spp)) {
+		*spp = sp->link;
+		free(sp);
+	}
+}
+
 /*
- * list_restrict4 - recursive helper for list_restrict dumps IPv4
+ * list_restrict4 - iterative helper for list_restrict dumps IPv4
  *		    restriction list in reverse order.
  */
 static void
 list_restrict4(
-	restrict_u *		res,
+	const restrict_u *	res,
 	struct info_restrict **	ppir
 	)
 {
+	RestrictStackT *	rpad;
 	struct info_restrict *	pir;
 
-	if (res->link != NULL)
-		list_restrict4(res->link, ppir);
-
 	pir = *ppir;
-	pir->addr = htonl(res->u.v4.addr);
-	if (client_v6_capable) 
-		pir->v6_flag = 0;
-	pir->mask = htonl(res->u.v4.mask);
-	pir->count = htonl(res->count);
-	pir->flags = htons(res->flags);
-	pir->mflags = htons(res->mflags);
-	*ppir = (struct info_restrict *)more_pkt();
+	for (rpad = NULL; res; res = res->link)
+		if (!pushRestriction(&rpad, res))
+			break;
+	
+	while (pir && popRestriction(&rpad, &res)) {
+		pir->addr = htonl(res->u.v4.addr);
+		if (client_v6_capable) 
+			pir->v6_flag = 0;
+		pir->mask = htonl(res->u.v4.mask);
+		pir->count = htonl(res->count);
+		pir->flags = htons(res->flags);
+		pir->mflags = htons(res->mflags);
+		pir = (struct info_restrict *)more_pkt();
+	}
+	flushRestrictionStack(&rpad);
+	*ppir = pir;
 }
 
-
 /*
- * list_restrict6 - recursive helper for list_restrict dumps IPv6
+ * list_restrict6 - iterative helper for list_restrict dumps IPv6
  *		    restriction list in reverse order.
  */
 static void
 list_restrict6(
-	restrict_u *		res,
+	const restrict_u *	res,
 	struct info_restrict **	ppir
 	)
 {
+	RestrictStackT *	rpad;
 	struct info_restrict *	pir;
 
-	if (res->link != NULL)
-		list_restrict6(res->link, ppir);
-
 	pir = *ppir;
-	pir->addr6 = res->u.v6.addr; 
-	pir->mask6 = res->u.v6.mask;
-	pir->v6_flag = 1;
-	pir->count = htonl(res->count);
-	pir->flags = htons(res->flags);
-	pir->mflags = htons(res->mflags);
-	*ppir = (struct info_restrict *)more_pkt();
+	for (rpad = NULL; res; res = res->link)
+		if (!pushRestriction(&rpad, res))
+			break;
+
+	while (pir && popRestriction(&rpad, &res)) {
+		pir->addr6 = res->u.v6.addr; 
+		pir->mask6 = res->u.v6.mask;
+		pir->v6_flag = 1;
+		pir->count = htonl(res->count);
+		pir->flags = htons(res->flags);
+		pir->mflags = htons(res->mflags);
+		pir = (struct info_restrict *)more_pkt();
+	}
+	flushRestrictionStack(&rpad);
+	*ppir = pir;
 }
 
 
@@ -1644,8 +1716,7 @@ list_restrict(
 	/*
 	 * The restriction lists are kept sorted in the reverse order
 	 * than they were originally.  To preserve the output semantics,
-	 * dump each list in reverse order.  A recursive helper function
-	 * achieves that.
+	 * dump each list in reverse order. The workers take care of that.
 	 */
 	list_restrict4(restrictlist4, &ir);
 	if (client_v6_capable)
@@ -2010,7 +2081,7 @@ do_trustkey(
 	register int items;
 
 	items = INFO_NITEMS(inpkt->err_nitems);
-	kp = (uint32_t*)&inpkt->u;
+	kp = (uint32_t *)&inpkt->u;
 	while (items-- > 0) {
 		authtrust(*kp, trust);
 		kp++;
@@ -2089,7 +2160,7 @@ req_get_traps(
 	it = (struct info_trap *)prepare_pkt(srcadr, inter, inpkt,
 	    v6sizeof(struct info_trap));
 
-	for (i = 0, tr = ctl_traps; i < COUNTOF(ctl_traps); i++, tr++) {
+	for (i = 0, tr = ctl_traps; it && i < COUNTOF(ctl_traps); i++, tr++) {
 		if (tr->tr_flags & TRAP_INUSE) {
 			if (IS_IPV4(&tr->tr_addr)) {
 				if (tr->tr_localaddr == any_interface)
@@ -2405,7 +2476,7 @@ get_clock_info(
 	ic = (struct info_clock *)prepare_pkt(srcadr, inter, inpkt,
 					      sizeof(struct info_clock));
 
-	while (items-- > 0) {
+	while (items-- > 0 && ic) {
 		NSRCADR(&addr) = *clkaddr++;
 		if (!ISREFCLOCKADR(&addr) || NULL ==
 		    findexistingpeer(&addr, NULL, NULL, -1, 0)) {
@@ -2544,7 +2615,7 @@ get_clkbug_info(
 	ic = (struct info_clkbug *)prepare_pkt(srcadr, inter, inpkt,
 					       sizeof(struct info_clkbug));
 
-	while (items-- > 0) {
+	while (items-- > 0 && ic) {
 		NSRCADR(&addr) = *clkaddr++;
 		if (!ISREFCLOCKADR(&addr) || NULL ==
 		    findexistingpeer(&addr, NULL, NULL, -1, 0)) {
@@ -2592,13 +2663,15 @@ fill_info_if_stats(void *data, interface_info_t *interface_info)
 	struct info_if_stats **ifsp = (struct info_if_stats **)data;
 	struct info_if_stats *ifs = *ifsp;
 	endpt *ep = interface_info->ep;
+
+	if (NULL == ifs)
+		return;
 	
 	ZERO(*ifs);
 	
 	if (IS_IPV6(&ep->sin)) {
-		if (!client_v6_capable) {
+		if (!client_v6_capable)
 			return;
-		}
 		ifs->v6_flag = 1;
 		ifs->unaddr.addr6 = SOCK_ADDR6(&ep->sin);
 		ifs->unbcast.addr6 = SOCK_ADDR6(&ep->bcast);
diff --git a/contrib/ntp/ntpd/ntp_scanner.c b/contrib/ntp/ntpd/ntp_scanner.c
index 49adf6b..631c218 100644
--- a/contrib/ntp/ntpd/ntp_scanner.c
+++ b/contrib/ntp/ntpd/ntp_scanner.c
@@ -669,7 +669,7 @@ int
 yylex(void)
 {
 	static follby	followedby = FOLLBY_TOKEN;
-	int		i;
+	size_t		i;
 	int		instring;
 	int		yylval_was_set;
 	int		converted;
diff --git a/contrib/ntp/ntpd/ntp_timer.c b/contrib/ntp/ntpd/ntp_timer.c
index 03084a3..78c81b6 100644
--- a/contrib/ntp/ntpd/ntp_timer.c
+++ b/contrib/ntp/ntpd/ntp_timer.c
@@ -549,14 +549,16 @@ check_leapsec(
 #ifdef LEAP_SMEAR
 	leap_smear.enabled = leap_smear_intv != 0;
 #endif
-	if (reset)	{
+	if (reset) {
 		lsprox = LSPROX_NOWARN;
 		leapsec_reset_frame();
 		memset(&lsdata, 0, sizeof(lsdata));
 	} else {
-	  int fired = leapsec_query(&lsdata, now, tpiv);
+	  int fired;
 
-	  DPRINTF(1, ("*** leapsec_query: fired %i, now %u (0x%08X), tai_diff %i, ddist %u\n",
+	  fired = leapsec_query(&lsdata, now, tpiv);
+
+	  DPRINTF(3, ("*** leapsec_query: fired %i, now %u (0x%08X), tai_diff %i, ddist %u\n",
 		  fired, now, now, lsdata.tai_diff, lsdata.ddist));
 
 #ifdef LEAP_SMEAR
@@ -572,8 +574,7 @@ check_leapsec(
 				DPRINTF(1, ("*** leapsec_query: setting leap_smear interval %li, begin %.0f, end %.0f\n",
 					leap_smear.interval, leap_smear.intv_start, leap_smear.intv_end));
 			}
-		}
-		else {
+		} else {
 			if (leap_smear.interval)
 				DPRINTF(1, ("*** leapsec_query: clearing leap_smear interval\n"));
 			leap_smear.interval = 0;
@@ -655,10 +656,10 @@ check_leapsec(
 		sys_tai = lsdata.tai_offs;
 	  } else {
 #ifdef AUTOKEY
-		update_autokey = (sys_tai != lsdata.tai_offs);
+		  update_autokey = (sys_tai != (u_int)lsdata.tai_offs);
 #endif
-		lsprox  = lsdata.proximity;
-		sys_tai = lsdata.tai_offs;
+		  lsprox  = lsdata.proximity;
+		  sys_tai = lsdata.tai_offs;
 	  }
 	}
 
diff --git a/contrib/ntp/ntpd/ntpd-opts.c b/contrib/ntp/ntpd/ntpd-opts.c
index 660884b..f435a31 100644
--- a/contrib/ntp/ntpd/ntpd-opts.c
+++ b/contrib/ntp/ntpd/ntpd-opts.c
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpd-opts.c)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:28:29 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:15:45 AM by AutoGen 5.18.5
  *  From the definitions    ntpd-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpd program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -75,8 +75,8 @@ extern FILE * option_usage_fp;
  *  static const strings for ntpd options
  */
 static char const ntpd_opt_strs[3129] =
-/*     0 */ "ntpd 4.2.8p5\n"
-            "Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n"
+/*     0 */ "ntpd 4.2.8p6\n"
+            "Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
             "can be seen at:\n"
@@ -205,12 +205,12 @@ static char const ntpd_opt_strs[3129] =
 /*  2900 */ "output version information and exit\0"
 /*  2936 */ "version\0"
 /*  2944 */ "NTPD\0"
-/*  2949 */ "ntpd - NTP daemon program - Ver. 4.2.8p5\n"
+/*  2949 */ "ntpd - NTP daemon program - Ver. 4.2.8p6\n"
             "Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n"
             "\t\t[ <server1> ... <serverN> ]\n\0"
 /*  3080 */ "http://bugs.ntp.org, bugs@ntp.org\0"
 /*  3114 */ "\n\0"
-/*  3116 */ "ntpd 4.2.8p5";
+/*  3116 */ "ntpd 4.2.8p6";
 
 /**
  *  ipv4 option description with
@@ -1529,8 +1529,8 @@ static void bogus_function(void) {
      translate option names.
    */
   /* referenced via ntpdOptions.pzCopyright */
-  puts(_("ntpd 4.2.8p5\n\
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n\
+  puts(_("ntpd 4.2.8p6\n\
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n\
 This is free software. It is licensed for use, modification and\n\
 redistribution under the terms of the NTP License, copies of which\n\
 can be seen at:\n"));
@@ -1670,7 +1670,7 @@ implied warranty.\n"));
   puts(_("output version information and exit"));
 
   /* referenced via ntpdOptions.pzUsageTitle */
-  puts(_("ntpd - NTP daemon program - Ver. 4.2.8p5\n\
+  puts(_("ntpd - NTP daemon program - Ver. 4.2.8p6\n\
 Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\
 \t\t[ <server1> ... <serverN> ]\n"));
 
@@ -1678,7 +1678,7 @@ Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\
   puts(_("\n"));
 
   /* referenced via ntpdOptions.pzFullVersion */
-  puts(_("ntpd 4.2.8p5"));
+  puts(_("ntpd 4.2.8p6"));
 
   /* referenced via ntpdOptions.pzFullUsage */
   puts(_("<<<NOT-FOUND>>>"));
diff --git a/contrib/ntp/ntpd/ntpd-opts.h b/contrib/ntp/ntpd/ntpd-opts.h
index 571fd34..9427cac 100644
--- a/contrib/ntp/ntpd/ntpd-opts.h
+++ b/contrib/ntp/ntpd/ntpd-opts.h
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpd-opts.h)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:28:28 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:15:43 AM by AutoGen 5.18.5
  *  From the definitions    ntpd-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpd program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -106,9 +106,9 @@ typedef enum {
 /** count of all options for ntpd */
 #define OPTION_CT    38
 /** ntpd version */
-#define NTPD_VERSION       "4.2.8p5"
+#define NTPD_VERSION       "4.2.8p6"
 /** Full ntpd version text */
-#define NTPD_FULL_VERSION  "ntpd 4.2.8p5"
+#define NTPD_FULL_VERSION  "ntpd 4.2.8p6"
 
 /**
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/contrib/ntp/ntpd/ntpd.1ntpdman b/contrib/ntp/ntpd/ntpd.1ntpdman
index 42d0caf..322d0bc4 100644
--- a/contrib/ntp/ntpd/ntpd.1ntpdman
+++ b/contrib/ntp/ntpd/ntpd.1ntpdman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpd 1ntpdman "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpd 1ntpdman "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-KDaWJq/ag-WDaOIq)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-9JaiRS/ag-jKaaQS)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:30:44 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:17:54 AM by AutoGen 5.18.5
 .\" From the definitions ntpd-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -979,7 +979,7 @@ RFC5908
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 The
diff --git a/contrib/ntp/ntpd/ntpd.1ntpdmdoc b/contrib/ntp/ntpd/ntpd.1ntpdmdoc
index dc06f58..301d983 100644
--- a/contrib/ntp/ntpd/ntpd.1ntpdmdoc
+++ b/contrib/ntp/ntpd/ntpd.1ntpdmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPD 1ntpdmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpd-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:31:02 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:12 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpd-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -886,7 +886,7 @@ A snapshot of this documentation is available in HTML format in
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 The
diff --git a/contrib/ntp/ntpd/ntpd.c b/contrib/ntp/ntpd/ntpd.c
index 7630aee..2c7f02e 100644
--- a/contrib/ntp/ntpd/ntpd.c
+++ b/contrib/ntp/ntpd/ntpd.c
@@ -209,6 +209,11 @@ extern int syscall	(int, ...);
 
 
 #if !defined(SIM) && defined(SIGDIE1)
+static volatile int signalled	= 0;
+static volatile int signo	= 0;
+
+/* In an ideal world, 'finish_safe()' would declared as noreturn... */
+static	void		finish_safe	(int);
 static	RETSIGTYPE	finish		(int);
 #endif
 
@@ -298,11 +303,28 @@ my_pthread_warmup_worker(
 static void
 my_pthread_warmup(void)
 {
-	pthread_t thread;
-	int       rc;
+	pthread_t 	thread;
+	pthread_attr_t	thr_attr;
+	int       	rc;
+	
+	pthread_attr_init(&thr_attr);
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+    defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) && \
+    defined(PTHREAD_STACK_MIN)
+	rc = pthread_attr_setstacksize(&thr_attr, PTHREAD_STACK_MIN);
+	if (0 != rc)
+		msyslog(LOG_ERR,
+			"my_pthread_warmup: pthread_attr_setstacksize() -> %s",
+			strerror(rc));
+#endif
 	rc = pthread_create(
-		&thread, NULL, my_pthread_warmup_worker, NULL);
-	if (0 == rc) {
+		&thread, &thr_attr, my_pthread_warmup_worker, NULL);
+	pthread_attr_destroy(&thr_attr);
+	if (0 != rc) {
+		msyslog(LOG_ERR,
+			"my_pthread_warmup: pthread_create() -> %s",
+			strerror(rc));
+	} else {
 		pthread_cancel(thread);
 		pthread_join(thread, NULL);
 	}
@@ -1204,6 +1226,10 @@ int scmp_sc[] = {
 # ifdef HAVE_IO_COMPLETION_PORT
 
 	for (;;) {
+#if !defined(SIM) && defined(SIGDIE1)
+		if (signalled)
+			finish_safe(signo);
+#endif
 		GetReceivedBuffers();
 # else /* normal I/O */
 
@@ -1211,11 +1237,19 @@ int scmp_sc[] = {
 	was_alarmed = FALSE;
 
 	for (;;) {
+#if !defined(SIM) && defined(SIGDIE1)
+		if (signalled)
+			finish_safe(signo);
+#endif		
 		if (alarm_flag) {	/* alarmed? */
 			was_alarmed = TRUE;
 			alarm_flag = FALSE;
 		}
 
+		/* collect async name/addr results */
+		if (!was_alarmed)
+		    harvest_blocking_responses();
+		
 		if (!was_alarmed && !has_full_recv_buffer()) {
 			/*
 			 * Nothing to do.  Wait for something.
@@ -1330,9 +1364,9 @@ int scmp_sc[] = {
 /*
  * finish - exit gracefully
  */
-static RETSIGTYPE
-finish(
-	int sig
+static void
+finish_safe(
+	int	sig
 	)
 {
 	const char *sig_desc;
@@ -1353,6 +1387,16 @@ finish(
 	peer_cleanup();
 	exit(0);
 }
+
+static RETSIGTYPE
+finish(
+	int	sig
+	)
+{
+	signalled = 1;
+	signo = sig;
+}
+
 #endif	/* !SIM && SIGDIE1 */
 
 
diff --git a/contrib/ntp/ntpd/ntpd.html b/contrib/ntp/ntpd/ntpd.html
index ae3e17c..bdf58a1 100644
--- a/contrib/ntp/ntpd/ntpd.html
+++ b/contrib/ntp/ntpd/ntpd.html
@@ -39,7 +39,7 @@ The program can operate in any of several modes, including client/server,
 symmetric and broadcast modes, and with both symmetric-key and public-key
 cryptography.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntpd</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntpd</code>.
 
 <ul class="menu">
 <li><a accesskey="1" href="#ntpd-Description">ntpd Description</a>:             Description
@@ -220,7 +220,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntpd - NTP daemon program - Ver. 4.2.8p4
+<pre class="example">ntpd - NTP daemon program - Ver. 4.2.8p5
 Usage:  ntpd [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... \
                 [ &lt;server1&gt; ... &lt;serverN&gt; ]
   Flg Arg Option-Name    Description
diff --git a/contrib/ntp/ntpd/ntpd.man.in b/contrib/ntp/ntpd/ntpd.man.in
index 222f0b3..4abcc57 100644
--- a/contrib/ntp/ntpd/ntpd.man.in
+++ b/contrib/ntp/ntpd/ntpd.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpd @NTPD_MS@ "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpd @NTPD_MS@ "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-KDaWJq/ag-WDaOIq)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-9JaiRS/ag-jKaaQS)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:30:44 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:17:54 AM by AutoGen 5.18.5
 .\" From the definitions ntpd-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -979,7 +979,7 @@ RFC5908
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 The
diff --git a/contrib/ntp/ntpd/ntpd.mdoc.in b/contrib/ntp/ntpd/ntpd.mdoc.in
index e5be1ee..fcd5fc1 100644
--- a/contrib/ntp/ntpd/ntpd.mdoc.in
+++ b/contrib/ntp/ntpd/ntpd.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPD @NTPD_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpd-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:31:02 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:12 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpd-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -886,7 +886,7 @@ A snapshot of this documentation is available in HTML format in
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 The
diff --git a/contrib/ntp/ntpd/refclock_chu.c b/contrib/ntp/ntpd/refclock_chu.c
index 1f02a1c..d745c81 100644
--- a/contrib/ntp/ntpd/refclock_chu.c
+++ b/contrib/ntp/ntpd/refclock_chu.c
@@ -1264,7 +1264,7 @@ chu_a(
 			offset = up->charstamp;
 		else if (k > 0)
 			i = 1;
-		for (; i < nchar && i < k + 10; i++) {
+		for (; i < nchar && (i - 10) < k; i++) {
 			up->tstamp[up->ntstamp] = up->cstamp[i];
 			L_SUB(&up->tstamp[up->ntstamp], &offset);
 			L_ADD(&offset, &up->charstamp);
diff --git a/contrib/ntp/ntpd/refclock_gpsdjson.c b/contrib/ntp/ntpd/refclock_gpsdjson.c
index c2bf09a..24a15e7 100644
--- a/contrib/ntp/ntpd/refclock_gpsdjson.c
+++ b/contrib/ntp/ntpd/refclock_gpsdjson.c
@@ -377,17 +377,6 @@ static int16_t clamped_precision(int rawprec);
  * local / static stuff
  */
 
-/* The logon string is actually the ?WATCH command of GPSD, using JSON
- * data and selecting the GPS device name we created from our unit
- * number. We have an old a newer version that request PPS (and TOFF)
- * transmission.
- * Note: These are actually format strings!
- */
-static const char * const s_req_watch[2] = {
-	"?WATCH={\"device\":\"%s\",\"enable\":true,\"json\":true};\r\n",
-	"?WATCH={\"device\":\"%s\",\"enable\":true,\"json\":true,\"pps\":true};\r\n"
-};
-
 static const char * const s_req_version =
     "?VERSION;\r\n";
 
@@ -1147,7 +1136,7 @@ json_token_skip(
 	const json_ctx * ctx,
 	tok_ref          tid)
 {
-	if (tid >= 0 && tid < ctx->ntok) {
+	if (tid >= 0 && (u_int)tid < ctx->ntok) {
 		int len = ctx->tok[tid].size;
 		/* For arrays and objects, the size is the number of
 		 * ITEMS in the compound. Thats the number of objects in
@@ -1172,7 +1161,10 @@ json_token_skip(
 			++tid;
 			break;
 		}
-		if (tid > ctx->ntok) /* Impossible? Paranoia rulez. */
+		/* The next condition should never be true, but paranoia
+		 * prevails...
+		 */
+		if (tid < 0 || (u_int)tid > ctx->ntok)
 			tid = ctx->ntok;
 	}
 	return tid;
@@ -1200,7 +1192,7 @@ json_object_lookup(
 			tid = json_token_skip(ctx, tid); /* skip val */
 		} else if (strcmp(key, ctx->buf + ctx->tok[tid].start)) {
 			tid = json_token_skip(ctx, tid+1); /* skip key+val */
-		} else if (what < 0 || what == ctx->tok[tid+1].type) {
+		} else if (what < 0 || (u_int)what == ctx->tok[tid+1].type) {
 			return tid + 1;
 		} else {
 			break;
@@ -1513,8 +1505,14 @@ process_version(
 	if (up->fl_watch)
 		return;
 
+	/* The logon string is actually the ?WATCH command of GPSD,
+	 * using JSON data and selecting the GPS device name we created
+	 * from our unit number. We have an old a newer version that
+	 * request PPS (and TOFF) transmission.
+	 */
 	snprintf(up->buffer, sizeof(up->buffer),
-		 s_req_watch[up->pf_toff != 0], up->device);
+		 "?WATCH={\"device\":\"%s\",\"enable\":true,\"json\":true%s};\r\n",
+		 up->device, (up->pf_toff ? ",\"pps\":true" : ""));
 	buf = up->buffer;
 	len = strlen(buf);
 	log_data(peer, "send", buf, len);
diff --git a/contrib/ntp/ntpd/refclock_jjy.c b/contrib/ntp/ntpd/refclock_jjy.c
index fef829c..fc51fd9 100644
--- a/contrib/ntp/ntpd/refclock_jjy.c
+++ b/contrib/ntp/ntpd/refclock_jjy.c
@@ -149,8 +149,8 @@
  */
 
 struct jjyRawDataBreak {
-	char	*pString ;
-	int 	iLength ;
+	const char *	pString ;
+	int 		iLength ;
 } ;
 
 #define	MAX_TIMESTAMP	6
@@ -627,7 +627,7 @@ jjy_receive ( struct recvbuf *rbufp )
 #ifdef DEBUG
 	printf( "\nrefclock_jjy.c : %s : Len=%d  ", sFunctionName, pp->lencode ) ;
 	for ( i = 0 ; i < pp->lencode ; i ++ ) {
-		if ( iscntrl( pp->a_lastcode[i] & 0x7F ) ) {
+		if ( iscntrl( (u_char)(pp->a_lastcode[i] & 0x7F) ) ) {
 			printf( "<x%02X>", pp->a_lastcode[i] & 0xFF ) ;
 		} else {
 			printf( "%c", pp->a_lastcode[i] ) ;
@@ -702,7 +702,7 @@ jjy_receive ( struct recvbuf *rbufp )
 				up->iLineBufLen ++ ;
 
 				/* Copy printable characters */
-				if ( ! iscntrl( up->sRawBuf[i] ) ) {
+				if ( ! iscntrl( (u_char)up->sRawBuf[i] ) ) {
 					up->sTextBuf[up->iTextBufLen] = up->sRawBuf[i] ;
 					up->iTextBufLen ++ ;
 				}
@@ -1154,12 +1154,13 @@ jjy_receive_tristate_jjy01 ( struct recvbuf *rbufp )
 	struct refclockproc *pp ;
 	struct peer	    *peer;
 
-	char	*pBuf, sLog [ 100 ] ;
-	int 	iLen ;
-	int 	rc ;
+	char *		pBuf ;
+	char		sLog [ 100 ] ;
+	int 		iLen ;
+	int 		rc ;
 
-	const char *pCmd ;
-	int 	iCmdLen ;
+	const char *	pCmd ;
+	int 		iCmdLen ;
 
 	/* Initialize pointers  */
 
@@ -1359,8 +1360,8 @@ jjy_poll_tristate_jjy01  ( int unit, struct peer *peer )
 	struct refclockproc *pp ;
 	struct jjyunit	    *up ;
 
-	const char *pCmd ;
-	int 	iCmdLen ;
+	const char *	pCmd ;
+	int 		iCmdLen ;
 
 	pp = peer->procptr;
 	up = pp->unitptr ;
@@ -2010,12 +2011,13 @@ jjy_receive_tristate_gpsclock01 ( struct recvbuf *rbufp )
 	struct refclockproc *pp ;
 	struct peer	    *peer;
 
-	char	*pBuf, sLog [ 100 ] ;
-	int 	iLen ;
-	int 	rc ;
+	char *		pBuf ;
+	char		sLog [ 100 ] ;
+	int 		iLen ;
+	int 		rc ;
 
-	const char	*pCmd ;
-	int 	iCmdLen ;
+	const char *	pCmd ;
+	int 		iCmdLen ;
 
 	/* Initialize pointers */
 
@@ -2239,8 +2241,8 @@ jjy_poll_tristate_gpsclock01 ( int unit, struct peer *peer )
 	struct refclockproc *pp ;
 	struct jjyunit	    *up ;
 
-	const char	*pCmd ;
-	int 	iCmdLen ;
+	const char *	pCmd ;
+	int		iCmdLen ;
 
 	pp = peer->procptr ;
 	up = pp->unitptr ;
@@ -2576,7 +2578,7 @@ static	int 	teljjy_bye_ignore	( struct peer *peer, struct refclockproc *, struct
 static	int 	teljjy_bye_disc 	( struct peer *peer, struct refclockproc *, struct jjyunit * ) ;
 static	int 	teljjy_bye_modem	( struct peer *peer, struct refclockproc *, struct jjyunit * ) ;
 
-static int ( *pTeljjyHandler [ ] [ 5 ] ) ( ) =
+static int ( *pTeljjyHandler [ ] [ 5 ] ) ( struct peer *, struct refclockproc *, struct jjyunit *) =
 {               	/*STATE_IDLE           STATE_DAILOUT       STATE_LOGIN           STATE_CONNECT       STATE_BYE        */
 /* NULL       */	{ teljjy_idle_ignore , teljjy_dial_ignore, teljjy_login_ignore, teljjy_conn_ignore, teljjy_bye_ignore },
 /* START      */	{ teljjy_idle_dialout, teljjy_dial_ignore, teljjy_login_ignore, teljjy_conn_ignore, teljjy_bye_ignore },
@@ -2715,12 +2717,12 @@ jjy_start_telephone ( int unit, struct peer *peer, struct jjyunit *up )
 
 	iNumberOfDigitsOfPhoneNumber = iCommaCount = iCommaPosition = iFirstThreeDigitsCount = 0 ;
 	for ( i = 0 ; i < strlen( sys_phone[0] ) ; i ++ ) {
-		if ( isdigit( *(sys_phone[0]+i) ) ) {
+		if ( isdigit( (u_char)sys_phone[0][i] ) ) {
 			if ( iFirstThreeDigitsCount < sizeof(sFirstThreeDigits)-1 ) {
-				sFirstThreeDigits[iFirstThreeDigitsCount++] = *(sys_phone[0]+i) ;
+				sFirstThreeDigits[iFirstThreeDigitsCount++] = sys_phone[0][i] ;
 			}
 			iNumberOfDigitsOfPhoneNumber ++ ;
-		} else if ( *(sys_phone[0]+i) == ',' ) {
+		} else if ( sys_phone[0][i] == ',' ) {
 			iCommaCount ++ ;
 			if ( iCommaCount > 1 ) {
 				msyslog( LOG_ERR, "refclock_jjy.c : jjy_start_telephone : phone in the ntpd.conf should be zero or one comma." ) ;
@@ -2729,7 +2731,7 @@ jjy_start_telephone ( int unit, struct peer *peer, struct jjyunit *up )
 			}
 			iFirstThreeDigitsCount = 0 ;
 			iCommaPosition = i ;
-		} else if ( *(sys_phone[0]+i) != '-' ) {
+		} else if ( sys_phone[0][i] != '-' ) {
 			msyslog( LOG_ERR, "refclock_jjy.c : jjy_start_telephone : phone in the ntpd.conf should be a number or a hyphen." ) ;
 			up->bInitError = TRUE ;
 			return 1 ;
@@ -3213,8 +3215,8 @@ static int
 teljjy_login_login ( struct peer *peer, struct refclockproc *pp, struct jjyunit *up )
 {
 
-	char	*pCmd ;
-	int	iCmdLen ;
+	const char *	pCmd ;
+	int		iCmdLen ;
 
 	DEBUG_TELJJY_PRINTF( "teljjy_login_login" ) ;
 
@@ -3290,8 +3292,8 @@ static int
 teljjy_conn_send ( struct peer *peer, struct refclockproc *pp, struct jjyunit *up )
 {
 
-	const char	*pCmd ;
-	int	i, iLen, iNextClockState ;
+	const char *	pCmd ;
+	int		i, iLen, iNextClockState ;
 
 	DEBUG_TELJJY_PRINTF( "teljjy_conn_send" ) ;
 
@@ -3527,7 +3529,7 @@ static int
 teljjy_conn_silent ( struct peer *peer, struct refclockproc *pp, struct jjyunit *up )
 {
 
-	const char	*pCmd ;
+	const char *	pCmd ;
 
 	DEBUG_TELJJY_PRINTF( "teljjy_conn_silent" ) ;
 
@@ -3665,7 +3667,7 @@ static	int 	modem_esc_data  	( struct peer *, struct refclockproc *, struct jjyu
 static	int 	modem_esc_silent	( struct peer *, struct refclockproc *, struct jjyunit * ) ;
 static	int 	modem_esc_disc  	( struct peer *, struct refclockproc *, struct jjyunit * ) ;
 
-static int ( *pModemHandler [ ] [ 5 ] ) ( ) =
+static int ( *pModemHandler [ ] [ 5 ] ) ( struct peer *, struct refclockproc *, struct jjyunit * ) =
 {                         	/*STATE_DISCONNECT   STATE_INITIALIZE   STATE_DAILING       STATE_CONNECT      STATE_ESCAPE     */
 /* NULL                 */	{ modem_disc_ignore, modem_init_ignore, modem_dial_ignore , modem_conn_ignore, modem_esc_ignore },
 /* INITIALIZE           */	{ modem_disc_init  , modem_init_start , modem_dial_ignore , modem_conn_ignore, modem_esc_ignore },
@@ -3993,10 +3995,11 @@ static int
 modem_init_resp00 ( struct peer *peer, struct refclockproc *pp, struct jjyunit *up )
 {
 
-	char	*pCmd, cBuf [ 46 ] ;
-	int	iCmdLen ;
-	int	iErrorCorrection, iSpeakerSwitch, iSpeakerVolume ;
-	int	iNextModemState = STAY_MODEM_STATE ;
+	const char *	pCmd ;
+	char		cBuf [ 46 ] ;
+	int		iCmdLen ;
+	int		iErrorCorrection, iSpeakerSwitch, iSpeakerVolume ;
+	int		iNextModemState = STAY_MODEM_STATE ;
 
 	DEBUG_MODEM_PRINTF( "modem_init_resp00" ) ;
 
@@ -4031,7 +4034,7 @@ modem_init_resp00 ( struct peer *peer, struct refclockproc *pp, struct jjyunit *
 		}
 
 		pCmd = cBuf ;
-		snprintf( pCmd, sizeof(cBuf), "ATM%dL%d\r\n", iSpeakerSwitch, iSpeakerVolume ) ;
+		snprintf( cBuf, sizeof(cBuf), "ATM%dL%d\r\n", iSpeakerSwitch, iSpeakerVolume ) ;
 		break ;
 
 	case 3 :
@@ -4060,7 +4063,7 @@ modem_init_resp00 ( struct peer *peer, struct refclockproc *pp, struct jjyunit *
 		}
 
 		pCmd = cBuf ;
-		snprintf( pCmd, sizeof(cBuf), "AT\\N%d\r\n", iErrorCorrection ) ;
+		snprintf( cBuf, sizeof(cBuf), "AT\\N%d\r\n", iErrorCorrection ) ;
 		break ;
 
 	case 7 :
@@ -4251,8 +4254,8 @@ static int
 modem_esc_escape ( struct peer *peer, struct refclockproc *pp, struct jjyunit *up )
 {
 
-	char	*pCmd ;
-	int	iCmdLen ;
+	const char *	pCmd ;
+	int		iCmdLen ;
 
 	DEBUG_MODEM_PRINTF( "modem_esc_escape" ) ;
 
@@ -4317,8 +4320,8 @@ static int
 modem_esc_disc ( struct peer *peer, struct refclockproc *pp, struct jjyunit *up )
 {
 
-	char	*pCmd ;
-	int	iCmdLen ;
+	const char *	pCmd ;
+	int		iCmdLen ;
 
 	DEBUG_MODEM_PRINTF( "modem_esc_disc" ) ;
 
@@ -4349,9 +4352,9 @@ static void
 jjy_write_clockstats ( struct peer *peer, int iMark, const char *pData )
 {
 
-	char	sLog [ 100 ] ;
-	char	*pMark ;
-	int 	iMarkLen, iDataLen ;
+	char		sLog [ 100 ] ;
+	const char *	pMark ;
+	int 		iMarkLen, iDataLen ;
 
 	switch ( iMark ) {
 	case JJY_CLOCKSTATS_MARK_JJY :
diff --git a/contrib/ntp/ntpd/refclock_shm.c b/contrib/ntp/ntpd/refclock_shm.c
index f3e7f51..f031a39 100644
--- a/contrib/ntp/ntpd/refclock_shm.c
+++ b/contrib/ntp/ntpd/refclock_shm.c
@@ -600,7 +600,7 @@ shm_timer(
 		     cd.year, cd.month, cd.monthday,
 		     cd.hour, cd.minute, cd.second,
 		     (long)shm_stat.tvt.tv_nsec);
-	pp->lencode = (c < sizeof(pp->a_lastcode)) ? c : 0;
+	pp->lencode = (c > 0 && (size_t)c < sizeof(pp->a_lastcode)) ? c : 0;
 
 	/* check 1: age control of local time stamp */
 	tt = shm_stat.tvc.tv_sec - shm_stat.tvr.tv_sec;
diff --git a/contrib/ntp/ntpdc/invoke-ntpdc.texi b/contrib/ntp/ntpdc/invoke-ntpdc.texi
index f8283de..a2f440a 100644
--- a/contrib/ntp/ntpdc/invoke-ntpdc.texi
+++ b/contrib/ntp/ntpdc/invoke-ntpdc.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntpdc.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:31:26 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:18:37 AM by AutoGen 5.18.5
 # From the definitions    ntpdc-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -76,7 +76,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p5
+ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p6
 Usage:  ntpdc [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [ host ...]
   Flg Arg Option-Name    Description
    -4 no  ipv4           Force IPv4 DNS name resolution
diff --git a/contrib/ntp/ntpdc/ntpdc-opts.c b/contrib/ntp/ntpdc/ntpdc-opts.c
index da89ee2..568a97a 100644
--- a/contrib/ntp/ntpdc/ntpdc-opts.c
+++ b/contrib/ntp/ntpdc/ntpdc-opts.c
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpdc-opts.c)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:31:12 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:18:22 AM by AutoGen 5.18.5
  *  From the definitions    ntpdc-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpdc program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -69,8 +69,8 @@ extern FILE * option_usage_fp;
  *  static const strings for ntpdc options
  */
 static char const ntpdc_opt_strs[1911] =
-/*     0 */ "ntpdc 4.2.8p5\n"
-            "Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n"
+/*     0 */ "ntpdc 4.2.8p6\n"
+            "Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
             "can be seen at:\n"
@@ -128,14 +128,14 @@ static char const ntpdc_opt_strs[1911] =
 /*  1694 */ "no-load-opts\0"
 /*  1707 */ "no\0"
 /*  1710 */ "NTPDC\0"
-/*  1716 */ "ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p5\n"
+/*  1716 */ "ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p6\n"
             "Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n\0"
 /*  1846 */ "$HOME\0"
 /*  1852 */ ".\0"
 /*  1854 */ ".ntprc\0"
 /*  1861 */ "http://bugs.ntp.org, bugs@ntp.org\0"
 /*  1895 */ "\n\0"
-/*  1897 */ "ntpdc 4.2.8p5";
+/*  1897 */ "ntpdc 4.2.8p6";
 
 /**
  *  ipv4 option description with
@@ -796,8 +796,8 @@ static void bogus_function(void) {
      translate option names.
    */
   /* referenced via ntpdcOptions.pzCopyright */
-  puts(_("ntpdc 4.2.8p5\n\
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n\
+  puts(_("ntpdc 4.2.8p6\n\
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n\
 This is free software. It is licensed for use, modification and\n\
 redistribution under the terms of the NTP License, copies of which\n\
 can be seen at:\n"));
@@ -862,14 +862,14 @@ implied warranty.\n"));
   puts(_("load options from a config file"));
 
   /* referenced via ntpdcOptions.pzUsageTitle */
-  puts(_("ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p5\n\
+  puts(_("ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p6\n\
 Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n"));
 
   /* referenced via ntpdcOptions.pzExplain */
   puts(_("\n"));
 
   /* referenced via ntpdcOptions.pzFullVersion */
-  puts(_("ntpdc 4.2.8p5"));
+  puts(_("ntpdc 4.2.8p6"));
 
   /* referenced via ntpdcOptions.pzFullUsage */
   puts(_("<<<NOT-FOUND>>>"));
diff --git a/contrib/ntp/ntpdc/ntpdc-opts.h b/contrib/ntp/ntpdc/ntpdc-opts.h
index d3326a7..a022a72 100644
--- a/contrib/ntp/ntpdc/ntpdc-opts.h
+++ b/contrib/ntp/ntpdc/ntpdc-opts.h
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpdc-opts.h)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:31:11 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:18:21 AM by AutoGen 5.18.5
  *  From the definitions    ntpdc-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpdc program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -83,9 +83,9 @@ typedef enum {
 /** count of all options for ntpdc */
 #define OPTION_CT    15
 /** ntpdc version */
-#define NTPDC_VERSION       "4.2.8p5"
+#define NTPDC_VERSION       "4.2.8p6"
 /** Full ntpdc version text */
-#define NTPDC_FULL_VERSION  "ntpdc 4.2.8p5"
+#define NTPDC_FULL_VERSION  "ntpdc 4.2.8p6"
 
 /**
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/contrib/ntp/ntpdc/ntpdc.1ntpdcman b/contrib/ntp/ntpdc/ntpdc.1ntpdcman
index 3e78896..e764a11 100644
--- a/contrib/ntp/ntpdc/ntpdc.1ntpdcman
+++ b/contrib/ntp/ntpdc/ntpdc.1ntpdcman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpdc 1ntpdcman "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpdc 1ntpdcman "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-EXaGzs/ag-QXayys)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-n4aaHU/ag-A4a4FU)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:22 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:33 AM by AutoGen 5.18.5
 .\" From the definitions ntpdc-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -848,7 +848,7 @@ RFC1305
 .SH AUTHORS
 The formatting directives in this document came from FreeBSD.
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 The
diff --git a/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc b/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc
index df53d89..b3e5895 100644
--- a/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc
+++ b/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPDC 1ntpdcmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpdc-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:31:29 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:39 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpdc-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -787,7 +787,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh AUTHORS
 The formatting directives in this document came from FreeBSD.
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 The
diff --git a/contrib/ntp/ntpdc/ntpdc.c b/contrib/ntp/ntpdc/ntpdc.c
index bef9ca3..8a79d0b 100644
--- a/contrib/ntp/ntpdc/ntpdc.c
+++ b/contrib/ntp/ntpdc/ntpdc.c
@@ -605,7 +605,11 @@ getresponse(
 	int seq;
 	fd_set fds;
 	ssize_t n;
-	size_t pad;
+	int pad;
+	/* absolute timeout checks. Not 'time_t' by intention! */
+	uint32_t tobase;	/* base value for timeout */
+	uint32_t tospan;	/* timeout span (max delay) */
+	uint32_t todiff;	/* current delay */
 
 	/*
 	 * This is pretty tricky.  We may get between 1 and many packets
@@ -622,12 +626,14 @@ getresponse(
 	lastseq = 999;	/* too big to be a sequence number */
 	ZERO(haveseq);
 	FD_ZERO(&fds);
+	tobase = (uint32_t)time(NULL);
 
     again:
 	if (firstpkt)
 		tvo = tvout;
 	else
 		tvo = tvsout;
+	tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
 	
 	FD_SET(sockfd, &fds);
 	n = select(sockfd+1, &fds, NULL, NULL, &tvo);
@@ -635,6 +641,17 @@ getresponse(
 		warning("select fails");
 		return -1;
 	}
+	
+	/*
+	 * Check if this is already too late. Trash the data and fake a
+	 * timeout if this is so.
+	 */
+	todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
+	if ((n > 0) && (todiff > tospan)) {
+		n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
+		n = 0; /* faked timeout return from 'select()'*/
+	}
+	
 	if (n == 0) {
 		/*
 		 * Timed out.  Return what we have
@@ -780,8 +797,10 @@ getresponse(
 	}
 
 	/*
-	 * So far, so good.  Copy this data into the output array.
+	 * So far, so good.  Copy this data into the output array. Bump
+	 * the timeout base, in case we expect more data.
 	 */
+	tobase = (uint32_t)time(NULL);
 	if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) {
 		size_t offset = datap - pktdata;
 		growpktdata();
diff --git a/contrib/ntp/ntpdc/ntpdc.html b/contrib/ntp/ntpdc/ntpdc.html
index 107af9b..ce73039 100644
--- a/contrib/ntp/ntpdc/ntpdc.html
+++ b/contrib/ntp/ntpdc/ntpdc.html
@@ -36,7 +36,7 @@ display the time offset of the system clock relative to the server
 clock.  Run as root, it can correct the system clock to this offset as
 well.  It can be run as an interactive command or from a cron job.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntpdc</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntpdc</code>.
 
   <p>The program implements the SNTP protocol as defined by RFC 5905, the NTPv4
 IETF specification.
@@ -152,7 +152,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p5
+<pre class="example">ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p6
 Usage:  ntpdc [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [ host ...]
   Flg Arg Option-Name    Description
    -4 no  ipv4           Force IPv4 DNS name resolution
diff --git a/contrib/ntp/ntpdc/ntpdc.man.in b/contrib/ntp/ntpdc/ntpdc.man.in
index 6662438..d7e25fa 100644
--- a/contrib/ntp/ntpdc/ntpdc.man.in
+++ b/contrib/ntp/ntpdc/ntpdc.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpdc @NTPDC_MS@ "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpdc @NTPDC_MS@ "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-EXaGzs/ag-QXayys)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-n4aaHU/ag-A4a4FU)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:22 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:33 AM by AutoGen 5.18.5
 .\" From the definitions ntpdc-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -848,7 +848,7 @@ RFC1305
 .SH AUTHORS
 The formatting directives in this document came from FreeBSD.
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 The
diff --git a/contrib/ntp/ntpdc/ntpdc.mdoc.in b/contrib/ntp/ntpdc/ntpdc.mdoc.in
index 2e2fd31..4dd9e15 100644
--- a/contrib/ntp/ntpdc/ntpdc.mdoc.in
+++ b/contrib/ntp/ntpdc/ntpdc.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPDC @NTPDC_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpdc-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:31:29 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:18:39 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpdc-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -787,7 +787,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh AUTHORS
 The formatting directives in this document came from FreeBSD.
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 The
diff --git a/contrib/ntp/ntpq/invoke-ntpq.texi b/contrib/ntp/ntpq/invoke-ntpq.texi
index b01127c..bcd1df4 100644
--- a/contrib/ntp/ntpq/invoke-ntpq.texi
+++ b/contrib/ntp/ntpq/invoke-ntpq.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntpq.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:32:00 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:19:10 AM by AutoGen 5.18.5
 # From the definitions    ntpq-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -847,7 +847,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntpq - standard NTP query program - Ver. 4.2.8p5
+ntpq - standard NTP query program - Ver. 4.2.8p6
 Usage:  ntpq [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [ host ...]
   Flg Arg Option-Name    Description
    -4 no  ipv4           Force IPv4 DNS name resolution
diff --git a/contrib/ntp/ntpq/ntpq-opts.c b/contrib/ntp/ntpq/ntpq-opts.c
index 69f4881..42131a3 100644
--- a/contrib/ntp/ntpq/ntpq-opts.c
+++ b/contrib/ntp/ntpq/ntpq-opts.c
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpq-opts.c)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:31:32 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:18:42 AM by AutoGen 5.18.5
  *  From the definitions    ntpq-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpq program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -69,8 +69,8 @@ extern FILE * option_usage_fp;
  *  static const strings for ntpq options
  */
 static char const ntpq_opt_strs[1925] =
-/*     0 */ "ntpq 4.2.8p5\n"
-            "Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n"
+/*     0 */ "ntpq 4.2.8p6\n"
+            "Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
             "can be seen at:\n"
@@ -129,13 +129,13 @@ static char const ntpq_opt_strs[1925] =
 /*  1723 */ "no-load-opts\0"
 /*  1736 */ "no\0"
 /*  1739 */ "NTPQ\0"
-/*  1744 */ "ntpq - standard NTP query program - Ver. 4.2.8p5\n"
+/*  1744 */ "ntpq - standard NTP query program - Ver. 4.2.8p6\n"
             "Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n\0"
 /*  1863 */ "$HOME\0"
 /*  1869 */ ".\0"
 /*  1871 */ ".ntprc\0"
 /*  1878 */ "http://bugs.ntp.org, bugs@ntp.org\0"
-/*  1912 */ "ntpq 4.2.8p5";
+/*  1912 */ "ntpq 4.2.8p6";
 
 /**
  *  ipv4 option description with
@@ -786,8 +786,8 @@ static void bogus_function(void) {
      translate option names.
    */
   /* referenced via ntpqOptions.pzCopyright */
-  puts(_("ntpq 4.2.8p5\n\
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n\
+  puts(_("ntpq 4.2.8p6\n\
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n\
 This is free software. It is licensed for use, modification and\n\
 redistribution under the terms of the NTP License, copies of which\n\
 can be seen at:\n"));
@@ -852,11 +852,11 @@ implied warranty.\n"));
   puts(_("load options from a config file"));
 
   /* referenced via ntpqOptions.pzUsageTitle */
-  puts(_("ntpq - standard NTP query program - Ver. 4.2.8p5\n\
+  puts(_("ntpq - standard NTP query program - Ver. 4.2.8p6\n\
 Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n"));
 
   /* referenced via ntpqOptions.pzFullVersion */
-  puts(_("ntpq 4.2.8p5"));
+  puts(_("ntpq 4.2.8p6"));
 
   /* referenced via ntpqOptions.pzFullUsage */
   puts(_("<<<NOT-FOUND>>>"));
diff --git a/contrib/ntp/ntpq/ntpq-opts.h b/contrib/ntp/ntpq/ntpq-opts.h
index 758817f..af7a4c2 100644
--- a/contrib/ntp/ntpq/ntpq-opts.h
+++ b/contrib/ntp/ntpq/ntpq-opts.h
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpq-opts.h)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:31:32 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:18:42 AM by AutoGen 5.18.5
  *  From the definitions    ntpq-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpq program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -83,9 +83,9 @@ typedef enum {
 /** count of all options for ntpq */
 #define OPTION_CT    15
 /** ntpq version */
-#define NTPQ_VERSION       "4.2.8p5"
+#define NTPQ_VERSION       "4.2.8p6"
 /** Full ntpq version text */
-#define NTPQ_FULL_VERSION  "ntpq 4.2.8p5"
+#define NTPQ_FULL_VERSION  "ntpq 4.2.8p6"
 
 /**
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/contrib/ntp/ntpq/ntpq-subs.c b/contrib/ntp/ntpq/ntpq-subs.c
index 438c7ca..8e70477 100644
--- a/contrib/ntp/ntpq/ntpq-subs.c
+++ b/contrib/ntp/ntpq/ntpq-subs.c
@@ -2861,7 +2861,7 @@ collect_mru_list(
 				 ri, sptoa(&recent->addr), ri,
 				 recent->last.l_ui, recent->last.l_uf);
 			chars = strlen(buf);
-			if (REQ_ROOM <= chars)
+			if ((size_t)REQ_ROOM <= chars)
 				break;
 			memcpy(req, buf, chars + 1);
 			req += chars;
@@ -3173,6 +3173,7 @@ mrulist(
 		qsort(sorted, mru_count, sizeof(sorted[0]),
 		      mru_qcmp_table[order]);
 
+	mrulist_interrupted = FALSE;
 	printf(	"lstint avgint rstr r m v  count rport remote address\n"
 		"==============================================================================\n");
 		/* '=' x 78 */
@@ -3199,6 +3200,11 @@ mrulist(
 			nntohost(&recent->addr));
 		if (showhostnames)
 			fflush(fp);
+		if (mrulist_interrupted) {
+			fputs("\n --interrupted--\n", fp);
+			fflush(fp);
+			break;
+		}
 	}
 	fflush(fp);
 	if (debug) {
diff --git a/contrib/ntp/ntpq/ntpq.1ntpqman b/contrib/ntp/ntpq/ntpq.1ntpqman
index 1c26076..b96d106 100644
--- a/contrib/ntp/ntpq/ntpq.1ntpqman
+++ b/contrib/ntp/ntpq/ntpq.1ntpqman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpq 1ntpqman "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpq 1ntpqman "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-4VaaKt/ag-eWa4It)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Z7aWRV/ag-_7aOQV)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:55 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:06 AM by AutoGen 5.18.5
 .\" From the definitions ntpq-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -1412,7 +1412,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpq/ntpq.1ntpqmdoc b/contrib/ntp/ntpq/ntpq.1ntpqmdoc
index bf8d101..d4da8d7 100644
--- a/contrib/ntp/ntpq/ntpq.1ntpqmdoc
+++ b/contrib/ntp/ntpq/ntpq.1ntpqmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPQ 1ntpqmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpq-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:32:02 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:19:12 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpq-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -955,7 +955,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpq/ntpq.c b/contrib/ntp/ntpq/ntpq.c
index 5b3c9cb..1dcaeb7 100644
--- a/contrib/ntp/ntpq/ntpq.c
+++ b/contrib/ntp/ntpq/ntpq.c
@@ -218,7 +218,7 @@ static	void	outputarr	(FILE *, char *, int, l_fp *);
 static	int	assoccmp	(const void *, const void *);
 static	void	on_ctrlc	(void);
 	u_short	varfmt		(const char *);
-
+static	int	my_easprintf	(char**, const char *, ...) NTP_PRINTF(2, 3);
 void	ntpq_custom_opt_handler	(tOptions *, tOptDesc *);
 
 #ifdef OPENSSL
@@ -472,7 +472,7 @@ ntpqmain(
 
 	{
 	    char *list;
-	    char *msg, *fmt;
+	    char *msg;
 
 	    list = list_digest_names();
 	    for (icmd = 0; icmd < sizeof(builtins)/sizeof(builtins[0]); icmd++) {
@@ -486,13 +486,15 @@ ntpqmain(
 
 #ifdef OPENSSL
 	    builtins[icmd].desc[0] = "digest-name";
-	    fmt = "set key type to use for authenticated requests, one of:%s";
+	    my_easprintf(&msg,
+			 "set key type to use for authenticated requests, one of:%s",
+			 list);
 #else
 	    builtins[icmd].desc[0] = "md5";
-	    fmt = "set key type to use for authenticated requests (%s)";
+	    my_easprintf(&msg,
+			 "set key type to use for authenticated requests (%s)",
+			 list);
 #endif
-	    msg = emalloc(strlen(fmt) + strlen(list) - strlen("%s") +1);
-	    sprintf(msg, fmt, list);
 	    builtins[icmd].comment = msg;
 	    free(list);
 	}
@@ -844,6 +846,10 @@ getresponse(
 	fd_set fds;
 	int n;
 	int errcode;
+	/* absolute timeout checks. Not 'time_t' by intention! */
+	uint32_t tobase;	/* base value for timeout */
+	uint32_t tospan;	/* timeout span (max delay) */
+	uint32_t todiff;	/* current delay */
 
 	/*
 	 * This is pretty tricky.  We may get between 1 and MAXFRAG packets
@@ -860,6 +866,8 @@ getresponse(
 	numfrags = 0;
 	seenlastfrag = 0;
 
+	tobase = (uint32_t)time(NULL);
+	
 	FD_ZERO(&fds);
 
 	/*
@@ -872,13 +880,40 @@ getresponse(
 			tvo = tvout;
 		else
 			tvo = tvsout;
+		tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
 
 		FD_SET(sockfd, &fds);
 		n = select(sockfd+1, &fds, NULL, NULL, &tvo);
 		if (n == -1) {
+#if !defined(SYS_WINNT) && defined(EINTR)
+			/* Windows does not know about EINTR (until very
+			 * recently) and the handling of console events
+			 * is *very* different from POSIX/UNIX signal
+			 * handling anyway.
+			 *
+			 * Under non-windows targets we map EINTR as
+			 * 'last packet was received' and try to exit
+			 * the receive sequence.
+			 */
+			if (errno == EINTR) {
+				seenlastfrag = 1;
+				goto maybe_final;
+			}
+#endif
 			warning("select fails");
 			return -1;
 		}
+
+		/*
+		 * Check if this is already too late. Trash the data and
+		 * fake a timeout if this is so.
+		 */
+		todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
+		if ((n > 0) && (todiff > tospan)) {
+			n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
+			n = 0; /* faked timeout return from 'select()'*/
+		}
+		
 		if (n == 0) {
 			/*
 			 * Timed out.  Return what we have
@@ -1141,14 +1176,17 @@ getresponse(
 		}
 
 		/*
-		 * Copy the data into the data buffer.
+		 * Copy the data into the data buffer, and bump the
+		 * timout base in case we need more.
 		 */
 		memcpy((char *)pktdata + offset, &rpkt.u, count);
-
+		tobase = (uint32_t)time(NULL);
+		
 		/*
 		 * If we've seen the last fragment, look for holes in the sequence.
 		 * If there aren't any, we're done.
 		 */
+	  maybe_final:
 		if (seenlastfrag && offsets[0] == 0) {
 			for (f = 1; f < numfrags; f++)
 				if (offsets[f-1] + counts[f-1] !=
@@ -2954,6 +2992,8 @@ nextvar(
 	len = srclen;
 	while (len > 0 && isspace((unsigned char)cp[len - 1]))
 		len--;
+	if (len >= sizeof(name))
+	    return 0;
 	if (len > 0)
 		memcpy(name, cp, len);
 	name[len] = '\0';
@@ -3615,3 +3655,41 @@ on_ctrlc(void)
 		if ((*ctrlc_stack[--size])())
 			break;
 }
+
+static int
+my_easprintf(
+	char ** 	ppinto,
+	const char *	fmt   ,
+	...
+	)
+{
+	va_list	va;
+	int	prc;
+	size_t	len = 128;
+	char *	buf = emalloc(len);
+
+  again:
+	/* Note: we expect the memory allocation to fail long before the
+	 * increment in buffer size actually overflows.
+	 */
+	buf = (buf) ? erealloc(buf, len) : emalloc(len);
+
+	va_start(va, fmt);
+	prc = vsnprintf(buf, len, fmt, va);
+	va_end(va);
+
+	if (prc < 0) {
+		/* might be very old vsnprintf. Or actually MSVC... */
+		len += len >> 1;
+		goto again;
+	}
+	if ((size_t)prc >= len) {
+		/* at least we have the proper size now... */
+		len = (size_t)prc + 1;
+		goto again;
+	}
+	if ((size_t)prc < (len - 32))
+		buf = erealloc(buf, (size_t)prc + 1);
+	*ppinto = buf;
+	return prc;
+}
diff --git a/contrib/ntp/ntpq/ntpq.html b/contrib/ntp/ntpq/ntpq.html
index 16f2597..96df83d 100644
--- a/contrib/ntp/ntpq/ntpq.html
+++ b/contrib/ntp/ntpq/ntpq.html
@@ -44,7 +44,7 @@ monitor the operational status
 and determine the performance of
 <code>ntpd</code>, the NTP daemon.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntpq</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntpq</code>.
 
 <ul class="menu">
 <li><a accesskey="1" href="#ntpq-Description">ntpq Description</a>
@@ -769,7 +769,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntpq - standard NTP query program - Ver. 4.2.8p4
+<pre class="example">ntpq - standard NTP query program - Ver. 4.2.8p5
 Usage:  ntpq [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [ host ...]
   Flg Arg Option-Name    Description
    -4 no  ipv4           Force IPv4 DNS name resolution
diff --git a/contrib/ntp/ntpq/ntpq.man.in b/contrib/ntp/ntpq/ntpq.man.in
index 17ccb1c..abe2608 100644
--- a/contrib/ntp/ntpq/ntpq.man.in
+++ b/contrib/ntp/ntpq/ntpq.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpq @NTPQ_MS@ "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpq @NTPQ_MS@ "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-4VaaKt/ag-eWa4It)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Z7aWRV/ag-_7aOQV)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:55 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:06 AM by AutoGen 5.18.5
 .\" From the definitions ntpq-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -1412,7 +1412,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpq/ntpq.mdoc.in b/contrib/ntp/ntpq/ntpq.mdoc.in
index 9214a66..d71c508 100644
--- a/contrib/ntp/ntpq/ntpq.mdoc.in
+++ b/contrib/ntp/ntpq/ntpq.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPQ @NTPQ_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpq-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:32:02 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:19:12 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpq-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -955,7 +955,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi b/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi
index 1185316..fcbc23e 100644
--- a/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi
+++ b/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntpsnmpd.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:32:15 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:19:26 AM by AutoGen 5.18.5
 # From the definitions    ntpsnmpd-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -47,7 +47,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p5
+ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p6
 Usage:  ntpsnmpd [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
   Flg Arg Option-Name    Description
    -n no  nofork         Do not fork
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c
index cb48b16..772f364 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpsnmpd-opts.c)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:32:05 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:19:15 AM by AutoGen 5.18.5
  *  From the definitions    ntpsnmpd-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpsnmpd program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -61,8 +61,8 @@ extern FILE * option_usage_fp;
  *  static const strings for ntpsnmpd options
  */
 static char const ntpsnmpd_opt_strs[1610] =
-/*     0 */ "ntpsnmpd 4.2.8p5\n"
-            "Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n"
+/*     0 */ "ntpsnmpd 4.2.8p6\n"
+            "Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
             "can be seen at:\n"
@@ -101,14 +101,14 @@ static char const ntpsnmpd_opt_strs[1610] =
 /*  1414 */ "no-load-opts\0"
 /*  1427 */ "no\0"
 /*  1430 */ "NTPSNMPD\0"
-/*  1439 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p5\n"
+/*  1439 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p6\n"
             "Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
 /*  1542 */ "$HOME\0"
 /*  1548 */ ".\0"
 /*  1550 */ ".ntprc\0"
 /*  1557 */ "http://bugs.ntp.org, bugs@ntp.org\0"
 /*  1591 */ "\n\0"
-/*  1593 */ "ntpsnmpd 4.2.8p5";
+/*  1593 */ "ntpsnmpd 4.2.8p6";
 
 /**
  *  nofork option description:
@@ -554,8 +554,8 @@ static void bogus_function(void) {
      translate option names.
    */
   /* referenced via ntpsnmpdOptions.pzCopyright */
-  puts(_("ntpsnmpd 4.2.8p5\n\
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n\
+  puts(_("ntpsnmpd 4.2.8p6\n\
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n\
 This is free software. It is licensed for use, modification and\n\
 redistribution under the terms of the NTP License, copies of which\n\
 can be seen at:\n"));
@@ -599,14 +599,14 @@ implied warranty.\n"));
   puts(_("load options from a config file"));
 
   /* referenced via ntpsnmpdOptions.pzUsageTitle */
-  puts(_("ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p5\n\
+  puts(_("ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p6\n\
 Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n"));
 
   /* referenced via ntpsnmpdOptions.pzExplain */
   puts(_("\n"));
 
   /* referenced via ntpsnmpdOptions.pzFullVersion */
-  puts(_("ntpsnmpd 4.2.8p5"));
+  puts(_("ntpsnmpd 4.2.8p6"));
 
   /* referenced via ntpsnmpdOptions.pzFullUsage */
   puts(_("<<<NOT-FOUND>>>"));
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h
index 8146eb9..de27f4b 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntpsnmpd-opts.h)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:32:04 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:19:14 AM by AutoGen 5.18.5
  *  From the definitions    ntpsnmpd-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntpsnmpd program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -76,9 +76,9 @@ typedef enum {
 /** count of all options for ntpsnmpd */
 #define OPTION_CT    8
 /** ntpsnmpd version */
-#define NTPSNMPD_VERSION       "4.2.8p5"
+#define NTPSNMPD_VERSION       "4.2.8p6"
 /** Full ntpsnmpd version text */
-#define NTPSNMPD_FULL_VERSION  "ntpsnmpd 4.2.8p5"
+#define NTPSNMPD_FULL_VERSION  "ntpsnmpd 4.2.8p6"
 
 /**
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman
index e7fc2eb..d36ca07 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpsnmpd 1ntpsnmpdman "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpsnmpd 1ntpsnmpdman "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-dZaaSu/ag-qZa4Qu)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-FaaWZW/ag-SaaOYW)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:32:12 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:22 AM by AutoGen 5.18.5
 .\" From the definitions ntpsnmpd-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -138,7 +138,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .NOP  "Heiko Gerstung" 
 .br
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc
index ba8d82a..6b513dc 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPSNMPD 1ntpsnmpdmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpsnmpd-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:32:18 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:19:28 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpsnmpd-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -110,7 +110,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh AUTHORS
 .An "Heiko Gerstung"
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.html b/contrib/ntp/ntpsnmpd/ntpsnmpd.html
index 94df056..9bd75b9 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd.html
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.html
@@ -42,7 +42,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <p>The <code>ntpsnmpd</code> utility program is used to monitor NTP daemon <code>ntpd</code>
 operations and determine performance.  It uses the standard NTP mode 6 control
 
-  <p>This document applies to version 4.2.8p5 of <code>ntpsnmpd</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntpsnmpd</code>.
 
 <ul class="menu">
 <li><a accesskey="1" href="#ntpsnmpd-Description">ntpsnmpd Description</a>:             Description
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in b/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in
index b5fe93d..3dbade2 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpsnmpd @NTPSNMPD_MS@ "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH ntpsnmpd @NTPSNMPD_MS@ "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-dZaaSu/ag-qZa4Qu)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-FaaWZW/ag-SaaOYW)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:32:12 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:22 AM by AutoGen 5.18.5
 .\" From the definitions ntpsnmpd-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -138,7 +138,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .NOP  "Heiko Gerstung" 
 .br
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in b/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in
index 9349c2f..11ab184 100644
--- a/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in
+++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPSNMPD @NTPSNMPD_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpsnmpd-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:32:18 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:19:28 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpsnmpd-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -110,7 +110,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh AUTHORS
 .An "Heiko Gerstung"
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/packageinfo.sh b/contrib/ntp/packageinfo.sh
index 9b94198..1835576 100644
--- a/contrib/ntp/packageinfo.sh
+++ b/contrib/ntp/packageinfo.sh
@@ -83,7 +83,7 @@ CLTAG=NTP_4_2_0
 # - Numeric values increment
 # - empty 'increments' to 1
 # - NEW 'increments' to empty
-point=5
+point=6
 
 ### betapoint is normally modified by script.
 # ntp-stable Beta number (betapoint)
diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman
index cfeca4d..8ec5024 100644
--- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman
+++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH calc_tickadj 1calc_tickadjman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH calc_tickadj 1calc_tickadjman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-nyaOMf/ag-AyaWLf)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-lWayEG/ag-yWaGDG)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:26 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:09:44 AM by AutoGen 5.18.5
 .\" From the definitions calc_tickadj-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc
index 8aed38f..aef4ada 100644
--- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc
+++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt CALC_TICKADJ 1calc_tickadjmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (calc_tickadj-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:26:28 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:09:46 AM by AutoGen 5.18.5
 .\"  From the definitions    calc_tickadj-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html
index 484e112..4869e66 100644
--- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html
+++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html
@@ -31,7 +31,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <h2 class="unnumbered">calc_tickadj User's Manual</h2>
 
 <p>This document describes the use of the NTP Project's <code>calc_tickadj</code> program. 
-This document applies to version 4.2.8p5 of <code>calc_tickadj</code>.
+This document applies to version 4.2.8p6 of <code>calc_tickadj</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in
index cfeca4d..8ec5024 100644
--- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in
+++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH calc_tickadj 1calc_tickadjman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH calc_tickadj 1calc_tickadjman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-nyaOMf/ag-AyaWLf)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-lWayEG/ag-yWaGDG)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:26 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:09:44 AM by AutoGen 5.18.5
 .\" From the definitions calc_tickadj-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in
index 8aed38f..aef4ada 100644
--- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in
+++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt CALC_TICKADJ 1calc_tickadjmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (calc_tickadj-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:26:28 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:09:46 AM by AutoGen 5.18.5
 .\"  From the definitions    calc_tickadj-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi b/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi
index c78d53d..418562f 100644
--- a/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi
+++ b/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-calc_tickadj.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:30 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:09:47 AM by AutoGen 5.18.5
 # From the definitions    calc_tickadj-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
diff --git a/contrib/ntp/scripts/invoke-plot_summary.texi b/contrib/ntp/scripts/invoke-plot_summary.texi
index 93cc07a..96b5714 100644
--- a/contrib/ntp/scripts/invoke-plot_summary.texi
+++ b/contrib/ntp/scripts/invoke-plot_summary.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-plot_summary.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:27:16 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:34 AM by AutoGen 5.18.5
 # From the definitions    plot_summary-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -41,7 +41,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-plot_summary - plot statistics generated by summary script - Ver. 4.2.8p5
+plot_summary - plot statistics generated by summary script - Ver. 4.2.8p6
 USAGE: plot_summary [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... 
 
         --directory=str          Where the summary files are
diff --git a/contrib/ntp/scripts/invoke-summary.texi b/contrib/ntp/scripts/invoke-summary.texi
index 521a7ff..9a05d51 100644
--- a/contrib/ntp/scripts/invoke-summary.texi
+++ b/contrib/ntp/scripts/invoke-summary.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-summary.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:27:22 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:40 AM by AutoGen 5.18.5
 # From the definitions    summary-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -42,7 +42,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-summary - compute various stastics from NTP stat files - Ver. 4.2.8p5
+summary - compute various stastics from NTP stat files - Ver. 4.2.8p6
 USAGE: summary [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... 
 
         --directory=str          Directory containing stat files
diff --git a/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi b/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi
index f2de360..d2e964c 100644
--- a/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi
+++ b/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntp-wait.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:39 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:09:57 AM by AutoGen 5.18.5
 # From the definitions    ntp-wait-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -61,7 +61,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p5
+ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p6
 USAGE: ntp-wait [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... 
 
     -n, --tries=num              Number of times to check ntpd
diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait-opts b/contrib/ntp/scripts/ntp-wait/ntp-wait-opts
index 24db0a3..1c6a815 100644
--- a/contrib/ntp/scripts/ntp-wait/ntp-wait-opts
+++ b/contrib/ntp/scripts/ntp-wait/ntp-wait-opts
@@ -1,6 +1,6 @@
 # EDIT THIS FILE WITH CAUTION  (ntp-wait-opts)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:33 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:09:51 AM by AutoGen 5.18.5
 # From the definitions    ntp-wait-opts.def
 # and the template file   perlopt
 
@@ -40,7 +40,7 @@ sub processOptions {
         'help|?', 'more-help'));
 
     $usage = <<'USAGE';
-ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p5
+ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p6
 USAGE: ntp-wait [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 
 
     -n, --tries=num              Number of times to check ntpd
diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman
index b49cd94..44b0d00 100644
--- a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman
+++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntp-wait 1ntp-waitman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntp-wait 1ntp-waitman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-7OaOah/ag-iPaW_g)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-4fay4H/ag-fgaG3H)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:35 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:09:53 AM by AutoGen 5.18.5
 .\" From the definitions ntp-wait-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc
index 293bb0e..b052fcc 100644
--- a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc
+++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_WAIT 1ntp-waitmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp-wait-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:26:41 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:09:59 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp-wait-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.html b/contrib/ntp/scripts/ntp-wait/ntp-wait.html
index e8f08d4..53accf6 100644
--- a/contrib/ntp/scripts/ntp-wait/ntp-wait.html
+++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.html
@@ -39,7 +39,7 @@ until the system's time has stabilized and synchronized,
 and only then start any applicaitons (like database servers) that require
 accurate and stable time.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntp-wait</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntp-wait</code>.
 
 <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -114,7 +114,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p5
+<pre class="example">ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p6
 USAGE: ntp-wait [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
 
     -n, --tries=num              Number of times to check ntpd
diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in b/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in
index f7326de..693cea7 100644
--- a/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in
+++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntp-wait @NTP_WAIT_MS@ "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntp-wait @NTP_WAIT_MS@ "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-7OaOah/ag-iPaW_g)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-4fay4H/ag-fgaG3H)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:35 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:09:53 AM by AutoGen 5.18.5
 .\" From the definitions ntp-wait-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in b/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in
index d3562ba..faa7361 100644
--- a/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in
+++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_WAIT @NTP_WAIT_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp-wait-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:26:41 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:09:59 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp-wait-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi b/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi
index 0556da8..5e90637 100644
--- a/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi
+++ b/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntpsweep.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:45 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:03 AM by AutoGen 5.18.5
 # From the definitions    ntpsweep-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -45,7 +45,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p5
+ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p6
 USAGE: ntpsweep [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostfile]
 
     -l, --host-list=str          Host to execute actions on
diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep-opts b/contrib/ntp/scripts/ntpsweep/ntpsweep-opts
index 2629d29..7cd1e3d 100644
--- a/contrib/ntp/scripts/ntpsweep/ntpsweep-opts
+++ b/contrib/ntp/scripts/ntpsweep/ntpsweep-opts
@@ -1,6 +1,6 @@
 # EDIT THIS FILE WITH CAUTION  (ntpsweep-opts)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:43 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:01 AM by AutoGen 5.18.5
 # From the definitions    ntpsweep-opts.def
 # and the template file   perlopt
 
@@ -43,7 +43,7 @@ sub processOptions {
         'help|?', 'more-help'));
 
     $usage = <<'USAGE';
-ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p5
+ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p6
 USAGE: ntpsweep [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [hostfile]
 
     -l, --host-list=str          Host to execute actions on
diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman
index 0f61f64..0419a17 100644
--- a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman
+++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpsweep 1ntpsweepman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntpsweep 1ntpsweepman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-eHaGCi/ag-rHaOBi)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-3aaGuJ/ag-ebaOtJ)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:47 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:05 AM by AutoGen 5.18.5
 .\" From the definitions ntpsweep-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc
index 6d0c357..8b1af98 100644
--- a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc
+++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPSWEEP 1ntpsweepmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpsweep-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:26:50 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:09 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpsweep-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.html b/contrib/ntp/scripts/ntpsweep/ntpsweep.html
index aba6b5f..b5dac39 100644
--- a/contrib/ntp/scripts/ntpsweep/ntpsweep.html
+++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.html
@@ -30,7 +30,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 
   <p>This document describes the use of the NTP Project's <code>ntpsweep</code> program.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntpsweep</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntpsweep</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -90,7 +90,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p5
+<pre class="example">ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p6
 USAGE: ntpsweep [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [hostfile]
 
     -l, --host-list=str          Host to execute actions on
diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in b/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in
index 0f61f64..0419a17 100644
--- a/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in
+++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntpsweep 1ntpsweepman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntpsweep 1ntpsweepman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-eHaGCi/ag-rHaOBi)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-3aaGuJ/ag-ebaOtJ)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:47 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:05 AM by AutoGen 5.18.5
 .\" From the definitions ntpsweep-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in b/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in
index 6d0c357..8b1af98 100644
--- a/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in
+++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPSWEEP 1ntpsweepmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntpsweep-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:26:50 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:09 AM by AutoGen 5.18.5
 .\"  From the definitions    ntpsweep-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi b/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi
index 29f48f4..0545b4a 100644
--- a/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi
+++ b/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntptrace.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:58 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:16 AM by AutoGen 5.18.5
 # From the definitions    ntptrace-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -62,7 +62,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntptrace - Trace peers of an NTP server - Ver. 4.2.8p5
+ntptrace - Trace peers of an NTP server - Ver. 4.2.8p6
 USAGE: ntptrace [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [host]
 
     -n, --numeric                Print IP addresses instead of hostnames
diff --git a/contrib/ntp/scripts/ntptrace/ntptrace-opts b/contrib/ntp/scripts/ntptrace/ntptrace-opts
index d1cecf8..9744414 100644
--- a/contrib/ntp/scripts/ntptrace/ntptrace-opts
+++ b/contrib/ntp/scripts/ntptrace/ntptrace-opts
@@ -1,6 +1,6 @@
 # EDIT THIS FILE WITH CAUTION  (ntptrace-opts)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:26:52 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:10 AM by AutoGen 5.18.5
 # From the definitions    ntptrace-opts.def
 # and the template file   perlopt
 
@@ -40,7 +40,7 @@ sub processOptions {
         'help|?', 'more-help'));
 
     $usage = <<'USAGE';
-ntptrace - Trace peers of an NTP server - Ver. 4.2.8p5
+ntptrace - Trace peers of an NTP server - Ver. 4.2.8p6
 USAGE: ntptrace [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [host]
 
     -n, --numeric                Print IP addresses instead of hostnames
diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman
index 33854e6..870d184 100644
--- a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman
+++ b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntptrace 1ntptraceman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntptrace 1ntptraceman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-tqaWUj/ag-Gqa4Tj)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-s0aOMK/ag-G0aWLK)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:54 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:13 AM by AutoGen 5.18.5
 .\" From the definitions ntptrace-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc
index eea1d62..0a8a83a 100644
--- a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc
+++ b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPTRACE 1ntptracemdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntptrace-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:00 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:18 AM by AutoGen 5.18.5
 .\"  From the definitions    ntptrace-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.html b/contrib/ntp/scripts/ntptrace/ntptrace.html
index fb96e71..2da3424 100644
--- a/contrib/ntp/scripts/ntptrace/ntptrace.html
+++ b/contrib/ntp/scripts/ntptrace/ntptrace.html
@@ -31,7 +31,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <h2 class="unnumbered">Simple Network Time Protocol User Manual</h2>
 
 <p>This document describes the use of the NTP Project's <code>ntptrace</code> program. 
-This document applies to version 4.2.8p5 of <code>ntptrace</code>.
+This document applies to version 4.2.8p6 of <code>ntptrace</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -107,7 +107,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntptrace - Trace peers of an NTP server - Ver. 4.2.8p5
+<pre class="example">ntptrace - Trace peers of an NTP server - Ver. 4.2.8p6
 USAGE: ntptrace [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [host]
 
     -n, --numeric                Print IP addresses instead of hostnames
diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.man.in b/contrib/ntp/scripts/ntptrace/ntptrace.man.in
index 04c8c91..d602938 100644
--- a/contrib/ntp/scripts/ntptrace/ntptrace.man.in
+++ b/contrib/ntp/scripts/ntptrace/ntptrace.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntptrace @NTPTRACE_MS@ "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntptrace @NTPTRACE_MS@ "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-tqaWUj/ag-Gqa4Tj)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-s0aOMK/ag-G0aWLK)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:26:54 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:13 AM by AutoGen 5.18.5
 .\" From the definitions ntptrace-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in b/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in
index 6e8b389..b7be946 100644
--- a/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in
+++ b/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTPTRACE @NTPTRACE_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntptrace-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:00 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:18 AM by AutoGen 5.18.5
 .\"  From the definitions    ntptrace-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/plot_summary-opts b/contrib/ntp/scripts/plot_summary-opts
index 28ea583..03c0dbb 100644
--- a/contrib/ntp/scripts/plot_summary-opts
+++ b/contrib/ntp/scripts/plot_summary-opts
@@ -1,6 +1,6 @@
 # EDIT THIS FILE WITH CAUTION  (plot_summary-opts)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:27:12 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:30 AM by AutoGen 5.18.5
 # From the definitions    plot_summary-opts.def
 # and the template file   perlopt
 
@@ -46,7 +46,7 @@ sub processOptions {
         'help|?', 'more-help'));
 
     $usage = <<'USAGE';
-plot_summary - plot statistics generated by summary script - Ver. 4.2.8p5
+plot_summary - plot statistics generated by summary script - Ver. 4.2.8p6
 USAGE: plot_summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 
 
         --directory=str          Where the summary files are
diff --git a/contrib/ntp/scripts/plot_summary.1plot_summaryman b/contrib/ntp/scripts/plot_summary.1plot_summaryman
index 9094f8e..1aec5a7 100644
--- a/contrib/ntp/scripts/plot_summary.1plot_summaryman
+++ b/contrib/ntp/scripts/plot_summary.1plot_summaryman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH plot_summary 1plot_summaryman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH plot_summary 1plot_summaryman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-xiaqKm/ag-KiayJm)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-CNaiCN/ag-PNaqBN)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:27:18 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:36 AM by AutoGen 5.18.5
 .\" From the definitions plot_summary-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/plot_summary.1plot_summarymdoc b/contrib/ntp/scripts/plot_summary.1plot_summarymdoc
index 99c5d8c..e816434 100644
--- a/contrib/ntp/scripts/plot_summary.1plot_summarymdoc
+++ b/contrib/ntp/scripts/plot_summary.1plot_summarymdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt PLOT_SUMMARY 1plot_summarymdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (plot_summary-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:20 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:38 AM by AutoGen 5.18.5
 .\"  From the definitions    plot_summary-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/plot_summary.html b/contrib/ntp/scripts/plot_summary.html
index 3cb2ed4..6d8e5a4 100644
--- a/contrib/ntp/scripts/plot_summary.html
+++ b/contrib/ntp/scripts/plot_summary.html
@@ -31,7 +31,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <h2 class="unnumbered">Plot_summary User Manual</h2>
 
 <p>This document describes the use of the NTP Project's <code>plot_summary</code> program. 
-This document applies to version 4.2.8p5 of <code>plot_summary</code>.
+This document applies to version 4.2.8p6 of <code>plot_summary</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -89,7 +89,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">plot_summary - plot statistics generated by summary script - Ver. 4.2.8p5
+<pre class="example">plot_summary - plot statistics generated by summary script - Ver. 4.2.8p6
 USAGE: plot_summary [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
 
         --directory=str          Where the summary files are
diff --git a/contrib/ntp/scripts/plot_summary.man.in b/contrib/ntp/scripts/plot_summary.man.in
index 9094f8e..1aec5a7 100644
--- a/contrib/ntp/scripts/plot_summary.man.in
+++ b/contrib/ntp/scripts/plot_summary.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH plot_summary 1plot_summaryman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH plot_summary 1plot_summaryman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-xiaqKm/ag-KiayJm)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-CNaiCN/ag-PNaqBN)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:27:18 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:36 AM by AutoGen 5.18.5
 .\" From the definitions plot_summary-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/plot_summary.mdoc.in b/contrib/ntp/scripts/plot_summary.mdoc.in
index 99c5d8c..e816434 100644
--- a/contrib/ntp/scripts/plot_summary.mdoc.in
+++ b/contrib/ntp/scripts/plot_summary.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt PLOT_SUMMARY 1plot_summarymdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (plot_summary-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:20 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:38 AM by AutoGen 5.18.5
 .\"  From the definitions    plot_summary-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/summary-opts b/contrib/ntp/scripts/summary-opts
index 47661ee..2fa6a7d 100644
--- a/contrib/ntp/scripts/summary-opts
+++ b/contrib/ntp/scripts/summary-opts
@@ -1,6 +1,6 @@
 # EDIT THIS FILE WITH CAUTION  (summary-opts)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:27:14 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:32 AM by AutoGen 5.18.5
 # From the definitions    summary-opts.def
 # and the template file   perlopt
 
@@ -44,7 +44,7 @@ sub processOptions {
         'help|?', 'more-help'));
 
     $usage = <<'USAGE';
-summary - compute various stastics from NTP stat files - Ver. 4.2.8p5
+summary - compute various stastics from NTP stat files - Ver. 4.2.8p6
 USAGE: summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 
 
         --directory=str          Directory containing stat files
diff --git a/contrib/ntp/scripts/summary.1summaryman b/contrib/ntp/scripts/summary.1summaryman
index 0573b11..fd5d8d2 100644
--- a/contrib/ntp/scripts/summary.1summaryman
+++ b/contrib/ntp/scripts/summary.1summaryman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH summary 1summaryman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH summary 1summaryman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-.Ca4Xm/ag-lDaaXm)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-z8aWPN/ag-M8a4ON)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:27:24 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:42 AM by AutoGen 5.18.5
 .\" From the definitions summary-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/summary.1summarymdoc b/contrib/ntp/scripts/summary.1summarymdoc
index 5e28a57..f6fd0c1 100644
--- a/contrib/ntp/scripts/summary.1summarymdoc
+++ b/contrib/ntp/scripts/summary.1summarymdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt SUMMARY 1summarymdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (summary-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:25 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:44 AM by AutoGen 5.18.5
 .\"  From the definitions    summary-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/summary.html b/contrib/ntp/scripts/summary.html
index 566531e..d9c57e9 100644
--- a/contrib/ntp/scripts/summary.html
+++ b/contrib/ntp/scripts/summary.html
@@ -31,7 +31,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 <h2 class="unnumbered">Summary User Manual</h2>
 
 <p>This document describes the use of the NTP Project's <code>summary</code> program. 
-This document applies to version 4.2.8p5 of <code>summary</code>.
+This document applies to version 4.2.8p6 of <code>summary</code>.
 
   <div class="shortcontents">
 <h2>Short Contents</h2>
@@ -88,7 +88,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">summary - compute various stastics from NTP stat files - Ver. 4.2.8p5
+<pre class="example">summary - compute various stastics from NTP stat files - Ver. 4.2.8p6
 USAGE: summary [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
 
         --directory=str          Directory containing stat files
diff --git a/contrib/ntp/scripts/summary.man.in b/contrib/ntp/scripts/summary.man.in
index 0573b11..fd5d8d2 100644
--- a/contrib/ntp/scripts/summary.man.in
+++ b/contrib/ntp/scripts/summary.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH summary 1summaryman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH summary 1summaryman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-.Ca4Xm/ag-lDaaXm)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-z8aWPN/ag-M8a4ON)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:27:24 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:42 AM by AutoGen 5.18.5
 .\" From the definitions summary-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/summary.mdoc.in b/contrib/ntp/scripts/summary.mdoc.in
index 5e28a57..f6fd0c1 100644
--- a/contrib/ntp/scripts/summary.mdoc.in
+++ b/contrib/ntp/scripts/summary.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt SUMMARY 1summarymdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (summary-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:25 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:44 AM by AutoGen 5.18.5
 .\"  From the definitions    summary-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/update-leap/invoke-update-leap.texi b/contrib/ntp/scripts/update-leap/invoke-update-leap.texi
index 4231979..a3aa6b4 100644
--- a/contrib/ntp/scripts/update-leap/invoke-update-leap.texi
+++ b/contrib/ntp/scripts/update-leap/invoke-update-leap.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-update-leap.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:27:05 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:24 AM by AutoGen 5.18.5
 # From the definitions    update-leap-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
diff --git a/contrib/ntp/scripts/update-leap/update-leap-opts b/contrib/ntp/scripts/update-leap/update-leap-opts
index 506a746..8b9827e 100644
--- a/contrib/ntp/scripts/update-leap/update-leap-opts
+++ b/contrib/ntp/scripts/update-leap/update-leap-opts
@@ -1,6 +1,6 @@
 # EDIT THIS FILE WITH CAUTION  (update-leap-opts)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:27:11 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:10:30 AM by AutoGen 5.18.5
 # From the definitions    update-leap-opts.def
 # and the template file   perlopt
 
@@ -46,7 +46,7 @@ sub processOptions {
         'help|?', 'more-help'));
 
     $usage = <<'USAGE';
-update-leap - leap-seconds file manager/updater - Ver. 4.2.8p5
+update-leap - leap-seconds file manager/updater - Ver. 4.2.8p6
 USAGE: update-leap [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 
 
     -s, --source-url=str         The URL of the master copy of the leapseconds file
diff --git a/contrib/ntp/scripts/update-leap/update-leap.1update-leapman b/contrib/ntp/scripts/update-leap/update-leap.1update-leapman
index 4fdf467..891a2ab 100644
--- a/contrib/ntp/scripts/update-leap/update-leap.1update-leapman
+++ b/contrib/ntp/scripts/update-leap/update-leap.1update-leapman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH update-leap 1update-leapman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH update-leap 1update-leapman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-9hayKk/ag-kiaGJk)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-iOaqCL/ag-uOayBL)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:27:02 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:20 AM by AutoGen 5.18.5
 .\" From the definitions update-leap-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc b/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc
index 8827df7..1212586 100644
--- a/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc
+++ b/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt UPDATE_LEAP 1update-leapmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (update-leap-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:10 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:28 AM by AutoGen 5.18.5
 .\"  From the definitions    update-leap-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/scripts/update-leap/update-leap.html b/contrib/ntp/scripts/update-leap/update-leap.html
index a7d2a70..6013b1e 100644
--- a/contrib/ntp/scripts/update-leap/update-leap.html
+++ b/contrib/ntp/scripts/update-leap/update-leap.html
@@ -30,7 +30,7 @@ Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>
 
   <p>This document describes the use of the NTP Project's <code>update-leap</code> program.
 
-  <p>This document applies to version 4.2.8p5 of <code>update-leap</code>.
+  <p>This document applies to version 4.2.8p6 of <code>update-leap</code>.
 
 <div class="shortcontents">
 <h2>Short Contents</h2>
diff --git a/contrib/ntp/scripts/update-leap/update-leap.man.in b/contrib/ntp/scripts/update-leap/update-leap.man.in
index 4fdf467..891a2ab 100644
--- a/contrib/ntp/scripts/update-leap/update-leap.man.in
+++ b/contrib/ntp/scripts/update-leap/update-leap.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH update-leap 1update-leapman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH update-leap 1update-leapman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-9hayKk/ag-kiaGJk)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-iOaqCL/ag-uOayBL)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:27:02 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:10:20 AM by AutoGen 5.18.5
 .\" From the definitions update-leap-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
diff --git a/contrib/ntp/scripts/update-leap/update-leap.mdoc.in b/contrib/ntp/scripts/update-leap/update-leap.mdoc.in
index 8827df7..1212586 100644
--- a/contrib/ntp/scripts/update-leap/update-leap.mdoc.in
+++ b/contrib/ntp/scripts/update-leap/update-leap.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt UPDATE_LEAP 1update-leapmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (update-leap-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:27:10 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:10:28 AM by AutoGen 5.18.5
 .\"  From the definitions    update-leap-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/contrib/ntp/sntp/configure b/contrib/ntp/sntp/configure
index ce397ef..b4ce6de 100755
--- a/contrib/ntp/sntp/configure
+++ b/contrib/ntp/sntp/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for sntp 4.2.8p5.
+# Generated by GNU Autoconf 2.69 for sntp 4.2.8p6.
 #
 # Report bugs to <http://bugs.ntp.org./>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sntp'
 PACKAGE_TARNAME='sntp'
-PACKAGE_VERSION='4.2.8p5'
-PACKAGE_STRING='sntp 4.2.8p5'
+PACKAGE_VERSION='4.2.8p6'
+PACKAGE_STRING='sntp 4.2.8p6'
 PACKAGE_BUGREPORT='http://bugs.ntp.org./'
 PACKAGE_URL='http://www.ntp.org./'
 
@@ -1491,7 +1491,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sntp 4.2.8p5 to adapt to many kinds of systems.
+\`configure' configures sntp 4.2.8p6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1561,7 +1561,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sntp 4.2.8p5:";;
+     short | recursive ) echo "Configuration of sntp 4.2.8p6:";;
    esac
   cat <<\_ACEOF
 
@@ -1706,7 +1706,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sntp configure 4.2.8p5
+sntp configure 4.2.8p6
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2536,7 +2536,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sntp $as_me 4.2.8p5, which was
+It was created by sntp $as_me 4.2.8p6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3533,7 +3533,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='sntp'
- VERSION='4.2.8p5'
+ VERSION='4.2.8p6'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -31110,7 +31110,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sntp $as_me 4.2.8p5, which was
+This file was extended by sntp $as_me 4.2.8p6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -31177,7 +31177,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sntp config.status 4.2.8p5
+sntp config.status 4.2.8p6
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/contrib/ntp/sntp/crypto.c b/contrib/ntp/sntp/crypto.c
index b178f8c..234e137 100644
--- a/contrib/ntp/sntp/crypto.c
+++ b/contrib/ntp/sntp/crypto.c
@@ -7,11 +7,11 @@ size_t key_cnt = 0;
 
 int
 make_mac(
-	char *pkt_data,
+	const void *pkt_data,
 	int pkt_size,
 	int mac_size,
-	struct key *cmp_key,
-	char * digest
+	const struct key *cmp_key,
+	void * digest
 	)
 {
 	u_int		len = mac_size;
@@ -26,39 +26,40 @@ make_mac(
 	INIT_SSL();
 	key_type = keytype_from_text(cmp_key->type, NULL);
 	EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type));
-	EVP_DigestUpdate(&ctx, (u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len);
-	EVP_DigestUpdate(&ctx, (u_char *)pkt_data, (u_int)pkt_size);
-	EVP_DigestFinal(&ctx, (u_char *)digest, &len);
+	EVP_DigestUpdate(&ctx, (const u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len);
+	EVP_DigestUpdate(&ctx, pkt_data, (u_int)pkt_size);
+	EVP_DigestFinal(&ctx, digest, &len);
 
 	return (int)len;
 }
 
 
-/* Generates a md5 digest of the key specified in keyid concatinated with the 
+/* Generates a md5 digest of the key specified in keyid concatenated with the 
  * ntp packet (exluding the MAC) and compares this digest to the digest in
  * the packet's MAC. If they're equal this function returns 1 (packet is 
  * authentic) or else 0 (not authentic).
  */
 int
 auth_md5(
-	char *pkt_data,
+	const void *pkt_data,
 	int pkt_size,
 	int mac_size,
-	struct key *cmp_key
+	const struct key *cmp_key
 	)
 {
 	int  hash_len;
 	int  authentic;
 	char digest[20];
-
+	const u_char *pkt_ptr; 
 	if (mac_size > (int)sizeof(digest))
 		return 0;
-	hash_len = make_mac(pkt_data, pkt_size, sizeof(digest), cmp_key,
+	pkt_ptr = pkt_data;
+	hash_len = make_mac(pkt_ptr, pkt_size, sizeof(digest), cmp_key,
 			    digest);
 	if (!hash_len)
 		authentic = FALSE;
 	else
-		authentic = !memcmp(digest, pkt_data + pkt_size + 4,
+		authentic = !memcmp(digest, pkt_ptr + pkt_size + 4,
 				    hash_len);
 	return authentic;
 }
diff --git a/contrib/ntp/sntp/crypto.h b/contrib/ntp/sntp/crypto.h
index 39e0e6b..19cdbc4 100644
--- a/contrib/ntp/sntp/crypto.h
+++ b/contrib/ntp/sntp/crypto.h
@@ -17,16 +17,18 @@
 /* #include "sntp-opts.h" */
 
 struct key {
-	struct key *next;
-	int key_id;
-	int key_len;
-	char type[10];
-	char key_seq[64];
+	struct key *	next;
+	int		key_id;
+	int		key_len;
+	char		type[10];
+	char		key_seq[64];
 };
 
-int auth_init(const char *keyfile, struct key **keys);
-void get_key(int key_id, struct key **d_key);
-int make_mac(char *pkt_data, int pkt_size, int mac_size, struct key *cmp_key, char *digest);
-int auth_md5(char *pkt_data, int pkt_size, int mac_size, struct key *cmp_key);
+extern	int	auth_init(const char *keyfile, struct key **keys);
+extern	void	get_key(int key_id, struct key **d_key);
+extern	int	make_mac(const void *pkt_data, int pkt_size, int mac_size,
+			 const struct key *cmp_key, void *digest);
+extern	int	auth_md5(const void *pkt_data, int pkt_size, int mac_size,
+			 const struct key *cmp_key);
 
 #endif
diff --git a/contrib/ntp/sntp/include/copyright.def b/contrib/ntp/sntp/include/copyright.def
index 1cc7ad2..4fb4461 100644
--- a/contrib/ntp/sntp/include/copyright.def
+++ b/contrib/ntp/sntp/include/copyright.def
@@ -1,7 +1,7 @@
 /* -*- Mode: Text -*- */
 
 copyright = {
-    date  = "1992-2015";
+    date  = "1992-2016";
     owner = "The University of Delaware and Network Time Foundation";
     eaddr = "http://bugs.ntp.org, bugs@ntp.org";
     type  = ntp;
diff --git a/contrib/ntp/sntp/include/version.def b/contrib/ntp/sntp/include/version.def
index ddc02d4..5a08174 100644
--- a/contrib/ntp/sntp/include/version.def
+++ b/contrib/ntp/sntp/include/version.def
@@ -1 +1 @@
-version = '4.2.8p5';
+version = '4.2.8p6';
diff --git a/contrib/ntp/sntp/include/version.texi b/contrib/ntp/sntp/include/version.texi
index 28b9357..fa9aeb3 100644
--- a/contrib/ntp/sntp/include/version.texi
+++ b/contrib/ntp/sntp/include/version.texi
@@ -1,3 +1,3 @@
-@set UPDATED 07 January 2016
-@set EDITION 4.2.8p5
-@set VERSION 4.2.8p5
+@set UPDATED 20 January 2016
+@set EDITION 4.2.8p6
+@set VERSION 4.2.8p6
diff --git a/contrib/ntp/sntp/invoke-sntp.texi b/contrib/ntp/sntp/invoke-sntp.texi
index 6ca3b06..695c9eb 100644
--- a/contrib/ntp/sntp/invoke-sntp.texi
+++ b/contrib/ntp/sntp/invoke-sntp.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-sntp.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:23:24 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:06:42 AM by AutoGen 5.18.5
 # From the definitions    sntp-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -101,7 +101,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p5
+sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p6
 Usage:  sntp [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \
                 [ hostname-or-IP ...]
   Flg Arg Option-Name    Description
diff --git a/contrib/ntp/sntp/libopts/configfile.c b/contrib/ntp/sntp/libopts/configfile.c
index 03156ca..8244371e 100644
--- a/contrib/ntp/sntp/libopts/configfile.c
+++ b/contrib/ntp/sntp/libopts/configfile.c
@@ -182,9 +182,9 @@ optionFindValue(const tOptDesc * odesc, char const * name, char const * val)
     }
 
     else do {
-        tArgList * argl  = odesc->optCookie;
-        int        argct = argl->useCt;
-        void **    poptv = (void **)(argl->apzArgs);
+        tArgList *    argl  = odesc->optCookie;
+        int           argct = argl->useCt;
+        const void ** poptv = VOIDP(argl->apzArgs);
 
         if (argct == 0) {
             errno = ENOENT;
@@ -192,7 +192,7 @@ optionFindValue(const tOptDesc * odesc, char const * name, char const * val)
         }
 
         if (name == NULL) {
-            res = (tOptionValue *)*poptv;
+            res = (const tOptionValue *)*poptv;
             break;
         }
 
@@ -249,7 +249,7 @@ optionFindNextValue(const tOptDesc * odesc, const tOptionValue * pPrevVal,
                     char const * pzName, char const * pzVal)
 {
     bool old_found = false;
-    tOptionValue * res = NULL;
+    const tOptionValue * res = NULL;
 
     (void)pzName;
     (void)pzVal;
@@ -264,12 +264,12 @@ optionFindNextValue(const tOptDesc * odesc, const tOptionValue * pPrevVal,
     }
 
     else do {
-        tArgList * argl = odesc->optCookie;
-        int        ct   = argl->useCt;
-        void **   poptv = (void **)argl->apzArgs;
+        tArgList *    argl  = odesc->optCookie;
+        int           ct    = argl->useCt;
+        const void ** poptv = VOIDP(argl->apzArgs);
 
         while (--ct >= 0) {
-            tOptionValue * pOV = *(poptv++);
+            const tOptionValue * pOV = *(poptv++);
             if (old_found) {
                 res = pOV;
                 break;
@@ -315,8 +315,8 @@ optionFindNextValue(const tOptDesc * odesc, const tOptionValue * pPrevVal,
 tOptionValue const *
 optionGetValue(tOptionValue const * oov, char const * vname)
 {
-    tArgList *     arg_list;
-    tOptionValue * res = NULL;
+    tArgList *           arg_list;
+    const tOptionValue * res = NULL;
 
     if ((oov == NULL) || (oov->valType != OPARG_TYPE_HIERARCHY)) {
         errno = EINVAL;
@@ -325,14 +325,14 @@ optionGetValue(tOptionValue const * oov, char const * vname)
     arg_list = oov->v.nestVal;
 
     if (arg_list->useCt > 0) {
-        int     ct     = arg_list->useCt;
-        void ** ovlist = (void **)(arg_list->apzArgs);
+        int           ct     = arg_list->useCt;
+        const void ** ovlist = VOIDP(arg_list->apzArgs);
 
         if (vname == NULL) {
-            res = (tOptionValue *)*ovlist;
+            res = (const tOptionValue *)*ovlist;
 
         } else do {
-            tOptionValue * opt_val = *(ovlist++);
+            const tOptionValue * opt_val = *(ovlist++);
             if (strcmp(opt_val->pzName, vname) == 0) {
                 res = opt_val;
                 break;
@@ -374,9 +374,9 @@ optionGetValue(tOptionValue const * oov, char const * vname)
 tOptionValue const *
 optionNextValue(tOptionValue const * ov_list,tOptionValue const * oov )
 {
-    tArgList *     arg_list;
-    tOptionValue * res = NULL;
-    int            err = EINVAL;
+    tArgList *           arg_list;
+    const tOptionValue * res = NULL;
+    int                  err = EINVAL;
 
     if ((ov_list == NULL) || (ov_list->valType != OPARG_TYPE_HIERARCHY)) {
         errno = EINVAL;
@@ -384,18 +384,18 @@ optionNextValue(tOptionValue const * ov_list,tOptionValue const * oov )
     }
     arg_list = ov_list->v.nestVal;
     {
-        int     ct    = arg_list->useCt;
-        void ** o_list = (void **)(arg_list->apzArgs);
+        int           ct     = arg_list->useCt;
+        const void ** o_list = VOIDP(arg_list->apzArgs);
 
         while (ct-- > 0) {
-            tOptionValue * nov = *(o_list++);
+            const tOptionValue * nov = *(o_list++);
             if (nov == oov) {
                 if (ct == 0) {
                     err = ENOENT;
 
                 } else {
                     err = 0;
-                    res = (tOptionValue *)*o_list;
+                    res = (const tOptionValue *)*o_list;
                 }
                 break;
             }
diff --git a/contrib/ntp/sntp/libopts/enum.c b/contrib/ntp/sntp/libopts/enum.c
index 3345558..e9bba83 100644
--- a/contrib/ntp/sntp/libopts/enum.c
+++ b/contrib/ntp/sntp/libopts/enum.c
@@ -189,12 +189,12 @@ find_name(char const * name, tOptions * pOpts, tOptDesc * pOD,
      *  The result gets stashed in a char * pointer.
      */
     uintptr_t   res = name_ct;
-    size_t      len = strlen((char *)name);
+    size_t      len = strlen(name);
     uintptr_t   idx;
 
     if (IS_DEC_DIGIT_CHAR(*name)) {
-        char * pz = VOIDP(name);
-        unsigned long val = strtoul(pz, &pz, 0);
+        char * pz;
+        unsigned long val = strtoul(name, &pz, 0);
         if ((*pz == NUL) && (val < name_ct))
             return (uintptr_t)val;
         pz_enum_err_fmt = znum_too_large;
@@ -215,7 +215,7 @@ find_name(char const * name, tOptions * pOpts, tOptDesc * pOD,
      *  Multiple partial matches means we have an ambiguous match.
      */
     for (idx = 0; idx < name_ct; idx++) {
-        if (strncmp((char *)paz_names[idx], (char *)name, len) == 0) {
+        if (strncmp(paz_names[idx], name, len) == 0) {
             if (paz_names[idx][len] == NUL)
                 return idx;  /* full match */
 
@@ -500,7 +500,7 @@ find_member_bit(tOptions * opts, tOptDesc * od, char const * pz, int len,
         if (shift_ct >= nm_ct)
             return 0UL;
 
-        return 1UL << shift_ct;
+        return (uintptr_t)1U << shift_ct;
     }
 }
 
diff --git a/contrib/ntp/sntp/libopts/find.c b/contrib/ntp/sntp/libopts/find.c
index 90591cc..97a24df 100644
--- a/contrib/ntp/sntp/libopts/find.c
+++ b/contrib/ntp/sntp/libopts/find.c
@@ -80,7 +80,7 @@ parse_opt(char const ** nm_pp, char ** arg_pp, char * buf, size_t bufsz)
 
             buf[res] = NUL;
             *nm_pp   = buf;
-            *arg_pp  = (char *)p;
+            *arg_pp  = VOIDP(p);
             return res;
 
         default:
diff --git a/contrib/ntp/sntp/libopts/init.c b/contrib/ntp/sntp/libopts/init.c
index e02e1e1..81d4eee 100644
--- a/contrib/ntp/sntp/libopts/init.c
+++ b/contrib/ntp/sntp/libopts/init.c
@@ -97,15 +97,14 @@ validate_struct(tOptions * opts, char const * pname)
      */
     if (opts->pzProgName == NULL) {
         char const *  pz = strrchr(pname, DIRCH);
-        char const ** pp =
-            (char const **)(void **)&(opts->pzProgName);
+        char const ** pp = VOIDP(&(opts->pzProgName));
 
         if (pz != NULL)
             *pp = pz+1;
         else
             *pp = pname;
 
-        pz = pathfind(getenv("PATH"), (char *)pname, "rx");
+        pz = pathfind(getenv("PATH"), pname, "rx");
         if (pz != NULL)
             pname = VOIDP(pz);
 
diff --git a/contrib/ntp/sntp/libopts/load.c b/contrib/ntp/sntp/libopts/load.c
index b5230af..ccda5b4 100644
--- a/contrib/ntp/sntp/libopts/load.c
+++ b/contrib/ntp/sntp/libopts/load.c
@@ -225,7 +225,7 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
     if (strchr(prg_path, DIRCH) != NULL)
         path = prg_path;
     else {
-        path = pathfind(getenv("PATH"), (char *)prg_path, "rx");
+        path = pathfind(getenv("PATH"), prg_path, "rx");
 
         if (path == NULL)
             return false;
diff --git a/contrib/ntp/sntp/libopts/makeshell.c b/contrib/ntp/sntp/libopts/makeshell.c
index a61df42..fbe8e17 100644
--- a/contrib/ntp/sntp/libopts/makeshell.c
+++ b/contrib/ntp/sntp/libopts/makeshell.c
@@ -401,7 +401,7 @@ emit_usage(tOptions * opts)
 
         /* Copy the program name into the time/name buffer */
         for (;;) {
-            if ((*pzPN++ = (char)tolower(*pz++)) == NUL)
+            if ((*pzPN++ = (char)tolower((unsigned char)*pz++)) == NUL)
                 break;
         }
 
@@ -671,8 +671,8 @@ emit_match_expr(char const * name, tOptDesc * cod, tOptions * opts)
                 continue;
 
             match_ct = 0;
-            while (  toupper(od->pz_DisableName[match_ct])
-                  == toupper(name[match_ct]))
+            while (  toupper((unsigned char)od->pz_DisableName[match_ct])
+                  == toupper((unsigned char)name[match_ct]))
                 match_ct++;
             if (match_ct > min_match_ct)
                 min_match_ct = match_ct;
diff --git a/contrib/ntp/sntp/libopts/nested.c b/contrib/ntp/sntp/libopts/nested.c
index f4fb226..aaf089f 100644
--- a/contrib/ntp/sntp/libopts/nested.c
+++ b/contrib/ntp/sntp/libopts/nested.c
@@ -859,6 +859,7 @@ LOCAL int
 get_special_char(char const ** ppz, int * ct)
 {
     char const * pz = *ppz;
+    char *       rz;
 
     if (*ct < 3)
         return '&';
@@ -872,7 +873,8 @@ get_special_char(char const ** ppz, int * ct)
             base = 16;
             pz++;
         }
-        retch = (int)strtoul(pz, (char **)&pz, base);
+        retch = (int)strtoul(pz, &rz, base);
+        pz = rz;
         if (*pz != ';')
             return '&';
         base = (int)(++pz - *ppz);
diff --git a/contrib/ntp/sntp/libopts/parse-duration.c b/contrib/ntp/sntp/libopts/parse-duration.c
index e072b7d..11e3d828 100644
--- a/contrib/ntp/sntp/libopts/parse-duration.c
+++ b/contrib/ntp/sntp/libopts/parse-duration.c
@@ -60,14 +60,20 @@ typedef enum {
 static unsigned long
 str_const_to_ul (cch_t * str, cch_t ** ppz, int base)
 {
-  return strtoul (str, (char **)ppz, base);
+  char * pz;
+  int rv = strtoul (str, &pz, base);
+  *ppz = pz;
+  return rv;
 }
 
 /* Wrapper around strtol that does not require a cast.  */
 static long
 str_const_to_l (cch_t * str, cch_t ** ppz, int base)
 {
-  return strtol (str, (char **)ppz, base);
+  char * pz;
+  int rv = strtol (str, &pz, base);
+  *ppz = pz;
+  return rv;
 }
 
 /* Returns BASE + VAL * SCALE, interpreting BASE = BAD_TIME
diff --git a/contrib/ntp/sntp/libopts/reset.c b/contrib/ntp/sntp/libopts/reset.c
index 6ca2c05..97ecb52 100644
--- a/contrib/ntp/sntp/libopts/reset.c
+++ b/contrib/ntp/sntp/libopts/reset.c
@@ -113,7 +113,7 @@ optionResetOpt(tOptions * pOpts, tOptDesc * pOD)
             assert(0 == 1);
         }
     } else {
-        succ = opt_find_long(pOpts, (char *)pzArg, &opt_state);
+        succ = opt_find_long(pOpts, pzArg, &opt_state);
         if (! SUCCESSFUL(succ)) {
             fprintf(stderr, zIllOptStr, pOpts->pzProgPath, pzArg);
             pOpts->pUsageProc(pOpts, EXIT_FAILURE);
diff --git a/contrib/ntp/sntp/libopts/save.c b/contrib/ntp/sntp/libopts/save.c
index f462ced..cdab05f 100644
--- a/contrib/ntp/sntp/libopts/save.c
+++ b/contrib/ntp/sntp/libopts/save.c
@@ -453,7 +453,7 @@ prt_val_list(FILE * fp, char const * name, tArgList * al)
     if (al == NULL)
         return;
     opt_ct   = al->useCt;
-    opt_list = (void **)al->apzArgs;
+    opt_list = VOIDP(al->apzArgs);
 
     if (opt_ct <= 0) {
         fprintf(fp, OPEN_CLOSE_FMT, name);
@@ -488,7 +488,7 @@ prt_nested(FILE * fp, tOptDesc * p)
         return;
 
     opt_ct   = al->useCt;
-    opt_list = (void **)al->apzArgs;
+    opt_list = VOIDP(al->apzArgs);
 
     if (opt_ct <= 0)
         return;
diff --git a/contrib/ntp/sntp/libopts/tokenize.c b/contrib/ntp/sntp/libopts/tokenize.c
index cbff7fb..25550ea 100644
--- a/contrib/ntp/sntp/libopts/tokenize.c
+++ b/contrib/ntp/sntp/libopts/tokenize.c
@@ -57,7 +57,7 @@ copy_cooked(ch_t ** ppDest, char const ** ppSrc)
         case NUL:   *ppSrc = NULL; return;
         case '"':   goto done;
         case '\\':
-            pSrc += ao_string_cook_escape_char((char *)pSrc, (char *)&ch, 0x7F);
+            pSrc += ao_string_cook_escape_char((const char *)pSrc, (char *)&ch, 0x7F);
             if (ch == 0x7F)
                 break;
             /* FALLTHROUGH */
diff --git a/contrib/ntp/sntp/m4/version.m4 b/contrib/ntp/sntp/m4/version.m4
index b8f98b5..236cc18 100644
--- a/contrib/ntp/sntp/m4/version.m4
+++ b/contrib/ntp/sntp/m4/version.m4
@@ -1 +1 @@
-m4_define([VERSION_NUMBER],[4.2.8p5])
+m4_define([VERSION_NUMBER],[4.2.8p6])
diff --git a/contrib/ntp/sntp/main.c b/contrib/ntp/sntp/main.c
index 870db93..78ed7c2 100644
--- a/contrib/ntp/sntp/main.c
+++ b/contrib/ntp/sntp/main.c
@@ -1135,7 +1135,7 @@ generate_pkt (
 	if (pkt_key != NULL) {
 		x_pkt->exten[0] = htonl(key_id);
 		mac_size = 20; /* max room for MAC */
-		mac_size = make_mac((char *)x_pkt, pkt_len, mac_size,
+		mac_size = make_mac(x_pkt, pkt_len, mac_size,
 				    pkt_key, (char *)&x_pkt->exten[1]);
 		if (mac_size > 0)
 			pkt_len += mac_size + 4;
diff --git a/contrib/ntp/sntp/networking.c b/contrib/ntp/sntp/networking.c
index 6a176c5..21cf09a 100644
--- a/contrib/ntp/sntp/networking.c
+++ b/contrib/ntp/sntp/networking.c
@@ -184,7 +184,7 @@ process_pkt (
 		** keyfile and compare those md5sums.
 		*/
 		mac_size = exten_len << 2;
-		if (!auth_md5((char *)rpkt, pkt_len - mac_size,
+		if (!auth_md5(rpkt, pkt_len - mac_size,
 			      mac_size - 4, pkt_key)) {
 			is_authentic = FALSE;
 			break;
diff --git a/contrib/ntp/sntp/sntp-opts.c b/contrib/ntp/sntp/sntp-opts.c
index 69fb786..d11f0b2 100644
--- a/contrib/ntp/sntp/sntp-opts.c
+++ b/contrib/ntp/sntp/sntp-opts.c
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (sntp-opts.c)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:22:49 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:06:07 AM by AutoGen 5.18.5
  *  From the definitions    sntp-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The sntp program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -70,8 +70,8 @@ extern FILE * option_usage_fp;
  *  static const strings for sntp options
  */
 static char const sntp_opt_strs[2549] =
-/*     0 */ "sntp 4.2.8p5\n"
-            "Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n"
+/*     0 */ "sntp 4.2.8p6\n"
+            "Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
             "can be seen at:\n"
@@ -155,7 +155,7 @@ static char const sntp_opt_strs[2549] =
 /*  2298 */ "LOAD_OPTS\0"
 /*  2308 */ "no-load-opts\0"
 /*  2321 */ "SNTP\0"
-/*  2326 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p5\n"
+/*  2326 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p6\n"
             "Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n"
             "\t\t[ hostname-or-IP ...]\n\0"
 /*  2485 */ "$HOME\0"
@@ -163,7 +163,7 @@ static char const sntp_opt_strs[2549] =
 /*  2493 */ ".ntprc\0"
 /*  2500 */ "http://bugs.ntp.org, bugs@ntp.org\0"
 /*  2534 */ "\n\0"
-/*  2536 */ "sntp 4.2.8p5";
+/*  2536 */ "sntp 4.2.8p6";
 
 /**
  *  ipv4 option description with
@@ -1173,8 +1173,8 @@ static void bogus_function(void) {
      translate option names.
    */
   /* referenced via sntpOptions.pzCopyright */
-  puts(_("sntp 4.2.8p5\n\
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n\
+  puts(_("sntp 4.2.8p6\n\
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n\
 This is free software. It is licensed for use, modification and\n\
 redistribution under the terms of the NTP License, copies of which\n\
 can be seen at:\n"));
@@ -1263,7 +1263,7 @@ implied warranty.\n"));
   puts(_("load options from a config file"));
 
   /* referenced via sntpOptions.pzUsageTitle */
-  puts(_("sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p5\n\
+  puts(_("sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p6\n\
 Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\
 \t\t[ hostname-or-IP ...]\n"));
 
@@ -1271,7 +1271,7 @@ Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\
   puts(_("\n"));
 
   /* referenced via sntpOptions.pzFullVersion */
-  puts(_("sntp 4.2.8p5"));
+  puts(_("sntp 4.2.8p6"));
 
   /* referenced via sntpOptions.pzFullUsage */
   puts(_("<<<NOT-FOUND>>>"));
diff --git a/contrib/ntp/sntp/sntp-opts.h b/contrib/ntp/sntp/sntp-opts.h
index 78951ab..ab741c7 100644
--- a/contrib/ntp/sntp/sntp-opts.h
+++ b/contrib/ntp/sntp/sntp-opts.h
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (sntp-opts.h)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:22:48 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:06:06 AM by AutoGen 5.18.5
  *  From the definitions    sntp-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The sntp program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -91,9 +91,9 @@ typedef enum {
 /** count of all options for sntp */
 #define OPTION_CT    23
 /** sntp version */
-#define SNTP_VERSION       "4.2.8p5"
+#define SNTP_VERSION       "4.2.8p6"
 /** Full sntp version text */
-#define SNTP_FULL_VERSION  "sntp 4.2.8p5"
+#define SNTP_FULL_VERSION  "sntp 4.2.8p6"
 
 /**
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/contrib/ntp/sntp/sntp.1sntpman b/contrib/ntp/sntp/sntp.1sntpman
index 792fc52..0a83bd3 100644
--- a/contrib/ntp/sntp/sntp.1sntpman
+++ b/contrib/ntp/sntp/sntp.1sntpman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH sntp 1sntpman "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH sntp 1sntpman "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-e.aO3S/ag-r.aG2S)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-vxaitn/ag-Ixaasn)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:23:20 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:06:38 AM by AutoGen 5.18.5
 .\" From the definitions sntp-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -348,7 +348,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .NOP  "Dave Hart" 
 .br
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/sntp/sntp.1sntpmdoc b/contrib/ntp/sntp/sntp.1sntpmdoc
index 8005e9a..86b72ad 100644
--- a/contrib/ntp/sntp/sntp.1sntpmdoc
+++ b/contrib/ntp/sntp/sntp.1sntpmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt SNTP 1sntpmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (sntp-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:23:27 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:06:45 AM by AutoGen 5.18.5
 .\"  From the definitions    sntp-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -303,7 +303,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .An "Harlan Stenn"
 .An "Dave Hart"
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/sntp/sntp.html b/contrib/ntp/sntp/sntp.html
index 6aa66fb..61efd50 100644
--- a/contrib/ntp/sntp/sntp.html
+++ b/contrib/ntp/sntp/sntp.html
@@ -36,7 +36,7 @@ display the time offset of the system clock relative to the server
 clock.  Run as root, it can correct the system clock to this offset as
 well.  It can be run as an interactive command or from a cron job.
 
-  <p>This document applies to version 4.2.8p5 of <code>sntp</code>.
+  <p>This document applies to version 4.2.8p6 of <code>sntp</code>.
 
   <p>The program implements the SNTP protocol as defined by RFC 5905, the NTPv4
 IETF specification.
@@ -176,7 +176,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p5
+<pre class="example">sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p6
 Usage:  sntp [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... \
                 [ hostname-or-IP ...]
   Flg Arg Option-Name    Description
diff --git a/contrib/ntp/sntp/sntp.man.in b/contrib/ntp/sntp/sntp.man.in
index 1d5e571..c223eb5 100644
--- a/contrib/ntp/sntp/sntp.man.in
+++ b/contrib/ntp/sntp/sntp.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH sntp @SNTP_MS@ "07 Jan 2016" "4.2.8p5" "User Commands"
+.TH sntp @SNTP_MS@ "20 Jan 2016" "4.2.8p6" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-e.aO3S/ag-r.aG2S)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-vxaitn/ag-Ixaasn)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:23:20 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:06:38 AM by AutoGen 5.18.5
 .\" From the definitions sntp-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -348,7 +348,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .NOP  "Dave Hart" 
 .br
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/sntp/sntp.mdoc.in b/contrib/ntp/sntp/sntp.mdoc.in
index 5168a99..2e15332 100644
--- a/contrib/ntp/sntp/sntp.mdoc.in
+++ b/contrib/ntp/sntp/sntp.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt SNTP @SNTP_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (sntp-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:23:27 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:06:45 AM by AutoGen 5.18.5
 .\"  From the definitions    sntp-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -303,7 +303,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .An "Harlan Stenn"
 .An "Dave Hart"
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh "BUGS"
 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/contrib/ntp/sntp/tests/crypto.c b/contrib/ntp/sntp/tests/crypto.c
index 82d2859..fb2dc62 100644
--- a/contrib/ntp/sntp/tests/crypto.c
+++ b/contrib/ntp/sntp/tests/crypto.c
@@ -18,8 +18,8 @@ void test_PacketSizeNotMultipleOfFourBytes(void);
 
 
 void
-test_MakeMd5Mac(void) {
-
+test_MakeMd5Mac(void)
+{
 	const char* PKT_DATA = "abcdefgh0123";
 	const int PKT_LEN = strlen(PKT_DATA);
 	const char* EXPECTED_DIGEST =
@@ -34,15 +34,17 @@ test_MakeMd5Mac(void) {
 	memcpy(&md5.type, "MD5", 4);
 
 	TEST_ASSERT_EQUAL(MD5_LENGTH,
-			  make_mac((char*)PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual));
+			  make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual));
 
 	TEST_ASSERT_TRUE(memcmp(EXPECTED_DIGEST, actual, MD5_LENGTH) == 0);
 }
 
 
 void
-test_MakeSHA1Mac(void) {
+test_MakeSHA1Mac(void)
+{
 #ifdef OPENSSL
+
 	const char* PKT_DATA = "abcdefgh0123";
 	const int PKT_LEN = strlen(PKT_DATA);
 	const char* EXPECTED_DIGEST =
@@ -58,22 +60,26 @@ test_MakeSHA1Mac(void) {
 	memcpy(&sha1.type, "SHA1", 5);
 
 	TEST_ASSERT_EQUAL(SHA1_LENGTH,
-			  make_mac((char*)PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1, actual));
+			  make_mac(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1, actual));
 
 	TEST_ASSERT_EQUAL_MEMORY(EXPECTED_DIGEST, actual, SHA1_LENGTH);
+	
 #else
+	
 	TEST_IGNORE_MESSAGE("OpenSSL not found, skipping...");
+	
 #endif	/* OPENSSL */
 }
 
 
 void
-test_VerifyCorrectMD5(void) {
+test_VerifyCorrectMD5(void)
+{
 	const char* PKT_DATA =
-		"sometestdata"		// Data
-		"\0\0\0\0"			// Key-ID (unused)
-		"\xc7\x58\x99\xdd\x99\x32\x0f\x71" // MAC
-		"\x2b\x7b\xfe\x4f\xa2\x32\xcf\xac";
+	    "sometestdata"			/* Data */
+	    "\0\0\0\0"				/* Key-ID (unused) */
+	    "\xc7\x58\x99\xdd\x99\x32\x0f\x71"	/* MAC */
+	    "\x2b\x7b\xfe\x4f\xa2\x32\xcf\xac";
 	const int PKT_LEN = 12;
 
 	struct key md5;
@@ -83,18 +89,20 @@ test_VerifyCorrectMD5(void) {
 	memcpy(&md5.key_seq, "md5key", md5.key_len);
 	memcpy(&md5.type, "MD5", 4);
 
-	TEST_ASSERT_TRUE(auth_md5((char*)PKT_DATA, PKT_LEN, MD5_LENGTH, &md5));
+	TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5));
 }
 
 
 void
-test_VerifySHA1(void) {
+test_VerifySHA1(void)
+{
 #ifdef OPENSSL
+
 	const char* PKT_DATA =
-		"sometestdata"		// Data
-		"\0\0\0\0"			// Key-ID (unused)
-		"\xad\x07\xde\x36\x39\xa6\x77\xfa\x5b\xce" // MAC
-		"\x2d\x8a\x7d\x06\x96\xe6\x0c\xbc\xed\xe1";
+	    "sometestdata"				/* Data */
+	    "\0\0\0\0"					/* Key-ID (unused) */
+	    "\xad\x07\xde\x36\x39\xa6\x77\xfa\x5b\xce"	/* MAC */
+	    "\x2d\x8a\x7d\x06\x96\xe6\x0c\xbc\xed\xe1";
 	const int PKT_LEN = 12;
 
 	struct key sha1;
@@ -104,21 +112,26 @@ test_VerifySHA1(void) {
 	memcpy(&sha1.key_seq, "sha1key", sha1.key_len);
 	memcpy(&sha1.type, "SHA1", 5);
 
-	TEST_ASSERT_TRUE(auth_md5((char*)PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1));
+	TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1));
+	
 #else
+	
 	TEST_IGNORE_MESSAGE("OpenSSL not found, skipping...");
+	
 #endif	/* OPENSSL */
 }
 
 void
-test_VerifyFailure(void) {
-	/* We use a copy of the MD5 verification code, but modify
-	 * the last bit to make sure verification fails. */
+test_VerifyFailure(void)
+{
+	/* We use a copy of the MD5 verification code, but modify the
+	 * last bit to make sure verification fails.
+	 */
 	const char* PKT_DATA =
-		"sometestdata"		// Data
-		"\0\0\0\0"			// Key-ID (unused)
-		"\xc7\x58\x99\xdd\x99\x32\x0f\x71"	// MAC
-		"\x2b\x7b\xfe\x4f\xa2\x32\xcf\x00"; // Last byte is wrong!
+	    "sometestdata"			/* Data */
+	    "\0\0\0\0"				/* Key-ID (unused) */
+	    "\xc7\x58\x99\xdd\x99\x32\x0f\x71"	/* MAC */
+	    "\x2b\x7b\xfe\x4f\xa2\x32\xcf\x00"; /* Last byte is wrong! */
 	const int PKT_LEN = 12;
 
 	struct key md5;
@@ -128,12 +141,13 @@ test_VerifyFailure(void) {
 	memcpy(&md5.key_seq, "md5key", md5.key_len);
 	memcpy(&md5.type, "MD5", 4);
 
-	TEST_ASSERT_FALSE(auth_md5((char*)PKT_DATA, PKT_LEN, MD5_LENGTH, &md5));
+	TEST_ASSERT_FALSE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5));
 }
 
 
 void
-test_PacketSizeNotMultipleOfFourBytes(void) {
+test_PacketSizeNotMultipleOfFourBytes(void)
+{
 	const char* PKT_DATA = "123456";
 	const int PKT_LEN = 6;
 	char actual[MD5_LENGTH];
@@ -145,5 +159,5 @@ test_PacketSizeNotMultipleOfFourBytes(void) {
 	memcpy(&md5.key_seq, "md5seq", md5.key_len);
 	memcpy(&md5.type, "MD5", 4);
 
-	TEST_ASSERT_EQUAL(0, make_mac((char*)PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual));
+	TEST_ASSERT_EQUAL(0, make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual));
 }
diff --git a/contrib/ntp/sntp/tests/fileHandlingTest.c b/contrib/ntp/sntp/tests/fileHandlingTest.c
index ce3f0de..8acad54 100644
--- a/contrib/ntp/sntp/tests/fileHandlingTest.c
+++ b/contrib/ntp/sntp/tests/fileHandlingTest.c
@@ -3,35 +3,52 @@
 #include "stdlib.h"
 #include "sntptest.h"
 
-#include "fileHandlingTest.h" //required because of the h.in thingy
+#include "fileHandlingTest.h" /* required because of the h.in thingy */
 
 #include <string.h>
 #include <unistd.h>
 
-/*
-enum DirectoryType {
-	INPUT_DIR = 0,
-	OUTPUT_DIR = 1
-};
-*/
-//extern const char srcdir[];
-
 const char *
-CreatePath(const char* filename, enum DirectoryType argument) {
-	const char srcdir[] = SRCDIR_DEF;//"@abs_srcdir@/data/";
-	char * path = emalloc (sizeof (char) * (strlen(srcdir) + 256));
-
-	//char cwd[1024];
+CreatePath(
+	const char *		filename,
+	enum DirectoryType 	argument
+	)
+{
+	const char 	srcdir[] = SRCDIR_DEF;//"@abs_srcdir@/data/";
+	size_t		plen = sizeof(srcdir) + strlen(filename) + 1;
+	char * 		path = emalloc(plen);
+	ssize_t		retc;
+
+	UNUSED_ARG(argument);
+
+	retc = snprintf(path, plen, "%s%s", srcdir, filename);
+	if (retc <= 0 || (size_t)retc >= plen)
+		exit(1);
+	return path;
+}
 
-	strcpy(path, srcdir);
-	strcat(path, filename);
 
-	return path;
+void
+DestroyPath(
+	const char *	pathname
+	)
+{
+	/* use a union to get terminally rid of the 'const' attribute */
+	union {
+		const char *ccp;
+		void       *vp;
+	} any;
+
+	any.ccp = pathname;
+	free(any.vp);
 }
 
 
 int
-GetFileSize(FILE *file) {
+GetFileSize(
+	FILE *	file
+	)
+{
 	fseek(file, 0L, SEEK_END);
 	int length = ftell(file);
 	fseek(file, 0L, SEEK_SET);
@@ -41,7 +58,11 @@ GetFileSize(FILE *file) {
 
 
 bool
-CompareFileContent(FILE* expected, FILE* actual) {
+CompareFileContent(
+	FILE *	expected,
+	FILE *	actual
+	)
+{
 	int currentLine = 1;
 
 	char actualLine[1024];
@@ -67,8 +88,10 @@ CompareFileContent(FILE* expected, FILE* actual) {
 
 
 void
-ClearFile(const char * filename) {
+ClearFile(
+	const char * filename
+	)
+{
 	if (!truncate(filename, 0))
 		exit(1);
 }
-
diff --git a/contrib/ntp/sntp/tests/fileHandlingTest.h.in b/contrib/ntp/sntp/tests/fileHandlingTest.h.in
index e7d99ee..b93ed9e 100644
--- a/contrib/ntp/sntp/tests/fileHandlingTest.h.in
+++ b/contrib/ntp/sntp/tests/fileHandlingTest.h.in
@@ -15,21 +15,12 @@ enum DirectoryType {
 };
 
 #define SRCDIR_DEF "@abs_srcdir@/data/";
-//const char srcdir[] = "@abs_srcdir@/data/";
-
-const char *
-CreatePath(const char* filename, enum DirectoryType argument);
-
-
-int
-GetFileSize(FILE *file);
-
-
-bool
-CompareFileContent(FILE* expected, FILE* actual);
-
-void
-ClearFile(const char * filename) ;
 
+extern	const char * 	CreatePath(const char* filename,
+				   enum DirectoryType argument);
+extern	void		DestroyPath(const char* pathname);
+extern	int		GetFileSize(FILE *file);
+extern	bool		CompareFileContent(FILE* expected, FILE* actual);
+extern	void		ClearFile(const char * filename) ;
 
 #endif // FILE_HANDLING_TEST_H
diff --git a/contrib/ntp/sntp/tests/keyFile.c b/contrib/ntp/sntp/tests/keyFile.c
index 883658a..395ca0d 100644
--- a/contrib/ntp/sntp/tests/keyFile.c
+++ b/contrib/ntp/sntp/tests/keyFile.c
@@ -17,24 +17,28 @@ void test_ReadKeyFileWithInvalidHex(void);
 
 
 bool
-CompareKeys(struct key expected, struct key actual) {
-	if (expected.key_id != actual.key_id){
-		printf("Expected key_id: %d", expected.key_id);
-		printf(" but was: %d\n", actual.key_id);
+CompareKeys(
+	struct key	expected,
+	struct key	actual
+	)
+{
+	if (expected.key_id != actual.key_id) {
+		printf("Expected key_id: %d but was: %d\n",
+		       expected.key_id, actual.key_id);
 		return FALSE;
 	}
-	if (expected.key_len != actual.key_len){
-		printf("Expected key_len: %d", expected.key_len);
-		printf(" but was: %d\n", actual.key_len);
+	if (expected.key_len != actual.key_len) {
+		printf("Expected key_len: %d but was: %d\n",
+		       expected.key_len, actual.key_len);
 		return FALSE;
 	}
-	if (strcmp(expected.type, actual.type) != 0){
-		printf("Expected key_type: %s", expected.type);
-		printf(" but was: %s\n", actual.type);
+	if (strcmp(expected.type, actual.type) != 0) {
+		printf("Expected key_type: %s but was: %s\n",
+		       expected.type, actual.type);
 		return FALSE;
 
 	}
-	if (memcmp(expected.key_seq, actual.key_seq, expected.key_len) != 0){
+	if (memcmp(expected.key_seq, actual.key_seq, expected.key_len) != 0) {
 		printf("Key mismatch!\n");
 		return FALSE;		
 	}
@@ -43,12 +47,15 @@ CompareKeys(struct key expected, struct key actual) {
 
 
 bool
-CompareKeysAlternative(int key_id,
-	       int key_len,
-	       const char* type,
-	       const char* key_seq,
-	       struct key actual) {
-	struct key temp;
+CompareKeysAlternative(
+	int		key_id,
+	int		key_len,
+	const char *	type,
+	const char *	key_seq,
+	struct key	actual
+	)
+{
+	struct key	temp;
 
 	temp.key_id = key_id;
 	temp.key_len = key_len;
@@ -60,30 +67,32 @@ CompareKeysAlternative(int key_id,
 
 
 void
-test_ReadEmptyKeyFile(void) {
-	struct key* keys = NULL;
-	const char *path = CreatePath("key-test-empty", INPUT_DIR);
+test_ReadEmptyKeyFile(void)
+{
+	struct key *	keys = NULL;
+	const char *	path = CreatePath("key-test-empty", INPUT_DIR);
 
 	TEST_ASSERT_NOT_NULL(path);
 	TEST_ASSERT_EQUAL(0, auth_init(path, &keys));
 	TEST_ASSERT_NULL(keys);
 
-	free((void *)path);
+	DestroyPath(path);
 }
 
 
 void
-test_ReadASCIIKeys(void) {
-	struct key* keys = NULL;
-	const char *path = CreatePath("key-test-ascii", INPUT_DIR);
+test_ReadASCIIKeys(void)
+{
+	struct key *	keys = NULL;
+	struct key *	result = NULL;
+	const char *	path = CreatePath("key-test-ascii", INPUT_DIR);
 
 	TEST_ASSERT_NOT_NULL(path);
 	TEST_ASSERT_EQUAL(2, auth_init(path, &keys));
 	TEST_ASSERT_NOT_NULL(keys);
 
-	free((void *)path);
+	DestroyPath(path);
 
-	struct key* result = NULL;
 	get_key(40, &result);
 	TEST_ASSERT_NOT_NULL(result);
 	TEST_ASSERT_TRUE(CompareKeysAlternative(40, 11, "MD5", "asciikeyTwo", *result));
@@ -96,16 +105,19 @@ test_ReadASCIIKeys(void) {
 
 
 void
-test_ReadHexKeys(void) {
-	struct key* keys = NULL;
-	const char *path = CreatePath("key-test-hex", INPUT_DIR);
+test_ReadHexKeys(void)
+{
+	struct key *	keys = NULL;
+	struct key *	result = NULL;
+	const char *	path = CreatePath("key-test-hex", INPUT_DIR);
+	char 		data1[15];
+	char 		data2[13];
 
 	TEST_ASSERT_NOT_NULL(path);
 	TEST_ASSERT_EQUAL(3, auth_init(path, &keys));
 	TEST_ASSERT_NOT_NULL(keys);
-	free((void *)path);
+	DestroyPath(path);
 
-	struct key* result = NULL;
 	get_key(10, &result);
 	TEST_ASSERT_NOT_NULL(result);
 	TEST_ASSERT_TRUE(CompareKeysAlternative(10, 13, "MD5",
@@ -114,31 +126,36 @@ test_ReadHexKeys(void) {
 	result = NULL;
 	get_key(20, &result);
 	TEST_ASSERT_NOT_NULL(result);
-	char data1[15]; memset(data1, 0x11, 15);
+
+	memset(data1, 0x11, 15);
 	TEST_ASSERT_TRUE(CompareKeysAlternative(20, 15, "MD5", data1, *result));
 
 	result = NULL;
 	get_key(30, &result);
 	TEST_ASSERT_NOT_NULL(result);
-	char data2[13]; memset(data2, 0x01, 13);
+
+	memset(data2, 0x01, 13);
 	TEST_ASSERT_TRUE(CompareKeysAlternative(30, 13, "MD5", data2, *result));
 }
 
 
 void
-test_ReadKeyFileWithComments(void) {
-	struct key* keys = NULL;
-	const char *path = CreatePath("key-test-comments", INPUT_DIR);
+test_ReadKeyFileWithComments(void)
+{
+	struct key *	keys = NULL;
+	struct key *	result = NULL;
+	const char *	path = CreatePath("key-test-comments", INPUT_DIR);
+	char 		data[15];
 
 	TEST_ASSERT_NOT_NULL(path);
 	TEST_ASSERT_EQUAL(2, auth_init(path, &keys));
 	TEST_ASSERT_NOT_NULL(keys);
-	free((void *)path);
+	DestroyPath(path);
 
-	struct key* result = NULL;
 	get_key(10, &result);
 	TEST_ASSERT_NOT_NULL(result);
-	char data[15]; memset(data, 0x01, 15);
+
+	memset(data, 0x01, 15);
 	TEST_ASSERT_TRUE(CompareKeysAlternative(10, 15, "MD5", data, *result));
 
 	result = NULL;
@@ -149,22 +166,25 @@ test_ReadKeyFileWithComments(void) {
 
 
 void
-test_ReadKeyFileWithInvalidHex(void) {
-	struct key* keys = NULL;
-	const char *path = CreatePath("key-test-invalid-hex", INPUT_DIR);
+test_ReadKeyFileWithInvalidHex(void)
+{
+	struct key *	keys = NULL;
+	struct key *	result = NULL;
+	const char *	path = CreatePath("key-test-invalid-hex", INPUT_DIR);
+	char 		data[15];
 
 	TEST_ASSERT_NOT_NULL(path);
 	TEST_ASSERT_EQUAL(1, auth_init(path, &keys));
 	TEST_ASSERT_NOT_NULL(keys);
-	free((void *)path);
+	DestroyPath(path);
 
-	struct key* result = NULL;
 	get_key(10, &result);
 	TEST_ASSERT_NOT_NULL(result);
-	char data[15]; memset(data, 0x01, 15);
+
+	memset(data, 0x01, 15);
 	TEST_ASSERT_TRUE(CompareKeysAlternative(10, 15, "MD5", data, *result));
 
 	result = NULL;
-	get_key(30, &result); // Should not exist, and result should remain NULL.
+	get_key(30, &result); /* Should not exist, and result should remain NULL. */
 	TEST_ASSERT_NULL(result);
 }
diff --git a/contrib/ntp/sntp/tests/packetHandling.c b/contrib/ntp/sntp/tests/packetHandling.c
index 1036fc3..595efa3 100644
--- a/contrib/ntp/sntp/tests/packetHandling.c
+++ b/contrib/ntp/sntp/tests/packetHandling.c
@@ -27,25 +27,29 @@ void test_HandleCorrectPacket(void);
 
 
 void
-setUp(void) { 
+setUp(void)
+{ 
 	init_lib(); 
 }
 
 
 int
-LfpEquality(const l_fp expected, const l_fp actual) {
-	if (L_ISEQU(&expected, &actual))
-		return TRUE; 
-	else
-		return FALSE;
+LfpEquality(
+	const l_fp	expected,
+	const l_fp 	actual
+	)
+{
+	return !!(L_ISEQU(&expected, &actual));
 }
 
 
 void
-test_GenerateUnauthenticatedPacket(void) {
-	struct pkt testpkt;
+test_GenerateUnauthenticatedPacket(void)
+{
+	struct pkt	testpkt;
+	struct timeval	xmt;
+	l_fp		expected_xmt, actual_xmt;
 
-	struct timeval xmt;
 	GETTIMEOFDAY(&xmt, NULL);
 	xmt.tv_sec += JAN_1970;
 
@@ -59,7 +63,6 @@ test_GenerateUnauthenticatedPacket(void) {
 	TEST_ASSERT_EQUAL(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum));
 	TEST_ASSERT_EQUAL(8, testpkt.ppoll);
 
-	l_fp expected_xmt, actual_xmt;
 	TVTOTS(&xmt, &expected_xmt);
 	NTOHL_FP(&testpkt.xmt, &actual_xmt);
 	TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt));
@@ -67,22 +70,25 @@ test_GenerateUnauthenticatedPacket(void) {
 
 
 void
-test_GenerateAuthenticatedPacket(void) {
-	struct key testkey;
+test_GenerateAuthenticatedPacket(void)
+{
+	static const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN;
+	
+	struct key	testkey;
+	struct pkt	testpkt;
+	struct timeval	xmt;
+	l_fp		expected_xmt, actual_xmt;
+	char 		expected_mac[MAX_MD5_LEN];
+	
 	testkey.next = NULL;
 	testkey.key_id = 30;
 	testkey.key_len = 9;
 	memcpy(testkey.key_seq, "123456789", testkey.key_len);
 	memcpy(testkey.type, "MD5", 3);
 
-	struct pkt testpkt;
-
-	struct timeval xmt;
 	GETTIMEOFDAY(&xmt, NULL);
 	xmt.tv_sec += JAN_1970;
 
-	const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN;
-
 	TEST_ASSERT_EQUAL(EXPECTED_PKTLEN,
 			  generate_pkt(&testpkt, &xmt, testkey.key_id, &testkey));
 
@@ -93,103 +99,102 @@ test_GenerateAuthenticatedPacket(void) {
 	TEST_ASSERT_EQUAL(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum));
 	TEST_ASSERT_EQUAL(8, testpkt.ppoll);
 
-	l_fp expected_xmt, actual_xmt;
 	TVTOTS(&xmt, &expected_xmt);
 	NTOHL_FP(&testpkt.xmt, &actual_xmt);
 	TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt));
 
 	TEST_ASSERT_EQUAL(testkey.key_id, ntohl(testpkt.exten[0]));
 	
-	char expected_mac[MAX_MD5_LEN];
-	TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, // Remove the key_id, only keep the mac.
-			  make_mac((char*)&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN, &testkey, expected_mac));
+	TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, /* Remove the key_id, only keep the mac. */
+			  make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN, &testkey, expected_mac));
 	TEST_ASSERT_EQUAL_MEMORY(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4);
 }
 
 
 void
-test_OffsetCalculationPositiveOffset(void) {
-	struct pkt rpkt;
-
-	rpkt.precision = -16; // 0,000015259
+test_OffsetCalculationPositiveOffset(void)
+{
+	struct pkt	rpkt;
+	l_fp		reftime, tmp;
+	struct timeval	dst;
+	double		offset, precision, synch_distance;
+
+	rpkt.precision = -16; /* 0,000015259 */
 	rpkt.rootdelay = HTONS_FP(DTOUFP(0.125));
 	rpkt.rootdisp = HTONS_FP(DTOUFP(0.25));
-	// Synch Distance: (0.125+0.25)/2.0 == 0.1875
-	l_fp reftime;
+
+	/* Synch Distance: (0.125+0.25)/2.0 == 0.1875 */
 	get_systime(&reftime);
 	HTONL_FP(&reftime, &rpkt.reftime);
 
-	l_fp tmp;
-
-	// T1 - Originate timestamp
+	/* T1 - Originate timestamp */
 	tmp.l_ui = 1000000000UL;
 	tmp.l_uf = 0UL;
 	HTONL_FP(&tmp, &rpkt.org);
 
-	// T2 - Receive timestamp
+	/* T2 - Receive timestamp */
 	tmp.l_ui = 1000000001UL;
 	tmp.l_uf = 2147483648UL;
 	HTONL_FP(&tmp, &rpkt.rec);
 
-	// T3 - Transmit timestamp
+	/* T3 - Transmit timestamp */
 	tmp.l_ui = 1000000002UL;
 	tmp.l_uf = 0UL;
 	HTONL_FP(&tmp, &rpkt.xmt);
 
-	// T4 - Destination timestamp as standard timeval
+	/* T4 - Destination timestamp as standard timeval */
 	tmp.l_ui = 1000000001UL;
 	tmp.l_uf = 0UL;
-	struct timeval dst;
 	TSTOTV(&tmp, &dst);
 	dst.tv_sec -= JAN_1970;
 
-	double offset, precision, synch_distance;
 	offset_calculation(&rpkt, LEN_PKT_NOMAC, &dst, &offset, &precision, &synch_distance);
 
 	TEST_ASSERT_EQUAL_DOUBLE(1.25, offset);
 	TEST_ASSERT_EQUAL_DOUBLE(1. / ULOGTOD(16), precision);
-	// 1.1250150000000001 ?
+	/* 1.1250150000000001 ? */
 	TEST_ASSERT_EQUAL_DOUBLE(1.125015, synch_distance);
 }
 
 
 void
-test_OffsetCalculationNegativeOffset(void) {
-	struct pkt rpkt;
+test_OffsetCalculationNegativeOffset(void)
+{
+	struct pkt	rpkt;
+	l_fp		reftime, tmp;
+	struct timeval	dst;
+	double		offset, precision, synch_distance;
 
 	rpkt.precision = -1;
 	rpkt.rootdelay = HTONS_FP(DTOUFP(0.5));
 	rpkt.rootdisp = HTONS_FP(DTOUFP(0.5));
-	// Synch Distance is (0.5+0.5)/2.0, or 0.5
-	l_fp reftime;
+	
+	/* Synch Distance is (0.5+0.5)/2.0, or 0.5 */
 	get_systime(&reftime);
 	HTONL_FP(&reftime, &rpkt.reftime);
 
-	l_fp tmp;
-
-	// T1 - Originate timestamp
+	/* T1 - Originate timestamp */
 	tmp.l_ui = 1000000001UL;
 	tmp.l_uf = 0UL;
 	HTONL_FP(&tmp, &rpkt.org);
 
-	// T2 - Receive timestamp
+	/* T2 - Receive timestamp */
 	tmp.l_ui = 1000000000UL;
 	tmp.l_uf = 2147483648UL;
 	HTONL_FP(&tmp, &rpkt.rec);
 
-	// T3 - Transmit timestamp
+	/*/ T3 - Transmit timestamp */
 	tmp.l_ui = 1000000001UL;
 	tmp.l_uf = 2147483648UL;
 	HTONL_FP(&tmp, &rpkt.xmt);
 
-	// T4 - Destination timestamp as standard timeval
+	/* T4 - Destination timestamp as standard timeval */
 	tmp.l_ui = 1000000003UL;
 	tmp.l_uf = 0UL;
-	struct timeval dst;
+
 	TSTOTV(&tmp, &dst);
 	dst.tv_sec -= JAN_1970;
 
-	double offset, precision, synch_distance;
 	offset_calculation(&rpkt, LEN_PKT_NOMAC, &dst, &offset, &precision, &synch_distance);
 
 	TEST_ASSERT_EQUAL_DOUBLE(-1, offset);
@@ -199,8 +204,9 @@ test_OffsetCalculationNegativeOffset(void) {
 
 
 void
-test_HandleUnusableServer(void) {
-	struct pkt		rpkt;
+test_HandleUnusableServer(void)
+{
+	struct pkt	rpkt;
 	sockaddr_u	host;
 	int		rpktl;
 
@@ -212,8 +218,9 @@ test_HandleUnusableServer(void) {
 
 
 void
-test_HandleUnusablePacket(void) {
-	struct pkt		rpkt;
+test_HandleUnusablePacket(void)
+{
+	struct pkt	rpkt;
 	sockaddr_u	host;
 	int		rpktl;
 
@@ -225,8 +232,9 @@ test_HandleUnusablePacket(void) {
 
 
 void
-test_HandleServerAuthenticationFailure(void) {
-	struct pkt		rpkt;
+test_HandleServerAuthenticationFailure(void)
+{
+	struct pkt	rpkt;
 	sockaddr_u	host;
 	int		rpktl;
 
@@ -238,12 +246,13 @@ test_HandleServerAuthenticationFailure(void) {
 
 
 void
-test_HandleKodDemobilize(void) {
-	const char *	HOSTNAME = "192.0.2.1";
-	const char *	REASON = "DENY";
+test_HandleKodDemobilize(void)
+{
+	static const char *	HOSTNAME = "192.0.2.1";
+	static const char *	REASON = "DENY";
 	struct pkt		rpkt;
-	sockaddr_u	host;
-	int		rpktl;
+	sockaddr_u		host;
+	int			rpktl;
 	struct kod_entry *	entry;
 
 	rpktl = KOD_DEMOBILIZE;
@@ -253,7 +262,7 @@ test_HandleKodDemobilize(void) {
 	host.sa4.sin_family = AF_INET;
 	host.sa4.sin_addr.s_addr = inet_addr(HOSTNAME);
 
-	// Test that the KOD-entry is added to the database.
+	/* Test that the KOD-entry is added to the database. */
 	kod_init_kod_db("/dev/null", TRUE);
 
 	TEST_ASSERT_EQUAL(1, handle_pkt(rpktl, &rpkt, &host, HOSTNAME));
@@ -264,8 +273,9 @@ test_HandleKodDemobilize(void) {
 
 
 void
-test_HandleKodRate(void) {
-	struct 	pkt		rpkt;
+test_HandleKodRate(void)
+{
+	struct 	pkt	rpkt;
 	sockaddr_u	host;
 	int		rpktl;
 
@@ -277,13 +287,14 @@ test_HandleKodRate(void) {
 
 
 void
-test_HandleCorrectPacket(void) {
-	struct pkt		rpkt;
+test_HandleCorrectPacket(void)
+{
+	struct pkt	rpkt;
 	sockaddr_u	host;
 	int		rpktl;
 	l_fp		now;
 
-	// We don't want our testing code to actually change the system clock.
+	/* We don't want our testing code to actually change the system clock. */
 	TEST_ASSERT_FALSE(ENABLED_OPT(STEP));
 	TEST_ASSERT_FALSE(ENABLED_OPT(SLEW));
 
diff --git a/contrib/ntp/sntp/tests/packetProcessing.c b/contrib/ntp/sntp/tests/packetProcessing.c
index 1fd649e..88e61cc 100644
--- a/contrib/ntp/sntp/tests/packetProcessing.c
+++ b/contrib/ntp/sntp/tests/packetProcessing.c
@@ -1,4 +1,10 @@
 #include "config.h"
+
+/* need autokey for some of the tests, or the will create buffer overruns. */
+#ifndef AUTOKEY
+# define AUTOKEY 1
+#endif
+
 #include "sntptest.h"
 #include "networking.h"
 #include "ntp_stdlib.h"
@@ -43,10 +49,13 @@ bool restoreKeyDb;
 
 
 void
-PrepareAuthenticationTest(int key_id,
-							   int key_len,
-							   const char* type,
-							   const void* key_seq) {
+PrepareAuthenticationTest(
+	int		key_id,
+	int		key_len,
+	const char *	type,
+	const void *	key_seq
+	)
+{
 	char str[25];
 	snprintf(str, 25, "%d", key_id);
 	ActivateOption("-a", str);
@@ -66,28 +75,34 @@ PrepareAuthenticationTest(int key_id,
 
 
 void
-PrepareAuthenticationTestMD5(int key_id,
-							   int key_len,
-							   const void* key_seq) {
+PrepareAuthenticationTestMD5(
+	int 		key_id,
+	int 		key_len,
+	const void *	key_seq
+	)
+{
 	PrepareAuthenticationTest(key_id, key_len, "MD5", key_seq);
 }
 
 
 void
-setUp(void) {
+setUp(void)
+{
 
 	sntptest();
 	restoreKeyDb = false;
 
 	/* Initialize the test packet and socket,
-	 * so they contain at least some valid data. */
+	 * so they contain at least some valid data.
+	 */
 	testpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOWARNING, NTP_VERSION,
 										MODE_SERVER);
 	testpkt.stratum = STRATUM_REFCLOCK;
 	memcpy(&testpkt.refid, "GPS\0", 4);
 
 	/* Set the origin timestamp of the received packet to the
-	 * same value as the transmit timestamp of the sent packet. */
+	 * same value as the transmit timestamp of the sent packet.
+	 */
 	l_fp tmp;
 	tmp.l_ui = 1000UL;
 	tmp.l_uf = 0UL;
@@ -98,189 +113,202 @@ setUp(void) {
 
 
 void
-tearDown(void) {
-	
+tearDown(void)
+{	
 	if (restoreKeyDb) {
 		key_cnt = 0;
 		free(key_ptr);
 		key_ptr = NULL;
 	}
 
-	sntptest_destroy(); //only on the final test!! if counter == 0 etc...
+	sntptest_destroy(); /* only on the final test!! if counter == 0 etc... */
 }
 
 
-
 void
-test_TooShortLength(void) {
+test_TooShortLength(void)
+{
 	TEST_ASSERT_EQUAL(PACKET_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC - 1,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 	TEST_ASSERT_EQUAL(PACKET_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC - 1,
-						  MODE_BROADCAST, &testspkt, "UnitTest"));
+				      MODE_BROADCAST, &testspkt, "UnitTest"));
 }
 
 
 void
-test_LengthNotMultipleOfFour(void) {
+test_LengthNotMultipleOfFour(void)
+{
 	TEST_ASSERT_EQUAL(PACKET_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC + 6,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 	TEST_ASSERT_EQUAL(PACKET_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC + 3,
-						  MODE_BROADCAST, &testspkt, "UnitTest"));
+				      MODE_BROADCAST, &testspkt, "UnitTest"));
 }
 
 
 void
-test_TooShortExtensionFieldLength(void) {
+test_TooShortExtensionFieldLength(void)
+{
 	/* The lower 16-bits are the length of the extension field.
 	 * This lengths must be multiples of 4 bytes, which gives
-	 * a minimum of 4 byte extension field length. */
-	testpkt.exten[7] = htonl(3); // 3 bytes is too short.
+	 * a minimum of 4 byte extension field length.
+	 */
+	testpkt.exten[7] = htonl(3); /* 3 bytes is too short. */
 
 	/* We send in a pkt_len of header size + 4 byte extension
 	 * header + 24 byte MAC, this prevents the length error to
-	 * be caught at an earlier stage */
+	 * be caught at an earlier stage
+	 */
 	int pkt_len = LEN_PKT_NOMAC + 4 + 24;
 
 	TEST_ASSERT_EQUAL(PACKET_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_UnauthenticatedPacketReject(void) {
-	//sntptest();
-	// Activate authentication option
+test_UnauthenticatedPacketReject(void)
+{
+	/* Activate authentication option */
 	ActivateOption("-a", "123");
 	TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
 
 	int pkt_len = LEN_PKT_NOMAC;
 
-	// We demand authentication, but no MAC header is present.
+	/* We demand authentication, but no MAC header is present. */
 	TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_CryptoNAKPacketReject(void) {
-	// Activate authentication option
+test_CryptoNAKPacketReject(void)
+{
+	/* Activate authentication option */
 	ActivateOption("-a", "123");
 	TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
 
-	int pkt_len = LEN_PKT_NOMAC + 4; // + 4 byte MAC = Crypto-NAK
+	int pkt_len = LEN_PKT_NOMAC + 4; /* + 4 byte MAC = Crypto-NAK */
 
 	TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_AuthenticatedPacketInvalid(void) {
-	// Activate authentication option
+test_AuthenticatedPacketInvalid(void)
+{
+	/* Activate authentication option */
 	PrepareAuthenticationTestMD5(50, 9, "123456789");
 	TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
 	
-	// Prepare the packet.
+	/* Prepare the packet. */
 	int pkt_len = LEN_PKT_NOMAC;
 
 	testpkt.exten[0] = htonl(50);
-	int mac_len = make_mac((char*)&testpkt, pkt_len,
-						   MAX_MD5_LEN, key_ptr,
-						   (char*)&testpkt.exten[1]);
+	int mac_len = make_mac(&testpkt, pkt_len,
+			       MAX_MD5_LEN, key_ptr,
+			       &testpkt.exten[1]);
 
 	pkt_len += 4 + mac_len;
 
-	// Now, alter the MAC so it becomes invalid.
+	/* Now, alter the MAC so it becomes invalid. */
 	testpkt.exten[1] += 1;
 
 	TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_AuthenticatedPacketUnknownKey(void) {
-	// Activate authentication option
+test_AuthenticatedPacketUnknownKey(void)
+{
+	/* Activate authentication option */
 	PrepareAuthenticationTestMD5(30, 9, "123456789");
 	TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
 	
-	// Prepare the packet. Observe that the Key-ID expected is 30,
-	// but the packet has a key id of 50.
+	/* Prepare the packet. Note that the Key-ID expected is 30, but
+	 * the packet has a key id of 50.
+	 */
 	int pkt_len = LEN_PKT_NOMAC;
 
 	testpkt.exten[0] = htonl(50);
-	int mac_len = make_mac((char*)&testpkt, pkt_len,
-						   MAX_MD5_LEN, key_ptr,
-						   (char*)&testpkt.exten[1]);
+	int mac_len = make_mac(&testpkt, pkt_len,
+			       MAX_MD5_LEN, key_ptr,
+			       &testpkt.exten[1]);
 	pkt_len += 4 + mac_len;
 
 	TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_ServerVersionTooOld(void) {
+test_ServerVersionTooOld(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOWARNING,
-										NTP_OLDVERSION - 1,
-										MODE_CLIENT);
+					    NTP_OLDVERSION - 1,
+					    MODE_CLIENT);
 	TEST_ASSERT_TRUE(PKT_VERSION(testpkt.li_vn_mode) < NTP_OLDVERSION);
 
 	int pkt_len = LEN_PKT_NOMAC;
 	
 	TEST_ASSERT_EQUAL(SERVER_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_ServerVersionTooNew(void) {
+test_ServerVersionTooNew(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOWARNING,
-										NTP_VERSION + 1,
-										MODE_CLIENT);
+					    NTP_VERSION + 1,
+					    MODE_CLIENT);
 	TEST_ASSERT_TRUE(PKT_VERSION(testpkt.li_vn_mode) > NTP_VERSION);
 
 	int pkt_len = LEN_PKT_NOMAC;
 
 	TEST_ASSERT_EQUAL(SERVER_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_NonWantedMode(void) {
+test_NonWantedMode(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOWARNING,
-										NTP_VERSION,
-										MODE_CLIENT);
-
-	// The packet has a mode of MODE_CLIENT, but process_pkt expects MODE_SERVER
+					    NTP_VERSION,
+					    MODE_CLIENT);
 
+	/* The packet has a mode of MODE_CLIENT, but process_pkt expects
+	 * MODE_SERVER
+	 */
 	TEST_ASSERT_EQUAL(SERVER_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 /* Tests bug 1597 */
 void
-test_KoDRate(void) {
+test_KoDRate(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.stratum = STRATUM_PKT_UNSPEC;
@@ -288,12 +316,13 @@ test_KoDRate(void) {
 
 	TEST_ASSERT_EQUAL(KOD_RATE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_KoDDeny(void) {
+test_KoDDeny(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.stratum = STRATUM_PKT_UNSPEC;
@@ -301,26 +330,28 @@ test_KoDDeny(void) {
 
 	TEST_ASSERT_EQUAL(KOD_DEMOBILIZE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_RejectUnsyncedServer(void) {
+test_RejectUnsyncedServer(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOTINSYNC,
-										NTP_VERSION,
-										MODE_SERVER);
+					    NTP_VERSION,
+					    MODE_SERVER);
 
 	TEST_ASSERT_EQUAL(SERVER_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_RejectWrongResponseServerMode(void) {
+test_RejectWrongResponseServerMode(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	l_fp tmp;
@@ -334,12 +365,13 @@ test_RejectWrongResponseServerMode(void) {
 
 	TEST_ASSERT_EQUAL(PACKET_UNUSEABLE,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_AcceptNoSentPacketBroadcastMode(void) {
+test_AcceptNoSentPacketBroadcastMode(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	testpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOWARNING,
@@ -353,53 +385,55 @@ test_AcceptNoSentPacketBroadcastMode(void) {
 
 
 void
-test_CorrectUnauthenticatedPacket(void) {
+test_CorrectUnauthenticatedPacket(void)
+{
 	TEST_ASSERT_FALSE(ENABLED_OPT(AUTHENTICATION));
 
 	TEST_ASSERT_EQUAL(LEN_PKT_NOMAC,
 			  process_pkt(&testpkt, &testsock, LEN_PKT_NOMAC,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_CorrectAuthenticatedPacketMD5(void) {
+test_CorrectAuthenticatedPacketMD5(void)
+{
 	PrepareAuthenticationTestMD5(10, 15, "123456789abcdef");
 	TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
 
 	int pkt_len = LEN_PKT_NOMAC;
 
-	// Prepare the packet.
+	/* Prepare the packet. */
 	testpkt.exten[0] = htonl(10);
-	int mac_len = make_mac((char*)&testpkt, pkt_len,
-						   MAX_MD5_LEN, key_ptr,
-						   (char*)&testpkt.exten[1]);
+	int mac_len = make_mac(&testpkt, pkt_len,
+			       MAX_MD5_LEN, key_ptr,
+			       &testpkt.exten[1]);
 
 	pkt_len += 4 + mac_len;
 
 	TEST_ASSERT_EQUAL(pkt_len,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
-
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
 
 
 void
-test_CorrectAuthenticatedPacketSHA1(void) {
+test_CorrectAuthenticatedPacketSHA1(void)
+{
 	PrepareAuthenticationTest(20, 15, "SHA1", "abcdefghijklmno");
 	TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
 
 	int pkt_len = LEN_PKT_NOMAC;
 
-	// Prepare the packet.
+	/* Prepare the packet. */
 	testpkt.exten[0] = htonl(20);
-	int mac_len = make_mac((char*)&testpkt, pkt_len,
-						   MAX_MAC_LEN, key_ptr,
-						   (char*)&testpkt.exten[1]);
+	int mac_len = make_mac(&testpkt, pkt_len,
+			       MAX_MAC_LEN, key_ptr,
+			       &testpkt.exten[1]);
 
 	pkt_len += 4 + mac_len;
 
 	TEST_ASSERT_EQUAL(pkt_len,
 			  process_pkt(&testpkt, &testsock, pkt_len,
-						  MODE_SERVER, &testspkt, "UnitTest"));
+				      MODE_SERVER, &testspkt, "UnitTest"));
 }
diff --git a/contrib/ntp/sntp/tests/run-packetProcessing.c b/contrib/ntp/sntp/tests/run-packetProcessing.c
index bf3a63e..ad02b7a 100644
--- a/contrib/ntp/sntp/tests/run-packetProcessing.c
+++ b/contrib/ntp/sntp/tests/run-packetProcessing.c
@@ -66,24 +66,24 @@ int main(int argc, char *argv[])
 {
   progname = argv[0];
   UnityBegin("packetProcessing.c");
-  RUN_TEST(test_TooShortLength, 19);
-  RUN_TEST(test_LengthNotMultipleOfFour, 20);
-  RUN_TEST(test_TooShortExtensionFieldLength, 21);
-  RUN_TEST(test_UnauthenticatedPacketReject, 22);
-  RUN_TEST(test_CryptoNAKPacketReject, 23);
-  RUN_TEST(test_AuthenticatedPacketInvalid, 24);
-  RUN_TEST(test_AuthenticatedPacketUnknownKey, 25);
-  RUN_TEST(test_ServerVersionTooOld, 26);
-  RUN_TEST(test_ServerVersionTooNew, 27);
-  RUN_TEST(test_NonWantedMode, 28);
-  RUN_TEST(test_KoDRate, 29);
-  RUN_TEST(test_KoDDeny, 30);
-  RUN_TEST(test_RejectUnsyncedServer, 31);
-  RUN_TEST(test_RejectWrongResponseServerMode, 32);
-  RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 33);
-  RUN_TEST(test_CorrectUnauthenticatedPacket, 34);
-  RUN_TEST(test_CorrectAuthenticatedPacketMD5, 35);
-  RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 36);
+  RUN_TEST(test_TooShortLength, 25);
+  RUN_TEST(test_LengthNotMultipleOfFour, 26);
+  RUN_TEST(test_TooShortExtensionFieldLength, 27);
+  RUN_TEST(test_UnauthenticatedPacketReject, 28);
+  RUN_TEST(test_CryptoNAKPacketReject, 29);
+  RUN_TEST(test_AuthenticatedPacketInvalid, 30);
+  RUN_TEST(test_AuthenticatedPacketUnknownKey, 31);
+  RUN_TEST(test_ServerVersionTooOld, 32);
+  RUN_TEST(test_ServerVersionTooNew, 33);
+  RUN_TEST(test_NonWantedMode, 34);
+  RUN_TEST(test_KoDRate, 35);
+  RUN_TEST(test_KoDDeny, 36);
+  RUN_TEST(test_RejectUnsyncedServer, 37);
+  RUN_TEST(test_RejectWrongResponseServerMode, 38);
+  RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 39);
+  RUN_TEST(test_CorrectUnauthenticatedPacket, 40);
+  RUN_TEST(test_CorrectAuthenticatedPacketMD5, 41);
+  RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 42);
 
   return (UnityEnd());
 }
diff --git a/contrib/ntp/sntp/unity/unity_internals.h b/contrib/ntp/sntp/unity/unity_internals.h
index bf1bf3d..f1cc400 100644
--- a/contrib/ntp/sntp/unity/unity_internals.h
+++ b/contrib/ntp/sntp/unity/unity_internals.h
@@ -614,7 +614,7 @@ extern const char UnityStrErr64[];
 
 #define UNITY_TEST_ASSERT_EQUAL_PTR(expected, actual, line, message)                             UnityAssertEqualNumber((_U_SINT)(_UP)(expected), (_U_SINT)(_UP)(actual), (message), (UNITY_LINE_TYPE)line, UNITY_DISPLAY_STYLE_POINTER)
 #define UNITY_TEST_ASSERT_EQUAL_STRING(expected, actual, line, message)                          UnityAssertEqualString((const char*)(expected), (const char*)(actual), (message), (UNITY_LINE_TYPE)line)
-#define UNITY_TEST_ASSERT_EQUAL_MEMORY(expected, actual, len, line, message)                     UnityAssertEqualMemory((UNITY_PTR_ATTRIBUTE void*)(expected), (UNITY_PTR_ATTRIBUTE void*)(actual), (_UU32)(len), 1, (message), (UNITY_LINE_TYPE)line)
+#define UNITY_TEST_ASSERT_EQUAL_MEMORY(expected, actual, len, line, message)                     UnityAssertEqualMemory((UNITY_PTR_ATTRIBUTE const void*)(expected), (UNITY_PTR_ATTRIBUTE const void*)(actual), (_UU32)(len), 1, (message), (UNITY_LINE_TYPE)line)
 
 #define UNITY_TEST_ASSERT_EQUAL_INT_ARRAY(expected, actual, num_elements, line, message)         UnityAssertEqualIntArray((UNITY_PTR_ATTRIBUTE const void*)(expected), (UNITY_PTR_ATTRIBUTE const void*)(actual), (_UU32)(num_elements), (message), (UNITY_LINE_TYPE)line, UNITY_DISPLAY_STYLE_INT)
 #define UNITY_TEST_ASSERT_EQUAL_INT8_ARRAY(expected, actual, num_elements, line, message)        UnityAssertEqualIntArray((UNITY_PTR_ATTRIBUTE const void*)(expected), (UNITY_PTR_ATTRIBUTE const void*)(actual), (_UU32)(num_elements), (message), (UNITY_LINE_TYPE)line, UNITY_DISPLAY_STYLE_INT8)
diff --git a/contrib/ntp/sntp/version.c b/contrib/ntp/sntp/version.c
index eb0e92b..762eeb7 100644
--- a/contrib/ntp/sntp/version.c
+++ b/contrib/ntp/sntp/version.c
@@ -2,4 +2,4 @@
  * version file for sntp
  */
 #include <config.h>
-const char * Version = "sntp 4.2.8p4@1.3265-o Thu Jan  7 23:23:18 UTC 2016 (26)";
+const char * Version = "sntp 4.2.8p5@1.3265-o Wed Jan 20 09:06:36 UTC 2016 (27)";
diff --git a/contrib/ntp/tests/libntp/authkeys.c b/contrib/ntp/tests/libntp/authkeys.c
index 2ddbce5..fd11ef6 100644
--- a/contrib/ntp/tests/libntp/authkeys.c
+++ b/contrib/ntp/tests/libntp/authkeys.c
@@ -13,6 +13,7 @@
 # include "openssl/rand.h"
 # include "openssl/evp.h"
 #endif
+#include <limits.h>
 
 u_long current_time = 4;
 int counter = 0;
@@ -27,6 +28,7 @@ void test_HaveKeyCorrect(void);
 void test_HaveKeyIncorrect(void);
 void test_AddWithAuthUseKey(void);
 void test_EmptyKey(void);
+void test_auth_log2(void);
 
 
 void
@@ -70,7 +72,7 @@ AddTrustedKey(keyid_t keyno)
 	 * We need to add a MD5-key in addition to setting the
 	 * trust, because authhavekey() requires type != 0.
 	 */
-	MD5auth_setkey(keyno, KEYTYPE, NULL, 0);
+	MD5auth_setkey(keyno, KEYTYPE, NULL, 0, NULL);
 
 	authtrust(keyno, TRUE);
 
@@ -158,3 +160,39 @@ test_EmptyKey(void)
 
 	return;
 }
+
+/* test the implementation of 'auth_log2' -- use a local copy of the code */
+
+static u_short
+auth_log2(
+	size_t x)
+{
+	int	s;
+	int	r = 0;
+	size_t  m = ~(size_t)0;
+
+	for (s = sizeof(size_t) / 2 * CHAR_BIT; s != 0; s >>= 1) {
+		m <<= s;
+		if (x & m)
+			r += s;
+		else
+			x <<= s;
+	}
+	return (u_short)r;
+}
+
+void
+test_auth_log2(void)
+{
+	int	l2;
+	size_t	tv;
+	
+	TEST_ASSERT_EQUAL_INT(0, auth_log2(0));
+	TEST_ASSERT_EQUAL_INT(0, auth_log2(1));
+	for (l2 = 1; l2 < sizeof(size_t)*CHAR_BIT; ++l2) {
+		tv = (size_t)1 << l2;
+		TEST_ASSERT_EQUAL_INT(l2, auth_log2(   tv   ));
+		TEST_ASSERT_EQUAL_INT(l2, auth_log2( tv + 1 ));
+		TEST_ASSERT_EQUAL_INT(l2, auth_log2(2*tv - 1));
+	}
+}
diff --git a/contrib/ntp/tests/libntp/decodenetnum.c b/contrib/ntp/tests/libntp/decodenetnum.c
index 0d2b0b5..64980fc 100644
--- a/contrib/ntp/tests/libntp/decodenetnum.c
+++ b/contrib/ntp/tests/libntp/decodenetnum.c
@@ -7,25 +7,30 @@
 void setUp(void);
 extern void test_IPv4AddressOnly(void);
 extern void test_IPv4AddressWithPort(void);
-//#ifdef ISC_PLATFORM_HAVEIPV6
 extern void test_IPv6AddressOnly(void);
 extern void test_IPv6AddressWithPort(void);
-//#endif /* ISC_PLATFORM_HAVEIPV6 */
 extern void test_IllegalAddress(void);
 extern void test_IllegalCharInPort(void);
 
-
+/*
+ * NOTE: The IPv6 specific tests are reduced to stubs when IPv6 is
+ * disabled.
+ *
+ * ISC_PLATFORM_HAVEIPV6 checks if system has IPV6 capabilies. WANTIPV6
+ * ISC_PLATFORM_WANTIPV6 can be changed with build --disable-ipv6.
+ *
+ * If we want IPv6 but don't have it, the tests should fail, I think.
+ */
 void
 setUp(void)
 {
 	init_lib();
-
-	return;
 }
 
 
 void
-test_IPv4AddressOnly(void) {
+test_IPv4AddressOnly(void)
+{
 	const char *str = "192.0.2.1";
 	sockaddr_u actual;
 
@@ -39,7 +44,8 @@ test_IPv4AddressOnly(void) {
 }
 
 void
-test_IPv4AddressWithPort(void) {
+test_IPv4AddressWithPort(void)
+{
 	const char *str = "192.0.2.2:2000";
 	sockaddr_u actual;
 
@@ -54,15 +60,15 @@ test_IPv4AddressWithPort(void) {
 
 
 void
-test_IPv6AddressOnly(void) {
-
-//#ifdef ISC_PLATFORM_HAVEIPV6 //looks like HAVEIPV6 checks if system has IPV6 capabilies. WANTIPV6 can be changed with build --disable-ipv6
+test_IPv6AddressOnly(void)
+{
 #ifdef ISC_PLATFORM_WANTIPV6
+
 	const struct in6_addr address = {
 		0x20, 0x01, 0x0d, 0xb8,
-        0x85, 0xa3, 0x08, 0xd3,
-        0x13, 0x19, 0x8a, 0x2e,
-        0x03, 0x70, 0x73, 0x34
+		0x85, 0xa3, 0x08, 0xd3,
+		0x13, 0x19, 0x8a, 0x2e,
+		0x03, 0x70, 0x73, 0x34
 	};
 
 	const char *str = "2001:0db8:85a3:08d3:1319:8a2e:0370:7334";
@@ -77,24 +83,23 @@ test_IPv6AddressOnly(void) {
 	TEST_ASSERT_TRUE(IsEqual(expected, actual));
 
 #else
+	
 	TEST_IGNORE_MESSAGE("IPV6 disabled in build, skipping.");
+	
 #endif /* ISC_PLATFORM_HAVEIPV6 */
-
-
 }
 
 
-
 void
-test_IPv6AddressWithPort(void) {
-
+test_IPv6AddressWithPort(void)
+{
 #ifdef ISC_PLATFORM_WANTIPV6
 
 	const struct in6_addr address = {
 		0x20, 0x01, 0x0d, 0xb8,
-        0x85, 0xa3, 0x08, 0xd3,
-        0x13, 0x19, 0x8a, 0x2e,
-        0x03, 0x70, 0x73, 0x34
+		0x85, 0xa3, 0x08, 0xd3,
+		0x13, 0x19, 0x8a, 0x2e,
+		0x03, 0x70, 0x73, 0x34
 	};
 
 	const char *str = "[2001:0db8:85a3:08d3:1319:8a2e:0370:7334]:3000";
@@ -109,21 +114,26 @@ test_IPv6AddressWithPort(void) {
 	TEST_ASSERT_TRUE(IsEqual(expected, actual));
 
 #else
+	
 	TEST_IGNORE_MESSAGE("IPV6 disabled in build, skipping.");
+	
 #endif /* ISC_PLATFORM_HAVEIPV6 */
 }
 
 
 void
-test_IllegalAddress(void) {
+test_IllegalAddress(void)
+{
 	const char *str = "192.0.2.270:2000";
 	sockaddr_u actual;
 
 	TEST_ASSERT_FALSE(decodenetnum(str, &actual));
 }
 
+
 void
-test_IllegalCharInPort(void) {
+test_IllegalCharInPort(void)
+{
 	/* An illegal port does not make the decodenetnum fail, but instead
 	 * makes it use the standard port.
 	 */
diff --git a/contrib/ntp/tests/libntp/run-authkeys.c b/contrib/ntp/tests/libntp/run-authkeys.c
index 6a2b670..cc91876 100644
--- a/contrib/ntp/tests/libntp/run-authkeys.c
+++ b/contrib/ntp/tests/libntp/run-authkeys.c
@@ -26,6 +26,7 @@
 #include "ntp.h"
 #include "ntp_stdlib.h"
 #include "ntp_calendar.h"
+#include <limits.h>
 
 //=======External Functions This Runner Calls=====
 extern void setUp(void);
@@ -36,6 +37,7 @@ extern void test_HaveKeyCorrect(void);
 extern void test_HaveKeyIncorrect(void);
 extern void test_AddWithAuthUseKey(void);
 extern void test_EmptyKey(void);
+extern void test_auth_log2(void);
 
 
 //=======Test Reset Option=====
@@ -54,12 +56,13 @@ int main(int argc, char *argv[])
 {
   progname = argv[0];
   UnityBegin("authkeys.c");
-  RUN_TEST(test_AddTrustedKeys, 24);
-  RUN_TEST(test_AddUntrustedKey, 25);
-  RUN_TEST(test_HaveKeyCorrect, 26);
-  RUN_TEST(test_HaveKeyIncorrect, 27);
-  RUN_TEST(test_AddWithAuthUseKey, 28);
-  RUN_TEST(test_EmptyKey, 29);
+  RUN_TEST(test_AddTrustedKeys, 25);
+  RUN_TEST(test_AddUntrustedKey, 26);
+  RUN_TEST(test_HaveKeyCorrect, 27);
+  RUN_TEST(test_HaveKeyIncorrect, 28);
+  RUN_TEST(test_AddWithAuthUseKey, 29);
+  RUN_TEST(test_EmptyKey, 30);
+  RUN_TEST(test_auth_log2, 31);
 
   return (UnityEnd());
 }
diff --git a/contrib/ntp/tests/libntp/run-decodenetnum.c b/contrib/ntp/tests/libntp/run-decodenetnum.c
index 57b955c..d41f93e 100644
--- a/contrib/ntp/tests/libntp/run-decodenetnum.c
+++ b/contrib/ntp/tests/libntp/run-decodenetnum.c
@@ -55,10 +55,10 @@ int main(int argc, char *argv[])
   UnityBegin("decodenetnum.c");
   RUN_TEST(test_IPv4AddressOnly, 8);
   RUN_TEST(test_IPv4AddressWithPort, 9);
-  RUN_TEST(test_IPv6AddressOnly, 11);
-  RUN_TEST(test_IPv6AddressWithPort, 12);
-  RUN_TEST(test_IllegalAddress, 14);
-  RUN_TEST(test_IllegalCharInPort, 15);
+  RUN_TEST(test_IPv6AddressOnly, 10);
+  RUN_TEST(test_IPv6AddressWithPort, 11);
+  RUN_TEST(test_IllegalAddress, 12);
+  RUN_TEST(test_IllegalCharInPort, 13);
 
   return (UnityEnd());
 }
diff --git a/contrib/ntp/tests/libntp/run-socktoa.c b/contrib/ntp/tests/libntp/run-socktoa.c
index df6ec9c..bde07ed 100644
--- a/contrib/ntp/tests/libntp/run-socktoa.c
+++ b/contrib/ntp/tests/libntp/run-socktoa.c
@@ -55,11 +55,11 @@ int main(int argc, char *argv[])
   progname = argv[0];
   UnityBegin("socktoa.c");
   RUN_TEST(test_IPv4AddressWithPort, 11);
-  RUN_TEST(test_IPv6AddressWithPort, 13);
-  RUN_TEST(test_IgnoreIPv6Fields, 14);
-  RUN_TEST(test_ScopedIPv6AddressWithPort, 16);
-  RUN_TEST(test_HashEqual, 17);
-  RUN_TEST(test_HashNotEqual, 18);
+  RUN_TEST(test_IPv6AddressWithPort, 12);
+  RUN_TEST(test_IgnoreIPv6Fields, 13);
+  RUN_TEST(test_ScopedIPv6AddressWithPort, 14);
+  RUN_TEST(test_HashEqual, 15);
+  RUN_TEST(test_HashNotEqual, 16);
 
   return (UnityEnd());
 }
diff --git a/contrib/ntp/tests/libntp/socktoa.c b/contrib/ntp/tests/libntp/socktoa.c
index 8423106..e9be182 100644
--- a/contrib/ntp/tests/libntp/socktoa.c
+++ b/contrib/ntp/tests/libntp/socktoa.c
@@ -9,10 +9,8 @@
 
 void setUp(void);
 void test_IPv4AddressWithPort(void);
-//#ifdef ISC_PLATFORM_HAVEIPV6
 void test_IPv6AddressWithPort(void);
 void test_IgnoreIPv6Fields(void);
-//#endif /* ISC_PLATFORM_HAVEIPV6 */
 void test_ScopedIPv6AddressWithPort(void);
 void test_HashEqual(void);
 void test_HashNotEqual(void);
@@ -22,13 +20,12 @@ void
 setUp(void)
 {
 	init_lib();
-
-	return;
 }
 
 
 void 
-test_IPv4AddressWithPort(void) {
+test_IPv4AddressWithPort(void)
+{
 	sockaddr_u input = CreateSockaddr4("192.0.2.10", 123);
 
 	TEST_ASSERT_EQUAL_STRING("192.0.2.10", socktoa(&input));
@@ -37,8 +34,8 @@ test_IPv4AddressWithPort(void) {
 
 
 void 
-test_IPv6AddressWithPort(void) {
-
+test_IPv6AddressWithPort(void)
+{
 #ifdef ISC_PLATFORM_WANTIPV6
 
 	const struct in6_addr address = {
@@ -63,16 +60,18 @@ test_IPv6AddressWithPort(void) {
 	TEST_ASSERT_EQUAL_STRING(expected_port, sockporttoa(&input));
 
 #else
+
 	TEST_IGNORE_MESSAGE("IPV6 disabled in build, skipping.");
 
 #endif /* ISC_PLATFORM_HAVEIPV6 */
-
 }
 
 
 void 
-test_ScopedIPv6AddressWithPort(void) {
+test_ScopedIPv6AddressWithPort(void)
+{
 #ifdef ISC_PLATFORM_HAVESCOPEID
+    
 	const struct in6_addr address = { { {
 		0xfe, 0x80, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00,
@@ -95,12 +94,16 @@ test_ScopedIPv6AddressWithPort(void) {
 	TEST_ASSERT_EQUAL_STRING(expected, socktoa(&input));
 	TEST_ASSERT_EQUAL_STRING(expected_port, sockporttoa(&input));
 #else
+	
 	TEST_IGNORE_MESSAGE("Skipping because ISC_PLATFORM does not have Scope ID");
+	
 #endif
 }
 
+
 void 
-test_HashEqual(void) {
+test_HashEqual(void)
+{
 	sockaddr_u input1 = CreateSockaddr4("192.00.2.2", 123);
 	sockaddr_u input2 = CreateSockaddr4("192.0.2.2", 123);
 
@@ -108,8 +111,10 @@ test_HashEqual(void) {
 	TEST_ASSERT_EQUAL(sock_hash(&input1), sock_hash(&input2));
 }
 
+
 void 
-test_HashNotEqual(void) {
+test_HashNotEqual(void)
+{
 	/* These two addresses should not generate the same hash. */
 	sockaddr_u input1 = CreateSockaddr4("192.0.2.1", 123);
 	sockaddr_u input2 = CreateSockaddr4("192.0.2.2", 123);
@@ -120,15 +125,15 @@ test_HashNotEqual(void) {
 
 
 void 
-test_IgnoreIPv6Fields(void) {
-
+test_IgnoreIPv6Fields(void)
+{
 #ifdef ISC_PLATFORM_WANTIPV6
 
 	const struct in6_addr address = {
 		0x20, 0x01, 0x0d, 0xb8,
-        0x85, 0xa3, 0x08, 0xd3, 
-        0x13, 0x19, 0x8a, 0x2e,
-        0x03, 0x70, 0x73, 0x34
+		0x85, 0xa3, 0x08, 0xd3, 
+		0x13, 0x19, 0x8a, 0x2e,
+		0x03, 0x70, 0x73, 0x34
 	};
 
 	sockaddr_u input1, input2;
@@ -146,7 +151,8 @@ test_IgnoreIPv6Fields(void) {
 	TEST_ASSERT_EQUAL(sock_hash(&input1), sock_hash(&input2));
 
 #else
+
 	TEST_IGNORE_MESSAGE("IPV6 disabled in build, skipping.");
+
 #endif /* ISC_PLATFORM_HAVEIPV6 */
 }
-
diff --git a/contrib/ntp/tests/ntpd/t-ntp_signd.c b/contrib/ntp/tests/ntpd/t-ntp_signd.c
index 534c940..40e7ac0 100644
--- a/contrib/ntp/tests/ntpd/t-ntp_signd.c
+++ b/contrib/ntp/tests/ntpd/t-ntp_signd.c
@@ -139,6 +139,7 @@ test_send_packet(void)
 void
 test_recv_packet(void)
 {
+#if 0
 	int fd = ux_socket_connect("/socket");
 
 	TEST_ASSERT_TRUE(isGE(fd, 0));
@@ -152,6 +153,9 @@ test_recv_packet(void)
 	TEST_ASSERT_EQUAL(0,temp); //0 because nobody sent us anything (yet!)
 
 	(void)close(fd);
+#else
+	TEST_IGNORE_MESSAGE("test_recv_packet() needs work");
+#endif
 	return;
 }
 
diff --git a/contrib/ntp/util/invoke-ntp-keygen.texi b/contrib/ntp/util/invoke-ntp-keygen.texi
index 36a1a42..f152453 100644
--- a/contrib/ntp/util/invoke-ntp-keygen.texi
+++ b/contrib/ntp/util/invoke-ntp-keygen.texi
@@ -6,7 +6,7 @@
 #
 # EDIT THIS FILE WITH CAUTION  (invoke-ntp-keygen.texi)
 #
-# It has been AutoGen-ed  January  7, 2016 at 11:32:40 PM by AutoGen 5.18.5
+# It has been AutoGen-ed  January 20, 2016 at 04:19:48 AM by AutoGen 5.18.5
 # From the definitions    ntp-keygen-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -886,7 +886,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p5
+ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p6
 Usage:  ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
   Flg Arg Option-Name    Description
    -b Num imbits         identity modulus bits
diff --git a/contrib/ntp/util/ntp-keygen-opts.c b/contrib/ntp/util/ntp-keygen-opts.c
index f41bff4..ee4f440 100644
--- a/contrib/ntp/util/ntp-keygen-opts.c
+++ b/contrib/ntp/util/ntp-keygen-opts.c
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.c)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:32:25 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:19:33 AM by AutoGen 5.18.5
  *  From the definitions    ntp-keygen-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntp-keygen program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -72,8 +72,8 @@ extern FILE * option_usage_fp;
  *  static const strings for ntp-keygen options
  */
 static char const ntp_keygen_opt_strs[2419] =
-/*     0 */ "ntp-keygen (ntp) 4.2.8p5\n"
-            "Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n"
+/*     0 */ "ntp-keygen (ntp) 4.2.8p6\n"
+            "Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
             "can be seen at:\n"
@@ -164,14 +164,14 @@ static char const ntp_keygen_opt_strs[2419] =
 /*  2202 */ "no-load-opts\0"
 /*  2215 */ "no\0"
 /*  2218 */ "NTP_KEYGEN\0"
-/*  2229 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p5\n"
+/*  2229 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p6\n"
             "Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
 /*  2343 */ "$HOME\0"
 /*  2349 */ ".\0"
 /*  2351 */ ".ntprc\0"
 /*  2358 */ "http://bugs.ntp.org, bugs@ntp.org\0"
 /*  2392 */ "\n\0"
-/*  2394 */ "ntp-keygen (ntp) 4.2.8p5";
+/*  2394 */ "ntp-keygen (ntp) 4.2.8p6";
 
 /**
  *  imbits option description:
@@ -1309,8 +1309,8 @@ static void bogus_function(void) {
      translate option names.
    */
   /* referenced via ntp_keygenOptions.pzCopyright */
-  puts(_("ntp-keygen (ntp) 4.2.8p5\n\
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.\n\
+  puts(_("ntp-keygen (ntp) 4.2.8p6\n\
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.\n\
 This is free software. It is licensed for use, modification and\n\
 redistribution under the terms of the NTP License, copies of which\n\
 can be seen at:\n"));
@@ -1408,14 +1408,14 @@ implied warranty.\n"));
   puts(_("load options from a config file"));
 
   /* referenced via ntp_keygenOptions.pzUsageTitle */
-  puts(_("ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p5\n\
+  puts(_("ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p6\n\
 Usage:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n"));
 
   /* referenced via ntp_keygenOptions.pzExplain */
   puts(_("\n"));
 
   /* referenced via ntp_keygenOptions.pzFullVersion */
-  puts(_("ntp-keygen (ntp) 4.2.8p5"));
+  puts(_("ntp-keygen (ntp) 4.2.8p6"));
 
   /* referenced via ntp_keygenOptions.pzFullUsage */
   puts(_("<<<NOT-FOUND>>>"));
diff --git a/contrib/ntp/util/ntp-keygen-opts.h b/contrib/ntp/util/ntp-keygen-opts.h
index 1205494..35e507f 100644
--- a/contrib/ntp/util/ntp-keygen-opts.h
+++ b/contrib/ntp/util/ntp-keygen-opts.h
@@ -1,7 +1,7 @@
 /*
  *  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.h)
  *
- *  It has been AutoGen-ed  January  7, 2016 at 11:32:24 PM by AutoGen 5.18.5
+ *  It has been AutoGen-ed  January 20, 2016 at 04:19:32 AM by AutoGen 5.18.5
  *  From the definitions    ntp-keygen-opts.def
  *  and the template file   options
  *
@@ -18,7 +18,7 @@
  * The ntp-keygen program is copyrighted and licensed
  * under the following terms:
  *
- *  Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation, all rights reserved.
+ *  Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation, all rights reserved.
  *  This is free software. It is licensed for use, modification and
  *  redistribution under the terms of the NTP License, copies of which
  *  can be seen at:
@@ -94,9 +94,9 @@ typedef enum {
 /** count of all options for ntp-keygen */
 #define OPTION_CT    26
 /** ntp-keygen version */
-#define NTP_KEYGEN_VERSION       "4.2.8p5"
+#define NTP_KEYGEN_VERSION       "4.2.8p6"
 /** Full ntp-keygen version text */
-#define NTP_KEYGEN_FULL_VERSION  "ntp-keygen (ntp) 4.2.8p5"
+#define NTP_KEYGEN_FULL_VERSION  "ntp-keygen (ntp) 4.2.8p6"
 
 /**
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/contrib/ntp/util/ntp-keygen.1ntp-keygenman b/contrib/ntp/util/ntp-keygen.1ntp-keygenman
index 195e3d2..7bd53bc 100644
--- a/contrib/ntp/util/ntp-keygen.1ntp-keygenman
+++ b/contrib/ntp/util/ntp-keygen.1ntp-keygenman
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntp-keygen 1ntp-keygenman "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntp-keygen 1ntp-keygenman "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LNaiiw/ag-XNaahw)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Dua4pY/ag-PuaWoY)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:32:36 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:44 AM by AutoGen 5.18.5
 .\" From the definitions ntp-keygen-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -1197,7 +1197,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 It can take quite a while to generate some cryptographic values,
diff --git a/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc b/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc
index 18c38fb..1c69520 100644
--- a/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc
+++ b/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:32:43 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:19:51 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp-keygen-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -1053,7 +1053,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 It can take quite a while to generate some cryptographic values,
diff --git a/contrib/ntp/util/ntp-keygen.html b/contrib/ntp/util/ntp-keygen.html
index f7a6073..76a7c09 100644
--- a/contrib/ntp/util/ntp-keygen.html
+++ b/contrib/ntp/util/ntp-keygen.html
@@ -70,7 +70,7 @@ All other files are in PEM-encoded
 printable ASCII format so they can be embedded as MIME attachments in
 mail to other sites.
 
-  <p>This document applies to version 4.2.8p5 of <code>ntp-keygen</code>.
+  <p>This document applies to version 4.2.8p6 of <code>ntp-keygen</code>.
 
 <div class="node">
 <p><hr>
@@ -1085,7 +1085,7 @@ the usage text by passing it through a pager program.
 used to select the program, defaulting to <span class="file">more</span>.  Both will exit
 with a status code of 0.
 
-<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p4
+<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p5
 Usage:  ntp-keygen [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
   Flg Arg Option-Name    Description
    -b Num imbits         identity modulus bits
diff --git a/contrib/ntp/util/ntp-keygen.man.in b/contrib/ntp/util/ntp-keygen.man.in
index c76c4df..b5a741d 100644
--- a/contrib/ntp/util/ntp-keygen.man.in
+++ b/contrib/ntp/util/ntp-keygen.man.in
@@ -10,11 +10,11 @@
 .ds B-Font B
 .ds I-Font I
 .ds R-Font R
-.TH ntp-keygen @NTP_KEYGEN_MS@ "07 Jan 2016" "ntp (4.2.8p5)" "User Commands"
+.TH ntp-keygen @NTP_KEYGEN_MS@ "20 Jan 2016" "ntp (4.2.8p6)" "User Commands"
 .\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LNaiiw/ag-XNaahw)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Dua4pY/ag-PuaWoY)
 .\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:32:36 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:44 AM by AutoGen 5.18.5
 .\" From the definitions ntp-keygen-opts.def
 .\" and the template file agman-cmd.tpl
 .SH NAME
@@ -1197,7 +1197,7 @@ it to autogen-users@lists.sourceforge.net.  Thank you.
 .SH "AUTHORS"
 The University of Delaware and Network Time Foundation
 .SH "COPYRIGHT"
-Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .SH BUGS
 It can take quite a while to generate some cryptographic values,
diff --git a/contrib/ntp/util/ntp-keygen.mdoc.in b/contrib/ntp/util/ntp-keygen.mdoc.in
index 9e6675b..37ecafb 100644
--- a/contrib/ntp/util/ntp-keygen.mdoc.in
+++ b/contrib/ntp/util/ntp-keygen.mdoc.in
@@ -1,9 +1,9 @@
-.Dd January 7 2016
+.Dd January 20 2016
 .Dt NTP_KEYGEN @NTP_KEYGEN_MS@ User Commands
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.mdoc)
 .\"
-.\"  It has been AutoGen-ed  January  7, 2016 at 11:32:43 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  January 20, 2016 at 04:19:51 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp-keygen-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -1053,7 +1053,7 @@ it to autogen\-users@lists.sourceforge.net.  Thank you.
 .Sh "AUTHORS"
 The University of Delaware and Network Time Foundation
 .Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
 This program is released under the terms of the NTP license, <http://ntp.org/license>.
 .Sh BUGS
 It can take quite a while to generate some cryptographic values,
diff --git a/contrib/openpam/CREDITS b/contrib/openpam/CREDITS
index 0a22fc4..c14f7ea 100644
--- a/contrib/openpam/CREDITS
+++ b/contrib/openpam/CREDITS
@@ -21,6 +21,7 @@ ideas:
 	Christos Zoulas <christos@netbsd.org>
 	Daniel Richard G. <skunk@iskunk.org>
 	Darren J. Moffat <darren.moffat@sun.com>
+	Dimitry Andric <dim@freebsd.org>
 	Dmitry V. Levin <ldv@altlinux.org>
 	Don Lewis <truckman@freebsd.org>
 	Emmanuel Dreyfus <manu@netbsd.org>
@@ -32,9 +33,9 @@ ideas:
 	Hubert Feyrer <hubert@feyrer.de>
 	Jason Evans <jasone@freebsd.org>
 	Joe Marcus Clarke <marcus@freebsd.org>
-	Juli Mallett <jmallett@freebsd.org>
-	Ankita Pal <pal.ankita.ankita@gmail.com>
 	Jörg Sonnenberger <joerg@britannica.bec.de>
+	Juli Mallett <jmallett@freebsd.org>
+	Larry Baird <lab@gta.com>
 	Maëlle Lesage <lesage.maelle@gmail.com>
 	Mark Murray <markm@freebsd.org>
 	Matthias Drochner <drochner@netbsd.org>
diff --git a/contrib/openpam/configure.ac b/contrib/openpam/configure.ac
index 1412b7a..bf7f905 100644
--- a/contrib/openpam/configure.ac
+++ b/contrib/openpam/configure.ac
@@ -110,7 +110,7 @@ AC_SUBST(CRYPTO_LIBS)
 
 AC_ARG_ENABLE([developer-warnings],
     AS_HELP_STRING([--enable-developer-warnings], [enable strict warnings (default is NO)]),
-    [CFLAGS="${CFLAGS} -Wall -Wextra"])
+    [CFLAGS="${CFLAGS} -Wall -Wextra -Wcast-qual"])
 AC_ARG_ENABLE([debugging-symbols],
     AS_HELP_STRING([--enable-debugging-symbols], [enable debugging symbols (default is NO)]),
     [CFLAGS="${CFLAGS} -O0 -g -fno-inline"])
diff --git a/contrib/openpam/lib/libpam/openpam_constants.c b/contrib/openpam/lib/libpam/openpam_constants.c
index 1cdd810..b718af9 100644
--- a/contrib/openpam/lib/libpam/openpam_constants.c
+++ b/contrib/openpam/lib/libpam/openpam_constants.c
@@ -137,6 +137,9 @@ const char *openpam_policy_path[] = {
 const char *openpam_module_path[] = {
 #ifdef OPENPAM_MODULES_DIRECTORY
 	OPENPAM_MODULES_DIRECTORY,
+#elif COMPAT_32BIT
+	"/usr/lib32",
+	"/usr/local/lib32",
 #else
 	"/usr/lib",
 	"/usr/local/lib",
diff --git a/contrib/openpam/lib/libpam/openpam_ctype.h b/contrib/openpam/lib/libpam/openpam_ctype.h
index 5c62185..d99d34b 100644
--- a/contrib/openpam/lib/libpam/openpam_ctype.h
+++ b/contrib/openpam/lib/libpam/openpam_ctype.h
@@ -39,10 +39,18 @@
 	(ch >= '0' && ch <= '9')
 
 /*
+ * Evaluates to non-zero if the argument is a hex digit.
+ */
+#define is_xdigit(ch)				\
+	((ch >= '0' && ch <= '9') ||		\
+	 (ch >= 'a' && ch <= 'f') ||		\
+	 (ch >= 'A' && ch <= 'F'))
+
+/*
  * Evaluates to non-zero if the argument is an uppercase letter.
  */
 #define is_upper(ch)				\
-	(ch >= 'A' && ch <= 'A')
+	(ch >= 'A' && ch <= 'Z')
 
 /*
  * Evaluates to non-zero if the argument is a lowercase letter.
diff --git a/contrib/openpam/lib/libpam/openpam_dispatch.c b/contrib/openpam/lib/libpam/openpam_dispatch.c
index 5fa068f..0cff631 100644
--- a/contrib/openpam/lib/libpam/openpam_dispatch.c
+++ b/contrib/openpam/lib/libpam/openpam_dispatch.c
@@ -117,7 +117,7 @@ openpam_dispatch(pam_handle_t *pamh,
 			openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
 			    pam_sm_func_name[primitive], chain->module->path);
 			r = (chain->module->func[primitive])(pamh, flags,
-			    chain->optc, (const char **)chain->optv);
+			    chain->optc, (const char **)(intptr_t)chain->optv);
 			pamh->current = NULL;
 			openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
 			    chain->module->path, pam_sm_func_name[primitive],
diff --git a/contrib/openpam/modules/pam_unix/pam_unix.c b/contrib/openpam/modules/pam_unix/pam_unix.c
index ad7dd1b..f76651d 100644
--- a/contrib/openpam/modules/pam_unix/pam_unix.c
+++ b/contrib/openpam/modules/pam_unix/pam_unix.c
@@ -74,7 +74,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 #endif
 	struct passwd *pwd;
 	const char *user;
-	char *crypt_password, *password;
+	const char *crypt_password, *password;
 	int pam_err, retry;
 
 	(void)argc;
@@ -98,7 +98,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 	for (retry = 0; retry < 3; ++retry) {
 #ifdef OPENPAM
 		pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
-		    (const char **)&password, NULL);
+		    &password, NULL);
 #else
 		resp = NULL;
 		pam_err = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
diff --git a/contrib/openpam/t/Makefile.am b/contrib/openpam/t/Makefile.am
index 5f6a251..bf3801b 100644
--- a/contrib/openpam/t/Makefile.am
+++ b/contrib/openpam/t/Makefile.am
@@ -6,6 +6,7 @@ noinst_HEADERS = t.h
 
 # tests
 TESTS =
+TESTS += t_openpam_ctype
 TESTS += t_openpam_readword
 TESTS += t_openpam_readlinev
 check_PROGRAMS = $(TESTS)
diff --git a/contrib/openpam/t/t_openpam_ctype.c b/contrib/openpam/t/t_openpam_ctype.c
new file mode 100644
index 0000000..e97a446
--- /dev/null
+++ b/contrib/openpam/t/t_openpam_ctype.c
@@ -0,0 +1,122 @@
+/*-
+ * Copyright (c) 2014 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#include "openpam_ctype.h"
+
+#include "t.h"
+
+#define OC_DIGIT	"0123456789"
+#define OC_XDIGIT	OC_DIGIT "ABCDEFabcdef"
+#define OC_UPPER	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+#define OC_LOWER	"abcdefghijklmnopqrstuvwxyz"
+#define OC_LETTER	OC_UPPER OC_LOWER
+#define OC_LWS		" \t\f\r"
+#define OC_WS		OC_LWS "\n"
+#define OC_P		"!\"#$%&'()*+,-./" OC_DIGIT ":;<=>?@" OC_UPPER "[\\]^_`" OC_LOWER "{|}~"
+#define OC_PFCS		OC_DIGIT OC_LETTER "._-"
+
+static const char oc_digit[] = OC_DIGIT;
+static const char oc_xdigit[] = OC_XDIGIT;
+static const char oc_upper[] = OC_UPPER;
+static const char oc_lower[] = OC_LOWER;
+static const char oc_letter[] = OC_LETTER;
+static const char oc_lws[] = OC_LWS;
+static const char oc_ws[] = OC_WS;
+static const char oc_p[] = OC_P;
+static const char oc_pfcs[] = OC_PFCS;
+
+#define T_OC(set)							\
+	T_FUNC(t_oc_##set, "is_" #set)					\
+	{								\
+		char crib[256];						\
+		unsigned int i, ret;					\
+									\
+		memset(crib, 0, sizeof crib);				\
+		for (i = 0; oc_##set[i]; ++i)				\
+			crib[(int)oc_##set[i]] = 1;			\
+		for (i = ret = 0; i < sizeof crib; ++i) {		\
+			if (is_##set(i) != crib[i]) {			\
+				t_verbose("is_%s() incorrect "		\
+				    "for %#02x\n", #set, i);		\
+				++ret;					\
+			}						\
+		}							\
+		return (ret == 0);					\
+	}
+
+T_OC(digit)
+T_OC(xdigit)
+T_OC(upper)
+T_OC(lower)
+T_OC(letter)
+T_OC(lws)
+T_OC(ws)
+T_OC(p)
+T_OC(pfcs)
+
+
+/***************************************************************************
+ * Boilerplate
+ */
+
+static const struct t_test *t_plan[] = {
+	T(t_oc_digit),
+	T(t_oc_xdigit),
+	T(t_oc_upper),
+	T(t_oc_lower),
+	T(t_oc_letter),
+	T(t_oc_lws),
+	T(t_oc_ws),
+	T(t_oc_p),
+	T(t_oc_pfcs),
+	NULL
+};
+
+const struct t_test **
+t_prepare(int argc, char *argv[])
+{
+
+	(void)argc;
+	(void)argv;
+	return (t_plan);
+}
+
+void
+t_cleanup(void)
+{
+}
diff --git a/contrib/openpam/t/t_openpam_readlinev.c b/contrib/openpam/t/t_openpam_readlinev.c
index 59f2b10..9820f6e 100644
--- a/contrib/openpam/t/t_openpam_readlinev.c
+++ b/contrib/openpam/t/t_openpam_readlinev.c
@@ -255,7 +255,7 @@ T_FUNC(unterminated_line, "unterminated line")
  * Boilerplate
  */
 
-const struct t_test *t_plan[] = {
+static const struct t_test *t_plan[] = {
 	T(empty_input),
 	T(empty_line),
 	T(unterminated_empty_line),
diff --git a/contrib/openpam/t/t_openpam_readword.c b/contrib/openpam/t/t_openpam_readword.c
index d2d6bd5..804c745 100644
--- a/contrib/openpam/t/t_openpam_readword.c
+++ b/contrib/openpam/t/t_openpam_readword.c
@@ -823,7 +823,7 @@ T_FUNC(escaped_double_quote_within_double_quotes,
  * Boilerplate
  */
 
-const struct t_test *t_plan[] = {
+static const struct t_test *t_plan[] = {
 	T(empty_input),
 	T(empty_line),
 	T(single_whitespace),
diff --git a/contrib/smbfs/lib/smb/nb_name.c b/contrib/smbfs/lib/smb/nb_name.c
index 2346ec7..a953ce0 100644
--- a/contrib/smbfs/lib/smb/nb_name.c
+++ b/contrib/smbfs/lib/smb/nb_name.c
@@ -143,15 +143,13 @@ nb_encname_len(const char *str)
 	return len;
 }
 
-#define	NBENCODE(c)	(htole16((u_short)(((u_char)(c) >> 4) | \
-			 (((u_char)(c) & 0xf) << 8)) + 0x4141))
-
-static void
-memsetw(char *dst, int n, u_short word)
+static inline void
+nb_char_encode(u_char **ptr, u_char c, int n)
 {
+
 	while (n--) {
-		*(u_short*)dst = word;
-		dst += 2;
+		*(*ptr)++ = 0x41 + (c >> 4);
+		*(*ptr)++ = 0x41 + (c & 0x0f);
 	}
 }
 
@@ -165,19 +163,15 @@ nb_name_encode(struct nb_name *np, u_char *dst)
 	*cp++ = NB_ENCNAMELEN;
 	name = np->nn_name;
 	if (name[0] == '*' && name[1] == 0) {
-		*(u_short*)cp = NBENCODE('*');
-		memsetw(cp + 2, NB_NAMELEN - 1, NBENCODE(' '));
-		cp += NB_ENCNAMELEN;
+		nb_char_encode(&cp, '*', 1);
+		nb_char_encode(&cp, ' ', NB_NAMELEN - 1);
 	} else {
-		for (i = 0; *name && i < NB_NAMELEN - 1; i++, cp += 2, name++)
-			*(u_short*)cp = NBENCODE(toupper(*name));
-		i = NB_NAMELEN - i - 1;
-		if (i > 0) {
-			memsetw(cp, i, NBENCODE(' '));
-			cp += i * 2;
-		}
-		*(u_short*)cp = NBENCODE(np->nn_type);
-		cp += 2;
+		for (i = 0; i < NB_NAMELEN - 1; i++)
+			if (*name != 0)
+				nb_char_encode(&cp, toupper(*name++), 1);
+			else
+				nb_char_encode(&cp, ' ', 1);
+		nb_char_encode(&cp, np->nn_type, 1);
 	}
 	*cp = 0;
 	if (np->nn_scope == NULL)
diff --git a/contrib/unbound/.gitignore b/contrib/unbound/.gitignore
new file mode 100644
index 0000000..7fed8d7
--- /dev/null
+++ b/contrib/unbound/.gitignore
@@ -0,0 +1,38 @@
+*.lo
+*.o
+/.libs/
+/Makefile
+/autom4te.cache/
+/config.h
+/config.log
+/config.status
+/dnstap/dnstap_config.h
+/doc/example.conf
+/doc/libunbound.3
+/doc/unbound-anchor.8
+/doc/unbound-checkconf.8
+/doc/unbound-control.8
+/doc/unbound-host.1
+/doc/unbound.8
+/doc/unbound.conf.5
+/libtool
+/libunbound.la
+/smallapp/unbound-control-setup.sh
+/unbound
+/unbound-anchor
+/unbound-checkconf
+/unbound-control
+/unbound-control-setup
+/unbound-host
+/unbound.h
+/asynclook
+/delayer
+/lock-verify
+/memstats
+/perf
+/petal
+/pktview
+/streamtcp
+/testbound
+/unittest
+
diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in
index 20829d8..282c7d6 100644
--- a/contrib/unbound/Makefile.in
+++ b/contrib/unbound/Makefile.in
@@ -38,6 +38,7 @@ UNBOUND_VERSION_MINOR=@UNBOUND_VERSION_MINOR@
 UNBOUND_VERSION_MICRO=@UNBOUND_VERSION_MICRO@
 ALLTARGET=@ALLTARGET@
 INSTALLTARGET=@INSTALLTARGET@
+SSLLIB=@SSLLIB@
 
 # _unbound.la if pyunbound enabled.
 PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
@@ -132,7 +133,7 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
 compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
 compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
 compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
-compat/arc4_lock.c compat/sha512.c compat/reallocarray.c
+compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c
 COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
 COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
@@ -295,22 +296,22 @@ longtest:	tests
 lib:	libunbound.la unbound.h
 
 libunbound.la:	$(LIBUNBOUND_OBJ_LINK)
-	$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) -lssl $(LIBS)
+	$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSLLIB) $(LIBS)
 
 unbound$(EXEEXT):	$(DAEMON_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 
 unbound-checkconf$(EXEEXT):	$(CHECKCONF_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 
 unbound-control$(EXEEXT):	$(CONTROL_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 
 unbound-host$(EXEEXT):	$(HOST_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
 
 unbound-anchor$(EXEEXT):	$(UBANCHOR_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat -lssl $(LIBS)
+	$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
 
 unbound-service-install$(EXEEXT):	$(SVCINST_OBJ_LINK)
 	$(LINK) -o $@ $(SVCINST_OBJ_LINK) $(LIBS)
@@ -322,37 +323,37 @@ anchor-update$(EXEEXT):  $(ANCHORUPD_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
 
 unittest$(EXEEXT):	$(UNITTEST_OBJ_LINK)
-	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 testbound$(EXEEXT):	$(TESTBOUND_OBJ_LINK)
-	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 lock-verify$(EXEEXT):	$(LOCKVERIFY_OBJ_LINK)
-	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 petal$(EXEEXT):	$(PETAL_OBJ_LINK)
-	$(LINK) -o $@ $(PETAL_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 pktview$(EXEEXT):	$(PKTVIEW_OBJ_LINK)
-	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 memstats$(EXEEXT):	$(MEMSTATS_OBJ_LINK)
-	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
 
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
-	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 perf$(EXEEXT):	$(PERF_OBJ_LINK)
-	$(LINK) -o $@ $(PERF_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 delayer$(EXEEXT):	$(DELAYER_OBJ_LINK)
-	$(LINK) -o $@ $(DELAYER_OBJ_LINK) -lssl $(LIBS)
+	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 signit$(EXEEXT):	testcode/signit.c
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns -lssl $(LIBS)
+	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
 
 unbound.h:	$(srcdir)/libunbound/unbound.h
 	sed -e 's/@''UNBOUND_VERSION_MAJOR@/$(UNBOUND_VERSION_MAJOR)/' -e 's/@''UNBOUND_VERSION_MINOR@/$(UNBOUND_VERSION_MINOR)/' -e 's/@''UNBOUND_VERSION_MICRO@/$(UNBOUND_VERSION_MICRO)/' < $(srcdir)/libunbound/unbound.h > $@
@@ -644,7 +645,7 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
  $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
 iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
  $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@@ -727,8 +728,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
- 
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -776,14 +776,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnstap/dnstap.h  \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h \
- 
+ $(srcdir)/sldns/wire2str.h
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -818,8 +816,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
  $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
- 
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@@ -844,18 +841,16 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- 
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
-val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/validator.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
@@ -867,17 +862,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h \
- 
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/sbuffer.h
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
- 
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -895,11 +888,6 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
  $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
-dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c  config.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/dnstap/dnstap.pb-c.h
-dnstap.pb-c.lo dnstap.pb-c.o: $(srcdir)/dnstap/dnstap.pb-c.c $(srcdir)/dnstap/dnstap.pb-c.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -908,8 +896,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
  $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
@@ -947,38 +934,35 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
- $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
-  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
  $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
  $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1002,35 +986,33 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
  $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/rbtree.h
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/libworker.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
+ $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1046,12 +1028,12 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
@@ -1059,14 +1041,13 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
@@ -1141,19 +1122,18 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
  $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/netevent.h  $(srcdir)/services/mesh.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
+  $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1164,21 +1144,18 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
- 
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
- $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
- 
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
- 
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
@@ -1191,8 +1168,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h
@@ -1200,14 +1176,11 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
  $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/rrdef.h \
- 
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h \
- 
+ $(srcdir)/sldns/keyraw.h
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1227,8 +1200,7 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
 strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
- 
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
 getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
@@ -1238,3 +1210,4 @@ arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.
 arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/locks.h
 sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
 reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
+isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
diff --git a/contrib/unbound/acx_nlnetlabs.m4 b/contrib/unbound/acx_nlnetlabs.m4
index c9ca755..26513e4 100644
--- a/contrib/unbound/acx_nlnetlabs.m4
+++ b/contrib/unbound/acx_nlnetlabs.m4
@@ -2,7 +2,9 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 28
+# Version 30
+# 2015-11-18 spelling check fix.
+# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
 # 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
 # 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
@@ -24,7 +26,7 @@
 # 2010-07-02 Add check for ss_family (for minix).
 # 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
 # 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
-# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl
+# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl
 # 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN
 # 2010-01-20 added AHX_COONFIG_STRLCAT
 # 2009-07-14 U_CHAR detection improved for windows crosscompile.
@@ -715,12 +717,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [
         fi
         AC_SUBST(HAVE_SSL)
         AC_SUBST(RUNTIME_PATH)
-	# openssl engine functionality needs dlopen().
-	BAKLIBS="$LIBS"
-	AC_SEARCH_LIBS([dlopen], [dl])
-	if test "$LIBS" != "$BAKLIBS"; then
-		LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-	fi
     fi
 AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
diff --git a/contrib/unbound/compat/arc4random.c b/contrib/unbound/compat/arc4random.c
index 27a626b..2c859f1 100644
--- a/contrib/unbound/compat/arc4random.c
+++ b/contrib/unbound/compat/arc4random.c
@@ -26,7 +26,9 @@
 #include <fcntl.h>
 #include <limits.h>
 #include <signal.h>
+#ifdef HAVE_STDINT_H
 #include <stdint.h>
+#endif
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
diff --git a/contrib/unbound/compat/getentropy_linux.c b/contrib/unbound/compat/getentropy_linux.c
index 76f0f9d..37d86a8 100644
--- a/contrib/unbound/compat/getentropy_linux.c
+++ b/contrib/unbound/compat/getentropy_linux.c
@@ -46,7 +46,12 @@
 #include <errno.h>
 #include <unistd.h>
 #include <time.h>
+
+#if defined(HAVE_SSL)
 #include <openssl/sha.h>
+#elif defined(HAVE_NETTLE)
+#include <nettle/sha.h>
+#endif
 
 #include <linux/types.h>
 #include <linux/random.h>
@@ -67,9 +72,21 @@
 			HD(b); \
 	} while (0)
 
+#if defined(HAVE_SSL)
+#define CRYPTO_SHA512_CTX		SHA512_CTX
+#define CRYPTO_SHA512_INIT(x)		SHA512_Init(x)
+#define CRYPTO_SHA512_FINAL(r, c)	SHA512_Final(r, c)
 #define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
 #define HD(x)	 (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
 #define HF(x)    (SHA512_Update(&ctx, (char *)&(x), sizeof (void*)))
+#elif defined(HAVE_NETTLE)
+#define CRYPTO_SHA512_CTX		struct sha512_ctx
+#define CRYPTO_SHA512_INIT(x)		sha512_init(x)
+#define CRYPTO_SHA512_FINAL(r, c)	sha512_digest(c, SHA512_DIGEST_SIZE, r)
+#define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
+#define HD(x)	 (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
+#define HF(x)    (sha512_update(&ctx, sizeof (void*), (uint8_t *)&(x)))
+#endif
 
 int	getentropy(void *buf, size_t len);
 
@@ -122,7 +139,7 @@ getentropy(void *buf, size_t len)
 	 * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
 	 * sysctl is a failsafe API, so it guarantees a result.  This
 	 * should work inside a chroot, or when file descriptors are
-	 * exhuasted.
+	 * exhausted.
 	 *
 	 * However this can fail if the Linux kernel removes support
 	 * for sysctl.  Starting in 2007, there have been efforts to
@@ -337,7 +354,7 @@ getentropy_fallback(void *buf, size_t len)
 	struct rusage ru;
 	sigset_t sigset;
 	struct stat st;
-	SHA512_CTX ctx;
+	CRYPTO_SHA512_CTX ctx;
 	static pid_t lastpid;
 	pid_t pid;
 	size_t i, ii, m;
@@ -354,7 +371,7 @@ getentropy_fallback(void *buf, size_t len)
 	}
 	for (i = 0; i < len; ) {
 		int j;
-		SHA512_Init(&ctx);
+		CRYPTO_SHA512_INIT(&ctx);
 		for (j = 0; j < repeat; j++) {
 			HX((e = gettimeofday(&tv, NULL)) == -1, tv);
 			if (e != -1) {
@@ -526,7 +543,7 @@ getentropy_fallback(void *buf, size_t len)
 #  endif
 #endif /* HAVE_GETAUXVAL */
 
-		SHA512_Final(results, &ctx);
+		CRYPTO_SHA512_FINAL(results, &ctx);
 		memcpy((char*)buf + i, results, min(sizeof(results), len - i));
 		i += min(sizeof(results), len - i);
 	}
diff --git a/contrib/unbound/compat/getentropy_solaris.c b/contrib/unbound/compat/getentropy_solaris.c
index 8389573..810098a 100644
--- a/contrib/unbound/compat/getentropy_solaris.c
+++ b/contrib/unbound/compat/getentropy_solaris.c
@@ -30,7 +30,9 @@
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <stdlib.h>
+#ifdef HAVE_STDINT_H
 #include <stdint.h>
+#endif
 #include <stdio.h>
 #include <termios.h>
 #include <fcntl.h>
@@ -39,10 +41,14 @@
 #include <errno.h>
 #include <unistd.h>
 #include <time.h>
+#ifdef HAVE_SYS_SHA2_H
 #include <sys/sha2.h>
 #define SHA512_Init SHA512Init
 #define SHA512_Update SHA512Update
 #define SHA512_Final SHA512Final
+#else
+#include "openssl/sha.h"
+#endif
 
 #include <sys/vfs.h>
 #include <sys/statfs.h>
diff --git a/contrib/unbound/compat/isblank.c b/contrib/unbound/compat/isblank.c
new file mode 100644
index 0000000..8feabed
--- /dev/null
+++ b/contrib/unbound/compat/isblank.c
@@ -0,0 +1,45 @@
+/* isblank - compatibility implementation of isblank
+ *
+ * Copyright (c) 2015, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+/* return true for a blank character: space or tab */
+int isblank(int c);
+
+/* implementation of isblank. unsigned char is the argument */
+int
+isblank(int c)
+{
+	return (c==' ' || c=='\t');
+}
diff --git a/contrib/unbound/compat/reallocarray.c b/contrib/unbound/compat/reallocarray.c
index 04d5d71..c969bd0 100644
--- a/contrib/unbound/compat/reallocarray.c
+++ b/contrib/unbound/compat/reallocarray.c
@@ -18,7 +18,10 @@
 #include "config.h"
 #include <sys/types.h>
 #include <errno.h>
+#ifdef HAVE_STDINT_H
 #include <stdint.h>
+#endif
+#include <limits.h>
 #include <stdlib.h>
 
 /*
diff --git a/contrib/unbound/compat/sha512.c b/contrib/unbound/compat/sha512.c
index ac046ab..744b7ac7b 100644
--- a/contrib/unbound/compat/sha512.c
+++ b/contrib/unbound/compat/sha512.c
@@ -70,7 +70,7 @@ unsigned char *SHA512(void *data, unsigned int data_len, unsigned char *digest);
  * Please make sure that your system defines BYTE_ORDER.  If your
  * architecture is little-endian, make sure it also defines
  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivilent.
+ * equivalent.
  *
  * If your system does not define the above, then you can do so by
  * hand like this:
diff --git a/contrib/unbound/compat/snprintf.c b/contrib/unbound/compat/snprintf.c
index 0663557..97cd706 100644
--- a/contrib/unbound/compat/snprintf.c
+++ b/contrib/unbound/compat/snprintf.c
@@ -42,6 +42,7 @@
 #ifdef HAVE_STDINT_H
 #include <stdint.h>
 #endif
+#include <limits.h>
 
 /* for test */
 /* #define SNPRINTF_TEST 1 */
@@ -428,7 +429,7 @@ print_num_llp(char** at, size_t* left, int* ret, void* value,
 	char buf[PRINT_DEC_BUFSZ];
 	int negative = 0;
 	int zero = (value == 0);
-#if defined(UINTPTR_MAX) && defined(UINT32_MAX) && (UINTPTR_MAX == UINT32_MAX)
+#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX || INT32_MAX == SIZE_MAX)
 	/* avoid warning about upcast on 32bit systems */
 	unsigned long long llvalue = (unsigned long)value;
 #else
diff --git a/contrib/unbound/config.h b/contrib/unbound/config.h
index 6e322ea..5b38868 100644
--- a/contrib/unbound/config.h
+++ b/contrib/unbound/config.h
@@ -95,6 +95,10 @@
    don't. */
 /* #undef HAVE_DECL_STRLCPY */
 
+/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
+   you don't. */
+#define HAVE_DECL_XML_STOPPARSER 1
+
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #define HAVE_DLFCN_H 1
 
@@ -152,6 +156,9 @@
 /* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
 #define HAVE_FSEEKO 1
 
+/* Define to 1 if you have the `fsync' function. */
+#define HAVE_FSYNC 1
+
 /* Whether getaddrinfo is available */
 #define HAVE_GETADDRINFO 1
 
@@ -206,6 +213,9 @@
 /* Define to 1 if you have the <iphlpapi.h> header file. */
 /* #undef HAVE_IPHLPAPI_H */
 
+/* Define to 1 if you have the `isblank' function. */
+#define HAVE_ISBLANK 1
+
 /* Define to 1 if you have the `kill' function. */
 #define HAVE_KILL 1
 
@@ -233,6 +243,9 @@
 /* Define to 1 if you have the <netinet/in.h> header file. */
 #define HAVE_NETINET_IN_H 1
 
+/* Use libnettle for crypto */
+/* #undef HAVE_NETTLE */
+
 /* Use libnss for crypto */
 /* #undef HAVE_NSS */
 
@@ -497,7 +510,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.5.5"
+#define PACKAGE_STRING "unbound 1.5.7"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -506,7 +519,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.5.5"
+#define PACKAGE_VERSION "1.5.7"
 
 /* default pidfile location */
 #define PIDFILE "/var/unbound/unbound.pid"
@@ -525,7 +538,7 @@
 #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,5,5,0
+#define RSRC_PACKAGE_VERSION 1,5,7,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound"
@@ -536,6 +549,9 @@
 /* The size of `time_t', as computed by sizeof. */
 #define SIZEOF_TIME_T 8
 
+/* define if (v)snprintf does not return length needed, (but length used) */
+/* #undef SNPRINTF_RET_BROKEN */
+
 /* Define to 1 if you have the ANSI C header files. */
 #define STDC_HEADERS 1
 
@@ -570,7 +586,7 @@
 /* #undef USE_ECDSA_EVP_WORKAROUND */
 
 /* Define this to enable GOST support. */
-/* #undef USE_GOST */
+#define USE_GOST 1
 
 /* Define if you want to use internal select based events */
 #define USE_MINI_EVENT 1
@@ -849,15 +865,13 @@
 #define MAXHOSTNAMELEN 256
 #endif
 
-
-#ifndef HAVE_SNPRINTF
+#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
 #define snprintf snprintf_unbound
 #define vsnprintf vsnprintf_unbound
 #include <stdarg.h>
 int snprintf (char *str, size_t count, const char *fmt, ...);
 int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
-#endif /* HAVE_SNPRINTF */
-
+#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
 
 #ifndef HAVE_INET_PTON
 #define inet_pton inet_pton_unbound
@@ -953,6 +967,11 @@ int memcmp(const void *x, const void *y, size_t n);
 char *ctime_r(const time_t *timep, char *buf);
 #endif
 
+#ifndef HAVE_ISBLANK
+#define isblank unbound_isblank
+int isblank(int c);
+#endif
+
 #if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
 #define strptime unbound_strptime
 struct tm;
diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in
index 7576e15..e90f036 100644
--- a/contrib/unbound/config.h.in
+++ b/contrib/unbound/config.h.in
@@ -94,6 +94,10 @@
    don't. */
 #undef HAVE_DECL_STRLCPY
 
+/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
+   you don't. */
+#undef HAVE_DECL_XML_STOPPARSER
+
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
@@ -151,6 +155,9 @@
 /* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
 #undef HAVE_FSEEKO
 
+/* Define to 1 if you have the `fsync' function. */
+#undef HAVE_FSYNC
+
 /* Whether getaddrinfo is available */
 #undef HAVE_GETADDRINFO
 
@@ -205,6 +212,9 @@
 /* Define to 1 if you have the <iphlpapi.h> header file. */
 #undef HAVE_IPHLPAPI_H
 
+/* Define to 1 if you have the `isblank' function. */
+#undef HAVE_ISBLANK
+
 /* Define to 1 if you have the `kill' function. */
 #undef HAVE_KILL
 
@@ -232,6 +242,9 @@
 /* Define to 1 if you have the <netinet/in.h> header file. */
 #undef HAVE_NETINET_IN_H
 
+/* Use libnettle for crypto */
+#undef HAVE_NETTLE
+
 /* Use libnss for crypto */
 #undef HAVE_NSS
 
@@ -535,6 +548,9 @@
 /* The size of `time_t', as computed by sizeof. */
 #undef SIZEOF_TIME_T
 
+/* define if (v)snprintf does not return length needed, (but length used) */
+#undef SNPRINTF_RET_BROKEN
+
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
@@ -848,15 +864,13 @@
 #define MAXHOSTNAMELEN 256
 #endif
 
-
-#ifndef HAVE_SNPRINTF
+#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
 #define snprintf snprintf_unbound
 #define vsnprintf vsnprintf_unbound
 #include <stdarg.h>
 int snprintf (char *str, size_t count, const char *fmt, ...);
 int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
-#endif /* HAVE_SNPRINTF */
-
+#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
 
 #ifndef HAVE_INET_PTON
 #define inet_pton inet_pton_unbound
@@ -952,6 +966,11 @@ int memcmp(const void *x, const void *y, size_t n);
 char *ctime_r(const time_t *timep, char *buf);
 #endif
 
+#ifndef HAVE_ISBLANK
+#define isblank unbound_isblank
+int isblank(int c);
+#endif
+
 #if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
 #define strptime unbound_strptime
 struct tm;
diff --git a/contrib/unbound/configure b/contrib/unbound/configure
index 7b0a7e6..acfb107 100755
--- a/contrib/unbound/configure
+++ b/contrib/unbound/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
+# Generated by GNU Autoconf 2.69 for unbound 1.5.7.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.5.5'
-PACKAGE_STRING='unbound 1.5.5'
+PACKAGE_VERSION='1.5.7'
+PACKAGE_STRING='unbound 1.5.7'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -661,6 +661,7 @@ CHECKLOCK_OBJ
 staticexe
 UNBOUND_EVENT_UNINSTALL
 UNBOUND_EVENT_INSTALL
+SSLLIB
 HAVE_SSL
 CONFIG_DATE
 NETBSD_LINTFLAGS
@@ -823,6 +824,7 @@ with_solaris_threads
 with_pyunbound
 with_pythonmodule
 with_nss
+with_nettle
 with_ssl
 enable_sha2
 enable_gost
@@ -1391,7 +1393,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
+\`configure' configures unbound 1.5.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1456,7 +1458,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.5.5:";;
+     short | recursive ) echo "Configuration of unbound 1.5.7:";;
    esac
   cat <<\_ACEOF
 
@@ -1534,6 +1536,7 @@ Optional Packages:
   --with-pythonmodule     build Python module, or --without-pythonmodule to
                           disable script engine. (default=no)
   --with-nss=path         use libnss instead of openssl, installed at path.
+  --with-nettle=path      use libnettle as crypto library, installed at path.
   --with-ssl=pathname     enable SSL (will check /usr/local/ssl /usr/lib/ssl
                           /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
                           /usr)
@@ -1635,7 +1638,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.5.5
+unbound configure 1.5.7
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2344,7 +2347,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.5.5, which was
+It was created by unbound $as_me 1.5.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2696,11 +2699,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=5
 
-UNBOUND_VERSION_MICRO=5
+UNBOUND_VERSION_MICRO=7
 
 
 LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=8
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2745,6 +2748,8 @@ LIBUNBOUND_AGE=3
 # 1.5.3 had 5:6:3
 # 1.5.4 had 5:7:3
 # 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
+# 1.5.7 had 5:10:3
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -16406,13 +16411,44 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h
 		CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
 	fi
         LIBS="$LIBS -lnss3 -lnspr4"
+	SSLLIB=""
+
+
+fi
+
+
+# libnettle
+USE_NETTLE="no"
+
+# Check whether --with-nettle was given.
+if test "${with_nettle+set}" = set; then :
+  withval=$with_nettle;
+	USE_NETTLE="yes"
+
+$as_echo "#define HAVE_NETTLE 1" >>confdefs.h
+
+	if test "$withval" != "" -a "$withval" != "yes"; then
+		CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+		LDFLAGS="$LDFLAGS -L$withval/lib"
+
+	if test "x$enable_rpath" = xyes; then
+		if echo "$withval/lib" | grep "^/" >/dev/null; then
+			RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
+		fi
+	fi
+
+	else
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+	fi
+        LIBS="$LIBS -lhogweed -lnettle -lgmp"
+	SSLLIB=""
 
 
 fi
 
 
 # openssl
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 
 
 # Check whether --with-ssl was given.
@@ -16581,67 +16617,6 @@ rm -f core conftest.err conftest.$ac_objext \
         fi
 
 
-	# openssl engine functionality needs dlopen().
-	BAKLIBS="$LIBS"
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
-$as_echo_n "checking for library containing dlopen... " >&6; }
-if ${ac_cv_search_dlopen+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' dl; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_dlopen=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_dlopen+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_dlopen+:} false; then :
-
-else
-  ac_cv_search_dlopen=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
-$as_echo "$ac_cv_search_dlopen" >&6; }
-ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-fi
-
-	if test "$LIBS" != "$BAKLIBS"; then
-		LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-	fi
     fi
 for ac_header in openssl/ssl.h
 do :
@@ -16779,6 +16754,7 @@ fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
+SSLLIB="-lssl"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
 $as_echo_n "checking for LibreSSL... " >&6; }
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@@ -16976,6 +16952,7 @@ _ACEOF
 fi
 
 
+
 # Check whether --enable-sha2 was given.
 if test "${enable_sha2+set}" = set; then :
   enableval=$enable_sha2;
@@ -16999,7 +16976,7 @@ if test "${enable_gost+set}" = set; then :
 fi
 
 use_gost="no"
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 case "$enable_gost" in
 	no)
 	;;
@@ -17152,7 +17129,7 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      if test $USE_NSS = "no"; then
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 	      ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
 if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
 
@@ -17643,6 +17620,20 @@ fi
 
 done
 
+ac_fn_c_check_decl "$LINENO" "XML_StopParser" "ac_cv_have_decl_XML_StopParser" "$ac_includes_default
+#include <expat.h>
+
+"
+if test "x$ac_cv_have_decl_XML_StopParser" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_XML_STOPPARSER $ac_have_decl
+_ACEOF
+
 
 # set static linking if requested
 
@@ -18100,7 +18091,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent
+for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18221,6 +18212,48 @@ esac
 fi
 
 
+# test if snprintf return the proper length
+if test "x$ac_cv_func_snprintf" = xyes; then
+    if test c${cross_compiling} = cno; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for correct snprintf return value" >&5
+$as_echo_n "checking for correct snprintf return value... " >&6; }
+	if test "$cross_compiling" = yes; then :
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run test program while cross compiling
+See \`config.log' for more details" "$LINENO" 5; }
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+
+int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define SNPRINTF_RET_BROKEN /**/" >>confdefs.h
+
+		case " $LIBOBJS " in
+  *" snprintf.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS snprintf.$ac_objext"
+ ;;
+esac
+
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+    fi
+fi
 ac_fn_c_check_func "$LINENO" "strlcat" "ac_cv_func_strlcat"
 if test "x$ac_cv_func_strlcat" = xyes; then :
   $as_echo "#define HAVE_STRLCAT 1" >>confdefs.h
@@ -18277,6 +18310,20 @@ esac
 fi
 
 
+ac_fn_c_check_func "$LINENO" "isblank" "ac_cv_func_isblank"
+if test "x$ac_cv_func_isblank" = xyes; then :
+  $as_echo "#define HAVE_ISBLANK 1" >>confdefs.h
+
+else
+  case " $LIBOBJS " in
+  *" isblank.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS isblank.$ac_objext"
+ ;;
+esac
+
+fi
+
+
 LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
 
 ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
@@ -19017,7 +19064,7 @@ _ACEOF
 
 
 
-version=1.5.5
+version=1.5.7
 
 date=`date +'%b %e, %Y'`
 
@@ -19532,7 +19579,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.5.5, which was
+This file was extended by unbound $as_me 1.5.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19598,7 +19645,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.5.5
+unbound config.status 1.5.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac
index 871ea7c..13d8304 100644
--- a/contrib/unbound/configure.ac
+++ b/contrib/unbound/configure.ac
@@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[5])
-m4_define([VERSION_MICRO],[5])
+m4_define([VERSION_MICRO],[7])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=8
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -62,6 +62,8 @@ LIBUNBOUND_AGE=3
 # 1.5.3 had 5:6:3
 # 1.5.4 had 5:7:3
 # 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
+# 1.5.7 had 5:10:3
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -561,13 +563,34 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
 		CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
 	fi
         LIBS="$LIBS -lnss3 -lnspr4"
+	SSLLIB=""
+	]
+)
+
+# libnettle
+USE_NETTLE="no"
+AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+	[use libnettle as crypto library, installed at path.]),
+	[
+	USE_NETTLE="yes"
+	AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+	if test "$withval" != "" -a "$withval" != "yes"; then
+		CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+		LDFLAGS="$LDFLAGS -L$withval/lib"
+		ACX_RUNTIME_PATH_ADD([$withval/lib])
+	else
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+	fi
+        LIBS="$LIBS -lhogweed -lnettle -lgmp"
+	SSLLIB=""
 	]
 )
 
 # openssl
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 ACX_WITH_SSL
 ACX_LIB_SSL
+SSLLIB="-lssl"
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
 	AC_MSG_RESULT([yes])
@@ -602,6 +625,7 @@ AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
 ])
 fi
+AC_SUBST(SSLLIB)
 
 
 AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
@@ -713,7 +737,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
 
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 use_gost="no"
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 case "$enable_gost" in
 	no)
 	;;
@@ -727,7 +751,7 @@ case "$enable_gost" in
 	fi
 	;;
 esac
-fi dnl !USE_NSS
+fi dnl !USE_NSS && !USE_NETTLE
 
 AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
 use_ecdsa="no"
@@ -735,7 +759,7 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      if test $USE_NSS = "no"; then
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 	      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
 	      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
 	      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
@@ -881,6 +905,9 @@ if test x_$found_libexpat != x_yes; then
 	AC_ERROR([Could not find libexpat, expat.h])
 fi
 AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
+#include <expat.h>
+])
 
 # set static linking if requested
 AC_SUBST(staticexe)
@@ -985,7 +1012,7 @@ AC_INCLUDES_DEFAULT
 #endif
 ])
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
@@ -997,10 +1024,25 @@ AC_REPLACE_FUNCS(inet_aton)
 AC_REPLACE_FUNCS(inet_pton)
 AC_REPLACE_FUNCS(inet_ntop)
 AC_REPLACE_FUNCS(snprintf)
+# test if snprintf return the proper length
+if test "x$ac_cv_func_snprintf" = xyes; then
+    if test c${cross_compiling} = cno; then
+	AC_MSG_CHECKING([for correct snprintf return value])
+	AC_RUN_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
+[[
+int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
+]])], [AC_MSG_RESULT(yes)], [
+		AC_MSG_RESULT(no)
+		AC_DEFINE([SNPRINTF_RET_BROKEN], [], [define if (v)snprintf does not return length needed, (but length used)])
+		AC_LIBOBJ(snprintf)
+	  ])
+    fi
+fi
 AC_REPLACE_FUNCS(strlcat)
 AC_REPLACE_FUNCS(strlcpy)
 AC_REPLACE_FUNCS(memmove)
 AC_REPLACE_FUNCS(gmtime_r)
+AC_REPLACE_FUNCS(isblank)
 dnl without CTIME, ARC4-functions and without reallocarray.
 LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
 AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
@@ -1235,7 +1277,13 @@ AHX_CONFIG_FORMAT_ATTRIBUTE
 AHX_CONFIG_UNUSED_ATTRIBUTE
 AHX_CONFIG_FSEEKO
 AHX_CONFIG_MAXHOSTNAMELEN
-AHX_CONFIG_SNPRINTF(unbound)
+#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
+#define snprintf snprintf_unbound
+#define vsnprintf vsnprintf_unbound
+#include <stdarg.h>
+int snprintf (char *str, size_t count, const char *fmt, ...);
+int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
+#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
 AHX_CONFIG_INET_PTON(unbound)
 AHX_CONFIG_INET_NTOP(unbound)
 AHX_CONFIG_INET_ATON(unbound)
@@ -1258,6 +1306,11 @@ AHX_MEMCMP_BROKEN(unbound)
 char *ctime_r(const time_t *timep, char *buf);
 #endif
 
+#ifndef HAVE_ISBLANK
+#define isblank unbound_isblank
+int isblank(int c);
+#endif
+
 #if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
 #define strptime unbound_strptime
 struct tm;
diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c
index c16e4e5..d533e08 100644
--- a/contrib/unbound/daemon/remote.c
+++ b/contrib/unbound/daemon/remote.c
@@ -208,12 +208,14 @@ daemon_remote_create(struct config_file* cfg)
 		return NULL;
 	}
 	/* no SSLv2, SSLv3 because has defects */
-	if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+	if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2){
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		daemon_remote_delete(rc);
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+	if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+		!= SSL_OP_NO_SSLv3){
 		log_crypto_err("could not set SSL_OP_NO_SSLv3");
 		daemon_remote_delete(rc);
 		return NULL;
diff --git a/contrib/unbound/daemon/unbound.c b/contrib/unbound/daemon/unbound.c
index 8e07c38..0ceee53 100644
--- a/contrib/unbound/daemon/unbound.c
+++ b/contrib/unbound/daemon/unbound.c
@@ -180,6 +180,8 @@ static void usage()
 		SSLeay_version(SSLEAY_VERSION)
 #elif defined(HAVE_NSS)
 		NSS_GetVersion()
+#elif defined(HAVE_NETTLE)
+		"nettle"
 #endif
 		);
 	printf("linked modules:");
@@ -450,6 +452,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 		/* endpwent below, in case we need pwd for setusercontext */
 	}
 #endif
+#ifdef UB_ON_WINDOWS
+	w_config_adjust_directory(cfg);
+#endif
 
 	/* init syslog (as root) if needed, before daemonize, otherwise
 	 * a fork error could not be printed since daemonize closed stderr.*/
diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c
index 79aec4d..c90a659 100644
--- a/contrib/unbound/daemon/worker.c
+++ b/contrib/unbound/daemon/worker.c
@@ -866,11 +866,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		goto send_reply;
 	}
 	if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
+		struct edns_data reply_edns;
 		verbose(VERB_ALGO, "worker parse edns: formerror.");
 		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
-		sldns_buffer_rewind(c->buffer);
-		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		memset(&reply_edns, 0, sizeof(reply_edns));
+		reply_edns.edns_present = 1;
+		reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
+		error_encode(c->buffer, ret, &qinfo,
+			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+			sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
diff --git a/contrib/unbound/dns64/dns64.c b/contrib/unbound/dns64/dns64.c
index 63cc808..0de3f66 100644
--- a/contrib/unbound/dns64/dns64.c
+++ b/contrib/unbound/dns64/dns64.c
@@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 	dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
 	for(i = 0; i < fd->count; ++i) {
 		if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
-		    || fd->rr_data[i][1] != 4)
+		    || fd->rr_data[i][1] != 4) {
+			*dd_out = NULL;
 			return;
+		}
 		dd->rr_len[i] = 18;
 		dd->rr_data[i] =
 		    (uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
@@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 	 */
 	if(!dk) {
 		log_err("no key");
+		*dd_out = NULL;
 		return;
 	}
 
@@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 
 	if(!dk->rk.dname) {
 		log_err("out of memory");
+		*dd_out = NULL;
 		return;
 	}
 
diff --git a/contrib/unbound/dnstap/dnstap.proto b/contrib/unbound/dnstap/dnstap.proto
index 3504d99e..32871f4 100644
--- a/contrib/unbound/dnstap/dnstap.proto
+++ b/contrib/unbound/dnstap/dnstap.proto
@@ -105,7 +105,7 @@ message Message {
 
     enum Type {
         // AUTH_QUERY is a DNS query message received from a resolver by an
-        // authoritative name server, from the perspective of the authorative
+        // authoritative name server, from the perspective of the authoritative
         // name server.
         AUTH_QUERY = 1;
 
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog
index 3f3b245..6824b1d 100644
--- a/contrib/unbound/doc/Changelog
+++ b/contrib/unbound/doc/Changelog
@@ -1,3 +1,121 @@
+8 December 2015: Wouter
+	- Fixup 724 for unbound-control.
+
+7 December 2015: Ralph
+	- Do not minimise forwarded requests.
+
+4 December 2015: Wouter
+	- Removed unneeded whitespace from example.conf.
+
+3 December 2015: Ralph
+	- (after rc1 tag)
+	- Committed fix to qname minimisation and unit test case for it.
+	
+3 December 2015: Wouter
+	- iana portlist update.
+	- 1.5.7rc1 prerelease tag.
+
+2 December 2015: Wouter
+	- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
+	  re-enable stdout printout.
+	- For 724: Add Changelog to windows binary dist.
+
+1 December 2015: Ralph
+	- Qname minimisation review fixes
+
+1 December 2015: Wouter
+	- Fixup 724 fix for fname_after_chroot() calls.
+	- Remove stdout printout for unbound-service-install.exe
+	- .gitignore for git users.
+
+30 November 2015: Ralph
+	- Implemented qname minimisation
+
+30 November 2015: Wouter
+	- Fix for #724: conf syntax to read files from run dir (on Windows).
+
+25 November 2015: Wouter
+	- Fix for #720, fix unbound-control-setup windows batch file.
+
+24 November 2015: Wouter
+	- Fix #720: add windows scripts to zip bundle.
+	- iana portlist update.
+
+20 November 2015: Wouter
+	- Added assert on rrset cache correctness.
+	- Fix that malformed EDNS query gets a response without malformed EDNS.
+
+18 November 2015: Wouter
+	- newer acx_nlnetlabs.m4.
+	- spelling fixes from Igor Sobrado Delgado.
+
+17 November 2015: Wouter
+	- Fix #594. libunbound: optionally use libnettle for crypto.
+	  Contributed by Luca Bruno.  Added --with-nettle for use with
+	  --with-libunbound-only.
+	- refactor nsec3 hash implementation to be more library-portable.
+	- iana portlist update.
+	- Fixup DER encoded DSA signatures for libnettle.
+
+16 November 2015: Wouter
+	- Fix for lenient accept of reverse order DNAME and CNAME.
+
+6 November 2015: Wouter
+	- Change example.conf: ftp.internic.net to https://www.internic.net
+
+5 November 2015: Wouter
+	- ACX_SSL_CHECKS no longer adds -ldl needlessly.
+
+3 November 2015: Wouter
+	- Fix #718: Fix unbound-control-setup with support for env
+	  without HEREDOC bash support.
+
+29 October 2015: Wouter
+	- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+	- Fix #716: nodata proof with empty non-terminals and wildcards.
+
+28 October 2015: Wouter
+	- Fix checklock testcode for linux threads on exit.
+
+27 October 2015: Wouter
+	- isblank() compat implementation.
+	- detect libexpat without xml_StopParser function.
+	- portability fixes.
+	- portability, replace snprintf if return value broken.
+
+23 October 2015: Wouter
+	- Fix #714: Document config to block private-address for IPv4
+	  mapped IPv6 addresses.
+
+22 October 2015: Wouter
+	- Fix #712: unbound-anchor appears to not fsync root.key.
+
+20 October 2015: Wouter
+	- 1.5.6 release.
+	- trunk tracks development of 1.5.7.
+
+15 October 2015: Wouter
+	- Fix segfault in the dns64 module in the formaterror error path.
+	- Fix sldns_wire2str_rdata_scan for malformed RRs.
+	- tag for 1.5.6rc1 release.
+
+14 October 2015: Wouter
+	- ANY responses include DNAME records if present, as per Evan Hunt's
+	  remark in dnsop.
+	- Fix manpage to suggest using SIGTERM to terminate the server.
+
+9 October 2015: Wouter
+	- Default for ssl-port is port 853, the temporary port assignment
+	  for secure domain name system traffic.
+	  If you used to rely on the older default of port 443, you have
+	  to put a clause in unbound.conf for that.  The new value is likely
+	  going to be the standardised port number for this traffic.
+	- iana portlist update.
+
+6 October 2015: Wouter
+	- 1.5.5 release.
+	- trunk tracks the development of 1.5.6.
+
 28 September 2015: Wouter
 	- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
 	  failures.
@@ -731,7 +849,7 @@
 	  existence in 4592.  NSEC empty non-terminals exist and thus the
 	  RCODE should have been NOERROR. If this occurs, and the RRsets
 	  are secure, we set the RCODE to NOERROR and the security status
-	  of the reponse is also considered secure.
+	  of the response is also considered secure.
 
 14 February 2014: Wouter
 	- Works on Minix (3.2.1).
@@ -1503,7 +1621,7 @@
 	- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
 	- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
 	- Fix warning unused in compat/strptime.c.
-	- Fix malloc detection and double defintion.
+	- Fix malloc detection and double definition.
 
 2 December 2011: Wouter
 	- configure generated with autoconf 2.68.
@@ -4948,7 +5066,7 @@
 	- Advertise builtin select libevent alternative when no libevent
 	  is found.
 	- signit can generate NSEC3 hashes, for generating tests.
-	- multiple nsec3 paramaters in message test.
+	- multiple nsec3 parameters in message test.
 	- too high nsec3 iterations becomes insecure test.
 
 21 September 2007: Wouter
@@ -5019,7 +5137,7 @@
 	- testbound can replay a TCP query (set MATCH TCP in the QUERY).
 	- DS and noDS referral validation test.
 	- if you configure many trust anchors, parent trust anchors can
-	  securely deny existance of child trust anchors, if validated.
+	  securely deny existence of child trust anchors, if validated.
 	- not all *.name NSECs are present because a wildcard was matched,
 	  and *.name NSECs can prove nodata for empty nonterminals.
 	  Also, for wildcard name NSECs, check they are not from the parent
@@ -5326,7 +5444,7 @@
 
 17 July 2007: Wouter
 	- forward zone options in config file.
-	- forward per zone in iterator. takes precendence over stubs.
+	- forward per zone in iterator. takes precedence over stubs.
 	- fixup commithooks.
 	- removed forward-to and forward-to-port features, subsumed by
 	  new forward zones.
@@ -5427,7 +5545,7 @@
 	  ldns and libevent are linked statically. Default is off.
 	- make install and make uninstall. Works with static-exe and without.
 	  installation of unbound binary and manual pages.
-	- alignement problem fix on solaris 64.
+	- alignment problem fix on solaris 64.
 	- fixup address in case of TCP error.
 
 12 June 2007: Wouter
@@ -5510,7 +5628,7 @@
 	- removed FLAG_CD from message and rrset caches. This was useful for
 	  an agnostic forwarder, but not for a sophisticated (trust value per
 	  rrset enabled) cache.
-	- iterator reponse typing.
+	- iterator response typing.
 	- iterator cname handle.
 	- iterator prime start.
 	- subquery work.
@@ -5530,7 +5648,7 @@
 	- Acknowledge use of unbound-java code in iterator. Nicer readme.
 	- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
 	  rrset cache from module environment.
-	- packed rrset key has type and class as easily accessable struct
+	- packed rrset key has type and class as easily accessible struct
 	  members. They are still kept in network format for fast msg encode.
 	- dns cache find_delegation routine.
 	- iterator main functions setup.
@@ -5614,7 +5732,7 @@
 	- EDNS read from query, used to make reply smaller.
 	- advertised edns value constants.
 	- EDNS BADVERS response, if asked for too high edns version.
-	- EDNS extended error reponses once the EDNS record from the query
+	- EDNS extended error responses once the EDNS record from the query
 	  has successfully been parsed.
 
 4 May 2007: Wouter
diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README
index c8bddcc..8235ea2 100644
--- a/contrib/unbound/doc/README
+++ b/contrib/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.5
+README for Unbound 1.5.7
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf
index 87bbebe..11c3ba9 100644
--- a/contrib/unbound/doc/example.conf
+++ b/contrib/unbound/doc/example.conf
@@ -1,14 +1,14 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.7.
 #
 # this is a comment.
 
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 
-# The server clause sets the main parameters. 
+# The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
 
@@ -40,7 +40,7 @@ server:
 	# interface: 2001:DB8::5
 
 	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: no
 
 	# port to answer queries from
@@ -84,10 +84,10 @@ server:
 	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
 	# 0 is system default.  Use 4m to handle spikes on very busy servers.
 	# so-sndbuf: 0
-	
+
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
-	
+
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# ip-transparent: no
@@ -105,7 +105,7 @@ server:
 	# msg-buffer-size: 65552
 
 	# the amount of memory to use for the message cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# msg-cache-size: 4m
 
 	# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:
 
 	# if very busy, 50% queries run to completion, 50% get timeout in msec
 	# jostle-timeout: 200
-	
+
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
 	# the amount of memory to use for the RRset cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
 
 	# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
-	
+
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 
@@ -195,8 +195,8 @@ server:
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
-	# chroot has been performed the now defunct portion of the config 
-	# file path is removed to be able to reread the config after a reload. 
+	# chroot has been performed the now defunct portion of the config
+	# file path is removed to be able to reread the config after a reload.
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
-	# The pid file can be absolute and outside of the chroot, it is 
+	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
 	# If you give "" no privileges are dropped.
 	# username: "unbound"
 
-	# the working directory. The relative files in this config are 
+	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	# directory: "/var/unbound"
 
-	# the log file, "" means log to stderr. 
+	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""
 
-	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes 
+	# use-syslog: yes
 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	# log-time-ascii: no
-	
+
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no
 
@@ -242,7 +242,7 @@ server:
 	# pidfile: "/var/unbound/unbound.pid"
 
 	# file to read root hints from.
-	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+	# get one from https://www.internic.net/domain/named.cache
 	# root-hints: ""
 
 	# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
 	# version: ""
 
 	# the target fetch policy.
-	# series of integers describing the policy per dependency depth. 
-	# The number of values in the list determines the maximum dependency 
+	# series of integers describing the policy per dependency depth.
+	# The number of values in the list determines the maximum dependency
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
@@ -267,17 +267,17 @@ server:
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"
 
-	# Harden against very small EDNS buffer sizes. 
+	# Harden against very small EDNS buffer sizes.
 	# harden-short-bufsize: no
 
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
 
-	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	# harden-glue: yes
 
 	# Harden against receiving dnssec-stripped data. If you turn it
-	# off, failing to validate dnskey data for a trustanchor will 
+	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
@@ -287,7 +287,7 @@ server:
 
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because the lookups burden the server.  Experimental 
+	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 
@@ -296,18 +296,23 @@ server:
 	# to validate the zone.
 	# harden-algo-downgrade: no
 
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to NS when possible.
+	# qname-minimisation: no
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
-	
+
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
 	# caps-whitelist: "licdn.com"
 
-	# Enforce privacy of these addresses. Strips them away from answers. 
-	# It may cause DNSSEC validation to additionally mark it as bogus. 
-	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
-	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# Enforce privacy of these addresses. Strips them away from answers.
+	# It may cause DNSSEC validation to additionally mark it as bogus.
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
+	# Only 'private-domain' and 'local-data' names are allowed to have
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96
 
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
 	# Zone file format, with DS and DNSKEY entries.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
-	
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
-	# but has a different file format. Format is BIND-9 style format, 
+	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:
 
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data 
+	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
 	# val-clean-additional: yes
 
@@ -433,7 +439,7 @@ server:
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-	
+
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days
 
@@ -448,7 +454,7 @@ server:
 	# permit-small-holddown: no
 
 	# the amount of memory to use for the key cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m
 
 	# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
 	# key-cache-slabs: 4
 
 	# the amount of memory to use for the negative cache (used for DLV).
-	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
 	# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-	
+
 	# if unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
-	# o deny serves local data (if any), else, drops queries. 
+	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
-	# 
+	#
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
@@ -552,7 +558,7 @@ server:
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
-	# ssl-port: 443
+	# ssl-port: 853
 
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
 	# ratelimit-size: 4m
 	# ratelimit cache slabs, reduces lock contention if equal to cpucount.
 	# ratelimit-slabs: 4
-	
+
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
@@ -590,7 +596,7 @@ python:
 	# Script file to load
 	# python-script: "/var/unbound/ubmodule-tst.py"
 
-# Remote control config section. 
+# Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
 	# control-cert-file: "/var/unbound/unbound_control.pem"
 
 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and 
-# 'example.org' go to the given list of nameservers. list zero or more 
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
 # Consider adding domain-insecure: name and local-zone: name nodefault
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in
index 399aa80..ff90e3b 100644
--- a/contrib/unbound/doc/example.conf.in
+++ b/contrib/unbound/doc/example.conf.in
@@ -1,14 +1,14 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.7.
 #
 # this is a comment.
 
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 
-# The server clause sets the main parameters. 
+# The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
 
@@ -40,7 +40,7 @@ server:
 	# interface: 2001:DB8::5
 
 	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: no
 
 	# port to answer queries from
@@ -84,10 +84,10 @@ server:
 	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
 	# 0 is system default.  Use 4m to handle spikes on very busy servers.
 	# so-sndbuf: 0
-	
+
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
-	
+
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# ip-transparent: no
@@ -105,7 +105,7 @@ server:
 	# msg-buffer-size: 65552
 
 	# the amount of memory to use for the message cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# msg-cache-size: 4m
 
 	# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:
 
 	# if very busy, 50% queries run to completion, 50% get timeout in msec
 	# jostle-timeout: 200
-	
+
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
 	# the amount of memory to use for the RRset cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
 
 	# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
-	
+
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 
@@ -195,8 +195,8 @@ server:
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
-	# chroot has been performed the now defunct portion of the config 
-	# file path is removed to be able to reread the config after a reload. 
+	# chroot has been performed the now defunct portion of the config
+	# file path is removed to be able to reread the config after a reload.
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
-	# The pid file can be absolute and outside of the chroot, it is 
+	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
 	# If you give "" no privileges are dropped.
 	# username: "@UNBOUND_USERNAME@"
 
-	# the working directory. The relative files in this config are 
+	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	# directory: "@UNBOUND_RUN_DIR@"
 
-	# the log file, "" means log to stderr. 
+	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""
 
-	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes 
+	# use-syslog: yes
 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	# log-time-ascii: no
-	
+
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no
 
@@ -242,7 +242,7 @@ server:
 	# pidfile: "@UNBOUND_PIDFILE@"
 
 	# file to read root hints from.
-	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+	# get one from https://www.internic.net/domain/named.cache
 	# root-hints: ""
 
 	# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
 	# version: ""
 
 	# the target fetch policy.
-	# series of integers describing the policy per dependency depth. 
-	# The number of values in the list determines the maximum dependency 
+	# series of integers describing the policy per dependency depth.
+	# The number of values in the list determines the maximum dependency
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
@@ -267,17 +267,17 @@ server:
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"
 
-	# Harden against very small EDNS buffer sizes. 
+	# Harden against very small EDNS buffer sizes.
 	# harden-short-bufsize: no
 
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
 
-	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	# harden-glue: yes
 
 	# Harden against receiving dnssec-stripped data. If you turn it
-	# off, failing to validate dnskey data for a trustanchor will 
+	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
@@ -287,7 +287,7 @@ server:
 
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because the lookups burden the server.  Experimental 
+	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 
@@ -296,18 +296,23 @@ server:
 	# to validate the zone.
 	# harden-algo-downgrade: no
 
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to NS when possible.
+	# qname-minimisation: no
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
-	
+
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
 	# caps-whitelist: "licdn.com"
 
-	# Enforce privacy of these addresses. Strips them away from answers. 
-	# It may cause DNSSEC validation to additionally mark it as bogus. 
-	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
-	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# Enforce privacy of these addresses. Strips them away from answers.
+	# It may cause DNSSEC validation to additionally mark it as bogus.
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
+	# Only 'private-domain' and 'local-data' names are allowed to have
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96
 
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
 	# Zone file format, with DS and DNSKEY entries.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
-	
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
-	# but has a different file format. Format is BIND-9 style format, 
+	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:
 
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data 
+	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
 	# val-clean-additional: yes
 
@@ -433,7 +439,7 @@ server:
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-	
+
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days
 
@@ -448,7 +454,7 @@ server:
 	# permit-small-holddown: no
 
 	# the amount of memory to use for the key cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m
 
 	# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
 	# key-cache-slabs: 4
 
 	# the amount of memory to use for the negative cache (used for DLV).
-	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
 	# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-	
+
 	# if unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
-	# o deny serves local data (if any), else, drops queries. 
+	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
-	# 
+	#
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
@@ -552,7 +558,7 @@ server:
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
-	# ssl-port: 443
+	# ssl-port: 853
 
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
 	# ratelimit-size: 4m
 	# ratelimit cache slabs, reduces lock contention if equal to cpucount.
 	# ratelimit-slabs: 4
-	
+
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
@@ -590,7 +596,7 @@ python:
 	# Script file to load
 	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
 
-# Remote control config section. 
+# Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
 
 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and 
-# 'example.org' go to the given list of nameservers. list zero or more 
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
 # Consider adding domain-insecure: name and local-zone: name nodefault
diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3
index 9ef367f..d299330 100644
--- a/contrib/unbound/doc/libunbound.3
+++ b/contrib/unbound/doc/libunbound.3
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.7 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in
index 9ef367f..d299330 100644
--- a/contrib/unbound/doc/libunbound.3.in
+++ b/contrib/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.7 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8
index 7fbb0a7..5200d18 100644
--- a/contrib/unbound/doc/unbound-anchor.8
+++ b/contrib/unbound/doc/unbound-anchor.8
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
index e89be5b..e5e6364 100644
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8
index eaa406b..19ecb1e 100644
--- a/contrib/unbound/doc/unbound-checkconf.8
+++ b/contrib/unbound/doc/unbound-checkconf.8
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
index 234a04a..2d3c4ae 100644
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8
index 5de37cf..e1fa36ab 100644
--- a/contrib/unbound/doc/unbound-control.8
+++ b/contrib/unbound/doc/unbound-control.8
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -169,7 +169,7 @@ therefore not flushed.  The option must end with a ':' and whitespace
 must be between the option and the value.  Some values may not have an
 effect if set this way, the new values are not written to the config file,
 not all options are supported.  This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
 .IP
 The values that work are: statistics\-interval, statistics\-cumulative,
 do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in
index eefd207..57742ae 100644
--- a/contrib/unbound/doc/unbound-control.8.in
+++ b/contrib/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -169,7 +169,7 @@ therefore not flushed.  The option must end with a ':' and whitespace
 must be between the option and the value.  Some values may not have an
 effect if set this way, the new values are not written to the config file,
 not all options are supported.  This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
 .IP
 The values that work are: statistics\-interval, statistics\-cumulative,
 do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1
index d600ee6..70b697f 100644
--- a/contrib/unbound/doc/unbound-host.1
+++ b/contrib/unbound/doc/unbound-host.1
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in
index a4742d7..eeb25f0 100644
--- a/contrib/unbound/doc/unbound-host.1.in
+++ b/contrib/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8
index 3935e61..86fcb59 100644
--- a/contrib/unbound/doc/unbound.8
+++ b/contrib/unbound/doc/unbound.8
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.7.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in
index df9baa0..ed139a7 100644
--- a/contrib/unbound/doc/unbound.8.in
+++ b/contrib/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.7.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5
index 990a0a6..16155de 100644
--- a/contrib/unbound/doc/unbound.conf.5
+++ b/contrib/unbound/doc/unbound.conf.5
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service.  Default is "",
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
 .TP
 .B directory: \fI<directory>
 Sets the working directory for the program. Default is "/var/unbound".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
 .TP
 .B logfile: \fI<filename>
 If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -585,23 +587,30 @@ queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when 
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names.  Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network.  Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR.  No private addresses are enabled
-by default.  We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private 
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names.  Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network.  Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR.  No private addresses are
+enabled by default.  We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet.  Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.
@@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
 messages that are not signed properly. Messages that are insecure, bogus,
 indeterminate or unchecked are not affected. Default is yes. Use this setting
 to protect the users that rely on this validator for authentication from 
-protentially bad data in the additional section.
+potentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
 Have the validator print validation failures to the log.  Regardless of
@@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
 exceeded.  If set to another value, 1 in that number is allowed through
 to complete.  Default is 10, allowing 1/10 traffic to flow normally.
 This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
 .B ratelimit\-for\-domain: \fI<domain> <number qps>
diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in
index 42653a5..51f7c4e 100644
--- a/contrib/unbound/doc/unbound.conf.5.in
+++ b/contrib/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service.  Default is "",
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
 .TP
 .B directory: \fI<directory>
 Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
 .TP
 .B logfile: \fI<filename>
 If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -585,23 +587,30 @@ queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when 
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names.  Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network.  Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR.  No private addresses are enabled
-by default.  We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private 
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names.  Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network.  Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR.  No private addresses are
+enabled by default.  We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet.  Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.
@@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
 messages that are not signed properly. Messages that are insecure, bogus,
 indeterminate or unchecked are not affected. Default is yes. Use this setting
 to protect the users that rely on this validator for authentication from 
-protentially bad data in the additional section.
+potentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
 Have the validator print validation failures to the log.  Regardless of
@@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
 exceeded.  If set to another value, 1 in that number is allowed through
 to complete.  Default is 10, allowing 1/10 traffic to flow normally.
 This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
 .B ratelimit\-for\-domain: \fI<domain> <number qps>
diff --git a/contrib/unbound/freebsd-configure.sh b/contrib/unbound/freebsd-configure.sh
index c8852e7..e698878 100755
--- a/contrib/unbound/freebsd-configure.sh
+++ b/contrib/unbound/freebsd-configure.sh
@@ -24,6 +24,9 @@ ldnsobj=$(realpath $(make -C$ldnsbld -V.OBJDIR))
 [ -f $ldnsobj/libldns.a ] || error "can't find LDNS object directory"
 export LDFLAGS="-L$ldnsobj"
 
+export CC=$(echo ".include <bsd.lib.mk>" | make -f /dev/stdin -VCC)
+export CPP=$(echo ".include <bsd.lib.mk>" | make -f /dev/stdin -VCPP)
+
 autoconf
 autoheader
 ./configure \
diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c
index cc05867..8a3fc17 100644
--- a/contrib/unbound/iterator/iter_scrub.c
+++ b/contrib/unbound/iterator/iter_scrub.c
@@ -405,7 +405,43 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 
 		/* Follow the CNAME chain. */
 		if(rrset->type == LDNS_RR_TYPE_CNAME) {
+			struct rrset_parse* nx = rrset->rrset_all_next;
 			uint8_t* oldsname = sname;
+			/* see if the next one is a DNAME, if so, swap them */
+			if(nx && nx->section == LDNS_SECTION_ANSWER &&
+				nx->type == LDNS_RR_TYPE_DNAME &&
+				nx->rr_count == 1 &&
+				pkt_strict_sub(pkt, sname, nx->dname)) {
+				/* there is a DNAME after this CNAME, it 
+				 * is in the ANSWER section, and the DNAME
+				 * applies to the name we cover */
+				/* check if the alias of the DNAME equals
+				 * this CNAME */
+				uint8_t alias[LDNS_MAX_DOMAINLEN+1];
+				size_t aliaslen = 0;
+				uint8_t* t = NULL;
+				size_t tlen = 0;
+				if(synth_cname(sname, snamelen, nx, alias,
+					&aliaslen, pkt) &&
+					parse_get_cname_target(rrset, &t, &tlen) &&
+			   		dname_pkt_compare(pkt, alias, t) == 0) {
+					/* the synthesized CNAME equals the
+					 * current CNAME.  This CNAME is the
+					 * one that the DNAME creates, and this
+					 * CNAME is better capitalised */
+					verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
+					if(prev) prev->rrset_all_next = nx;
+					else msg->rrset_first = nx;
+					if(nx->rrset_all_next == NULL)
+						msg->rrset_last = rrset;
+					rrset->rrset_all_next =
+						nx->rrset_all_next;
+					nx->rrset_all_next = rrset;
+					prev = nx;
+				}
+			}
+
+			/* move to next name in CNAME chain */
 			if(!parse_get_cname_target(rrset, &sname, &snamelen))
 				return 0;
 			prev = rrset;
@@ -638,7 +674,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 	 * children of the originating zone. The idea here is that, 
 	 * as far as we know, the server that we contacted is ONLY 
 	 * authoritative for the originating zone. It, of course, MAY 
-	 * be authoriative for any other zones, and of course, MAY 
+	 * be authoritative for any other zones, and of course, MAY 
 	 * NOT be authoritative for some subdomains of the originating 
 	 * zone. */
 	prev = NULL;
diff --git a/contrib/unbound/iterator/iter_utils.c b/contrib/unbound/iterator/iter_utils.c
index bc94ef6..58e62fb 100644
--- a/contrib/unbound/iterator/iter_utils.c
+++ b/contrib/unbound/iterator/iter_utils.c
@@ -255,7 +255,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
 			return -1; /* server is lame */
 		else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT)
 			/* server is unresponsive,
-			 * we used to return TOP_TIMOUT, but fairly useless,
+			 * we used to return TOP_TIMEOUT, but fairly useless,
 			 * because if == TOP_TIMEOUT is dropped because
 			 * blacklisted later, instead, remove it here, so
 			 * other choices (that are not blacklisted) can be
@@ -306,7 +306,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
 	return got_it;
 }
 
-/** filter the addres list, putting best targets at front,
+/** filter the address list, putting best targets at front,
  * returns number of best targets (or 0, no suitable targets) */
 static int
 iter_filter_order(struct iter_env* iter_env, struct module_env* env,
diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c
index 96918fa..b1bf902 100644
--- a/contrib/unbound/iterator/iterator.c
+++ b/contrib/unbound/iterator/iterator.c
@@ -64,6 +64,7 @@
 #include "util/random.h"
 #include "sldns/rrdef.h"
 #include "sldns/wire2str.h"
+#include "sldns/str2wire.h"
 #include "sldns/parseutil.h"
 #include "sldns/sbuffer.h"
 
@@ -81,6 +82,21 @@ iter_init(struct module_env* env, int id)
 		log_err("iterator: could not apply configuration settings.");
 		return 0;
 	}
+	if(env->cfg->qname_minimisation) {
+		uint8_t dname[LDNS_MAX_DOMAINLEN+1];
+		size_t len = sizeof(dname);
+		if(sldns_str2wire_dname_buf("ip6.arpa.", dname, &len) != 0) {
+			log_err("ip6.arpa. parse error");
+			return 0;
+		}
+		iter_env->ip6arpa_dname = (uint8_t*)malloc(len);
+		if(!iter_env->ip6arpa_dname) {
+			log_err("malloc failure");
+			return 0;
+		}
+		memcpy(iter_env->ip6arpa_dname, dname, len);
+	}
+
 	return 1;
 }
 
@@ -101,6 +117,7 @@ iter_deinit(struct module_env* env, int id)
 	if(!env || !env->modinfo[id])
 		return;
 	iter_env = (struct iter_env*)env->modinfo[id];
+	free(iter_env->ip6arpa_dname);
 	free(iter_env->target_fetch_policy);
 	priv_delete(iter_env->priv);
 	donotq_delete(iter_env->donotq);
@@ -145,6 +162,12 @@ iter_new(struct module_qstate* qstate, int id)
 	/* Start with the (current) qname. */
 	iq->qchase = qstate->qinfo;
 	outbound_list_init(&iq->outlist);
+	if (qstate->env->cfg->qname_minimisation)
+		iq->minimisation_state = INIT_MINIMISE_STATE;
+	else
+		iq->minimisation_state = DONOT_MINIMISE_STATE;
+	
+	memset(&iq->qinfo_out, 0, sizeof(struct query_info));
 	return 1;
 }
 
@@ -176,7 +199,7 @@ next_state(struct iter_qstate* iq, enum iter_state nextstate)
 /**
  * Transition an event to its final state. Final states always either return
  * a result up the module chain, or reactivate a dependent event. Which
- * final state to transtion to is set in the module state for the event when
+ * final state to transition to is set in the module state for the event when
  * it was created, and depends on the original purpose of the event.
  *
  * The response is stored in the qstate->buf buffer.
@@ -506,7 +529,7 @@ target_count_increase(struct iter_qstate* iq, int num)
 /**
  * Generate a subrequest.
  * Generate a local request event. Local events are tied to this module, and
- * have a correponding (first tier) event that is waiting for this event to
+ * have a corresponding (first tier) event that is waiting for this event to
  * resolve to continue.
  *
  * @param qname The query name for this request.
@@ -590,6 +613,11 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 		subiq->qchase = subq->qinfo;
 		subiq->chase_flags = subq->query_flags;
 		subiq->refetch_glue = 0;
+		if(qstate->env->cfg->qname_minimisation)
+			subiq->minimisation_state = INIT_MINIMISE_STATE;
+		else
+			subiq->minimisation_state = DONOT_MINIMISE_STATE;
+		memset(&subiq->qinfo_out, 0, sizeof(struct query_info));
 	}
 	return 1;
 }
@@ -1042,6 +1070,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->query_restart_count++;
 			iq->sent_count = 0;
 			sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
+			if(qstate->env->cfg->qname_minimisation)
+				iq->minimisation_state = INIT_MINIMISE_STATE;
 			return next_state(iq, INIT_REQUEST_STATE);
 		}
 
@@ -1062,6 +1092,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 		}
 		iq->refetch_glue = 0;
+		iq->minimisation_state = DONOT_MINIMISE_STATE;
 		/* the request has been forwarded.
 		 * forwarded requests need to be immediately sent to the 
 		 * next state, QUERYTARGETS. */
@@ -1599,6 +1630,8 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->refetch_glue = 1;
 			iq->query_restart_count++;
 			iq->sent_count = 0;
+			if(qstate->env->cfg->qname_minimisation)
+				iq->minimisation_state = INIT_MINIMISE_STATE;
 			return next_state(iq, INIT_REQUEST_STATE);
 		}
 	}
@@ -1975,9 +2008,78 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		}
 	}
 
+	if(iq->minimisation_state == INIT_MINIMISE_STATE) {
+		/* (Re)set qinfo_out to (new) delegation point, except
+ 		 * when qinfo_out is already a subdomain of dp. This happens
+		 * when resolving ip6.arpa dnames. */
+		if(!(iq->qinfo_out.qname_len 
+			&& dname_subdomain_c(iq->qchase.qname, 
+				iq->qinfo_out.qname)
+			&& dname_subdomain_c(iq->qinfo_out.qname, 
+				iq->dp->name))) {
+			iq->qinfo_out.qname = iq->dp->name;
+			iq->qinfo_out.qname_len = iq->dp->namelen;
+			iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
+			iq->qinfo_out.qclass = iq->qchase.qclass;
+		}
+
+		iq->minimisation_state = MINIMISE_STATE;
+	}
+	if(iq->minimisation_state == MINIMISE_STATE) {
+		int labdiff = dname_count_labels(iq->qchase.qname) -
+			dname_count_labels(iq->qinfo_out.qname);
+
+		iq->qinfo_out.qname = iq->qchase.qname;
+		iq->qinfo_out.qname_len = iq->qchase.qname_len;
+
+		/* Special treatment for ip6.arpa lookups.
+		 * Reverse IPv6 dname has 34 labels, increment the IP part 
+		 * (usually first 32 labels) by 8 labels (7 more than the 
+		 * default 1 label increment). */
+		if(labdiff <= 32 &&
+			dname_subdomain_c(iq->qchase.qname, ie->ip6arpa_dname)) {
+			labdiff -= 7;
+			/* Small chance of zone cut after first label. Stop
+			 * minimising */
+			if(labdiff <= 1)
+				labdiff = 0;
+		}
+
+		if(labdiff > 1) {
+			verbose(VERB_QUERY, "removing %d labels", labdiff-1);
+			dname_remove_labels(&iq->qinfo_out.qname, 
+				&iq->qinfo_out.qname_len, 
+				labdiff-1);
+		}
+		if(labdiff < 1 || 
+			(labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
+			/* Stop minimising this query, resolve "as usual" */
+			iq->minimisation_state = DONOT_MINIMISE_STATE;
+		else {
+			struct dns_msg* msg = dns_cache_lookup(qstate->env, 
+				iq->qinfo_out.qname, iq->qinfo_out.qname_len, 
+				iq->qinfo_out.qtype, iq->qinfo_out.qclass, 
+				qstate->query_flags, qstate->region, 
+				qstate->env->scratch);
+			if(msg && msg->rep->an_numrrsets == 0
+				&& FLAGS_GET_RCODE(msg->rep->flags) == 
+				LDNS_RCODE_NOERROR)
+				/* no need to send query if it is already 
+				 * cached as NOERROR/NODATA */
+				return 1;
+		}
+		
+	}
+	if(iq->minimisation_state == SKIP_MINIMISE_STATE)
+		/* Do not increment qname, continue incrementing next 
+		 * iteration */
+		iq->minimisation_state = MINIMISE_STATE;
+	if(iq->minimisation_state == DONOT_MINIMISE_STATE)
+		iq->qinfo_out = iq->qchase;
+
 	/* We have a valid target. */
 	if(verbosity >= VERB_QUERY) {
-		log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
+		log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
 		log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name, 
 			&target->addr, target->addrlen);
 		verbose(VERB_ALGO, "dnssec status: %s%s",
@@ -1986,8 +2088,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 	fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
 	outq = (*qstate->env->send_query)(
-		iq->qchase.qname, iq->qchase.qname_len, 
-		iq->qchase.qtype, iq->qchase.qclass, 
+		iq->qinfo_out.qname, iq->qinfo_out.qname_len, 
+		iq->qinfo_out.qtype, iq->qinfo_out.qclass, 
 		iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD, 
 		iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
 		ie, iq), &target->addr, target->addrlen, iq->dp->name,
@@ -2042,6 +2144,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	enum response_type type;
 	iq->num_current_queries--;
 	if(iq->response == NULL) {
+		/* Don't increment qname when QNAME minimisation is enabled */
+		if (qstate->env->cfg->qname_minimisation)
+			iq->minimisation_state = SKIP_MINIMISE_STATE;
 		iq->chase_to_rd = 0;
 		iq->dnssec_lame_query = 0;
 		verbose(VERB_ALGO, "query response was timeout");
@@ -2142,6 +2247,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
+		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
+			/* Best effort qname-minimisation. 
+			 * Stop minimising and send full query when RCODE
+			 * is not NOERROR */
+			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
+				LDNS_RCODE_NOERROR)
+				iq->minimisation_state = DONOT_MINIMISE_STATE;
+			return next_state(iq, QUERYTARGETS_STATE);
+		}
 		return final_state(iq);
 	} else if(type == RESPONSE_TYPE_REFERRAL) {
 		/* REFERRAL type responses get a reset of the 
@@ -2201,6 +2315,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * point to the referral. */
 		iq->deleg_msg = iq->response;
 		iq->dp = delegpt_from_message(iq->response, qstate->region);
+		if (qstate->env->cfg->qname_minimisation)
+			iq->minimisation_state = INIT_MINIMISE_STATE;
 		if(!iq->dp)
 			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 		if(!cache_fill_missing(qstate->env, iq->qchase.qclass, 
@@ -2280,6 +2396,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* set the current request's qname to the new value. */
 		iq->qchase.qname = sname;
 		iq->qchase.qname_len = snamelen;
+		if (qstate->env->cfg->qname_minimisation)
+			iq->minimisation_state = INIT_MINIMISE_STATE;
 		/* Clear the query state, since this is a query restart. */
 		iq->deleg_msg = NULL;
 		iq->dp = NULL;
@@ -2353,6 +2471,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* LAME, THROWAWAY and "unknown" all end up here.
 	 * Recycle to the QUERYTARGETS state to hopefully try a 
 	 * different target. */
+	if (qstate->env->cfg->qname_minimisation)
+		iq->minimisation_state = DONOT_MINIMISE_STATE;
 	return next_state(iq, QUERYTARGETS_STATE);
 }
 
@@ -2968,7 +3088,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	prs->flags &= ~BIT_CD;
 
 	/* normalize and sanitize: easy to delete items from linked lists */
-	if(!scrub_message(pkt, prs, &iq->qchase, iq->dp->name, 
+	if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name, 
 		qstate->env->scratch, qstate->env, ie)) {
 		/* if 0x20 enabled, start fallback, but we have no message */
 		if(event == module_event_capsfail && !iq->caps_fallback) {
diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h
index 9cf53b2..b7aa82e 100644
--- a/contrib/unbound/iterator/iterator.h
+++ b/contrib/unbound/iterator/iterator.h
@@ -112,6 +112,32 @@ struct iter_env {
 	 * array of max_dependency_depth+1 size.
 	 */
 	int* target_fetch_policy;
+
+	/** ip6.arpa dname in wireformat, used for qname-minimisation */
+	uint8_t* ip6arpa_dname;
+};
+
+/**
+ * QNAME minimisation state
+ */
+enum minimisation_state {
+	/**
+	 * (Re)start minimisation. Outgoing QNAME should be set to dp->name.
+	 * State entered on new query or after following refferal or CNAME.
+	 */
+	INIT_MINIMISE_STATE = 0,
+	/**
+	 * QNAME minimisataion ongoing. Increase QNAME on every iteration.
+	 */
+	MINIMISE_STATE,
+	/**
+	 * Don't increment QNAME this iteration
+	 */
+	SKIP_MINIMISE_STATE,
+	/**
+	 * Send out full QNAME + original QTYPE
+	 */
+	DONOT_MINIMISE_STATE,
 };
 
 /**
@@ -322,6 +348,15 @@ struct iter_qstate {
 
 	/** list of pending queries to authoritative servers. */
 	struct outbound_list outlist;
+
+	/** QNAME minimisation state */
+	enum minimisation_state minimisation_state;
+
+	/**
+	 * The query info that is sent upstream. Will be a subset of qchase
+	 * when qname minimisation is enabled.
+	 */
+	struct query_info qinfo_out;
 };
 
 /**
diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c
index 7c2509b..17f50e8 100644
--- a/contrib/unbound/libunbound/libunbound.c
+++ b/contrib/unbound/libunbound/libunbound.c
@@ -68,6 +68,9 @@
 #ifdef HAVE_SYS_WAIT_H
 #include <sys/wait.h>
 #endif
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
 
 #if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
 #include <windows.h>
diff --git a/contrib/unbound/libunbound/python/Makefile b/contrib/unbound/libunbound/python/Makefile
index 01b0577..9a98ef5 100644
--- a/contrib/unbound/libunbound/python/Makefile
+++ b/contrib/unbound/libunbound/python/Makefile
@@ -36,7 +36,7 @@
 help:
 	@echo "Please use \`make <target>' where <target> is one of"
 	@echo "  testenv   to make test environment and run bash "
-	@echo "            usefull in case you don't want to install unbound but want to test examples"
+	@echo "            useful in case you don't want to install unbound but want to test examples"
 	@echo "  doc       to make documentation"
 	@echo "  clean     clean all"
 
diff --git a/contrib/unbound/libunbound/python/doc/install.rst b/contrib/unbound/libunbound/python/doc/install.rst
index f638ed1..a073a5c 100644
--- a/contrib/unbound/libunbound/python/doc/install.rst
+++ b/contrib/unbound/libunbound/python/doc/install.rst
@@ -22,7 +22,7 @@ You need GNU make to compile sources; SWIG and Python devel libraries to compile
 
 **Testing**
 
-If the compilation is successfull, you can test the python LDNS extension module by::
+If the compilation is successful, you can test the python LDNS extension module by::
 
 	> cd contrib/python
 	> make testenv
diff --git a/contrib/unbound/libunbound/python/doc/modules/unbound.rst b/contrib/unbound/libunbound/python/doc/modules/unbound.rst
index 21f4a12..77e4cd1 100644
--- a/contrib/unbound/libunbound/python/doc/modules/unbound.rst
+++ b/contrib/unbound/libunbound/python/doc/modules/unbound.rst
@@ -42,7 +42,7 @@ Class ub_result
 	 	False, if validation failed or domain queried has no security info.
 	 
 	  	It is possible to get a result with no data (havedata is false),
-	  	and secure is true. This means that the non-existance of the data
+	  	and secure is true. This means that the non-existence of the data
 	  	was cryptographically proven (with signatures).
 
 	.. attribute:: bogus
diff --git a/contrib/unbound/libunbound/python/examples/dnssec-valid.py b/contrib/unbound/libunbound/python/examples/dnssec-valid.py
index 386f4c2..c5517ef 100644
--- a/contrib/unbound/libunbound/python/examples/dnssec-valid.py
+++ b/contrib/unbound/libunbound/python/examples/dnssec-valid.py
@@ -44,7 +44,7 @@ ctx.debugout(fw)
 ctx.debuglevel(2)
 
 if os.path.isfile("keys"):
-    ctx.add_ta_file("keys") #read public keys for DNSSEC verificatio
+    ctx.add_ta_file("keys") #read public keys for DNSSEC verification
 
 status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
 if status == 0 and result.havedata:
diff --git a/contrib/unbound/libunbound/python/libunbound.i b/contrib/unbound/libunbound/python/libunbound.i
index 3c0e45b..50a9b67 100644
--- a/contrib/unbound/libunbound/python/libunbound.i
+++ b/contrib/unbound/libunbound/python/libunbound.i
@@ -1,5 +1,5 @@
 /*
- * libounbound.i: pyUnbound module (libunbound wrapper for Python)
+ * libunbound.i: pyUnbound module (libunbound wrapper for Python)
  * 
  * Copyright (c) 2009, Zdenek Vasicek (vasicek AT fit.vutbr.cz)
  *                     Marek Vavrusa  (xvavru00 AT stud.fit.vutbr.cz)
@@ -455,7 +455,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
         #_UB_CTX_METHODS#   
         
         def zone_print(self):
-            """Print local zones using debougout"""            
+            """Print local zones using debugout"""            
             _unbound.ub_ctx_print_local_zones(self)
 
         def zone_add(self,zonename,zonetype):
diff --git a/contrib/unbound/ltmain.sh b/contrib/unbound/ltmain.sh
index 63ae69d..6fdf4ba 100755
--- a/contrib/unbound/ltmain.sh
+++ b/contrib/unbound/ltmain.sh
@@ -4394,7 +4394,7 @@ EOF
         {
           /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
              namespace, but it is not one of the ones we know about and
-             have already dealt with, above (inluding dump-script), then
+             have already dealt with, above (including dump-script), then
              report an error. Otherwise, targets might begin to believe
              they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
              namespace. The first time any user complains about this, we'll
diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c
index ba81afd..e14e636 100644
--- a/contrib/unbound/services/cache/dns.c
+++ b/contrib/unbound/services/cache/dns.c
@@ -656,8 +656,9 @@ fill_any(struct module_env* env,
 	time_t now = *env->now;
 	struct dns_msg* msg = NULL;
 	uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
-		LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
-	int i, num=5; /* number of RR types to look up */
+		LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
+		LDNS_RR_TYPE_DNAME, 0};
+	int i, num=6; /* number of RR types to look up */
 	log_assert(lookup[num] == 0);
 
 	for(i=0; i<num; i++) {
diff --git a/contrib/unbound/services/cache/rrset.c b/contrib/unbound/services/cache/rrset.c
index 2c85529..2f6a1b5 100644
--- a/contrib/unbound/services/cache/rrset.c
+++ b/contrib/unbound/services/cache/rrset.c
@@ -190,6 +190,7 @@ rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
 	uint16_t rrset_type = ntohs(k->rk.type);
 	int equal = 0;
 	log_assert(ref->id != 0 && k->id != 0);
+	log_assert(k->rk.dname != NULL);
 	/* looks up item with a readlock - no editing! */
 	if((e=slabhash_lookup(&r->table, h, k, 0)) != 0) {
 		/* return id and key as they will be used in the cache
diff --git a/contrib/unbound/sldns/parseutil.h b/contrib/unbound/sldns/parseutil.h
index dfa1c2a..c5238bc 100644
--- a/contrib/unbound/sldns/parseutil.h
+++ b/contrib/unbound/sldns/parseutil.h
@@ -56,13 +56,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
 
 /**
  * The function interprets time as the number of seconds since epoch
- * with respect to now using serial arithmitics (rfc1982).
+ * with respect to now using serial arithmetics (rfc1982).
  * That number of seconds is then converted to broken-out time information.
  * This is especially usefull when converting the inception and expiration
  * fields of RRSIG records.
  *
  * \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
- *            to be intepreted as a serial arithmitics number relative to now.
+ *            to be intepreted as a serial arithmetics number relative to now.
  * \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
  *            to which the time value is compared to determine the final value.
  * \param[out] result the struct with the broken-out time information
diff --git a/contrib/unbound/sldns/wire2str.c b/contrib/unbound/sldns/wire2str.c
index cec3bc7..5cbd78e 100644
--- a/contrib/unbound/sldns/wire2str.c
+++ b/contrib/unbound/sldns/wire2str.c
@@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
 		}
 		w += n;
 	}
+	if(*dlen != 0) {
+		goto failed;
+	}
 	return w;
 }
 
diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c
index 92bfa84..81bb896 100644
--- a/contrib/unbound/smallapp/unbound-anchor.c
+++ b/contrib/unbound/smallapp/unbound-anchor.c
@@ -95,7 +95,7 @@
  * signed yet; avoids attacks on system clock).  The
  * last-successful-RFC5011-probe (if available) has to be more than 30 days
  * in the past (otherwise, RFC5011 should have worked).  This keeps
- * unneccesary https traffic down.  If the main certificate is expired, it
+ * unnecessary https traffic down.  If the main certificate is expired, it
  * fails.
  *
  * The dates on the keys in the xml are checked (uses the libexpat xml
@@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
 	const XML_Char *ATTR_UNUSED(publicId),
 	const XML_Char *ATTR_UNUSED(notationName))
 {
+#if HAVE_DECL_XML_STOPPARSER
 	(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
+#else
+	(void)userData;
+#endif
 }
 
 /**
@@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
 			root_anchor_file);
 		if(verb && errno != 0) printf("%s\n", strerror(errno));
 	}
+	fflush(out);
+#ifdef HAVE_FSYNC
+	fsync(fileno(out));
+#else
+	FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 	fclose(out);
 }
 
@@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
 			root_anchor_file);
 		if(verb && errno != 0) printf("%s\n", strerror(errno));
 	}
+	fflush(out);
+#ifdef HAVE_FSYNC
+	fsync(fileno(out));
+#else
+	FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 	fclose(out);
 }
 
diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c
index 0524ede..ec07713 100644
--- a/contrib/unbound/smallapp/unbound-checkconf.c
+++ b/contrib/unbound/smallapp/unbound-checkconf.c
@@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
 	if(cfg->edns_buffer_size > cfg->msg_buffer_size)
 		fatal_exit("edns-buffer-size larger than msg-buffer-size, "
 			"answers will not fit in processing buffer");
-
+#ifdef UB_ON_WINDOWS
+	w_config_adjust_directory(cfg);
+#endif
 	if(cfg->chrootdir && cfg->chrootdir[0] && 
 		cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
 		fatal_exit("chootdir %s has trailing slash '/' please remove.",
diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh b/contrib/unbound/smallapp/unbound-control-setup.sh
index 816b4f5..28690b3 100755
--- a/contrib/unbound/smallapp/unbound-control-setup.sh
+++ b/contrib/unbound/smallapp/unbound-control-setup.sh
@@ -107,16 +107,15 @@ else
 fi
 
 # create self-signed cert for server
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$SERVERNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$SERVERNAME\n" >> request.cfg
+
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $SVR_BASE.pem (self signed certificate)"
@@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out
 openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
 
 # create client request and sign it, piped
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$CLIENTNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$CLIENTNAME" >> request.cfg
+
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $CTL_BASE.pem (signed client certificate)"
diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh.in b/contrib/unbound/smallapp/unbound-control-setup.sh.in
index 682ab26..f99d7bc 100755
--- a/contrib/unbound/smallapp/unbound-control-setup.sh.in
+++ b/contrib/unbound/smallapp/unbound-control-setup.sh.in
@@ -107,16 +107,15 @@ else
 fi
 
 # create self-signed cert for server
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$SERVERNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$SERVERNAME\n" >> request.cfg
+
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $SVR_BASE.pem (self signed certificate)"
@@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out
 openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
 
 # create client request and sign it, piped
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$CLIENTNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$CLIENTNAME" >> request.cfg
+
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $CTL_BASE.pem (signed client certificate)"
diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c
index 571b4d0..fac73b0 100644
--- a/contrib/unbound/smallapp/unbound-control.c
+++ b/contrib/unbound/smallapp/unbound-control.c
@@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
         ctx = SSL_CTX_new(SSLv23_client_method());
 	if(!ctx)
 		ssl_err("could not allocate SSL_CTX pointer");
-        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2)
 		ssl_err("could not set SSL_OP_NO_SSLv2");
         if(cfg->remote_control_use_cert) {
-		if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+		if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+			!= SSL_OP_NO_SSLv3)
 			ssl_err("could not set SSL_OP_NO_SSLv3");
 		if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
 		    !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
@@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 		fatal_exit("could not read config file");
 	if(!cfg->remote_control_enable)
 		log_warn("control-enable is 'no' in the config file.");
+#ifdef UB_ON_WINDOWS
+	w_config_adjust_directory(cfg);
+#endif
 	ctx = setup_ctx(cfg);
 
 	/* contact server */
diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c
index 062d12d..6354e99 100644
--- a/contrib/unbound/util/config_file.c
+++ b/contrib/unbound/util/config_file.c
@@ -100,7 +100,7 @@ config_create(void)
 	cfg->tcp_upstream = 0;
 	cfg->ssl_service_key = NULL;
 	cfg->ssl_service_pem = NULL;
-	cfg->ssl_port = 443;
+	cfg->ssl_port = 853;
 	cfg->ssl_upstream = 0;
 	cfg->use_syslog = 1;
 	cfg->log_time_ascii = 0;
@@ -240,6 +240,7 @@ config_create(void)
 	cfg->ratelimit_for_domain = NULL;
 	cfg->ratelimit_below_domain = NULL;
 	cfg->ratelimit_factor = 10;
+	cfg->qname_minimisation = 0;
 	return cfg;
 error_exit:
 	config_delete(cfg); 
@@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_MEMSIZE("ratelimit-size:", ratelimit_size)
 	else S_POW2("ratelimit-slabs:", ratelimit_slabs)
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
+	else S_YNO("qname-minimisation:", qname_minimisation)
 	/* val_sig_skew_min and max are copied into val_env during init,
 	 * so this does not update val_env with set_option */
 	else if(strcmp(opt, "val-sig-skew-min:") == 0)
@@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
 	else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
+	else O_YNO(opt, "qname-minimisation", qname_minimisation)
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports
 	 * local-zone - zones and nodefault variables
@@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
 	}
 	return result;
 }
+
+void w_config_adjust_directory(struct config_file* cfg)
+{
+	if(cfg->directory && cfg->directory[0]) {
+		TCHAR dirbuf[2*MAX_PATH+4];
+		if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
+			/* get executable path, and if that contains
+			 * directories, snip off the filename part */
+			dirbuf[0] = 0;
+			if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
+				log_err("could not GetModuleFileName");
+			if(strrchr(dirbuf, '\\')) {
+				(strrchr(dirbuf, '\\'))[0] = 0;
+			} else log_err("GetModuleFileName had no path");
+			if(dirbuf[0]) {
+				/* adjust directory for later lookups to work*/
+				free(cfg->directory);
+				cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
+			}
+		}
+	}
+}
 #endif /* UB_ON_WINDOWS */
 
 void errinf(struct module_qstate* qstate, const char* str)
diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h
index 99b15e0..8fa163e 100644
--- a/contrib/unbound/util/config_file.h
+++ b/contrib/unbound/util/config_file.h
@@ -283,7 +283,7 @@ struct config_file {
 	struct config_str2list* local_zones;
 	/** local zones nodefault list */
 	struct config_strlist* local_zones_nodefault;
-	/** local data RRs configged */
+	/** local data RRs configured */
 	struct config_strlist* local_data;
 	/** unblock lan zones (reverse lookups for 10/8 and so on) */
 	int unblock_lan_zones;
@@ -364,6 +364,8 @@ struct config_file {
 	struct config_str2list* ratelimit_below_domain;
 	/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
 	int ratelimit_factor;
+	/** minimise outgoing QNAME and hide original QTYPE if possible */
+	int qname_minimisation;
 };
 
 /** from cfg username, after daemonise setup performed */
@@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
  * 	exist on an error (logged with log_err) was encountered.
  */
 char* w_lookup_reg_str(const char* key, const char* name);
+
+/** Modify directory in options for module file name */
+void w_config_adjust_directory(struct config_file* cfg);
 #endif /* UB_ON_WINDOWS */
 
 #endif /* UTIL_CONFIG_FILE_H */
diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex
index 1aea22e..a368066 100644
--- a/contrib/unbound/util/configlexer.lex
+++ b/contrib/unbound/util/configlexer.lex
@@ -207,6 +207,7 @@ SQANY     [^\'\n\r\\]|\\.
 	/* note that flex makes the longest match and '.' is any but not nl */
 	LEXOUT(("comment(%s) ", ub_c_text)); /* ignore */ }
 server{COLON}			{ YDVAR(0, VAR_SERVER) }
+qname-minimisation{COLON}	{ YDVAR(1, VAR_QNAME_MINIMISATION) }
 num-threads{COLON}		{ YDVAR(1, VAR_NUM_THREADS) }
 verbosity{COLON}		{ YDVAR(1, VAR_VERBOSITY) }
 port{COLON}			{ YDVAR(1, VAR_PORT) }
diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y
index d6db3c8..abc0bb0 100644
--- a/contrib/unbound/util/configparser.y
+++ b/contrib/unbound/util/configparser.y
@@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
+%token VAR_QNAME_MINIMISATION
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ratelimit_size | server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
 	server_caps_whitelist | server_cache_max_negative_ttl |
-	server_permit_small_holddown
+	server_permit_small_holddown | server_qname_minimisation
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
 		free($2);
 	}
 	;
+server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
+	{
+		OUTYY(("P(server_qname_minimisation:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->qname_minimisation = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 stub_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));
diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc
index 64edf0b..b09a9ad 100644
--- a/contrib/unbound/util/iana_ports.inc
+++ b/contrib/unbound/util/iana_ports.inc
@@ -660,6 +660,7 @@
 833,
 847,
 848,
+853,
 860,
 861,
 862,
@@ -3842,6 +3843,7 @@
 4406,
 4412,
 4413,
+4416,
 4425,
 4426,
 4430,
@@ -4572,6 +4574,7 @@
 7070,
 7071,
 7080,
+7088,
 7095,
 7099,
 7100,
@@ -5383,6 +5386,7 @@
 38203,
 39681,
 40000,
+40023,
 40841,
 40842,
 40843,
diff --git a/contrib/unbound/util/locks.c b/contrib/unbound/util/locks.c
index 509895d..adfb6c0 100644
--- a/contrib/unbound/util/locks.c
+++ b/contrib/unbound/util/locks.c
@@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
 		0, /* default flags, run immediately */
 		NULL); /* do not store thread identifier anywhere */
 #else
-	/* the begintheadex routine setups for the C lib; aligns stack */
+	/* the beginthreadex routine setups for the C lib; aligns stack */
 	*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
 #endif
 	if(*thr == NULL) {
diff --git a/contrib/unbound/util/net_help.c b/contrib/unbound/util/net_help.c
index 07605b1..eb03cd0 100644
--- a/contrib/unbound/util/net_help.c
+++ b/contrib/unbound/util/net_help.c
@@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		return NULL;
 	}
 	/* no SSLv2, SSLv3 because has defects */
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2){
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+		!= SSL_OP_NO_SSLv3){
 		log_crypto_err("could not set SSL_OP_NO_SSLv3");
 		SSL_CTX_free(ctx);
 		return NULL;
@@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 		log_crypto_err("could not allocate SSL_CTX pointer");
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2) {
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+		!= SSL_OP_NO_SSLv3) {
 		log_crypto_err("could not set SSL_OP_NO_SSLv3");
 		SSL_CTX_free(ctx);
 		return NULL;
diff --git a/contrib/unbound/util/random.c b/contrib/unbound/util/random.c
index 71f0ba5..684464e 100644
--- a/contrib/unbound/util/random.c
+++ b/contrib/unbound/util/random.c
@@ -68,6 +68,8 @@
 /* nss3 */
 #include "secport.h"
 #include "pk11pub.h"
+#elif defined(HAVE_NETTLE)
+#include "yarrow.h"
 #endif
 
 /** 
@@ -76,7 +78,7 @@
  */
 #define MAX_VALUE 0x7fffffff
 
-#ifndef HAVE_NSS
+#if defined(HAVE_SSL)
 void
 ub_systemseed(unsigned int ATTR_UNUSED(seed))
 {
@@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
 	return (long)arc4random_uniform((uint32_t)x);
 }
 
-#else
+#elif defined(HAVE_NSS)
 
 /* not much to remember for NSS since we use its pk11_random, placeholder */
 struct ub_randstate {
@@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
 	return x & MAX_VALUE;
 }
 
+#elif defined(HAVE_NETTLE)
+
+/**
+ * libnettle implements a Yarrow-256 generator (SHA256 + AES),
+ * and we have to ensure it is seeded before use.
+ */
+struct ub_randstate {
+	struct yarrow256_ctx ctx;
+	int seeded;
+};
+
+void ub_systemseed(unsigned int ATTR_UNUSED(seed))
+{
+/**
+ * We seed on init and not here, as we need the ctx to re-seed.
+ * This also means that re-seeding is not supported.
+ */
+	log_err("Re-seeding not supported, generator untouched");
+}
+
+struct ub_randstate* ub_initstate(unsigned int seed,
+	struct ub_randstate* ATTR_UNUSED(from))
+{
+	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+	uint8_t buf[YARROW256_SEED_FILE_SIZE];
+	if(!s) {
+		log_err("malloc failure in random init");
+		return NULL;
+	}
+	/* Setup Yarrow context */
+	yarrow256_init(&s->ctx, 0, NULL);
+
+	if(getentropy(buf, sizeof(buf)) != -1) {
+		/* got entropy */
+		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+		s->seeded = yarrow256_is_seeded(&s->ctx);
+	} else {
+		/* Stretch the uint32 input seed and feed it to Yarrow */
+		uint32_t v = seed;
+		size_t i;
+		for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
+			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
+			v = v*seed + (uint32_t)i;
+		}
+		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+		s->seeded = yarrow256_is_seeded(&s->ctx);
+	}
+
+	return s;
+}
+
+long int ub_random(struct ub_randstate* s)
+{
+	/* random 31 bit value. */
+	long int x = 0;
+	if (!s || !s->seeded) {
+		log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
+	} else {
+		yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
+	}
+	return x & MAX_VALUE;
+}
+#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
+
+
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
 long int
 ub_random_max(struct ub_randstate* state, long int x)
 {
@@ -155,7 +223,7 @@ ub_random_max(struct ub_randstate* state, long int x)
 		v = ub_random(state);
 	return (v % x);
 }
-#endif /* HAVE_NSS */
+#endif /* HAVE_NSS or HAVE_NETTLE */
 
 void 
 ub_randfree(struct ub_randstate* s)
diff --git a/contrib/unbound/util/rbtree.c b/contrib/unbound/util/rbtree.c
index a898f13..ee5446f 100644
--- a/contrib/unbound/util/rbtree.c
+++ b/contrib/unbound/util/rbtree.c
@@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
 static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
 
 /*
- * Creates a new red black tree, intializes and returns a pointer to it.
+ * Creates a new red black tree, initializes and returns a pointer to it.
  *
  * Return NULL on failure.
  *
diff --git a/contrib/unbound/util/rtt.h b/contrib/unbound/util/rtt.h
index d6da986..07e65ee 100644
--- a/contrib/unbound/util/rtt.h
+++ b/contrib/unbound/util/rtt.h
@@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
 void rtt_update(struct rtt_info* rtt, int ms);
 
 /**
- * Update the statistics with a new timout expired observation.
+ * Update the statistics with a new timeout expired observation.
  * @param rtt: round trip statistics structure.
  * @param orig: original rtt time given for the query that timed out.
  * 	Used to calculate the maximum responsible backed off time that
diff --git a/contrib/unbound/util/storage/lookup3.c b/contrib/unbound/util/storage/lookup3.c
index de28858..ddcb56e 100644
--- a/contrib/unbound/util/storage/lookup3.c
+++ b/contrib/unbound/util/storage/lookup3.c
@@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
      * rest of the string.  Every machine with memory protection I've seen
      * does it on word boundaries, so is OK with this.  But VALGRIND will
      * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * noticeably faster for short strings (like English words).
      */
 #ifndef VALGRIND
 
@@ -544,7 +544,7 @@ void hashlittle2(
      * rest of the string.  Every machine with memory protection I've seen
      * does it on word boundaries, so is OK with this.  But VALGRIND will
      * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * noticeably faster for short strings (like English words).
      */
 #ifndef VALGRIND
 
@@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
      * rest of the string.  Every machine with memory protection I've seen
      * does it on word boundaries, so is OK with this.  But VALGRIND will
      * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * noticeably faster for short strings (like English words).
      */
 #ifndef VALGRIND
 
@@ -858,7 +858,7 @@ void driver2()
     {
       for (j=0; j<8; ++j)   /*------------------------ for each input bit, */
       {
-	for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
+	for (m=1; m<8; ++m) /*------------ for several possible initvals, */
 	{
 	  for (l=0; l<HASHSTATE; ++l)
 	    e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
diff --git a/contrib/unbound/util/tube.h b/contrib/unbound/util/tube.h
index 9ec50af..6cc6050 100644
--- a/contrib/unbound/util/tube.h
+++ b/contrib/unbound/util/tube.h
@@ -83,7 +83,7 @@ struct tube {
 
 	/** background write queue, commpoint to write results back */
 	struct comm_point* res_com;
-	/** are we curently writing a result, 0 if not, else bytecount into
+	/** are we currently writing a result, 0 if not, else bytecount into
 	 * the res_list first entry. */
 	size_t res_write;
 	/** list of outstanding results to be written back */
diff --git a/contrib/unbound/util/winsock_event.h b/contrib/unbound/util/winsock_event.h
index f642657..d386a69 100644
--- a/contrib/unbound/util/winsock_event.h
+++ b/contrib/unbound/util/winsock_event.h
@@ -201,7 +201,7 @@ struct event {
 	int stick_events;
 
 	/** true if this event is a signaling WSAEvent by the user. 
-	 * User created and user closed WSAEvent. Only signaled/unsigneled,
+	 * User created and user closed WSAEvent. Only signaled/unsignaled,
 	 * no read/write/distinctions needed. */
 	int is_signal;
 	/** used during callbacks to see which events were just checked */
diff --git a/contrib/unbound/validator/autotrust.c b/contrib/unbound/validator/autotrust.c
index e63b086..f8c9c8c 100644
--- a/contrib/unbound/validator/autotrust.c
+++ b/contrib/unbound/validator/autotrust.c
@@ -1195,6 +1195,14 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
 		fatal_exit("could not completely write: %s", fname);
 		return;
 	}
+	if(fflush(out) != 0)
+		log_err("could not fflush(%s): %s", fname, strerror(errno));
+#ifdef HAVE_FSYNC
+	if(fsync(fileno(out)) != 0)
+		log_err("could not fsync(%s): %s", fname, strerror(errno));
+#else
+	FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 	if(fclose(out) != 0) {
 		fatal_exit("could not complete write: %s: %s",
 			fname, strerror(errno));
@@ -2162,7 +2170,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
 	if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
 		verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
 		/* only increase failure count if this is not the first prime,
-		 * this means there was a previous succesful probe */
+		 * this means there was a previous successful probe */
 		if(tp->autr->last_success) {
 			tp->autr->query_failed += 1;
 			autr_write_file(env, tp);
diff --git a/contrib/unbound/validator/val_neg.c b/contrib/unbound/validator/val_neg.c
index b1ff8d9..ab31f48 100644
--- a/contrib/unbound/validator/val_neg.c
+++ b/contrib/unbound/validator/val_neg.c
@@ -38,7 +38,7 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with aggressive negative caching.
- * This creates new denials of existance, and proofs for absence of types
+ * This creates new denials of existence, and proofs for absence of types
  * from cached NSEC records.
  */
 #include "config.h"
diff --git a/contrib/unbound/validator/val_neg.h b/contrib/unbound/validator/val_neg.h
index 967d1a7..bf3a247 100644
--- a/contrib/unbound/validator/val_neg.h
+++ b/contrib/unbound/validator/val_neg.h
@@ -38,7 +38,7 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with aggressive negative caching.
- * This creates new denials of existance, and proofs for absence of types
+ * This creates new denials of existence, and proofs for absence of types
  * from cached NSEC records.
  */
 
diff --git a/contrib/unbound/validator/val_nsec.c b/contrib/unbound/validator/val_nsec.c
index bdfe3c8..f104a34 100644
--- a/contrib/unbound/validator/val_nsec.c
+++ b/contrib/unbound/validator/val_nsec.c
@@ -1,5 +1,5 @@
 /*
- * validator/val_nsec.c - validator NSEC denial of existance functions.
+ * validator/val_nsec.c - validator NSEC denial of existence functions.
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
@@ -38,7 +38,7 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
  */
 #include "config.h"
 #include "validator/val_nsec.h"
@@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 		return sec_status_insecure;
 	}
 
-	/* NSEC proof did not conlusively point to DS or no DS */
+	/* NSEC proof did not conclusively point to DS or no DS */
 	return sec_status_unchecked;
 }
 
@@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
 				*wc = ce;
 				return 1;
 			}
+		} else {
+			/* See if the next owner name covers a wildcard
+			 * empty non-terminal. */
+			while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+				/* wildcard does not apply if qname below
+				 * the name that exists under the '*' */
+				if (dname_subdomain_c(qinfo->qname, nm))
+					break;
+				/* but if it is a wildcard and qname is below
+				 * it, then the wildcard applies. The wildcard
+				 * is an empty nonterminal. nodata proven. */
+				if (dname_is_wild(nm)) {
+					size_t ce_len = ln;
+					uint8_t* ce = nm;
+					dname_remove_label(&ce, &ce_len);
+					if(dname_strict_subdomain_c(qinfo->qname, ce)) {
+						*wc = ce;
+						return 1;
+					}
+				}
+				dname_remove_label(&nm, &ln);
+			}
 		}
 
 		/* Otherwise, this NSEC does not prove ENT and is not a 
diff --git a/contrib/unbound/validator/val_nsec.h b/contrib/unbound/validator/val_nsec.h
index f680d08..c031c9a 100644
--- a/contrib/unbound/validator/val_nsec.h
+++ b/contrib/unbound/validator/val_nsec.h
@@ -1,5 +1,5 @@
 /*
- * validator/val_nsec.h - validator NSEC denial of existance functions.
+ * validator/val_nsec.h - validator NSEC denial of existence functions.
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
@@ -38,7 +38,7 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
  */
 
 #ifndef VALIDATOR_VAL_NSEC_H
@@ -54,7 +54,7 @@ struct key_entry_key;
 /**
  * Check DS absence.
  * There is a NODATA reply to a DS that needs checking.
- * NSECs can prove this is not a delegation point, or sucessfully prove
+ * NSECs can prove this is not a delegation point, or successfully prove
  * that there is no DS. Or this fails.
  *
  * @param env: module env for rrsig verification routines.
diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c
index 80ca4d0..22867d1 100644
--- a/contrib/unbound/validator/val_nsec3.c
+++ b/contrib/unbound/validator/val_nsec3.c
@@ -1,5 +1,5 @@
 /*
- * validator/val_nsec3.c - validator NSEC3 denial of existance functions.
+ * validator/val_nsec3.c - validator NSEC3 denial of existence functions.
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
@@ -38,18 +38,12 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with NSEC3 checking, the different NSEC3 proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
  */
 #include "config.h"
 #include <ctype.h>
-#ifdef HAVE_OPENSSL_SSL_H
-#include "openssl/ssl.h"
-#endif
-#ifdef HAVE_NSS
-/* nss3 */
-#include "sechash.h"
-#endif
 #include "validator/val_nsec3.h"
+#include "validator/val_secalgo.h"
 #include "validator/validator.h"
 #include "validator/val_kentry.h"
 #include "services/cache/rrset.h"
@@ -370,8 +364,8 @@ filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
 /**
  * Start iterating over NSEC3 records.
  * @param filter: the filter structure, must have been filter_init-ed.
- * @param rrsetnum: can be undefined on call, inited.
- * @param rrnum: can be undefined on call, inited.
+ * @param rrsetnum: can be undefined on call, initialised.
+ * @param rrnum: can be undefined on call, initialised.
  * @return first rrset of an NSEC3, together with rrnum this points to
  *	the first RR to examine. Is NULL on empty list.
  */
@@ -545,46 +539,24 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
 	query_dname_tolower(sldns_buffer_begin(buf));
 	sldns_buffer_write(buf, salt, saltlen);
 	sldns_buffer_flip(buf);
-	switch(algo) {
-#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
-		case NSEC3_HASH_SHA1:
-#ifdef HAVE_SSL
-			hash_len = SHA_DIGEST_LENGTH;
-#else
-			hash_len = SHA1_LENGTH;
-#endif
-			if(hash_len > max)
-				return 0;
-#  ifdef HAVE_SSL
-			(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
-				(unsigned long)sldns_buffer_limit(buf),
-				(unsigned char*)res);
-#  else
-			(void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res,
-				(unsigned char*)sldns_buffer_begin(buf),
-				(unsigned long)sldns_buffer_limit(buf));
-#  endif
-			for(i=0; i<iter; i++) {
-				sldns_buffer_clear(buf);
-				sldns_buffer_write(buf, res, hash_len);
-				sldns_buffer_write(buf, salt, saltlen);
-				sldns_buffer_flip(buf);
-#  ifdef HAVE_SSL
-				(void)SHA1(
-					(unsigned char*)sldns_buffer_begin(buf),
-					(unsigned long)sldns_buffer_limit(buf),
-					(unsigned char*)res);
-#  else
-				(void)HASH_HashBuf(HASH_AlgSHA1,
-					(unsigned char*)res,
-					(unsigned char*)sldns_buffer_begin(buf),
-					(unsigned long)sldns_buffer_limit(buf));
-#  endif
-			}
-			break;
-#endif /* HAVE_EVP_SHA1 or NSS */
-		default:
-			log_err("nsec3 hash of unknown algo %d", algo);
+	hash_len = nsec3_hash_algo_size_supported(algo);
+	if(hash_len == 0) {
+		log_err("nsec3 hash of unknown algo %d", algo);
+		return 0;
+	}
+	if(hash_len > max)
+		return 0;
+	if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
+		sldns_buffer_limit(buf), (unsigned char*)res))
+		return 0;
+	for(i=0; i<iter; i++) {
+		sldns_buffer_clear(buf);
+		sldns_buffer_write(buf, res, hash_len);
+		sldns_buffer_write(buf, salt, saltlen);
+		sldns_buffer_flip(buf);
+		if(!secalgo_nsec3_hash(algo,
+			(unsigned char*)sldns_buffer_begin(buf),
+			sldns_buffer_limit(buf), (unsigned char*)res))
 			return 0;
 	}
 	return hash_len;
@@ -607,50 +579,24 @@ nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
 	query_dname_tolower(sldns_buffer_begin(buf));
 	sldns_buffer_write(buf, salt, saltlen);
 	sldns_buffer_flip(buf);
-	switch(algo) {
-#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
-		case NSEC3_HASH_SHA1:
-#ifdef HAVE_SSL
-			c->hash_len = SHA_DIGEST_LENGTH;
-#else
-			c->hash_len = SHA1_LENGTH;
-#endif
-			c->hash = (uint8_t*)regional_alloc(region, 
-				c->hash_len);
-			if(!c->hash)
-				return 0;
-#  ifdef HAVE_SSL
-			(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
-				(unsigned long)sldns_buffer_limit(buf),
-				(unsigned char*)c->hash);
-#  else
-			(void)HASH_HashBuf(HASH_AlgSHA1,
-				(unsigned char*)c->hash,
-				(unsigned char*)sldns_buffer_begin(buf),
-				(unsigned long)sldns_buffer_limit(buf));
-#  endif
-			for(i=0; i<iter; i++) {
-				sldns_buffer_clear(buf);
-				sldns_buffer_write(buf, c->hash, c->hash_len);
-				sldns_buffer_write(buf, salt, saltlen);
-				sldns_buffer_flip(buf);
-#  ifdef HAVE_SSL
-				(void)SHA1(
-					(unsigned char*)sldns_buffer_begin(buf),
-					(unsigned long)sldns_buffer_limit(buf),
-					(unsigned char*)c->hash);
-#  else
-				(void)HASH_HashBuf(HASH_AlgSHA1,
-					(unsigned char*)c->hash,
-					(unsigned char*)sldns_buffer_begin(buf),
-					(unsigned long)sldns_buffer_limit(buf));
-#  endif
-			}
-			break;
-#endif /* HAVE_EVP_SHA1 or NSS */
-		default:
-			log_err("nsec3 hash of unknown algo %d", algo);
-			return -1;
+	c->hash_len = nsec3_hash_algo_size_supported(algo);
+	if(c->hash_len == 0) {
+		log_err("nsec3 hash of unknown algo %d", algo);
+		return -1;
+	}
+	c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
+	if(!c->hash)
+		return 0;
+	(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
+		sldns_buffer_limit(buf), (unsigned char*)c->hash);
+	for(i=0; i<iter; i++) {
+		sldns_buffer_clear(buf);
+		sldns_buffer_write(buf, c->hash, c->hash_len);
+		sldns_buffer_write(buf, salt, saltlen);
+		sldns_buffer_flip(buf);
+		(void)secalgo_nsec3_hash(algo,
+			(unsigned char*)sldns_buffer_begin(buf),
+			sldns_buffer_limit(buf), (unsigned char*)c->hash);
 	}
 	return 1;
 }
diff --git a/contrib/unbound/validator/val_nsec3.h b/contrib/unbound/validator/val_nsec3.h
index d619d67..69ba78d 100644
--- a/contrib/unbound/validator/val_nsec3.h
+++ b/contrib/unbound/validator/val_nsec3.h
@@ -1,5 +1,5 @@
 /*
- * validator/val_nsec3.h - validator NSEC3 denial of existance functions.
+ * validator/val_nsec3.h - validator NSEC3 denial of existence functions.
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
@@ -38,7 +38,7 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with NSEC3 checking, the different NSEC3 proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
  *
  * NSEC3
  *                      1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
@@ -256,7 +256,7 @@ int nsec3_hash_cmp(const void* c1, const void* c2);
  * Used internally by the nsec3 proof functions in this file.
  * published to enable unit testing of hash algorithms and cache.
  *
- * @param table: the cache table. Must be inited at start.
+ * @param table: the cache table. Must be initialised at start.
  * @param region: scratch region to use for allocation.
  * 	This region holds the tree, if you wipe the region, reinit the tree.
  * @param buf: temporary buffer.
diff --git a/contrib/unbound/validator/val_secalgo.c b/contrib/unbound/validator/val_secalgo.c
index 8ed403d..7c8d7b2 100644
--- a/contrib/unbound/validator/val_secalgo.c
+++ b/contrib/unbound/validator/val_secalgo.c
@@ -44,12 +44,13 @@
 /* packed_rrset on top to define enum types (forced by c99 standard) */
 #include "util/data/packed_rrset.h"
 #include "validator/val_secalgo.h"
+#include "validator/val_nsec3.h"
 #include "util/log.h"
 #include "sldns/rrdef.h"
 #include "sldns/keyraw.h"
 #include "sldns/sbuffer.h"
 
-#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
 #error "Need crypto library to do digital signature cryptography"
 #endif
 
@@ -71,10 +72,36 @@
 #include <openssl/engine.h>
 #endif
 
+/* return size of digest if supported, or 0 otherwise */
+size_t
+nsec3_hash_algo_size_supported(int id)
+{
+	switch(id) {
+	case NSEC3_HASH_SHA1:
+		return SHA_DIGEST_LENGTH;
+	default:
+		return 0;
+	}
+}
+
+/* perform nsec3 hash. return false on failure */
+int
+secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+        unsigned char* res)
+{
+	switch(algo) {
+	case NSEC3_HASH_SHA1:
+		(void)SHA1(buf, len, res);
+		return 1;
+	default:
+		return 0;
+	}
+}
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.
- * @return size in bytes of digest, or 0 if not supported. 
+ * @return size in bytes of digest, or 0 if not supported.
  */
 size_t
 ds_digest_size_supported(int algo)
@@ -565,6 +592,32 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 /* nspr4 */
 #include "prerror.h"
 
+/* return size of digest if supported, or 0 otherwise */
+size_t
+nsec3_hash_algo_size_supported(int id)
+{
+	switch(id) {
+	case NSEC3_HASH_SHA1:
+		return SHA1_LENGTH;
+	default:
+		return 0;
+	}
+}
+
+/* perform nsec3 hash. return false on failure */
+int
+secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+        unsigned char* res)
+{
+	switch(algo) {
+	case NSEC3_HASH_SHA1:
+		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
+		return 1;
+	default:
+		return 0;
+	}
+}
+
 size_t
 ds_digest_size_supported(int algo)
 {
@@ -1069,5 +1122,466 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 	return sec_status_bogus;
 }
 
+#elif defined(HAVE_NETTLE)
+
+#include "sha.h"
+#include "bignum.h"
+#include "macros.h"
+#include "rsa.h"
+#include "dsa.h"
+#include "asn1.h"
+#ifdef USE_ECDSA
+#include "ecdsa.h"
+#include "ecc-curve.h"
+#endif
+
+static int
+_digest_nettle(int algo, uint8_t* buf, size_t len,
+	unsigned char* res)
+{
+	switch(algo) {
+		case SHA1_DIGEST_SIZE:
+		{
+			struct sha1_ctx ctx;
+			sha1_init(&ctx);
+			sha1_update(&ctx, len, buf);
+			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
+			return 1;
+		}
+		case SHA256_DIGEST_SIZE:
+		{
+			struct sha256_ctx ctx;
+			sha256_init(&ctx);
+			sha256_update(&ctx, len, buf);
+			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
+			return 1;
+		}
+		case SHA384_DIGEST_SIZE:
+		{
+			struct sha384_ctx ctx;
+			sha384_init(&ctx);
+			sha384_update(&ctx, len, buf);
+			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
+			return 1;
+		}
+		case SHA512_DIGEST_SIZE:
+		{
+			struct sha512_ctx ctx;
+			sha512_init(&ctx);
+			sha512_update(&ctx, len, buf);
+			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
+			return 1;
+		}
+		default:
+			break;
+	}
+	return 0;
+}
+
+/* return size of digest if supported, or 0 otherwise */
+size_t
+nsec3_hash_algo_size_supported(int id)
+{
+	switch(id) {
+	case NSEC3_HASH_SHA1:
+		return SHA1_DIGEST_SIZE;
+	default:
+		return 0;
+	}
+}
+
+/* perform nsec3 hash. return false on failure */
+int
+secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+        unsigned char* res)
+{
+	switch(algo) {
+	case NSEC3_HASH_SHA1:
+		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
+			res);
+	default:
+		return 0;
+	}
+}
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported.
+ */
+size_t
+ds_digest_size_supported(int algo)
+{
+	switch(algo) {
+		case LDNS_SHA1:
+			return SHA1_DIGEST_SIZE;
+#ifdef USE_SHA2
+		case LDNS_SHA256:
+			return SHA256_DIGEST_SIZE;
+#endif
+#ifdef USE_ECDSA
+		case LDNS_SHA384:
+			return SHA384_DIGEST_SIZE;
+#endif
+		/* GOST not supported */
+		case LDNS_HASH_GOST:
+		default:
+			break;
+	}
+	return 0;
+}
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+	unsigned char* res)
+{
+	switch(algo) {
+		case LDNS_SHA1:
+			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
+#if defined(USE_SHA2)
+		case LDNS_SHA256:
+			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
+#endif
+#ifdef USE_ECDSA
+		case LDNS_SHA384:
+			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
+
+#endif
+		case LDNS_HASH_GOST:
+		default:
+			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
+				algo);
+			break;
+	}
+	return 0;
+}
+
+int
+dnskey_algo_id_is_supported(int id)
+{
+	/* uses libnettle */
+	switch(id) {
+	case LDNS_DSA:
+	case LDNS_DSA_NSEC3:
+	case LDNS_RSASHA1:
+	case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA2
+	case LDNS_RSASHA256:
+	case LDNS_RSASHA512:
+#endif
+#ifdef USE_ECDSA
+	case LDNS_ECDSAP256SHA256:
+	case LDNS_ECDSAP384SHA384:
+#endif
+		return 1;
+	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
+	case LDNS_ECC_GOST:
+	default:
+		return 0;
+	}
+}
+
+static char *
+_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
+	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+	uint8_t digest[SHA1_DIGEST_SIZE];
+	uint8_t key_t;
+	int res = 0;
+	size_t offset;
+	struct dsa_public_key pubkey;
+	struct dsa_signature signature;
+	unsigned int expected_len;
+
+	/* Extract DSA signature from the record */
+	nettle_dsa_signature_init(&signature);
+	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
+	if(sigblock_len == 41) {
+		if(key[0] != sigblock[0])
+			return "invalid T value in DSA signature or pubkey";
+		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
+		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
+	} else {
+		/* DER encoded, decode the ASN1 notated R and S bignums */
+		/* SEQUENCE { r INTEGER, s INTEGER } */
+		struct asn1_der_iterator i, seq;
+		if(asn1_der_iterator_first(&i, sigblock_len,
+			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
+			|| i.type != ASN1_SEQUENCE)
+			return "malformed DER encoded DSA signature";
+		/* decode this element of i using the seq iterator */
+		if(asn1_der_decode_constructed(&i, &seq) !=
+			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
+			return "malformed DER encoded DSA signature";
+		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
+			return "malformed DER encoded DSA signature";
+		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
+			|| seq.type != ASN1_INTEGER)
+			return "malformed DER encoded DSA signature";
+		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
+			return "malformed DER encoded DSA signature";
+		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
+			return "malformed DER encoded DSA signature";
+	}
+
+	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
+	key_t = key[0];
+	if (key_t > 8) {
+		return "invalid T value in DSA pubkey";
+	}
+
+	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
+	if (keylen < 21) {
+		return "DSA pubkey too short";
+	}
+
+	expected_len =   1 +		/* T */
+		        20 +		/* Q */
+		       (64 + key_t*8) +	/* P */
+		       (64 + key_t*8) +	/* G */
+		       (64 + key_t*8);	/* Y */
+	if (keylen != expected_len ) {
+		return "invalid DSA pubkey length";
+	}
+
+	/* Extract DSA pubkey from the record */
+	nettle_dsa_public_key_init(&pubkey);
+	offset = 1;
+	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
+	offset += 20;
+	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
+	offset += (64 + key_t*8);
+	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
+	offset += (64 + key_t*8);
+	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
+
+	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
+	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
+
+	/* Clear and return */
+	nettle_dsa_signature_clear(&signature);
+	nettle_dsa_public_key_clear(&pubkey);
+	if (!res)
+		return "DSA signature verification failed";
+	else
+		return NULL;
+}
+
+static char *
+_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
+	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
+{
+	uint16_t exp_len = 0;
+	size_t exp_offset = 0, mod_offset = 0;
+	struct rsa_public_key pubkey;
+	mpz_t signature;
+	int res = 0;
+
+	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
+	if( keylen <= 1) {
+		return "null RSA key";
+	}
+	if (key[0] != 0) {
+		/* 1-byte length */
+		exp_len = key[0];
+		exp_offset = 1;
+	} else {
+		/* 1-byte NUL + 2-bytes exponent length */
+		if (keylen < 3) {
+			return "incorrect RSA key length";
+		}
+		exp_len = READ_UINT16(key+1);
+		if (exp_len == 0)
+			return "null RSA exponent length";
+		exp_offset = 3;
+	}
+	/* Check that we are not over-running input length */
+	if (keylen < exp_offset + exp_len + 1) {
+		return "RSA key content shorter than expected";
+	}
+	mod_offset = exp_offset + exp_len;
+	nettle_rsa_public_key_init(&pubkey);
+	pubkey.size = keylen - mod_offset;
+	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
+	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
+
+	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
+	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
+	switch (digest_size) {
+		case SHA1_DIGEST_SIZE:
+		{
+			uint8_t digest[SHA1_DIGEST_SIZE];
+			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
+			break;
+		}
+		case SHA256_DIGEST_SIZE:
+		{
+			uint8_t digest[SHA256_DIGEST_SIZE];
+			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
+			break;
+		}
+		case SHA512_DIGEST_SIZE:
+		{
+			uint8_t digest[SHA512_DIGEST_SIZE];
+			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
+			break;
+		}
+		default:
+			break;
+	}
+
+	/* Clear and return */
+	nettle_rsa_public_key_clear(&pubkey);
+	mpz_clear(signature);
+	if (!res) {
+		return "RSA signature verification failed";
+	} else {
+		return NULL;
+	}
+}
+
+#ifdef USE_ECDSA
+static char *
+_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
+	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+	int res = 0;
+	struct ecc_point pubkey;
+	struct dsa_signature signature;
+
+	/* Always matched strength, as per RFC 6605 sec. 1 */
+	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
+		return "wrong ECDSA signature length";
+	}
+
+	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
+	nettle_dsa_signature_init(&signature);
+	switch (digest_size) {
+		case SHA256_DIGEST_SIZE:
+		{
+			uint8_t digest[SHA256_DIGEST_SIZE];
+			mpz_t x, y;
+			nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
+			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
+			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
+			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
+			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
+			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+			res &= nettle_ecc_point_set(&pubkey, x, y);
+			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
+			mpz_clear(x);
+			mpz_clear(y);
+			break;
+		}
+		case SHA384_DIGEST_SIZE:
+		{
+			uint8_t digest[SHA384_DIGEST_SIZE];
+			mpz_t x, y;
+			nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
+			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
+			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
+			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
+			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
+			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+			res &= nettle_ecc_point_set(&pubkey, x, y);
+			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
+			mpz_clear(x);
+			mpz_clear(y);
+			nettle_ecc_point_clear(&pubkey);
+			break;
+		}
+		default:
+			return "unknown ECDSA algorithm";
+	}
+
+	/* Clear and return */
+	nettle_dsa_signature_clear(&signature);
+	if (!res)
+		return "ECDSA signature verification failed";
+	else
+		return NULL;
+}
+#endif
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *	canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *	unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+	char** reason)
+{
+	unsigned int digest_size = 0;
+
+	if (sigblock_len == 0 || keylen == 0) {
+		*reason = "null signature";
+		return sec_status_bogus;
+	}
+
+	switch(algo) {
+	case LDNS_DSA:
+	case LDNS_DSA_NSEC3:
+		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
+		if (*reason != NULL)
+			return sec_status_bogus;
+		else
+			return sec_status_secure;
+
+	case LDNS_RSASHA1:
+	case LDNS_RSASHA1_NSEC3:
+		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
+#ifdef USE_SHA2
+	case LDNS_RSASHA256:
+		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+	case LDNS_RSASHA512:
+		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
+
+#endif
+		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
+						sigblock_len, key, keylen);
+		if (*reason != NULL)
+			return sec_status_bogus;
+		else
+			return sec_status_secure;
+
+#ifdef USE_ECDSA
+	case LDNS_ECDSAP256SHA256:
+		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+	case LDNS_ECDSAP384SHA384:
+		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
+		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
+						sigblock_len, key, keylen);
+		if (*reason != NULL)
+			return sec_status_bogus;
+		else
+			return sec_status_secure;
+#endif
+	case LDNS_RSAMD5:
+	case LDNS_ECC_GOST:
+	default:
+		*reason = "unable to verify signature, unknown algorithm";
+		return sec_status_bogus;
+	}
+}
 
-#endif /* HAVE_SSL or HAVE_NSS */
+#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
diff --git a/contrib/unbound/validator/val_secalgo.h b/contrib/unbound/validator/val_secalgo.h
index 085fbc5..589f1f1 100644
--- a/contrib/unbound/validator/val_secalgo.h
+++ b/contrib/unbound/validator/val_secalgo.h
@@ -44,6 +44,21 @@
 #define VALIDATOR_VAL_SECALGO_H
 struct sldns_buffer;
 
+/** Return size of nsec3 hash algorithm, 0 if not supported */
+size_t nsec3_hash_algo_size_supported(int id);
+
+/**
+ * Hash a single hash call of an NSEC3 hash algorithm.
+ * Iterations and salt are done by the caller.
+ * @param algo: nsec3 hash algorithm.
+ * @param buf: the buffer to digest
+ * @param len: length of buffer to digest.
+ * @param res: result stored here (must have sufficient space).
+ * @return false on failure.
+*/
+int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+        unsigned char* res);
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.
diff --git a/contrib/unbound/validator/val_sigcrypt.c b/contrib/unbound/validator/val_sigcrypt.c
index a2f1265..1dd07b4 100644
--- a/contrib/unbound/validator/val_sigcrypt.c
+++ b/contrib/unbound/validator/val_sigcrypt.c
@@ -57,7 +57,7 @@
 #include "sldns/wire2str.h"
 
 #include <ctype.h>
-#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
 #error "Need crypto library to do digital signature cryptography"
 #endif
 
diff --git a/contrib/unbound/validator/val_utils.h b/contrib/unbound/validator/val_utils.h
index cdb8769..051824a 100644
--- a/contrib/unbound/validator/val_utils.h
+++ b/contrib/unbound/validator/val_utils.h
@@ -391,7 +391,7 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
  * Find DS denial message in cache.  Saves new qstate allocation and allows
  * the validator to use partial content which is not enough to construct a
  * message for network (or user) consumption.  Without SOA for example,
- * which is a common occurence in the unbound code since the referrals contain
+ * which is a common occurrence in the unbound code since the referrals contain
  * NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
  * full negative reply, but do allow synthesis of sufficient proof.
  * @param env: query env with caches and time.
diff --git a/contrib/unbound/validator/validator.c b/contrib/unbound/validator/validator.c
index f8b429e..db4383b 100644
--- a/contrib/unbound/validator/validator.c
+++ b/contrib/unbound/validator/validator.c
@@ -749,7 +749,7 @@ validate_nodata_response(struct module_env* env, struct val_env* ve,
 	/* Since we are here, there must be nothing in the ANSWER section to
 	 * validate. */
 	/* (Note: CNAME/DNAME responses will not directly get here --
-	 * instead, they are chased down into indiviual CNAME validations,
+	 * instead, they are chased down into individual CNAME validations,
 	 * and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER 
 	 * validation.) */
 	
@@ -1597,7 +1597,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
 		target_key_name) != 0) {
 		/* check if there is a cache entry : pick up an NSEC if
 		 * there is no DS, check if that NSEC has DS-bit unset, and
-		 * thus can disprove the secure delagation we seek.
+		 * thus can disprove the secure delegation we seek.
 		 * We can then use that NSEC even in the absence of a SOA
 		 * record that would be required by the iterator to supply
 		 * a completely protocol-correct response. 
@@ -1829,7 +1829,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
  * @return  true if there is no DLV.
  * 	false: processing is finished for the validator operate().
  * 	This function may exit in three ways:
- *         o	no DLV (agressive cache), so insecure. (true)
+ *         o	no DLV (aggressive cache), so insecure. (true)
  *         o	error - stop processing (false)
  *         o	DLV lookup was started, stop processing (false)
  */
author	Renato Botelho <renato@netgate.com>	2016-01-25 08:56:15 -0200
committer	Renato Botelho <renato@netgate.com>	2016-01-25 08:56:15 -0200
commit	eb84e0723f3b4bc5e40024f66fe21c14b09e9ec4 (patch)
tree	fec6b99d018e13f1fccbe31478aaf29a28a55642 /contrib
parent	c50df8e1b90c4f9b8bbffa592477c129854776ce (diff)
parent	94b1bbbd44bd88b6db1c00d795cdf7675b3ae254 (diff)
download	FreeBSD-src-eb84e0723f3b4bc5e40024f66fe21c14b09e9ec4.zip FreeBSD-src-eb84e0723f3b4bc5e40024f66fe21c14b09e9ec4.tar.gz