diff --git a/ChangeLog b/ChangeLog
index a6fc3d82634560ba901a6fc37bb467e80cf56d35..81f103778fa937c0b03b221a87993b8bcbd1155e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,27 @@
+2000-09-11  Niels M�ller  <nisse@cuckoo.localdomain>
+
+	* src/symmetric/rijndael.c: Use static const for all lookup
+	tables. 
+
+	* src/parse.c (parse_bignum): Fixed off-by-one error when sanity
+	checking string length.
+
+	* src/symmetric/serpent.c: Replaced the AES "All rights reserved"
+	copyright blurb with the vanilla GPL blurb, after confirming with
+	the authors that the code really is GPL:ed.
+	* src/symmetric/serpentsboxes.h: Likewise.
+	
+	* src/symmetric/serpentsboxes.h: Replaced unsigned long with
+	UINT32.
+
+	* src/symmetric/serpent.c (serpent_setup): Don't use array syntax
+	for function argument types.
+	
+2000-09-10  Niels M�ller  <nisse@cuckoo.localdomain>
+
+	* doc/lsh.texinfo (Algorithm options): Updated the default
+	algorithm list.
+
 2000-09-05  Rafael R. Sevilla  <dido@pacific.net.ph>
 
 	* src/symmetric/rijndael.c, src/symmetric/include/rijndael.h: New. 
diff --git a/doc/TODO b/doc/TODO
index ca2917f2fb8aeabd6e24ec54d59163db2236ba3d..f5d910361bb826a4168670dd28490bbaaa0709ae 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -234,3 +234,11 @@ and sexp_get_un().
 There are dsa-specific details in many places, lsh.c
 server_publickey.c, server_authorization.c, server_keyexchange.c. Try
 to write more generic functions that can deal with both dsa and rsa.
+
+Review the default algorithm preference list in
+algorithms.c:default_crypto_algorithms(). Perhaps make the list more
+conservative, and add a "pseudo-algorithm" all to include all
+supported algorithms in the list?
+
+Use static objects for crypto algorithms with fixed key sizes and
+other parameters.
diff --git a/src/algorithms.c b/src/algorithms.c
index b73fec39d3a375e68093618186c6b70f475a117d..a1acecc43d01a3d048b08ed6cb68b25ad7898229 100644
--- a/src/algorithms.c
+++ b/src/algorithms.c
@@ -248,7 +248,9 @@ lookup_hash(struct alist *algorithms, const char *name,
   }
 }
 
-struct int_list *default_crypto_algorithms(void)
+/* FIXME: Review the default list. */
+struct int_list *
+default_crypto_algorithms(void)
 {
   return make_int_list(7
 #if WITH_IDEA
@@ -265,12 +267,14 @@ struct int_list *default_crypto_algorithms(void)
 		       ATOM_TWOFISH_CBC, ATOM_ARCFOUR, -1);
 }
 
-struct int_list *default_mac_algorithms(void)
+struct int_list *
+default_mac_algorithms(void)
 {
   return make_int_list(2, ATOM_HMAC_SHA1, ATOM_HMAC_MD5, -1);
 }
 
-struct int_list *default_compression_algorithms(void)
+struct int_list *
+default_compression_algorithms(void)
 {
 #if WITH_ZLIB
   return make_int_list(2, ATOM_NONE, ATOM_ZLIB, -1);
diff --git a/src/atoms.in b/src/atoms.in
index fa4b9ebca2139381a538bd1958959d43d62665cf..35151f9b813e1c4cbba5d6c7604cc86bfd04d513 100644
--- a/src/atoms.in
+++ b/src/atoms.in
@@ -11,12 +11,12 @@ zlib
 3des-cbc         REQUIRED          three-key 3DES in CBC mode
 blowfish-cbc     RECOMMENDED       Blowfish in CBC mode
 twofish-cbc      RECOMMENDED       TwoFish cipher in CBC mode
-rijndael-cbc     RECOMMENDED       Rijndael cipher in CBC mode
-serpent-cbc      RECOMMENDED       Serpent cipher in CBC mode
+rijndael-cbc     EXPERIMENTAL      Rijndael cipher in CBC mode
+serpent-cbc      EXPERIMENTAL      Serpent cipher in CBC mode
 arcfour          OPTIONAL          the ARCFOUR stream cipher
 idea-cbc         OPTIONAL          IDEA in CBC mode
 cast128-cbc      OPTIONAL          CAST-128 in CBC mode
-# none             OPTIONAL          no encryption; NOT RECOMMENDED
+# none           OPTIONAL          no encryption; NOT RECOMMENDED
 
 ## The following are not in the current secsh draft, but are in SSH 2.0.11;
 ## some of them will probably be included in an updated secsh draft. 
diff --git a/src/blowfish.c b/src/blowfish.c
index 0816b9351432229e01d385125d3d58eeecab18c7..c2c6db98e18cc5211a9e3522f1c6455de0eb76a6 100644
--- a/src/blowfish.c
+++ b/src/blowfish.c
@@ -41,8 +41,9 @@
        (ctx . "BLOWFISH_context")))
 */
 
-static void do_blowfish_encrypt(struct crypto_instance *s,
-				UINT32 length, const UINT8 *src, UINT8 *dst)
+static void
+do_blowfish_encrypt(struct crypto_instance *s,
+		    UINT32 length, const UINT8 *src, UINT8 *dst)
 {
   CAST(blowfish_instance, self, s);
 
@@ -50,8 +51,9 @@ static void do_blowfish_encrypt(struct crypto_instance *s,
     bf_encrypt_block(&self->ctx, dst, src);
 }
 
-static void do_blowfish_decrypt(struct crypto_instance *s,
-				UINT32 length, const UINT8 *src, UINT8 *dst)
+static void
+do_blowfish_decrypt(struct crypto_instance *s,
+		    UINT32 length, const UINT8 *src, UINT8 *dst)
 {
   CAST(blowfish_instance, self, s);
 
@@ -81,7 +83,8 @@ make_blowfish_instance(struct crypto_algorithm *algorithm, int mode,
     }
 }
 
-struct crypto_algorithm *make_blowfish_algorithm(UINT32 key_size)
+struct crypto_algorithm *
+make_blowfish_algorithm(UINT32 key_size)
 {
   NEW(crypto_algorithm, algorithm);
 
@@ -96,7 +99,8 @@ struct crypto_algorithm *make_blowfish_algorithm(UINT32 key_size)
   return algorithm;
 }
 
-struct crypto_algorithm *make_blowfish(void)
+struct crypto_algorithm *
+make_blowfish(void)
 {
   return make_blowfish_algorithm(BLOWFISH_KEYSIZE);
 }
diff --git a/src/crypto.h b/src/crypto.h
index 48eee5d7b74a5b17582fc13f2a10b48ed515b5db..1a49bf11ac54c86827a763a5d1f6dcaaad1b5c11 100644
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -69,4 +69,4 @@ pkcs5_derive_key(struct mac_algorithm *prf,
 		 UINT32 iterations,
 		 UINT32 key_length, UINT8 *key);
 
-#endif
+#endif /* LSH_CRYPTO_H_INCLUDED */
diff --git a/src/rijndael.c b/src/rijndael.c
index c567d9ecdb82ffbf62dc00c3abc8c66e3e02b6d9..9848bd83e229b9f53450f813101733b9ef84dd50 100644
--- a/src/rijndael.c
+++ b/src/rijndael.c
@@ -22,10 +22,12 @@
  */
 #include "crypto.h"
 
+#include "rijndael.h"
 #include "werror.h"
 #include "xalloc.h"
-#include "rijndael.h"
+
 #include <assert.h>
+
 #include "rijndael.c.x"
 
 /* Rijndael */
@@ -38,8 +40,9 @@
        (ctx . "RIJNDAEL_context")))
 */
 
-static void do_rijndael_encrypt(struct crypto_instance *s,
-				UINT32 length, const UINT8 *src, UINT8 *dst)
+static void
+do_rijndael_encrypt(struct crypto_instance *s,
+		    UINT32 length, const UINT8 *src, UINT8 *dst)
 {
   CAST(rijndael_instance, self, s);
 
@@ -47,8 +50,9 @@ static void do_rijndael_encrypt(struct crypto_instance *s,
     rijndael_encrypt(&self->ctx, src, dst);
 }
 
-static void do_rijndael_decrypt(struct crypto_instance *s,
-				UINT32 length, const UINT8 *src, UINT8 *dst)
+static void
+do_rijndael_decrypt(struct crypto_instance *s,
+		    UINT32 length, const UINT8 *src, UINT8 *dst)
 {
   CAST(rijndael_instance, self, s);
 
@@ -67,8 +71,8 @@ make_rijndael_instance(struct crypto_algorithm *algorithm, int mode,
 			? do_rijndael_encrypt
 			: do_rijndael_decrypt);
 
-  /* We don't have to deal with weak keys - as a second round AES candidate,
-     Rijndael doesn't have any. */
+  /* We don't have to deal with weak keys - as a second round AES
+   * candidate, Rijndael doesn't have any. */
   rijndael_setup(&self->ctx, algorithm->key_size, key);
 
   return(&self->super);
@@ -90,7 +94,8 @@ make_rijndael_algorithm(UINT32 key_size)
   return algorithm;
 }
 
-struct crypto_algorithm *make_rijndael(void)
+struct crypto_algorithm *
+make_rijndael(void)
 {
   return(make_rijndael_algorithm(RIJNDAEL_KEYSIZE));
 }
diff --git a/src/serpent.c b/src/serpent.c
index 9000a1bca83deffa49737a7c6b50dcadc4d47ec3..96368f16db6e0b975a9eda2ee3f1ce8bab9b2eca 100644
--- a/src/serpent.c
+++ b/src/serpent.c
@@ -1,6 +1,7 @@
 /* serpent.c
  *
  * $Id$ */
+
 /* lsh, an implementation of the ssh protocol
  *
  * Copyright (C) 1999, 2000 Niels M�ller, Rafael R. Sevilla
@@ -19,12 +20,15 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
+
 #include "crypto.h"
 
+#include "serpent.h"
 #include "werror.h"
 #include "xalloc.h"
-#include "serpent.h"
+
 #include <assert.h>
+
 #include "serpent.c.x"
 
 /* Serpent */
@@ -36,8 +40,9 @@
        (ctx . "SERPENT_context")))
 */
 
-static void do_serpent_encrypt(struct crypto_instance *s,
-			       UINT32 length, const UINT8 *src, UINT8 *dst)
+static void
+do_serpent_encrypt(struct crypto_instance *s,
+		   UINT32 length, const UINT8 *src, UINT8 *dst)
 {
   CAST(serpent_instance, self, s);
 
@@ -45,8 +50,9 @@ static void do_serpent_encrypt(struct crypto_instance *s,
     serpent_encrypt(&self->ctx, src, dst);
 }
 
-static void do_serpent_decrypt(struct crypto_instance *s,
-			       UINT32 length, const UINT8 *src, UINT8 *dst)
+static void
+do_serpent_decrypt(struct crypto_instance *s,
+		   UINT32 length, const UINT8 *src, UINT8 *dst)
 {
   CAST(serpent_instance, self, s);
 
@@ -65,15 +71,17 @@ make_serpent_instance(struct crypto_algorithm *algorithm, int mode,
 			? do_serpent_encrypt
 			: do_serpent_decrypt);
 
-  /* We don't have to deal with weak keys - as a second round AES candidate,
-     Serpent doesn't have any, but it can only use 256 bit keys so we do
-     an assertion check. */
+  /* We don't have to deal with weak keys - as a second round AES
+   * candidate, Serpent doesn't have any, but it can only use 256 bit
+   * keys so we do an assertion check. */
   assert(algorithm->key_size == SERPENT_KEYSIZE);
   serpent_setup(&self->ctx, key);
 
   return(&self->super);
 }
 
+/* FIXME: This function seems a little redundant, when we don't
+ * support variable key size for serpent. */
 struct crypto_algorithm *
 make_serpent_algorithm(UINT32 key_size)
 {
@@ -89,7 +97,8 @@ make_serpent_algorithm(UINT32 key_size)
   return algorithm;
 }
 
-struct crypto_algorithm *make_serpent(void)
+struct crypto_algorithm *
+make_serpent(void)
 {
   return(make_serpent_algorithm(SERPENT_KEYSIZE));
 }
diff --git a/src/symmetric/arcfour.c b/src/symmetric/arcfour.c
index f5d7054003113225ea2d6b14d9f7df222a8dbfa0..100f9cc01447f88638e91cd61d6adee172da8783 100644
--- a/src/symmetric/arcfour.c
+++ b/src/symmetric/arcfour.c
@@ -7,6 +7,25 @@
  *   
  */
 
+/* lsh, an implementation of the ssh protocol
+ *
+ * Copyright (C) 1998 Niels M�ller
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
 #include "arcfour.h"
 
 #ifdef RCSID