Merge pull request #49 from fperrad/20170812_lint

Some linting, const parameters
2025-06-26 18:17:32 +00:00 · 2018-01-25 21:55:25 +08:00
parent ba23b823dc 598056d168
commit e64e25e4d6
51 changed files with 195 additions and 195 deletions
--- a/agentfwd.h
+++ b/agentfwd.h
@@ -40,8 +40,8 @@
 /* client functions */
 void cli_load_agent_keys(m_list * ret_list);
 void agent_buf_sign(buffer *sigblob, sign_key *key, 
-	buffer *data_buf);
+	const buffer *data_buf);
-void cli_setup_agent(struct Channel *channel);
+void cli_setup_agent(const struct Channel *channel);
 #ifdef __hpux
 #define seteuid(a)       setresuid(-1, (a), -1)
@@ -56,7 +56,7 @@ extern const struct ChanType cli_chan_agent;
 int svr_agentreq(struct ChanSess * chansess);
 void svr_agentcleanup(struct ChanSess * chansess);
-void svr_agentset(struct ChanSess *chansess);
+void svr_agentset(const struct ChanSess *chansess);
 #endif /* DROPBEAR_SVR_AGENTFWD */
--- a/algo.h
+++ b/algo.h
@@ -112,8 +112,8 @@ struct dropbear_kex {
 	const struct ltc_hash_descriptor *hash_desc;
 };
-int have_algo(char* algo, size_t algolen, algo_type algos[]);
+int have_algo(const char* algo, size_t algolen, const algo_type algos[]);
-void buf_put_algolist(buffer * buf, algo_type localalgos[]);
+void buf_put_algolist(buffer * buf, const algo_type localalgos[]);
 enum kexguess2_used {
 	KEXGUESS2_LOOK,
@@ -131,7 +131,7 @@ algo_type * buf_match_algo(buffer* buf, algo_type localalgos[],
 #if DROPBEAR_USER_ALGO_LIST
 int check_user_algos(const char* user_algo_list, algo_type * algos, 
 		const char *algo_desc);
-char * algolist_string(algo_type algos[]);
+char * algolist_string(const algo_type algos[]);
 #endif
 enum {
--- a/auth.h
+++ b/auth.h
@@ -36,7 +36,7 @@ void cli_authinitialise(void);
 void recv_msg_userauth_request(void);
 void send_msg_userauth_failure(int partial, int incrfail);
 void send_msg_userauth_success(void);
-void send_msg_userauth_banner(buffer *msg);
+void send_msg_userauth_banner(const buffer *msg);
 void svr_auth_password(void);
 void svr_auth_pubkey(void);
 void svr_auth_pam(void);
@@ -74,7 +74,7 @@ void cli_pubkeyfail(void);
 void cli_auth_password(void);
 int cli_auth_pubkey(void);
 void cli_auth_interactive(void);
-char* getpass_or_cancel(char* prompt);
+char* getpass_or_cancel(const char* prompt);
 void cli_auth_pubkey_cleanup(void);
--- a/buffer.c
+++ b/buffer.c
@@ -67,7 +67,7 @@ void buf_free(buffer* buf) {
 }
 /* overwrite the contents of the buffer to clear it */
-void buf_burn(buffer* buf) {
+void buf_burn(const buffer* buf) {
 	m_burn(buf->data, buf->size);
@@ -91,7 +91,7 @@ buffer* buf_resize(buffer *buf, unsigned int newsize) {
 /* Create a copy of buf, allocating required memory etc. */
 /* The new buffer is sized the same as the length of the source buffer. */
-buffer* buf_newcopy(buffer* buf) {
+buffer* buf_newcopy(const buffer* buf) {
 	buffer* ret;
@@ -184,7 +184,7 @@ void buf_putbyte(buffer* buf, unsigned char val) {
 /* returns an in-place pointer to the buffer, checking that
 * the next len bytes from that position can be used */
-unsigned char* buf_getptr(buffer* buf, unsigned int len) {
+unsigned char* buf_getptr(const buffer* buf, unsigned int len) {
 	if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
 		dropbear_exit("Bad buf_getptr");
@@ -194,7 +194,7 @@ unsigned char* buf_getptr(buffer* buf, unsigned int len) {
 /* like buf_getptr, but checks against total size, not used length.
 * This allows writing past the used length, but not past the size */
-unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
+unsigned char* buf_getwriteptr(const buffer* buf, unsigned int len) {
 	if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
 		dropbear_exit("Bad buf_getwriteptr");
--- a/buffer.h
+++ b/buffer.h
@@ -44,8 +44,8 @@ buffer * buf_new(unsigned int size);
 /* Possibly returns a new buffer*, like realloc() */
 buffer * buf_resize(buffer *buf, unsigned int newsize);
 void buf_free(buffer* buf);
-void buf_burn(buffer* buf);
+void buf_burn(const buffer* buf);
-buffer* buf_newcopy(buffer* buf);
+buffer* buf_newcopy(const buffer* buf);
 void buf_setlen(buffer* buf, unsigned int len);
 void buf_incrlen(buffer* buf, unsigned int incr);
 void buf_setpos(buffer* buf, unsigned int pos);
@@ -54,8 +54,8 @@ void buf_incrwritepos(buffer* buf, unsigned int incr);
 unsigned char buf_getbyte(buffer* buf);
 unsigned char buf_getbool(buffer* buf);
 void buf_putbyte(buffer* buf, unsigned char val);
-unsigned char* buf_getptr(buffer* buf, unsigned int len);
+unsigned char* buf_getptr(const buffer* buf, unsigned int len);
-unsigned char* buf_getwriteptr(buffer* buf, unsigned int len);
+unsigned char* buf_getwriteptr(const buffer* buf, unsigned int len);
 char* buf_getstring(buffer* buf, unsigned int *retlen);
 buffer * buf_getstringbuf(buffer *buf);
 void buf_eatstring(buffer *buf);
--- a/channel.h
+++ b/channel.h
@@ -84,7 +84,7 @@ struct Channel {
 	int flushing;
 	/* Used by client chansession to handle ~ escaping, NULL ignored otherwise */
-	void (*read_mangler)(struct Channel*, unsigned char* bytes, int *len);
+	void (*read_mangler)(const struct Channel*, const unsigned char* bytes, int *len);
 	const struct ChanType* type;
@@ -98,7 +98,7 @@ struct ChanType {
 	int (*inithandler)(struct Channel*);
 	int (*check_close)(struct Channel*);
 	void (*reqhandler)(struct Channel*);
-	void (*closehandler)(struct Channel*);
+	void (*closehandler)(const struct Channel*);
 };
 /* Callback for connect_remote */
@@ -107,7 +107,7 @@ void channel_connect_done(int result, int sock, void* user_data, const char* err
 void chaninitialise(const struct ChanType *chantypes[]);
 void chancleanup(void);
 void setchannelfds(fd_set *readfds, fd_set *writefds, int allow_reads);
-void channelio(fd_set *readfd, fd_set *writefd);
+void channelio(const fd_set *readfd, const fd_set *writefd);
 struct Channel* getchannel(void);
 /* Returns an arbitrary channel that is in a ready state - not
 being initialised and no EOF in either direction. NULL if none. */
@@ -115,8 +115,8 @@ struct Channel* get_any_ready_channel(void);
 void recv_msg_channel_open(void);
 void recv_msg_channel_request(void);
-void send_msg_channel_failure(struct Channel *channel);
+void send_msg_channel_failure(const struct Channel *channel);
-void send_msg_channel_success(struct Channel *channel);
+void send_msg_channel_success(const struct Channel *channel);
 void recv_msg_channel_data(void);
 void recv_msg_channel_extended_data(void);
 void recv_msg_channel_window_adjust(void);
@@ -135,7 +135,7 @@ int send_msg_channel_open_init(int fd, const struct ChanType *type);
 void recv_msg_channel_open_confirmation(void);
 void recv_msg_channel_open_failure(void);
 #endif
-void start_send_channel_request(struct Channel *channel, char *type);
+void start_send_channel_request(const struct Channel *channel, const char *type);
 void send_msg_request_success(void);
 void send_msg_request_failure(void);
--- a/circbuffer.c
+++ b/circbuffer.c
@@ -56,19 +56,19 @@ void cbuf_free(circbuffer * cbuf) {
 	m_free(cbuf);
 }
-unsigned int cbuf_getused(circbuffer * cbuf) {
+unsigned int cbuf_getused(const circbuffer * cbuf) {
 	return cbuf->used;
 }
-unsigned int cbuf_getavail(circbuffer * cbuf) {
+unsigned int cbuf_getavail(const circbuffer * cbuf) {
 	return cbuf->size - cbuf->used;
 }
-unsigned int cbuf_writelen(circbuffer *cbuf) {
+unsigned int cbuf_writelen(const circbuffer *cbuf) {
 	dropbear_assert(cbuf->used <= cbuf->size);
 	dropbear_assert(((2*cbuf->size)+cbuf->writepos-cbuf->readpos)%cbuf->size == cbuf->used%cbuf->size);
@@ -86,7 +86,7 @@ unsigned int cbuf_writelen(circbuffer *cbuf) {
 	return cbuf->size - cbuf->writepos;
 }
-void cbuf_readptrs(circbuffer *cbuf, 
+void cbuf_readptrs(const circbuffer *cbuf,
 	unsigned char **p1, unsigned int *len1, 
 	unsigned char **p2, unsigned int *len2) {
 	*p1 = &cbuf->data[cbuf->readpos];
--- a/circbuffer.h
+++ b/circbuffer.h
@@ -38,12 +38,12 @@ typedef struct circbuf circbuffer;
 circbuffer * cbuf_new(unsigned int size);
 void cbuf_free(circbuffer * cbuf);
-unsigned int cbuf_getused(circbuffer * cbuf); /* how much data stored */
+unsigned int cbuf_getused(const circbuffer * cbuf); /* how much data stored */
-unsigned int cbuf_getavail(circbuffer * cbuf); /* how much we can write */
+unsigned int cbuf_getavail(const circbuffer * cbuf); /* how much we can write */
-unsigned int cbuf_writelen(circbuffer *cbuf); /* max linear write len */
+unsigned int cbuf_writelen(const circbuffer *cbuf); /* max linear write len */
 /* returns pointers to the two portions of the circular buffer that can be read */
-void cbuf_readptrs(circbuffer *cbuf, 
+void cbuf_readptrs(const circbuffer *cbuf,
 	unsigned char **p1, unsigned int *len1, 
 	unsigned char **p2, unsigned int *len2);
 unsigned char* cbuf_writeptr(circbuffer *cbuf, unsigned int len);
--- a/cli-agentfwd.c
+++ b/cli-agentfwd.c
@@ -108,7 +108,7 @@ static int new_agent_chan(struct Channel * channel) {
   data        Any data, depending on packet type.  Encoding as in the ssh packet
               protocol.
 */
-static buffer * agent_request(unsigned char type, buffer *data) {
+static buffer * agent_request(unsigned char type, const buffer *data) {
 	buffer * payload = NULL;
 	buffer * inbuf = NULL;
@@ -230,7 +230,7 @@ out:
 	}
 }
-void cli_setup_agent(struct Channel *channel) {
+void cli_setup_agent(const struct Channel *channel) {
 	if (!getenv("SSH_AUTH_SOCK")) {
 		return;
 	}
@@ -254,7 +254,7 @@ void cli_load_agent_keys(m_list *ret_list) {
 }
 void agent_buf_sign(buffer *sigblob, sign_key *key, 
-		buffer *data_buf) {
+		const buffer *data_buf) {
 	buffer *request_data = NULL;
 	buffer *response = NULL;
 	unsigned int siglen;
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -331,7 +331,7 @@ int cli_auth_try() {
 #if DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_INTERACT_AUTH
 /* A helper for getpass() that exits if the user cancels. The returned
 * password is statically allocated by getpass() */
-char* getpass_or_cancel(char* prompt)
+char* getpass_or_cancel(const char* prompt)
 {
 	char* password = NULL;
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -121,7 +121,7 @@ void recv_msg_userauth_pk_ok() {
 }
 void cli_buf_put_sign(buffer* buf, sign_key *key, int type, 
-			buffer *data_buf) {
+			const buffer *data_buf) {
 #if DROPBEAR_CLI_AGENTFWD
 	if (key->source == SIGNKEY_SOURCE_AGENT) {
 		/* Format the agent signature ourselves, as buf_put_sign would. */
--- a/cli-chansession.c
+++ b/cli-chansession.c
@@ -35,12 +35,12 @@
 #include "chansession.h"
 #include "agentfwd.h"
-static void cli_closechansess(struct Channel *channel);
+static void cli_closechansess(const struct Channel *channel);
 static int cli_initchansess(struct Channel *channel);
 static void cli_chansessreq(struct Channel *channel);
-static void send_chansess_pty_req(struct Channel *channel);
+static void send_chansess_pty_req(const struct Channel *channel);
-static void send_chansess_shell_req(struct Channel *channel);
+static void send_chansess_shell_req(const struct Channel *channel);
-static void cli_escape_handler(struct Channel *channel, unsigned char* buf, int *len);
+static void cli_escape_handler(const struct Channel *channel, const unsigned char* buf, int *len);
 static int cli_init_netcat(struct Channel *channel);
 static void cli_tty_setup(void);
@@ -83,7 +83,7 @@ out:
 /* If the main session goes, we close it up */
-static void cli_closechansess(struct Channel *UNUSED(channel)) {
+static void cli_closechansess(const struct Channel *UNUSED(channel)) {
 	cli_tty_cleanup(); /* Restore tty modes etc */
 	/* This channel hasn't gone yet, so we have > 1 */
@@ -270,7 +270,7 @@ void cli_chansess_winchange() {
 	cli_ses.winchange = 0;
 }
-static void send_chansess_pty_req(struct Channel *channel) {
+static void send_chansess_pty_req(const struct Channel *channel) {
 	char* term = NULL;
@@ -303,7 +303,7 @@ static void send_chansess_pty_req(struct Channel *channel) {
 	TRACE(("leave send_chansess_pty_req"))
 }
-static void send_chansess_shell_req(struct Channel *channel) {
+static void send_chansess_shell_req(const struct Channel *channel) {
 	char* reqtype = NULL;
@@ -452,7 +452,7 @@ do_escape(unsigned char c) {
 }
 static
-void cli_escape_handler(struct Channel* UNUSED(channel), unsigned char* buf, int *len) {
+void cli_escape_handler(const struct Channel* UNUSED(channel), const unsigned char* buf, int *len) {
 	char c;
 	int skip_char = 0;
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -39,7 +39,7 @@
 #include "ecc.h"
-static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen);
+static void checkhostkey(const unsigned char* keyblob, unsigned int keybloblen);
 #define MAX_KNOWNHOSTS_LINE 4500
 void send_msg_kexdh_init() {
@@ -185,7 +185,7 @@ void recv_msg_kexdh_reply() {
 	TRACE(("leave recv_msg_kexdh_init"))
 }
-static void ask_to_confirm(unsigned char* keyblob, unsigned int keybloblen,
+static void ask_to_confirm(const unsigned char* keyblob, unsigned int keybloblen,
 	const char* algoname) {
 	char* fp = NULL;
@@ -282,7 +282,7 @@ out:
 	return hostsfile;
 }
-static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) {
+static void checkhostkey(const unsigned char* keyblob, unsigned int keybloblen) {
 	FILE *hostsfile = NULL;
 	int readonly = 0;
--- a/cli-main.c
+++ b/cli-main.c
@@ -142,7 +142,7 @@ static void cli_dropbear_log(int priority,
 	fflush(stderr);
 }
-static void exec_proxy_cmd(void *user_data_cmd) {
+static void exec_proxy_cmd(const void *user_data_cmd) {
 	const char *cmd = user_data_cmd;
 	char *usershell;
--- a/common-algo.c
+++ b/common-algo.c
@@ -314,7 +314,7 @@ algo_type sshkex[] = {
 * against.
 * Returns DROPBEAR_SUCCESS if we have a match for algo, DROPBEAR_FAILURE
 * otherwise */
-int have_algo(char* algo, size_t algolen, algo_type algos[]) {
+int have_algo(const char* algo, size_t algolen, const algo_type algos[]) {
 	int i;
@@ -329,7 +329,7 @@ int have_algo(char* algo, size_t algolen, algo_type algos[]) {
 }
 /* Output a comma separated list of algorithms to a buffer */
-void buf_put_algolist(buffer * buf, algo_type localalgos[]) {
+void buf_put_algolist(buffer * buf, const algo_type localalgos[]) {
 	unsigned int i, len;
 	unsigned int donefirst = 0;
@@ -501,7 +501,7 @@ get_algo_usable(algo_type algos[], const char * algo_name)
 #if DROPBEAR_USER_ALGO_LIST
 char *
-algolist_string(algo_type algos[])
+algolist_string(const algo_type algos[])
 {
 	char *ret_list;
 	buffer *b = buf_new(200);
--- a/common-channel.c
+++ b/common-channel.c
@@ -38,18 +38,18 @@
 static void send_msg_channel_open_failure(unsigned int remotechan, int reason,
 		const char *text, const char *lang);
-static void send_msg_channel_open_confirmation(struct Channel* channel,
+static void send_msg_channel_open_confirmation(const struct Channel* channel,
 		unsigned int recvwindow, 
 		unsigned int recvmaxpacket);
 static int writechannel(struct Channel* channel, int fd, circbuffer *cbuf,
 	const unsigned char *moredata, unsigned int *morelen);
-static void send_msg_channel_window_adjust(struct Channel *channel, 
+static void send_msg_channel_window_adjust(const struct Channel *channel,
 		unsigned int incr);
 static void send_msg_channel_data(struct Channel *channel, int isextended);
 static void send_msg_channel_eof(struct Channel *channel);
 static void send_msg_channel_close(struct Channel *channel);
 static void remove_channel(struct Channel *channel);
-static unsigned int write_pending(struct Channel * channel);
+static unsigned int write_pending(const struct Channel * channel);
 static void check_close(struct Channel *channel);
 static void close_chan_fd(struct Channel *channel, int fd, int how);
@@ -198,7 +198,7 @@ struct Channel* getchannel() {
 }
 /* Iterate through the channels, performing IO if available */
-void channelio(fd_set *readfds, fd_set *writefds) {
+void channelio(const fd_set *readfds, const fd_set *writefds) {
 	/* Listeners such as TCP, X11, agent-auth */
 	struct Channel *channel;
@@ -262,7 +262,7 @@ void channelio(fd_set *readfds, fd_set *writefds) {
 /* Returns true if there is data remaining to be written to stdin or
 * stderr of a channel's endpoint. */
-static unsigned int write_pending(struct Channel * channel) {
+static unsigned int write_pending(const struct Channel * channel) {
 	if (channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0) {
 		return 1;
@@ -903,7 +903,7 @@ void recv_msg_channel_window_adjust() {
 /* Increment the incoming data window for a channel, and let the remote
 * end know */
-static void send_msg_channel_window_adjust(struct Channel* channel, 
+static void send_msg_channel_window_adjust(const struct Channel* channel,
 		unsigned int incr) {
 	TRACE(("sending window adjust %d", incr))
@@ -1008,7 +1008,7 @@ cleanup:
 }
 /* Send a failure message */
-void send_msg_channel_failure(struct Channel *channel) {
+void send_msg_channel_failure(const struct Channel *channel) {
 	TRACE(("enter send_msg_channel_failure"))
 	CHECKCLEARTOWRITE();
@@ -1021,7 +1021,7 @@ void send_msg_channel_failure(struct Channel *channel) {
 }
 /* Send a success message */
-void send_msg_channel_success(struct Channel *channel) {
+void send_msg_channel_success(const struct Channel *channel) {
 	TRACE(("enter send_msg_channel_success"))
 	CHECKCLEARTOWRITE();
@@ -1053,7 +1053,7 @@ static void send_msg_channel_open_failure(unsigned int remotechan,
 /* Confirm a channel open, and let the remote end know what number we've
 * allocated and the receive parameters */
-static void send_msg_channel_open_confirmation(struct Channel* channel,
+static void send_msg_channel_open_confirmation(const struct Channel* channel,
 		unsigned int recvwindow, 
 		unsigned int recvmaxpacket) {
@@ -1239,8 +1239,8 @@ struct Channel* get_any_ready_channel() {
 	return NULL;
 }
-void start_send_channel_request(struct Channel *channel, 
+void start_send_channel_request(const struct Channel *channel,
-		char *type) {
+		const char *type) {
 	CHECKCLEARTOWRITE();
 	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
--- a/common-kex.c
+++ b/common-kex.c
@@ -714,7 +714,7 @@ void free_kexcurve25519_param(struct kex_curve25519_param *param)
 	m_free(param);
 }
-void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *buf_pub_them,
+void kexcurve25519_comb_key(const struct kex_curve25519_param *param, const buffer *buf_pub_them,
 	sign_key *hostkey) {
 	unsigned char out[CURVE25519_LEN];
 	const unsigned char* Q_C = NULL;
--- a/dbrandom.c
+++ b/dbrandom.c
@@ -141,7 +141,7 @@ out:
 	return ret;
 }
-void addrandom(unsigned char * buf, unsigned int len)
+void addrandom(const unsigned char * buf, unsigned int len)
 {
 	hash_state hs;
--- a/dbrandom.h
+++ b/dbrandom.h
@@ -29,7 +29,7 @@
 void seedrandom(void);
 void genrandom(unsigned char* buf, unsigned int len);
-void addrandom(unsigned char * buf, unsigned int len);
+void addrandom(const unsigned char * buf, unsigned int len);
 void gen_random_mpint(mp_int *max, mp_int *rand);
 #endif /* DROPBEAR_RANDOM_H_ */
--- a/dbutil.c
+++ b/dbutil.c
@@ -241,7 +241,7 @@ int connect_unix(const char* path) {
 * it will be run after the child has fork()ed, and is passed exec_data.
 * If ret_errfd == NULL then stderr will not be captured.
 * ret_pid can be passed as  NULL to discard the pid. */
-int spawn_command(void(*exec_fn)(void *user_data), void *exec_data,
+int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data,
 		int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) {
 	int infds[2];
 	int outfds[2];
--- a/dbutil.h
+++ b/dbutil.h
@@ -56,7 +56,7 @@ extern int debug_trace;
 char * stripcontrol(const char * text);
-int spawn_command(void(*exec_fn)(void *user_data), void *exec_data,
+int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data,
 		int *writefd, int *readfd, int *errfd, pid_t *pid);
 void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell);
 #ifdef ENABLE_CONNECT_UNIX
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -241,7 +241,7 @@ int main(int argc, char ** argv) {
 	}
 	genbits = signkey_generate_get_bits(keytype, bits);
-	fprintf(stderr, "Generating %d bit %s key, this may take a while...\n", genbits, typetext);
+	fprintf(stderr, "Generating %u bit %s key, this may take a while...\n", genbits, typetext);
 	if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
 	{
 		dropbear_exit("Failed to generate key.\n");
--- a/dss.c
+++ b/dss.c
@@ -127,7 +127,7 @@ void dss_key_free(dropbear_dss_key *key) {
 * mpint	g
 * mpint	y
 */
-void buf_put_dss_pub_key(buffer* buf, dropbear_dss_key *key) {
+void buf_put_dss_pub_key(buffer* buf, const dropbear_dss_key *key) {
 	dropbear_assert(key != NULL);
 	buf_putstring(buf, SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN);
@@ -139,7 +139,7 @@ void buf_put_dss_pub_key(buffer* buf, dropbear_dss_key *key) {
 }
 /* Same as buf_put_dss_pub_key, but with the private "x" key appended */
-void buf_put_dss_priv_key(buffer* buf, dropbear_dss_key *key) {
+void buf_put_dss_priv_key(buffer* buf, const dropbear_dss_key *key) {
 	dropbear_assert(key != NULL);
 	buf_put_dss_pub_key(buf, key);
@@ -150,7 +150,7 @@ void buf_put_dss_priv_key(buffer* buf, dropbear_dss_key *key) {
 #if DROPBEAR_SIGNKEY_VERIFY
 /* Verify a DSS signature (in buf) made on data by the key given. 
 * returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) {
+int buf_dss_verify(buffer* buf, const dropbear_dss_key *key, const buffer *data_buf) {
 	unsigned char msghash[SHA1_HASH_SIZE];
 	hash_state hs;
 	int ret = DROPBEAR_FAILURE;
@@ -255,7 +255,7 @@ out:
 /* Sign the data presented with key, writing the signature contents
 * to the buffer */
-void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf) {
+void buf_put_dss_sign(buffer* buf, const dropbear_dss_key *key, const buffer *data_buf) {
 	unsigned char msghash[SHA1_HASH_SIZE];
 	unsigned int writelen;
 	unsigned int i;
--- a/dss.h
+++ b/dss.h
@@ -44,14 +44,14 @@ typedef struct {
 #define DSS_P_BITS 1024
 #define DSS_Q_BITS 160
-void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
+void buf_put_dss_sign(buffer* buf, const dropbear_dss_key *key, const buffer *data_buf);
 #if DROPBEAR_SIGNKEY_VERIFY
-int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
+int buf_dss_verify(buffer* buf, const dropbear_dss_key *key, const buffer *data_buf);
 #endif
 int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key);
 int buf_get_dss_priv_key(buffer* buf, dropbear_dss_key *key);
-void buf_put_dss_pub_key(buffer* buf, dropbear_dss_key *key);
+void buf_put_dss_pub_key(buffer* buf, const dropbear_dss_key *key);
-void buf_put_dss_priv_key(buffer* buf, dropbear_dss_key *key);
+void buf_put_dss_priv_key(buffer* buf, const dropbear_dss_key *key);
 void dss_key_free(dropbear_dss_key *key);
 #endif /* DROPBEAR_DSS */
--- a/ecc.c
+++ b/ecc.c
@@ -82,7 +82,7 @@ ecc_key * new_ecc_key(void) {
 /* Copied from libtomcrypt ecc_import.c (version there is static), modified
   for different mp_int pointer without LTC_SOURCE */
-static int ecc_is_point(ecc_key *key)
+static int ecc_is_point(const ecc_key *key)
 {
 	mp_int *prime, *b, *t1, *t2;
 	int err;
@@ -213,7 +213,7 @@ ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *c
 /* a modified version of libtomcrypt's "ecc_shared_secret" to output
   a mp_int instead. */
-mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key)
+mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, const ecc_key *private_key)
 {
 	ecc_point *result = NULL;
 	mp_int *prime = NULL, *shared_secret = NULL;
--- a/ecc.h
+++ b/ecc.h
@@ -29,7 +29,7 @@ void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key);
 ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve);
 int buf_get_ecc_privkey_string(buffer *buf, ecc_key *key);
-mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, ecc_key *priv_key);
+mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, const ecc_key *priv_key);
 #endif
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -15,7 +15,7 @@ int signkey_is_ecdsa(enum signkey_type type)
 		|| type == DROPBEAR_SIGNKEY_ECDSA_NISTP521;
 }
-enum signkey_type ecdsa_signkey_type(ecc_key * key) {
+enum signkey_type ecdsa_signkey_type(const ecc_key * key) {
 #if DROPBEAR_ECC_256
 	if (key->dp == ecc_curve_nistp256.dp) {
 		return DROPBEAR_SIGNKEY_ECDSA_NISTP256;
@@ -154,7 +154,7 @@ void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key) {
 	buf_putmpint(buf, key->k);
 }
-void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf) {
+void buf_put_ecdsa_sign(buffer *buf, const ecc_key *key, const buffer *data_buf) {
 	/* Based on libtomcrypt's ecc_sign_hash but without the asn1 */
 	int err = DROPBEAR_FAILURE;
 	struct dropbear_ecc_curve *curve = NULL;
@@ -272,7 +272,7 @@ out:
 }
-int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf) {
+int buf_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf) {
 	/* Based on libtomcrypt's ecc_verify_hash but without the asn1 */
 	int ret = DROPBEAR_FAILURE;
 	hash_state hs;
--- a/ecdsa.h
+++ b/ecdsa.h
@@ -23,10 +23,10 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* buf);
 ecc_key *buf_get_ecdsa_priv_key(buffer *buf);
 void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key);
 void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key);
-enum signkey_type ecdsa_signkey_type(ecc_key * key);
+enum signkey_type ecdsa_signkey_type(const ecc_key * key);
-void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf);
+void buf_put_ecdsa_sign(buffer *buf, const ecc_key *key, const buffer *data_buf);
-int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf);
+int buf_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf);
 /* Returns 1 on success */
 int signkey_is_ecdsa(enum signkey_type type);
--- a/gendss.c
+++ b/gendss.c
@@ -37,11 +37,11 @@
 #if DROPBEAR_DSS
-static void getq(dropbear_dss_key *key);
+static void getq(const dropbear_dss_key *key);
-static void getp(dropbear_dss_key *key, unsigned int size);
+static void getp(const dropbear_dss_key *key, unsigned int size);
-static void getg(dropbear_dss_key *key);
+static void getg(const dropbear_dss_key *key);
-static void getx(dropbear_dss_key *key);
+static void getx(const dropbear_dss_key *key);
-static void gety(dropbear_dss_key *key);
+static void gety(const dropbear_dss_key *key);
 dropbear_dss_key * gen_dss_priv_key(unsigned int size) {
@@ -65,7 +65,7 @@ dropbear_dss_key * gen_dss_priv_key(unsigned int size) {
 }
-static void getq(dropbear_dss_key *key) {
+static void getq(const dropbear_dss_key *key) {
 	unsigned char buf[QSIZE];
@@ -83,7 +83,7 @@ static void getq(dropbear_dss_key *key) {
 	}
 }
-static void getp(dropbear_dss_key *key, unsigned int size) {
+static void getp(const dropbear_dss_key *key, unsigned int size) {
 	DEF_MP_INT(tempX);
 	DEF_MP_INT(tempC);
@@ -142,7 +142,7 @@ static void getp(dropbear_dss_key *key, unsigned int size) {
 	m_free(buf);
 }
-static void getg(dropbear_dss_key * key) {
+static void getg(const dropbear_dss_key * key) {
 	DEF_MP_INT(div);
 	DEF_MP_INT(h);
@@ -179,12 +179,12 @@ static void getg(dropbear_dss_key * key) {
 	mp_clear_multi(&div, &h, &val, NULL);
 }
-static void getx(dropbear_dss_key *key) {
+static void getx(const dropbear_dss_key *key) {
 	gen_random_mpint(key->q, key->x);
 }
-static void gety(dropbear_dss_key *key) {
+static void gety(const dropbear_dss_key *key) {
 	if (mp_exptmod(key->g, key->x, key->p, key->y) != MP_OKAY) {
 		fprintf(stderr, "DSS key generation failed\n");
--- a/kex.h
+++ b/kex.h
@@ -50,7 +50,7 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
 #if DROPBEAR_CURVE25519
 struct kex_curve25519_param *gen_kexcurve25519_param(void);
 void free_kexcurve25519_param(struct kex_curve25519_param *param);
-void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *pub_them,
+void kexcurve25519_comb_key(const struct kex_curve25519_param *param, const buffer *pub_them,
 		sign_key *hostkey);
 #endif
--- a/keyimport.c
+++ b/keyimport.c
@@ -55,9 +55,9 @@ static const unsigned char OID_SEC521R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
 	((unsigned long)(unsigned char)(cp)[3]))
 static int openssh_encrypted(const char *filename);
-static sign_key *openssh_read(const char *filename, char *passphrase);
+static sign_key *openssh_read(const char *filename, const char *passphrase);
 static int openssh_write(const char *filename, sign_key *key,
-				  char *passphrase);
+				  const char *passphrase);
 static int dropbear_write(const char*filename, sign_key * key);
 static sign_key *dropbear_read(const char* filename);
@@ -83,7 +83,7 @@ int import_encrypted(const char* filename, int filetype) {
 	return 0;
 }
-sign_key *import_read(const char *filename, char *passphrase, int filetype) {
+sign_key *import_read(const char *filename, const char *passphrase, int filetype) {
 	if (filetype == KEYFILE_OPENSSH) {
 		return openssh_read(filename, passphrase);
@@ -97,7 +97,7 @@ sign_key *import_read(const char *filename, char *passphrase, int filetype) {
 	return NULL;
 }
-int import_write(const char *filename, sign_key *key, char *passphrase,
+int import_write(const char *filename, sign_key *key, const char *passphrase,
 		int filetype) {
 	if (filetype == KEYFILE_OPENSSH) {
@@ -194,7 +194,7 @@ out:
 						 )
 /* cpl has to be less than 100 */
-static void base64_encode_fp(FILE * fp, unsigned char *data,
+static void base64_encode_fp(FILE * fp, const unsigned char *data,
 		int datalen, int cpl)
 {
 	unsigned char out[100];
@@ -509,7 +509,7 @@ static int openssh_encrypted(const char *filename)
 	return ret;
 }
-static sign_key *openssh_read(const char *filename, char * UNUSED(passphrase))
+static sign_key *openssh_read(const char *filename, const char * UNUSED(passphrase))
 {
 	struct openssh_key *key;
 	unsigned char *p;
@@ -828,7 +828,7 @@ static sign_key *openssh_read(const char *filename, char * UNUSED(passphrase))
 }
 static int openssh_write(const char *filename, sign_key *key,
-				  char *passphrase)
+				  const char *passphrase)
 {
 	buffer * keyblob = NULL;
 	buffer * extrablob = NULL; /* used for calculated values to write */
--- a/keyimport.h
+++ b/keyimport.h
@@ -34,9 +34,9 @@ enum {
 	KEYFILE_SSHCOM
 };
-int import_write(const char *filename, sign_key *key, char *passphrase,
+int import_write(const char *filename, sign_key *key, const char *passphrase,
 		int filetype);
-sign_key *import_read(const char *filename, char *passphrase, int filetype);
+sign_key *import_read(const char *filename, const char *passphrase, int filetype);
 int import_encrypted(const char* filename, int filetype);
 #endif /* DROPBEAR_KEYIMPORT_H_ */
--- a/listener.c
+++ b/listener.c
@@ -53,7 +53,7 @@ void set_listener_fds(fd_set * readfds) {
 }
-void handle_listeners(fd_set * readfds) {
+void handle_listeners(const fd_set * readfds) {
 	unsigned int i, j;
 	struct Listener *listener;
@@ -76,10 +76,10 @@ void handle_listeners(fd_set * readfds) {
 /* acceptor(int fd, void* typedata) is a function to accept connections, 
 * cleanup(void* typedata) happens when cleaning up */
-struct Listener* new_listener(int socks[], unsigned int nsocks,
+struct Listener* new_listener(const int socks[], unsigned int nsocks,
 		int type, void* typedata, 
-		void (*acceptor)(struct Listener* listener, int sock), 
+		void (*acceptor)(const struct Listener* listener, int sock),
-		void (*cleanup)(struct Listener*)) {
+		void (*cleanup)(const struct Listener*)) {
 	unsigned int i, j;
 	struct Listener *newlisten = NULL;
@@ -132,8 +132,8 @@ struct Listener* new_listener(int socks[], unsigned int nsocks,
 /* Return the first listener which matches the type-specific comparison
 * function. Particularly needed for global requests, like tcp */
-struct Listener * get_listener(int type, void* typedata,
+struct Listener * get_listener(int type, const void* typedata,
-		int (*match)(void*, void*)) {
+		int (*match)(const void*, const void*)) {
 	unsigned int i;
 	struct Listener* listener;
--- a/listener.h
+++ b/listener.h
@@ -35,8 +35,8 @@ struct Listener {
 	int index; /* index in the array of listeners */
-	void (*acceptor)(struct Listener*, int sock);
+	void (*acceptor)(const struct Listener*, int sock);
-	void (*cleanup)(struct Listener*);
+	void (*cleanup)(const struct Listener*);
 	int type; /* CHANNEL_ID_X11, CHANNEL_ID_AGENT, 
 				 CHANNEL_ID_TCPDIRECT (for clients),
@@ -47,16 +47,16 @@ struct Listener {
 };
 void listeners_initialise(void);
-void handle_listeners(fd_set * readfds);
+void handle_listeners(const fd_set * readfds);
 void set_listener_fds(fd_set * readfds);
-struct Listener* new_listener(int socks[], unsigned int nsocks, 
+struct Listener* new_listener(const int socks[], unsigned int nsocks,
 		int type, void* typedata, 
-		void (*acceptor)(struct Listener* listener, int sock), 
+		void (*acceptor)(const struct Listener* listener, int sock),
-		void (*cleanup)(struct Listener*));
+		void (*cleanup)(const struct Listener*));
-struct Listener * get_listener(int type, void* typedata,
+struct Listener * get_listener(int type, const void* typedata,
-		int (*match)(void*, void*));
+		int (*match)(const void*, const void*));
 void remove_listener(struct Listener* listener);
--- a/netio.c
+++ b/netio.c
@@ -197,7 +197,7 @@ void set_connect_fds(fd_set *writefd) {
 	}
 }
-void handle_connect_fds(fd_set *writefd) {
+void handle_connect_fds(const fd_set *writefd) {
 	m_list_elem *iter;
 	TRACE(("enter handle_connect_fds"))
 	for (iter = ses.conn_pending.first; iter; iter = iter->next) {
@@ -240,7 +240,7 @@ void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue
 	c->writequeue = writequeue;
 }
-void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count) {
+void packet_queue_to_iovec(const struct Queue *queue, struct iovec *iov, unsigned int *iov_count) {
 	struct Link *l;
 	unsigned int i;
 	int len;
--- a/netio.h
+++ b/netio.h
@@ -34,7 +34,7 @@ struct dropbear_progress_connection * connect_remote (const char* remotehost, co
 /* Sets up for select() */
 void set_connect_fds(fd_set *writefd);
 /* Handles ready sockets after select() */
-void handle_connect_fds(fd_set *writefd);
+void handle_connect_fds(const fd_set *writefd);
 /* Cleanup */
 void remove_connect_pending(void);
@@ -45,7 +45,7 @@ void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue
 /* TODO: writev #ifdef guard */
 /* Fills out iov which contains iov_count slots, returning the number filled in iov_count */
-void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count);
+void packet_queue_to_iovec(const struct Queue *queue, struct iovec *iov, unsigned int *iov_count);
 void packet_queue_consume(struct Queue *queue, ssize_t written);
 #if DROPBEAR_SERVER_TCP_FAST_OPEN
--- a/packet.c
+++ b/packet.c
@@ -49,7 +49,7 @@ static int checkmac(void);
 #define ZLIB_COMPRESS_EXPANSION (((RECV_MAX_PAYLOAD_LEN/16384)+1)*5 + 6)
 #define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
-static buffer* buf_decompress(buffer* buf, unsigned int len);
+static buffer* buf_decompress(const buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
 #endif
@@ -367,7 +367,7 @@ static int checkmac() {
 #ifndef DISABLE_ZLIB
 /* returns a pointer to a newly created buffer */
-static buffer* buf_decompress(buffer* buf, unsigned int len) {
+static buffer* buf_decompress(const buffer* buf, unsigned int len) {
 	int result;
 	buffer * ret;
--- a/queue.c
+++ b/queue.c
@@ -33,7 +33,7 @@ void initqueue(struct Queue* queue) {
 	queue->count = 0;
 }
-int isempty(struct Queue* queue) {
+int isempty(const struct Queue* queue) {
 	return (queue->head == NULL);
 }
@@ -60,7 +60,7 @@ void* dequeue(struct Queue* queue) {
 	return ret;
 }
-void *examine(struct Queue* queue) {
+void *examine(const struct Queue* queue) {
 	dropbear_assert(!isempty(queue));
 	return queue->head->item;
--- a/queue.h
+++ b/queue.h
@@ -41,9 +41,9 @@ struct Queue {
 };
 void initqueue(struct Queue* queue);
-int isempty(struct Queue* queue);
+int isempty(const struct Queue* queue);
 void* dequeue(struct Queue* queue);
-void *examine(struct Queue* queue);
+void *examine(const struct Queue* queue);
 void enqueue(struct Queue* queue, void* item);
 #endif
--- a/rsa.c
+++ b/rsa.c
@@ -38,8 +38,8 @@
 #if DROPBEAR_RSA 
-static void rsa_pad_em(dropbear_rsa_key * key,
+static void rsa_pad_em(const dropbear_rsa_key * key,
-	buffer *data_buf, mp_int * rsa_em);
+	const buffer *data_buf, mp_int * rsa_em);
 /* Load a public rsa key from a buffer, initialising the values.
 * The key will have the same format as buf_put_rsa_key.
@@ -147,7 +147,7 @@ void rsa_key_free(dropbear_rsa_key *key) {
 * mp_int	e
 * mp_int	n
 */
-void buf_put_rsa_pub_key(buffer* buf, dropbear_rsa_key *key) {
+void buf_put_rsa_pub_key(buffer* buf, const dropbear_rsa_key *key) {
 	TRACE(("enter buf_put_rsa_pub_key"))
 	dropbear_assert(key != NULL);
@@ -161,7 +161,7 @@ void buf_put_rsa_pub_key(buffer* buf, dropbear_rsa_key *key) {
 }
 /* Same as buf_put_rsa_pub_key, but with the private "x" key appended */
-void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) {
+void buf_put_rsa_priv_key(buffer* buf, const dropbear_rsa_key *key) {
 	TRACE(("enter buf_put_rsa_priv_key"))
@@ -185,7 +185,7 @@ void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) {
 #if DROPBEAR_SIGNKEY_VERIFY
 /* Verify a signature in buf, made on data by the key given.
 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf) {
+int buf_rsa_verify(buffer * buf, const dropbear_rsa_key *key, const buffer *data_buf) {
 	unsigned int slen;
 	DEF_MP_INT(rsa_s);
 	DEF_MP_INT(rsa_mdash);
@@ -240,7 +240,7 @@ out:
 /* Sign the data presented with key, writing the signature contents
 * to the buffer */
-void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) {
+void buf_put_rsa_sign(buffer* buf, const dropbear_rsa_key *key, const buffer *data_buf) {
 	unsigned int nsize, ssize;
 	unsigned int i;
 	DEF_MP_INT(rsa_s);
@@ -346,8 +346,8 @@ void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) {
 *
 * rsa_em must be a pointer to an initialised mp_int.
 */
-static void rsa_pad_em(dropbear_rsa_key * key,
+static void rsa_pad_em(const dropbear_rsa_key * key,
-	buffer *data_buf, mp_int * rsa_em) {
+	const buffer *data_buf, mp_int * rsa_em) {
 	/* ASN1 designator (including the 0x00 preceding) */
 	const unsigned char rsa_asn1_magic[] = 
--- a/rsa.h
+++ b/rsa.h
@@ -43,14 +43,14 @@ typedef struct {
 } dropbear_rsa_key;
-void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf);
+void buf_put_rsa_sign(buffer* buf, const dropbear_rsa_key *key, const buffer *data_buf);
 #if DROPBEAR_SIGNKEY_VERIFY
-int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf);
+int buf_rsa_verify(buffer * buf, const dropbear_rsa_key *key, const buffer *data_buf);
 #endif
 int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key);
 int buf_get_rsa_priv_key(buffer* buf, dropbear_rsa_key *key);
-void buf_put_rsa_pub_key(buffer* buf, dropbear_rsa_key *key);
+void buf_put_rsa_pub_key(buffer* buf, const dropbear_rsa_key *key);
-void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key);
+void buf_put_rsa_priv_key(buffer* buf, const dropbear_rsa_key *key);
 void rsa_key_free(dropbear_rsa_key *key);
 #endif /* DROPBEAR_RSA */
--- a/signkey.c
+++ b/signkey.c
@@ -400,7 +400,7 @@ static char hexdig(unsigned char x) {
 /* Since we're not sure if we'll have md5 or sha1, we present both.
 * MD5 is used in preference, but sha1 could still be useful */
 #if DROPBEAR_MD5_HMAC
-static char * sign_key_md5_fingerprint(unsigned char* keyblob,
+static char * sign_key_md5_fingerprint(const unsigned char* keyblob,
 		unsigned int keybloblen) {
 	char * ret;
@@ -435,7 +435,7 @@ static char * sign_key_md5_fingerprint(unsigned char* keyblob,
 }
 #else /* use SHA1 rather than MD5 for fingerprint */
-static char * sign_key_sha1_fingerprint(unsigned char* keyblob, 
+static char * sign_key_sha1_fingerprint(const unsigned char* keyblob,
 		unsigned int keybloblen) {
 	char * ret;
@@ -472,7 +472,7 @@ static char * sign_key_sha1_fingerprint(unsigned char* keyblob,
 /* This will return a freshly malloced string, containing a fingerprint
 * in either sha1 or md5 */
-char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
+char * sign_key_fingerprint(const unsigned char* keyblob, unsigned int keybloblen) {
 #if DROPBEAR_MD5_HMAC
 	return sign_key_md5_fingerprint(keyblob, keybloblen);
@@ -482,7 +482,7 @@ char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
 }
 void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, 
-	buffer *data_buf) {
+	const buffer *data_buf) {
 	buffer *sigblob;
 	sigblob = buf_new(MAX_PUBKEY_SIZE);
@@ -517,7 +517,7 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type,
 * If FAILURE is returned, the position of
 * buf is undefined. If SUCCESS is returned, buf will be positioned after the
 * signature blob */
-int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
+int buf_verify(buffer * buf, sign_key *key, const buffer *data_buf) {
 	char *type_name = NULL;
 	unsigned int type_name_len = 0;
@@ -570,7 +570,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
   of the key if it is successfully decoded */
 int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, 
 					const unsigned char* algoname, unsigned int algolen, 
-					buffer * line, char ** fingerprint) {
+					const buffer * line, char ** fingerprint) {
 	buffer * decodekey = NULL;
 	int ret = DROPBEAR_FAILURE;
--- a/signkey.h
+++ b/signkey.h
@@ -90,14 +90,14 @@ int buf_get_priv_key(buffer* buf, sign_key *key, enum signkey_type *type);
 void buf_put_pub_key(buffer* buf, sign_key *key, enum signkey_type type);
 void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type);
 void sign_key_free(sign_key *key);
-void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, buffer *data_buf);
+void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, const buffer *data_buf);
 #if DROPBEAR_SIGNKEY_VERIFY
-int buf_verify(buffer * buf, sign_key *key, buffer *data_buf);
+int buf_verify(buffer * buf, sign_key *key, const buffer *data_buf);
-char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen);
+char * sign_key_fingerprint(const unsigned char* keyblob, unsigned int keybloblen);
 #endif
 int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, 
 					const unsigned char* algoname, unsigned int algolen, 
-					buffer * line, char ** fingerprint);
+					const buffer * line, char ** fingerprint);
 void** signkey_key_ptr(sign_key *key, enum signkey_type type);
--- a/svr-agentfwd.c
+++ b/svr-agentfwd.c
@@ -45,7 +45,7 @@
 static int send_msg_channel_open_agent(int fd);
 static int bindagent(int fd, struct ChanSess * chansess);
-static void agentaccept(struct Listener * listener, int sock);
+static void agentaccept(const struct Listener * listener, int sock);
 /* Handles client requests to start agent forwarding, sets up listening socket.
 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
@@ -100,7 +100,7 @@ fail:
 /* accepts a connection on the forwarded socket and opens a new channel for it
 * back to the client */
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-static void agentaccept(struct Listener *UNUSED(listener), int sock) {
+static void agentaccept(const struct Listener *UNUSED(listener), int sock) {
 	int fd;
@@ -118,7 +118,7 @@ static void agentaccept(struct Listener *UNUSED(listener), int sock) {
 /* set up the environment variable pointing to the socket. This is called
 * just before command/shell execution, after dropping privileges */
-void svr_agentset(struct ChanSess * chansess) {
+void svr_agentset(const struct ChanSess * chansess) {
 	char *path = NULL;
 	int len;
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -81,7 +81,7 @@ static void authclear() {
 /* Send a banner message if specified to the client. The client might
 * ignore this, but possibly serves as a legal "no trespassing" sign */
-void send_msg_userauth_banner(buffer *banner) {
+void send_msg_userauth_banner(const buffer *banner) {
 	TRACE(("enter send_msg_userauth_banner"))
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -70,11 +70,11 @@
 #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
 #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
-static int checkpubkey(char* algo, unsigned int algolen,
+static int checkpubkey(const char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen);
+		const unsigned char* keyblob, unsigned int keybloblen);
 static int checkpubkeyperms(void);
-static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen,
+static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen);
+		const unsigned char* keyblob, unsigned int keybloblen);
 static int checkfileperm(char * filename);
 /* process a pubkey auth request, sending success or failure message as
@@ -173,8 +173,8 @@ out:
 /* Reply that the key is valid for auth, this is sent when the user sends
 * a straight copy of their pubkey to test, to avoid having to perform
 * expensive signing operations with a worthless key */
-static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen,
+static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen) {
+		const unsigned char* keyblob, unsigned int keybloblen) {
 	TRACE(("enter send_msg_userauth_pk_ok"))
 	CHECKCLEARTOWRITE();
@@ -188,7 +188,7 @@ static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen,
 }
-static int checkpubkey_line(buffer* line, int line_num, char* filename,
+static int checkpubkey_line(buffer* line, int line_num, const char* filename,
 		const char* algo, unsigned int algolen,
 		const unsigned char* keyblob, unsigned int keybloblen) {
 	buffer *options_buf = NULL;
@@ -292,8 +292,8 @@ out:
 /* Checks whether a specified publickey (and associated algorithm) is an
 * acceptable key for authentication */
 /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
-static int checkpubkey(char* algo, unsigned int algolen,
+static int checkpubkey(const char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen) {
+		const unsigned char* keyblob, unsigned int keybloblen) {
 	FILE * authfile = NULL;
 	char * filename = NULL;
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -43,24 +43,24 @@
 static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
 		int iscmd, int issubsys);
 static int sessionpty(struct ChanSess * chansess);
-static int sessionsignal(struct ChanSess *chansess);
+static int sessionsignal(const struct ChanSess *chansess);
 static int noptycommand(struct Channel *channel, struct ChanSess *chansess);
 static int ptycommand(struct Channel *channel, struct ChanSess *chansess);
-static int sessionwinchange(struct ChanSess *chansess);
+static int sessionwinchange(const struct ChanSess *chansess);
-static void execchild(void *user_data_chansess);
+static void execchild(const void *user_data_chansess);
 static void addchildpid(struct ChanSess *chansess, pid_t pid);
 static void sesssigchild_handler(int val);
-static void closechansess(struct Channel *channel);
+static void closechansess(const struct Channel *channel);
 static int newchansess(struct Channel *channel);
 static void chansessionrequest(struct Channel *channel);
-static int sesscheckclose(struct Channel *channel);
+static int sesscheckclose(const struct Channel *channel);
-static void send_exitsignalstatus(struct Channel *channel);
+static void send_exitsignalstatus(const struct Channel *channel);
-static void send_msg_chansess_exitstatus(struct Channel * channel,
+static void send_msg_chansess_exitstatus(const struct Channel * channel,
-		struct ChanSess * chansess);
+		const struct ChanSess * chansess);
-static void send_msg_chansess_exitsignal(struct Channel * channel,
+static void send_msg_chansess_exitsignal(const struct Channel * channel,
-		struct ChanSess * chansess);
+		const struct ChanSess * chansess);
-static void get_termmodes(struct ChanSess *chansess);
+static void get_termmodes(const struct ChanSess *chansess);
 const struct ChanType svrchansess = {
 	0, /* sepfds */
@@ -74,7 +74,7 @@ const struct ChanType svrchansess = {
 /* required to clear environment */
 extern char** environ;
-static int sesscheckclose(struct Channel *channel) {
+static int sesscheckclose(const struct Channel *channel) {
 	struct ChanSess *chansess = (struct ChanSess*)channel->typedata;
 	TRACE(("sesscheckclose, pid is %d", chansess->exit.exitpid))
 	return chansess->exit.exitpid != -1;
@@ -159,7 +159,7 @@ static void sesssigchild_handler(int UNUSED(dummy)) {
 }
 /* send the exit status or the signal causing termination for a session */
-static void send_exitsignalstatus(struct Channel *channel) {
+static void send_exitsignalstatus(const struct Channel *channel) {
 	struct ChanSess *chansess = (struct ChanSess*)channel->typedata;
@@ -173,8 +173,8 @@ static void send_exitsignalstatus(struct Channel *channel) {
 }
 /* send the exitstatus to the client */
-static void send_msg_chansess_exitstatus(struct Channel * channel,
+static void send_msg_chansess_exitstatus(const struct Channel * channel,
-		struct ChanSess * chansess) {
+		const struct ChanSess * chansess) {
 	dropbear_assert(chansess->exit.exitpid != -1);
 	dropbear_assert(chansess->exit.exitsignal == -1);
@@ -192,8 +192,8 @@ static void send_msg_chansess_exitstatus(struct Channel * channel,
 }
 /* send the signal causing the exit to the client */
-static void send_msg_chansess_exitsignal(struct Channel * channel,
+static void send_msg_chansess_exitsignal(const struct Channel * channel,
-		struct ChanSess * chansess) {
+		const struct ChanSess * chansess) {
 	int i;
 	char* signame = NULL;
@@ -273,7 +273,7 @@ static int newchansess(struct Channel *channel) {
 }
 static struct logininfo* 
-chansess_login_alloc(struct ChanSess *chansess) {
+chansess_login_alloc(const struct ChanSess *chansess) {
 	struct logininfo * li;
 	li = login_alloc_entry(chansess->pid, ses.authstate.username,
 			svr_ses.remotehost, chansess->tty);
@@ -281,7 +281,7 @@ chansess_login_alloc(struct ChanSess *chansess) {
 }
 /* clean a session channel */
-static void closechansess(struct Channel *channel) {
+static void closechansess(const struct Channel *channel) {
 	struct ChanSess *chansess;
 	unsigned int i;
@@ -403,7 +403,7 @@ out:
 /* Send a signal to a session's process as requested by the client*/
-static int sessionsignal(struct ChanSess *chansess) {
+static int sessionsignal(const struct ChanSess *chansess) {
 	int sig = 0;
 	char* signame = NULL;
@@ -441,7 +441,7 @@ static int sessionsignal(struct ChanSess *chansess) {
 /* Let the process know that the window size has changed, as notified from the
 * client. Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-static int sessionwinchange(struct ChanSess *chansess) {
+static int sessionwinchange(const struct ChanSess *chansess) {
 	int termc, termr, termw, termh;
@@ -460,7 +460,7 @@ static int sessionwinchange(struct ChanSess *chansess) {
 	return DROPBEAR_SUCCESS;
 }
-static void get_termmodes(struct ChanSess *chansess) {
+static void get_termmodes(const struct ChanSess *chansess) {
 	struct termios termio;
 	unsigned char opcode;
@@ -898,7 +898,7 @@ static void addchildpid(struct ChanSess *chansess, pid_t pid) {
 /* Clean up, drop to user privileges, set up the environment and execute
 * the command/shell. This function does not return. */
-static void execchild(void *user_data) {
+static void execchild(const void *user_data) {
 	struct ChanSess *chansess = user_data;
 	char *usershell = NULL;
--- a/svr-tcpfwd.c
+++ b/svr-tcpfwd.c
@@ -107,7 +107,7 @@ out:
 	TRACE(("leave recv_msg_global_request"))
 }
-static int matchtcp(void* typedata1, void* typedata2) {
+static int matchtcp(const void* typedata1, const void* typedata2) {
 	const struct TCPListener *info1 = (struct TCPListener*)typedata1;
 	const struct TCPListener *info2 = (struct TCPListener*)typedata2;
--- a/svr-x11fwd.c
+++ b/svr-x11fwd.c
@@ -38,9 +38,9 @@
 #define X11BASEPORT 6000
 #define X11BINDBASE 6010
-static void x11accept(struct Listener* listener, int sock);
+static void x11accept(const struct Listener* listener, int sock);
 static int bindport(int fd);
-static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr);
+static int send_msg_channel_open_x11(int fd, const struct sockaddr_in* addr);
 /* Check untrusted xauth strings for metacharacters */
 /* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */
@@ -126,7 +126,7 @@ fail:
 /* accepts a new X11 socket */
 /* returns DROPBEAR_FAILURE or DROPBEAR_SUCCESS */
-static void x11accept(struct Listener* listener, int sock) {
+static void x11accept(const struct Listener* listener, int sock) {
 	int fd;
 	struct sockaddr_in addr;
@@ -154,7 +154,7 @@ static void x11accept(struct Listener* listener, int sock) {
 /* This is called after switching to the user, and sets up the xauth
 * and environment variables.  */
-void x11setauth(struct ChanSess *chansess) {
+void x11setauth(const struct ChanSess *chansess) {
 	char display[20]; /* space for "localhost:12345.123" */
 	FILE * authprog = NULL;
@@ -220,7 +220,7 @@ static const struct ChanType chan_x11 = {
 };
-static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr) {
+static int send_msg_channel_open_x11(int fd, const struct sockaddr_in* addr) {
 	char* ipstring = NULL;
--- a/tcp-accept.c
+++ b/tcp-accept.c
@@ -35,7 +35,7 @@
 #if DROPBEAR_TCP_ACCEPT
-static void cleanup_tcp(struct Listener *listener) {
+static void cleanup_tcp(const struct Listener *listener) {
 	struct TCPListener *tcpinfo = (struct TCPListener*)(listener->typedata);
@@ -52,7 +52,7 @@ int tcp_prio_inithandler(struct Channel* channel)
 	return 0;
 }
-static void tcp_acceptor(struct Listener *listener, int sock) {
+static void tcp_acceptor(const struct Listener *listener, int sock) {
 	int fd;
 	struct sockaddr_storage sa;
--- a/x11fwd.h
+++ b/x11fwd.h
@@ -30,7 +30,7 @@
 #include "channel.h"
 int x11req(struct ChanSess * chansess);
-void x11setauth(struct ChanSess *chansess);
+void x11setauth(const struct ChanSess *chansess);
 void x11cleanup(struct ChanSess *chansess);
 #endif /* DROPBEAR_X11FWD */