packet.c

@@ -49,7 +49,7 @@ static int checkmac(void);
 #define ZLIB_COMPRESS_EXPANSION (((RECV_MAX_PAYLOAD_LEN/16384)+1)*5 + 6)
 #define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
-static buffer* buf_decompress(buffer* buf, unsigned int len);
+static buffer* buf_decompress(const buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
 #endif
@@ -367,7 +367,7 @@ static int checkmac() {
 #ifndef DISABLE_ZLIB
 /* returns a pointer to a newly created buffer */
-static buffer* buf_decompress(buffer* buf, unsigned int len) {
+static buffer* buf_decompress(const buffer* buf, unsigned int len) {
 	int result;
 	buffer * ret;

queue.c

@@ -33,7 +33,7 @@ void initqueue(struct Queue* queue) {
 	queue->count = 0;
 }
-int isempty(struct Queue* queue) {
+int isempty(const struct Queue* queue) {
 	return (queue->head == NULL);
 }
@@ -60,7 +60,7 @@ void* dequeue(struct Queue* queue) {
 	return ret;
 }
-void *examine(struct Queue* queue) {
+void *examine(const struct Queue* queue) {
 	dropbear_assert(!isempty(queue));
 	return queue->head->item;

queue.h

@@ -41,9 +41,9 @@ struct Queue {
 };
 void initqueue(struct Queue* queue);
-int isempty(struct Queue* queue);
+int isempty(const struct Queue* queue);
 void* dequeue(struct Queue* queue);
-void *examine(struct Queue* queue);
+void *examine(const struct Queue* queue);
 void enqueue(struct Queue* queue, void* item);
 #endif

rsa.c

@@ -38,8 +38,8 @@
 #if DROPBEAR_RSA 
-static void rsa_pad_em(dropbear_rsa_key * key,
-	buffer *data_buf, mp_int * rsa_em);
+static void rsa_pad_em(const dropbear_rsa_key * key,
+	const buffer *data_buf, mp_int * rsa_em);
 /* Load a public rsa key from a buffer, initialising the values.
  * The key will have the same format as buf_put_rsa_key.
@@ -147,7 +147,7 @@ void rsa_key_free(dropbear_rsa_key *key) {
  * mp_int	e
  * mp_int	n
  */
-void buf_put_rsa_pub_key(buffer* buf, dropbear_rsa_key *key) {
+void buf_put_rsa_pub_key(buffer* buf, const dropbear_rsa_key *key) {
 	TRACE(("enter buf_put_rsa_pub_key"))
 	dropbear_assert(key != NULL);
@@ -161,7 +161,7 @@ void buf_put_rsa_pub_key(buffer* buf, dropbear_rsa_key *key) {
 }
 /* Same as buf_put_rsa_pub_key, but with the private "x" key appended */
-void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) {
+void buf_put_rsa_priv_key(buffer* buf, const dropbear_rsa_key *key) {
 	TRACE(("enter buf_put_rsa_priv_key"))
@@ -185,7 +185,7 @@ void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) {
 #if DROPBEAR_SIGNKEY_VERIFY
 /* Verify a signature in buf, made on data by the key given.
  * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf) {
+int buf_rsa_verify(buffer * buf, const dropbear_rsa_key *key, const buffer *data_buf) {
 	unsigned int slen;
 	DEF_MP_INT(rsa_s);
 	DEF_MP_INT(rsa_mdash);
@@ -240,7 +240,7 @@ out:
 /* Sign the data presented with key, writing the signature contents
  * to the buffer */
-void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) {
+void buf_put_rsa_sign(buffer* buf, const dropbear_rsa_key *key, const buffer *data_buf) {
 	unsigned int nsize, ssize;
 	unsigned int i;
 	DEF_MP_INT(rsa_s);
@@ -346,8 +346,8 @@ void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) {
  *
  * rsa_em must be a pointer to an initialised mp_int.
  */
-static void rsa_pad_em(dropbear_rsa_key * key,
-	buffer *data_buf, mp_int * rsa_em) {
+static void rsa_pad_em(const dropbear_rsa_key * key,
+	const buffer *data_buf, mp_int * rsa_em) {
 	/* ASN1 designator (including the 0x00 preceding) */
 	const unsigned char rsa_asn1_magic[] = 

rsa.h

@@ -43,14 +43,14 @@ typedef struct {
 } dropbear_rsa_key;
-void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf);
+void buf_put_rsa_sign(buffer* buf, const dropbear_rsa_key *key, const buffer *data_buf);
 #if DROPBEAR_SIGNKEY_VERIFY
-int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf);
+int buf_rsa_verify(buffer * buf, const dropbear_rsa_key *key, const buffer *data_buf);
 #endif
 int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key);
 int buf_get_rsa_priv_key(buffer* buf, dropbear_rsa_key *key);
-void buf_put_rsa_pub_key(buffer* buf, dropbear_rsa_key *key);
-void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key);
+void buf_put_rsa_pub_key(buffer* buf, const dropbear_rsa_key *key);
+void buf_put_rsa_priv_key(buffer* buf, const dropbear_rsa_key *key);
 void rsa_key_free(dropbear_rsa_key *key);
 #endif /* DROPBEAR_RSA */

runopts.h

@@ -167,6 +167,8 @@ typedef struct cli_runopts {
 #if DROPBEAR_CLI_PROXYCMD
 	char *proxycmd;
 #endif
+	char *bind_address;
+	char *bind_port;
 } cli_runopts;
 extern cli_runopts cli_opts;

signkey.c

@@ -400,7 +400,7 @@ static char hexdig(unsigned char x) {
 /* Since we're not sure if we'll have md5 or sha1, we present both.
  * MD5 is used in preference, but sha1 could still be useful */
 #if DROPBEAR_MD5_HMAC
-static char * sign_key_md5_fingerprint(unsigned char* keyblob,
+static char * sign_key_md5_fingerprint(const unsigned char* keyblob,
 		unsigned int keybloblen) {
 	char * ret;
@@ -435,7 +435,7 @@ static char * sign_key_md5_fingerprint(unsigned char* keyblob,
 }
 #else /* use SHA1 rather than MD5 for fingerprint */
-static char * sign_key_sha1_fingerprint(unsigned char* keyblob, 
+static char * sign_key_sha1_fingerprint(const unsigned char* keyblob,
 		unsigned int keybloblen) {
 	char * ret;
@@ -472,7 +472,7 @@ static char * sign_key_sha1_fingerprint(unsigned char* keyblob,
 /* This will return a freshly malloced string, containing a fingerprint
  * in either sha1 or md5 */
-char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
+char * sign_key_fingerprint(const unsigned char* keyblob, unsigned int keybloblen) {
 #if DROPBEAR_MD5_HMAC
 	return sign_key_md5_fingerprint(keyblob, keybloblen);
@@ -482,7 +482,7 @@ char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
 }
 void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, 
-	buffer *data_buf) {
+	const buffer *data_buf) {
 	buffer *sigblob;
 	sigblob = buf_new(MAX_PUBKEY_SIZE);
@@ -517,7 +517,7 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type,
  * If FAILURE is returned, the position of
  * buf is undefined. If SUCCESS is returned, buf will be positioned after the
  * signature blob */
-int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
+int buf_verify(buffer * buf, sign_key *key, const buffer *data_buf) {
 	
 	char *type_name = NULL;
 	unsigned int type_name_len = 0;
@@ -570,7 +570,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
    of the key if it is successfully decoded */
 int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, 
 					const unsigned char* algoname, unsigned int algolen, 
-					buffer * line, char ** fingerprint) {
+					const buffer * line, char ** fingerprint) {
 	buffer * decodekey = NULL;
 	int ret = DROPBEAR_FAILURE;

signkey.h

@@ -90,14 +90,14 @@ int buf_get_priv_key(buffer* buf, sign_key *key, enum signkey_type *type);
 void buf_put_pub_key(buffer* buf, sign_key *key, enum signkey_type type);
 void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type);
 void sign_key_free(sign_key *key);
-void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, buffer *data_buf);
+void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, const buffer *data_buf);
 #if DROPBEAR_SIGNKEY_VERIFY
-int buf_verify(buffer * buf, sign_key *key, buffer *data_buf);
-char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen);
+int buf_verify(buffer * buf, sign_key *key, const buffer *data_buf);
+char * sign_key_fingerprint(const unsigned char* keyblob, unsigned int keybloblen);
 #endif
 int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, 
 					const unsigned char* algoname, unsigned int algolen, 
-					buffer * line, char ** fingerprint);
+					const buffer * line, char ** fingerprint);
 void** signkey_key_ptr(sign_key *key, enum signkey_type type);

svr-agentfwd.c

@@ -45,7 +45,7 @@
 static int send_msg_channel_open_agent(int fd);
 static int bindagent(int fd, struct ChanSess * chansess);
-static void agentaccept(struct Listener * listener, int sock);
+static void agentaccept(const struct Listener * listener, int sock);
 /* Handles client requests to start agent forwarding, sets up listening socket.
  * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
@@ -100,7 +100,7 @@ fail:
 /* accepts a connection on the forwarded socket and opens a new channel for it
  * back to the client */
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-static void agentaccept(struct Listener *UNUSED(listener), int sock) {
+static void agentaccept(const struct Listener *UNUSED(listener), int sock) {
 	int fd;
@@ -118,7 +118,7 @@ static void agentaccept(struct Listener *UNUSED(listener), int sock) {
 /* set up the environment variable pointing to the socket. This is called
  * just before command/shell execution, after dropping privileges */
-void svr_agentset(struct ChanSess * chansess) {
+void svr_agentset(const struct ChanSess * chansess) {
 	char *path = NULL;
 	int len;

svr-auth.c

@@ -81,7 +81,7 @@ static void authclear() {
 /* Send a banner message if specified to the client. The client might
  * ignore this, but possibly serves as a legal "no trespassing" sign */
-void send_msg_userauth_banner(buffer *banner) {
+void send_msg_userauth_banner(const buffer *banner) {
 	TRACE(("enter send_msg_userauth_banner"))

svr-authpubkey.c

@@ -70,11 +70,11 @@
 #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
 #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
-static int checkpubkey(char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen);
+static int checkpubkey(const char* algo, unsigned int algolen,
+		const unsigned char* keyblob, unsigned int keybloblen);
 static int checkpubkeyperms(void);
-static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen);
+static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen,
+		const unsigned char* keyblob, unsigned int keybloblen);
 static int checkfileperm(char * filename);
 /* process a pubkey auth request, sending success or failure message as
@@ -173,8 +173,8 @@ out:
 /* Reply that the key is valid for auth, this is sent when the user sends
  * a straight copy of their pubkey to test, to avoid having to perform
  * expensive signing operations with a worthless key */
-static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen) {
+static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen,
+		const unsigned char* keyblob, unsigned int keybloblen) {
 	TRACE(("enter send_msg_userauth_pk_ok"))
 	CHECKCLEARTOWRITE();
@@ -188,7 +188,7 @@ static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen,
 }
-static int checkpubkey_line(buffer* line, int line_num, char* filename,
+static int checkpubkey_line(buffer* line, int line_num, const char* filename,
 		const char* algo, unsigned int algolen,
 		const unsigned char* keyblob, unsigned int keybloblen) {
 	buffer *options_buf = NULL;
@@ -292,8 +292,8 @@ out:
 /* Checks whether a specified publickey (and associated algorithm) is an
  * acceptable key for authentication */
 /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
-static int checkpubkey(char* algo, unsigned int algolen,
-		unsigned char* keyblob, unsigned int keybloblen) {
+static int checkpubkey(const char* algo, unsigned int algolen,
+		const unsigned char* keyblob, unsigned int keybloblen) {
 	FILE * authfile = NULL;
 	char * filename = NULL;

svr-chansession.c

@@ -43,24 +43,24 @@
 static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
 		int iscmd, int issubsys);
 static int sessionpty(struct ChanSess * chansess);
-static int sessionsignal(struct ChanSess *chansess);
+static int sessionsignal(const struct ChanSess *chansess);
 static int noptycommand(struct Channel *channel, struct ChanSess *chansess);
 static int ptycommand(struct Channel *channel, struct ChanSess *chansess);
-static int sessionwinchange(struct ChanSess *chansess);
-static void execchild(void *user_data_chansess);
+static int sessionwinchange(const struct ChanSess *chansess);
+static void execchild(const void *user_data_chansess);
 static void addchildpid(struct ChanSess *chansess, pid_t pid);
 static void sesssigchild_handler(int val);
-static void closechansess(struct Channel *channel);
+static void closechansess(const struct Channel *channel);
 static int newchansess(struct Channel *channel);
 static void chansessionrequest(struct Channel *channel);
-static int sesscheckclose(struct Channel *channel);
-static void send_exitsignalstatus(struct Channel *channel);
-static void send_msg_chansess_exitstatus(struct Channel * channel,
-		struct ChanSess * chansess);
-static void send_msg_chansess_exitsignal(struct Channel * channel,
-		struct ChanSess * chansess);
-static void get_termmodes(struct ChanSess *chansess);
+static int sesscheckclose(const struct Channel *channel);
+static void send_exitsignalstatus(const struct Channel *channel);
+static void send_msg_chansess_exitstatus(const struct Channel * channel,
+		const struct ChanSess * chansess);
+static void send_msg_chansess_exitsignal(const struct Channel * channel,
+		const struct ChanSess * chansess);
+static void get_termmodes(const struct ChanSess *chansess);
 const struct ChanType svrchansess = {
 	0, /* sepfds */
@@ -74,7 +74,7 @@ const struct ChanType svrchansess = {
 /* required to clear environment */
 extern char** environ;
-static int sesscheckclose(struct Channel *channel) {
+static int sesscheckclose(const struct Channel *channel) {
 	struct ChanSess *chansess = (struct ChanSess*)channel->typedata;
 	TRACE(("sesscheckclose, pid is %d", chansess->exit.exitpid))
 	return chansess->exit.exitpid != -1;
@@ -159,7 +159,7 @@ static void sesssigchild_handler(int UNUSED(dummy)) {
 }
 /* send the exit status or the signal causing termination for a session */
-static void send_exitsignalstatus(struct Channel *channel) {
+static void send_exitsignalstatus(const struct Channel *channel) {
 	struct ChanSess *chansess = (struct ChanSess*)channel->typedata;
@@ -173,8 +173,8 @@ static void send_exitsignalstatus(struct Channel *channel) {
 }
 /* send the exitstatus to the client */
-static void send_msg_chansess_exitstatus(struct Channel * channel,
-		struct ChanSess * chansess) {
+static void send_msg_chansess_exitstatus(const struct Channel * channel,
+		const struct ChanSess * chansess) {
 	dropbear_assert(chansess->exit.exitpid != -1);
 	dropbear_assert(chansess->exit.exitsignal == -1);
@@ -192,8 +192,8 @@ static void send_msg_chansess_exitstatus(struct Channel * channel,
 }
 /* send the signal causing the exit to the client */
-static void send_msg_chansess_exitsignal(struct Channel * channel,
-		struct ChanSess * chansess) {
+static void send_msg_chansess_exitsignal(const struct Channel * channel,
+		const struct ChanSess * chansess) {
 	int i;
 	char* signame = NULL;
@@ -273,7 +273,7 @@ static int newchansess(struct Channel *channel) {
 }
 static struct logininfo* 
-chansess_login_alloc(struct ChanSess *chansess) {
+chansess_login_alloc(const struct ChanSess *chansess) {
 	struct logininfo * li;
 	li = login_alloc_entry(chansess->pid, ses.authstate.username,
 			svr_ses.remotehost, chansess->tty);
@@ -281,7 +281,7 @@ chansess_login_alloc(struct ChanSess *chansess) {
 }
 /* clean a session channel */
-static void closechansess(struct Channel *channel) {
+static void closechansess(const struct Channel *channel) {
 	struct ChanSess *chansess;
 	unsigned int i;
@@ -403,7 +403,7 @@ out:
 /* Send a signal to a session's process as requested by the client*/
-static int sessionsignal(struct ChanSess *chansess) {
+static int sessionsignal(const struct ChanSess *chansess) {
 	int sig = 0;
 	char* signame = NULL;
@@ -441,7 +441,7 @@ static int sessionsignal(struct ChanSess *chansess) {
 /* Let the process know that the window size has changed, as notified from the
  * client. Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-static int sessionwinchange(struct ChanSess *chansess) {
+static int sessionwinchange(const struct ChanSess *chansess) {
 	int termc, termr, termw, termh;
@@ -460,7 +460,7 @@ static int sessionwinchange(struct ChanSess *chansess) {
 	return DROPBEAR_SUCCESS;
 }
-static void get_termmodes(struct ChanSess *chansess) {
+static void get_termmodes(const struct ChanSess *chansess) {
 	struct termios termio;
 	unsigned char opcode;
@@ -898,7 +898,7 @@ static void addchildpid(struct ChanSess *chansess, pid_t pid) {
 /* Clean up, drop to user privileges, set up the environment and execute
  * the command/shell. This function does not return. */
-static void execchild(void *user_data) {
+static void execchild(const void *user_data) {
 	struct ChanSess *chansess = user_data;
 	char *usershell = NULL;

svr-tcpfwd.c

@@ -47,7 +47,7 @@ void recv_msg_global_request_remotetcp() {
 #endif /* !DROPBEAR_SVR_REMOTETCPFWD */
 static int svr_cancelremotetcp(void);
-static int svr_remotetcpreq(void);
+static int svr_remotetcpreq(int *allocated_listen_port);
 static int newtcpdirect(struct Channel * channel);
 #if DROPBEAR_SVR_REMOTETCPFWD
@@ -86,7 +86,16 @@ void recv_msg_global_request_remotetcp() {
 	}
 	if (strcmp("tcpip-forward", reqname) == 0) {
-		ret = svr_remotetcpreq();
+		int allocated_listen_port;
+		ret = svr_remotetcpreq(&allocated_listen_port);
+		/* client expects-port-number-to-make-use-of-server-allocated-ports */
+		if (DROPBEAR_SUCCESS == ret) {
+			CHECKCLEARTOWRITE();
+			buf_putbyte(ses.writepayload, SSH_MSG_REQUEST_SUCCESS);
+			buf_putint(ses.writepayload, allocated_listen_port);
+			encrypt_packet();
+			wantreply = 0; //so out does not do so
+	  }
 	} else if (strcmp("cancel-tcpip-forward", reqname) == 0) {
 		ret = svr_cancelremotetcp();
 	} else {
@@ -107,7 +116,7 @@ out:
 	TRACE(("leave recv_msg_global_request"))
 }
-static int matchtcp(void* typedata1, void* typedata2) {
+static int matchtcp(const void* typedata1, const void* typedata2) {
 	const struct TCPListener *info1 = (struct TCPListener*)typedata1;
 	const struct TCPListener *info2 = (struct TCPListener*)typedata2;
@@ -152,7 +161,7 @@ out:
 	return ret;
 }
-static int svr_remotetcpreq() {
+static int svr_remotetcpreq(int *allocated_listen_port) {
 	int ret = DROPBEAR_FAILURE;
 	char * request_addr = NULL;
@@ -170,19 +179,16 @@ static int svr_remotetcpreq() {
 	port = buf_getint(ses.payload);
-	if (port == 0) {
-		dropbear_log(LOG_INFO, "Server chosen tcpfwd ports are unsupported");
-		goto out;
-	}
-
-	if (port < 1 || port > 65535) {
-		TRACE(("invalid port: %d", port))
-		goto out;
-	}
-	if (!ses.allowprivport && port < IPPORT_RESERVED) {
-		TRACE(("can't assign port < 1024 for non-root"))
-		goto out;
+	if (port != 0) {
+		if (port < 1 || port > 65535) {
+			TRACE(("invalid port: %d", port))
+			goto out;
+		}
+		if (!ses.allowprivport && port < IPPORT_RESERVED) {
+			TRACE(("can't assign port < 1024 for non-root"))
+			goto out;
+		}
 	}
 	tcpinfo = (struct TCPListener*)m_malloc(sizeof(struct TCPListener));
@@ -203,6 +209,13 @@ static int svr_remotetcpreq() {
 	}
 	ret = listen_tcpfwd(tcpinfo);
+	if (DROPBEAR_SUCCESS == ret) {
+		tcpinfo->listenport = get_sock_port(ses.listeners[0]->socks[0]);
+		*allocated_listen_port = tcpinfo->listenport;
+		dropbear_log(LOG_INFO, "tcpip-forward %s:%d '%s'", 
+			((NULL == tcpinfo->listenaddr)?"localhost":tcpinfo->listenaddr), 
+			tcpinfo->listenport, ses.authstate.pw_name);
+	}
 out:
 	if (ret == DROPBEAR_FAILURE) {
@@ -211,7 +224,9 @@ out:
 		m_free(request_addr);
 		m_free(tcpinfo);
 	}
+
 	TRACE(("leave remotetcpreq"))
+
 	return ret;
 }
@@ -270,7 +285,7 @@ static int newtcpdirect(struct Channel * channel) {
 	}
 	snprintf(portstring, sizeof(portstring), "%u", destport);
-	channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel);
+	channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL);
 	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	

svr-x11fwd.c

@@ -38,9 +38,9 @@
 #define X11BASEPORT 6000
 #define X11BINDBASE 6010
-static void x11accept(struct Listener* listener, int sock);
+static void x11accept(const struct Listener* listener, int sock);
 static int bindport(int fd);
-static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr);
+static int send_msg_channel_open_x11(int fd, const struct sockaddr_in* addr);
 /* Check untrusted xauth strings for metacharacters */
 /* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */
@@ -126,7 +126,7 @@ fail:
 /* accepts a new X11 socket */
 /* returns DROPBEAR_FAILURE or DROPBEAR_SUCCESS */
-static void x11accept(struct Listener* listener, int sock) {
+static void x11accept(const struct Listener* listener, int sock) {
 	int fd;
 	struct sockaddr_in addr;
@@ -154,7 +154,7 @@ static void x11accept(struct Listener* listener, int sock) {
 /* This is called after switching to the user, and sets up the xauth
  * and environment variables.  */
-void x11setauth(struct ChanSess *chansess) {
+void x11setauth(const struct ChanSess *chansess) {
 	char display[20]; /* space for "localhost:12345.123" */
 	FILE * authprog = NULL;
@@ -220,7 +220,7 @@ static const struct ChanType chan_x11 = {
 };
-static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr) {
+static int send_msg_channel_open_x11(int fd, const struct sockaddr_in* addr) {
 	char* ipstring = NULL;

tcp-accept.c

@@ -35,7 +35,7 @@
 #if DROPBEAR_TCP_ACCEPT
-static void cleanup_tcp(struct Listener *listener) {
+static void cleanup_tcp(const struct Listener *listener) {
 	struct TCPListener *tcpinfo = (struct TCPListener*)(listener->typedata);
@@ -52,7 +52,7 @@ int tcp_prio_inithandler(struct Channel* channel)
 	return 0;
 }
-static void tcp_acceptor(struct Listener *listener, int sock) {
+static void tcp_acceptor(const struct Listener *listener, int sock) {
 	int fd;
 	struct sockaddr_storage sa;

x11fwd.h

@@ -30,7 +30,7 @@
 #include "channel.h"
 int x11req(struct ChanSess * chansess);
-void x11setauth(struct ChanSess *chansess);
+void x11setauth(const struct ChanSess *chansess);
 void x11cleanup(struct ChanSess *chansess);
 #endif /* DROPBEAR_X11FWD */