changeset 1122:aaf576b27a10

Merge pull request #13 from gazoo74/fix-warnings Fix warnings
author Matt Johnston <matt@ucc.asn.au>
date Thu, 04 Jun 2015 23:08:50 +0800
parents 1e486f368ec3 (diff) 391bb7d560c6 (current diff)
children 6aeadee3f16b
files buffer.c buffer.h cli-auth.c cli-authinteract.c cli-authpasswd.c cli-authpubkey.c cli-chansession.c cli-kex.c cli-session.c common-algo.c common-channel.c common-kex.c common-session.c dss.c ecdsa.c keyimport.c netio.c signkey.c svr-auth.c svr-authpam.c svr-authpasswd.c svr-authpubkey.c svr-chansession.c svr-kex.c svr-service.c svr-tcpfwd.c svr-x11fwd.c
diffstat 56 files changed, 201 insertions(+), 191 deletions(-) [+]
line wrap: on
line diff
--- a/algo.h	Tue May 05 20:42:38 2015 +0200
+++ b/algo.h	Thu Jun 04 23:08:50 2015 +0800
@@ -35,7 +35,7 @@
 
 struct Algo_Type {
 
-	const char *name; /* identifying name */
+	const unsigned char *name; /* identifying name */
 	char val; /* a value for this cipher, or -1 for invalid */
 	const void *data; /* algorithm specific data */
 	char usable; /* whether we can use this algorithm */
--- a/auth.h	Tue May 05 20:42:38 2015 +0200
+++ b/auth.h	Thu Jun 04 23:08:50 2015 +0800
@@ -133,7 +133,7 @@
 	int no_x11_forwarding_flag;
 	int no_pty_flag;
 	/* "command=" option. */
-	char * forced_command;
+	unsigned char * forced_command;
 };
 #endif
 
--- a/buffer.c	Tue May 05 20:42:38 2015 +0200
+++ b/buffer.c	Thu Jun 04 23:08:50 2015 +0800
@@ -203,10 +203,10 @@
 /* Return a null-terminated string, it is malloced, so must be free()ed
  * Note that the string isn't checked for null bytes, hence the retlen
  * may be longer than what is returned by strlen */
-unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
+char* buf_getstring(buffer* buf, unsigned int *retlen) {
 
 	unsigned int len;
-	unsigned char* ret;
+	char* ret;
 	len = buf_getint(buf);
 	if (len > MAX_STRING_LEN) {
 		dropbear_exit("String too long");
@@ -262,16 +262,16 @@
 }
 
 /* put a SSH style string into the buffer, increasing buffer len if required */
-void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) {
+void buf_putstring(buffer* buf, const char* str, unsigned int len) {
 	
 	buf_putint(buf, len);
-	buf_putbytes(buf, str, len);
+	buf_putbytes(buf, (const unsigned char*)str, len);
 
 }
 
 /* puts an entire buffer as a SSH string. ignore pos of buf_str. */
 void buf_putbufstring(buffer *buf, const buffer* buf_str) {
-	buf_putstring(buf, buf_str->data, buf_str->len);
+	buf_putstring(buf, (const char*)buf_str->data, buf_str->len);
 }
 
 /* put the set of len bytes into the buffer, incrementing the pos, increasing
--- a/buffer.h	Tue May 05 20:42:38 2015 +0200
+++ b/buffer.h	Thu Jun 04 23:08:50 2015 +0800
@@ -56,11 +56,11 @@
 void buf_putbyte(buffer* buf, unsigned char val);
 unsigned char* buf_getptr(buffer* buf, unsigned int len);
 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len);
-unsigned char* buf_getstring(buffer* buf, unsigned int *retlen);
+char* buf_getstring(buffer* buf, unsigned int *retlen);
 buffer * buf_getstringbuf(buffer *buf);
 void buf_eatstring(buffer *buf);
 void buf_putint(buffer* buf, unsigned int val);
-void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len);
+void buf_putstring(buffer* buf, const char* str, unsigned int len);
 void buf_putbufstring(buffer *buf, const buffer* buf_str);
 void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len);
 void buf_putmpint(buffer* buf, mp_int * mp);
--- a/channel.h	Tue May 05 20:42:38 2015 +0200
+++ b/channel.h	Thu Jun 04 23:08:50 2015 +0800
@@ -135,7 +135,7 @@
 void recv_msg_channel_open_confirmation();
 void recv_msg_channel_open_failure();
 #endif
-void start_send_channel_request(struct Channel *channel, char *type);
+void start_send_channel_request(struct Channel *channel, unsigned char *type);
 
 void send_msg_request_success();
 void send_msg_request_failure();
--- a/chansession.h	Tue May 05 20:42:38 2015 +0200
+++ b/chansession.h	Thu Jun 04 23:08:50 2015 +0800
@@ -39,14 +39,14 @@
 
 struct ChanSess {
 
-	char * cmd; /* command to exec */
+	unsigned char * cmd; /* command to exec */
 	pid_t pid; /* child process pid */
 
 	/* pty details */
 	int master; /* the master terminal fd*/
 	int slave;
-	char * tty;
-	char * term;
+	unsigned char * tty;
+	unsigned char * term;
 
 	/* exit details */
 	struct exitinfo exit;
--- a/cli-auth.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-auth.c	Thu Jun 04 23:08:50 2015 +0800
@@ -43,11 +43,11 @@
 	TRACE(("enter cli_auth_getmethods"))
 	CHECKCLEARTOWRITE();
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
-	buf_putstring(ses.writepayload, (const unsigned char *)cli_opts.username,
+	buf_putstring(ses.writepayload, cli_opts.username,
 			strlen(cli_opts.username));
-	buf_putstring(ses.writepayload, (const unsigned char *)SSH_SERVICE_CONNECTION,
+	buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
 			SSH_SERVICE_CONNECTION_LEN);
-	buf_putstring(ses.writepayload, (const unsigned char *)"none", 4); /* 'none' method */
+	buf_putstring(ses.writepayload, "none", 4); /* 'none' method */
 
 	encrypt_packet();
 
@@ -85,7 +85,7 @@
 		return;
 	}
 
-	banner = (char *)buf_getstring(ses.payload, &bannerlen);
+	banner = buf_getstring(ses.payload, &bannerlen);
 	buf_eatstring(ses.payload); /* The language string */
 
 	if (bannerlen > MAX_BANNER_SIZE) {
@@ -201,7 +201,7 @@
 		cli_ses.lastauthtype = AUTH_TYPE_NONE;
 	}
 
-	methods = (char *)buf_getstring(ses.payload, &methlen);
+	methods = buf_getstring(ses.payload, &methlen);
 
 	partial = buf_getbool(ses.payload);
 
--- a/cli-authinteract.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-authinteract.c	Thu Jun 04 23:08:50 2015 +0800
@@ -84,8 +84,8 @@
 	}
 	cli_ses.interact_request_received = 1;
 
-	name = (char *)buf_getstring(ses.payload, NULL);
-	instruction = (char *)buf_getstring(ses.payload, NULL);
+	name = buf_getstring(ses.payload, NULL);
+	instruction = buf_getstring(ses.payload, NULL);
 
 	/* language tag */
 	buf_eatstring(ses.payload);
@@ -115,7 +115,7 @@
 
 	for (i = 0; i < num_prompts; i++) {
 		unsigned int response_len = 0;
-		prompt = (char *)buf_getstring(ses.payload, NULL);
+		prompt = buf_getstring(ses.payload, NULL);
 		cleantext(prompt);
 
 		echo = buf_getbool(ses.payload);
@@ -129,7 +129,7 @@
 		}
 
 		response_len = strlen(response);
-		buf_putstring(ses.writepayload, (const unsigned char *)response, response_len);
+		buf_putstring(ses.writepayload, response, response_len);
 		m_burn(response, response_len);
 		m_free(prompt);
 		m_free(response);
@@ -149,22 +149,22 @@
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
 
 	/* username */
-	buf_putstring(ses.writepayload, (const unsigned char *)cli_opts.username,
+	buf_putstring(ses.writepayload, cli_opts.username,
 			strlen(cli_opts.username));
 
 	/* service name */
-	buf_putstring(ses.writepayload, (const unsigned char *)SSH_SERVICE_CONNECTION,
+	buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
 			SSH_SERVICE_CONNECTION_LEN);
 
 	/* method */
-	buf_putstring(ses.writepayload, (const unsigned char *)AUTH_METHOD_INTERACT,
+	buf_putstring(ses.writepayload, AUTH_METHOD_INTERACT,
 			AUTH_METHOD_INTERACT_LEN);
 
 	/* empty language tag */
-	buf_putstring(ses.writepayload, (const unsigned char *)"", 0);
+	buf_putstring(ses.writepayload, "", 0);
 
 	/* empty submethods */
-	buf_putstring(ses.writepayload, (const unsigned char *)"", 0);
+	buf_putstring(ses.writepayload, "", 0);
 
 	encrypt_packet();
 	cli_ses.interact_request_received = 0;
--- a/cli-authpasswd.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-authpasswd.c	Thu Jun 04 23:08:50 2015 +0800
@@ -140,18 +140,18 @@
 
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
 
-	buf_putstring(ses.writepayload, (const unsigned char *)cli_opts.username,
+	buf_putstring(ses.writepayload, cli_opts.username,
 			strlen(cli_opts.username));
 
-	buf_putstring(ses.writepayload, (const unsigned char *)SSH_SERVICE_CONNECTION,
+	buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
 			SSH_SERVICE_CONNECTION_LEN);
 
-	buf_putstring(ses.writepayload, (const unsigned char *)AUTH_METHOD_PASSWORD,
+	buf_putstring(ses.writepayload, AUTH_METHOD_PASSWORD,
 			AUTH_METHOD_PASSWORD_LEN);
 
 	buf_putbyte(ses.writepayload, 0); /* FALSE - so says the spec */
 
-	buf_putstring(ses.writepayload, (const unsigned char *)password, strlen(password));
+	buf_putstring(ses.writepayload, password, strlen(password));
 
 	encrypt_packet();
 	m_burn(password, strlen(password));
--- a/cli-authpubkey.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-authpubkey.c	Thu Jun 04 23:08:50 2015 +0800
@@ -63,7 +63,7 @@
 
 	TRACE(("enter recv_msg_userauth_pk_ok"))
 
-	algotype = (char *)buf_getstring(ses.payload, &algolen);
+	algotype = buf_getstring(ses.payload, &algolen);
 	keytype = signkey_type_from_name(algotype, algolen);
 	TRACE(("recv_msg_userauth_pk_ok: type %d", keytype))
 	m_free(algotype);
@@ -149,20 +149,20 @@
 
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
 
-	buf_putstring(ses.writepayload, (const unsigned char *)cli_opts.username,
+	buf_putstring(ses.writepayload, cli_opts.username,
 			strlen(cli_opts.username));
 
-	buf_putstring(ses.writepayload, (const unsigned char *)SSH_SERVICE_CONNECTION,
+	buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
 			SSH_SERVICE_CONNECTION_LEN);
 
-	buf_putstring(ses.writepayload, (const unsigned char *)AUTH_METHOD_PUBKEY,
+	buf_putstring(ses.writepayload, AUTH_METHOD_PUBKEY,
 			AUTH_METHOD_PUBKEY_LEN);
 
 	buf_putbyte(ses.writepayload, realsign);
 
 	algoname = signkey_name_from_type(type, &algolen);
 
-	buf_putstring(ses.writepayload, (const unsigned char *)algoname, algolen);
+	buf_putstring(ses.writepayload, algoname, algolen);
 	buf_put_pub_key(ses.writepayload, key, type);
 
 	if (realsign) {
--- a/cli-chansession.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-chansession.c	Thu Jun 04 23:08:50 2015 +0800
@@ -61,7 +61,7 @@
 
 	TRACE(("enter cli_chansessreq"))
 
-	type = (char *) buf_getstring(ses.payload, NULL);
+	type = buf_getstring(ses.payload, NULL);
 	wantreply = buf_getbool(ses.payload);
 
 	if (strcmp(type, "exit-status") == 0) {
@@ -261,7 +261,7 @@
 			CHECKCLEARTOWRITE();
 			buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
 			buf_putint(ses.writepayload, channel->remotechan);
-			buf_putstring(ses.writepayload, (const unsigned char *) "window-change", 13);
+			buf_putstring(ses.writepayload, "window-change", 13);
 			buf_putbyte(ses.writepayload, 0); /* FALSE says the spec */
 			put_winsize();
 			encrypt_packet();
@@ -286,7 +286,7 @@
 	if (term == NULL) {
 		term = "vt100"; /* Seems a safe default */
 	}
-	buf_putstring(ses.writepayload, (const unsigned char *)term, strlen(term));
+	buf_putstring(ses.writepayload, term, strlen(term));
 
 	/* Window size */
 	put_winsize();
@@ -324,7 +324,7 @@
 	/* XXX TODO */
 	buf_putbyte(ses.writepayload, 0); /* Don't want replies */
 	if (cli_opts.cmd) {
-		buf_putstring(ses.writepayload, (const unsigned char *)cli_opts.cmd, strlen(cli_opts.cmd));
+		buf_putstring(ses.writepayload, cli_opts.cmd, strlen(cli_opts.cmd));
 	}
 
 	encrypt_packet();
@@ -403,12 +403,12 @@
 		dropbear_exit("Couldn't open initial channel");
 	}
 
-	buf_putstring(ses.writepayload, (const unsigned char *)cli_opts.netcat_host,
+	buf_putstring(ses.writepayload, cli_opts.netcat_host,
 			strlen(cli_opts.netcat_host));
 	buf_putint(ses.writepayload, cli_opts.netcat_port);
 
 	/* originator ip - localhost is accurate enough */
-	buf_putstring(ses.writepayload, (const unsigned char *)source_host, strlen(source_host));
+	buf_putstring(ses.writepayload, source_host, strlen(source_host));
 	buf_putint(ses.writepayload, source_port);
 
 	encrypt_packet();
--- a/cli-kex.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-kex.c	Thu Jun 04 23:08:50 2015 +0800
@@ -79,7 +79,7 @@
 				}
 				cli_ses.curve25519_param = gen_kexcurve25519_param();
 			}
-			buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, (const char*)cli_ses.curve25519_param->pub, CURVE25519_LEN);
 #endif
 			break;
 	}
@@ -322,7 +322,7 @@
 		}
 
 		/* Compare hostnames */
-		if (strncmp(cli_opts.remotehost, (const char *) buf_getptr(line, hostlen),
+		if (strncmp(cli_opts.remotehost, buf_getptr(line, hostlen),
 					hostlen) != 0) {
 			continue;
 		}
@@ -334,7 +334,7 @@
 			continue;
 		}
 
-		if (strncmp((const char *) buf_getptr(line, algolen), algoname, algolen) != 0) {
+		if (strncmp(buf_getptr(line, algolen), algoname, algolen) != 0) {
 			TRACE(("algo doesn't match"))
 			continue;
 		}
@@ -346,7 +346,7 @@
 		}
 
 		/* Now we're at the interesting hostkey */
-		ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algoname, algolen,
+		ret = cmp_base64_key(keyblob, keybloblen, algoname, algolen,
 						line, &fingerprint);
 
 		if (ret == DROPBEAR_SUCCESS) {
@@ -382,9 +382,9 @@
 		fseek(hostsfile, 0, SEEK_END); /* In case it wasn't opened append */
 		buf_setpos(line, 0);
 		buf_setlen(line, 0);
-		buf_putbytes(line, (const unsigned char *) cli_opts.remotehost, hostlen);
+		buf_putbytes(line, cli_opts.remotehost, hostlen);
 		buf_putbyte(line, ' ');
-		buf_putbytes(line, (const unsigned char *) algoname, algolen);
+		buf_putbytes(line, algoname, algolen);
 		buf_putbyte(line, ' ');
 		len = line->size - line->pos;
 		/* The only failure with base64 is buffer_overflow, but buf_getwriteptr
--- a/cli-runopts.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-runopts.c	Thu Jun 04 23:08:50 2015 +0800
@@ -447,7 +447,7 @@
 	}
 #endif
 
-#ifdef DROPBEAR_DEFAULT_CLI_AUTHKEY
+#if defined(DROPBEAR_DEFAULT_CLI_AUTHKEY) && defined(ENABLE_CLI_PUBKEY_AUTH)
 	{
 		char *expand_path = expand_tilde(DROPBEAR_DEFAULT_CLI_AUTHKEY);
 		loadidentityfile(expand_path, 0);
@@ -498,11 +498,14 @@
 	m_list_elem *iter;
 	/* Fill out -i, -y, -W options that make sense for all
 	 * the intermediate processes */
+#ifdef ENABLE_CLI_PUBKEY_AUTH
 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
 	{
 		sign_key * key = (sign_key*)iter->item;
 		len += 3 + strlen(key->filename);
 	}
+#endif /* ENABLE_CLI_PUBKEY_AUTH */
+
 	len += 30; /* space for -W <size>, terminator. */
 	ret = m_malloc(len);
 	total = 0;
@@ -524,6 +527,7 @@
 		total += written;
 	}
 
+#ifdef ENABLE_CLI_PUBKEY_AUTH
 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
 	{
 		sign_key * key = (sign_key*)iter->item;
@@ -532,6 +536,7 @@
 		dropbear_assert((unsigned int)written < size);
 		total += written;
 	}
+#endif /* ENABLE_CLI_PUBKEY_AUTH */
 
 	/* if args were passed, total will be not zero, and it will have a space at the end, so remove that */
 	if (total > 0) 
--- a/cli-session.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-session.c	Thu Jun 04 23:08:50 2015 +0800
@@ -124,6 +124,8 @@
 	/* Exchange identification */
 	send_session_identification();
 
+	kexfirstinitialise(); /* initialise the kex state */
+
 	send_msg_kexinit();
 
 	session_loop(cli_sessionloop);
@@ -192,7 +194,7 @@
 	CHECKCLEARTOWRITE();
 
 	buf_putbyte(ses.writepayload, SSH_MSG_SERVICE_REQUEST);
-	buf_putstring(ses.writepayload, (const unsigned char *)servicename, strlen(servicename));
+	buf_putstring(ses.writepayload, servicename, strlen(servicename));
 
 	encrypt_packet();
 	TRACE(("leave send_msg_service_request"))
--- a/cli-tcpfwd.c	Tue May 05 20:42:38 2015 +0200
+++ b/cli-tcpfwd.c	Thu Jun 04 23:08:50 2015 +0800
@@ -136,9 +136,9 @@
 
 	CHECKCLEARTOWRITE();
 	buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST);
-	buf_putstring(ses.writepayload, (const unsigned char *)"tcpip-forward", 13);
+	buf_putstring(ses.writepayload, "tcpip-forward", 13);
 	buf_putbyte(ses.writepayload, 1); /* want_reply */
-	buf_putstring(ses.writepayload, (const unsigned char *)addr, strlen(addr));
+	buf_putstring(ses.writepayload, addr, strlen(addr));
 	buf_putint(ses.writepayload, port);
 
 	encrypt_packet();
@@ -218,7 +218,7 @@
 	char portstring[NI_MAXSERV];
 	int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
 
-	origaddr = (char *)buf_getstring(ses.payload, NULL);
+	origaddr = buf_getstring(ses.payload, NULL);
 	origport = buf_getint(ses.payload);
 
 	/* Find which port corresponds. First try and match address as well as port,
--- a/common-algo.c	Tue May 05 20:42:38 2015 +0200
+++ b/common-algo.c	Thu Jun 04 23:08:50 2015 +0800
@@ -144,12 +144,15 @@
 #ifdef DROPBEAR_AES256
 	{"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
 #endif
+#ifdef DROPBEAR_TWOFISH_CTR
+/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */
 #ifdef DROPBEAR_TWOFISH256
 	{"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
 #endif
 #ifdef DROPBEAR_TWOFISH128
 	{"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
 #endif
+#endif /* DROPBEAR_TWOFISH_CTR */
 #endif /* DROPBEAR_ENABLE_CTR_MODE */
 
 #ifdef DROPBEAR_ENABLE_CBC_MODE
@@ -325,7 +328,7 @@
 			buf_putbytes(algolist, (const unsigned char *) localalgos[i].name, len);
 		}
 	}
-	buf_putstring(buf, algolist->data, algolist->len);
+	buf_putstring(buf, (const char*)algolist->data, algolist->len);
 	buf_free(algolist);
 }
 
@@ -350,7 +353,7 @@
 	}
 
 	/* get the comma-separated list from the buffer ie "algo1,algo2,algo3" */
-	algolist = (char *) buf_getstring(buf, &len);
+	algolist = buf_getstring(buf, &len);
 	TRACE(("buf_match_algo: %s", algolist))
 	if (len > MAX_PROPOSED_ALGO*(MAX_NAME_LEN+1)) {
 		goto out;
--- a/common-channel.c	Tue May 05 20:42:38 2015 +0200
+++ b/common-channel.c	Thu Jun 04 23:08:50 2015 +0800
@@ -934,7 +934,7 @@
 	TRACE(("enter recv_msg_channel_open"))
 
 	/* get the packet contents */
-	type = (char *) buf_getstring(ses.payload, &typelen);
+	type = buf_getstring(ses.payload, &typelen);
 
 	remotechan = buf_getint(ses.payload);
 	transwindow = buf_getint(ses.payload);
@@ -1047,8 +1047,8 @@
 	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_OPEN_FAILURE);
 	buf_putint(ses.writepayload, remotechan);
 	buf_putint(ses.writepayload, reason);
-	buf_putstring(ses.writepayload, (const unsigned char *) text, strlen(text));
-	buf_putstring(ses.writepayload, (const unsigned char *) lang, strlen(lang));
+	buf_putstring(ses.writepayload, text, strlen(text));
+	buf_putstring(ses.writepayload, lang, strlen(lang));
 
 	encrypt_packet();
 	TRACE(("leave send_msg_channel_open_failure"))
@@ -1149,7 +1149,7 @@
 	CHECKCLEARTOWRITE();
 
 	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_OPEN);
-	buf_putstring(ses.writepayload, (const unsigned char *) type->name, strlen(type->name));
+	buf_putstring(ses.writepayload, type->name, strlen(type->name));
 	buf_putint(ses.writepayload, chan->index);
 	buf_putint(ses.writepayload, opts.recv_window);
 	buf_putint(ses.writepayload, RECV_MAX_CHANNEL_DATA_LEN);
@@ -1250,6 +1250,6 @@
 	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
 	buf_putint(ses.writepayload, channel->remotechan);
 
-	buf_putstring(ses.writepayload, (const unsigned char *) type, strlen(type));
+	buf_putstring(ses.writepayload, type, strlen(type));
 
 }
--- a/common-kex.c	Tue May 05 20:42:38 2015 +0200
+++ b/common-kex.c	Thu Jun 04 23:08:50 2015 +0800
@@ -128,10 +128,10 @@
 	buf_put_algolist(ses.writepayload, ses.compress_algos);
 
 	/* languages_client_to_server */
-	buf_putstring(ses.writepayload, (const unsigned char *) "", 0);
+	buf_putstring(ses.writepayload, "", 0);
 
 	/* languages_server_to_client */
-	buf_putstring(ses.writepayload, (const unsigned char *) "", 0);
+	buf_putstring(ses.writepayload, "", 0);
 
 	/* first_kex_packet_follows */
 	buf_putbyte(ses.writepayload, (ses.send_kex_first_guess != NULL));
@@ -511,7 +511,7 @@
 
 	/* start the kex hash */
 	local_ident_len = strlen(LOCAL_IDENT);
-	remote_ident_len = strlen(ses.remoteident);
+	remote_ident_len = strlen((char*)ses.remoteident);
 
 	kexhashbuf_len = local_ident_len + remote_ident_len
 		+ ses.transkexinit->len + ses.payload->len
@@ -525,18 +525,17 @@
 		read_kex_algos();
 
 		/* V_C, the client's version string (CR and NL excluded) */
-	    buf_putstring(ses.kexhashbuf,
-			(unsigned char*)LOCAL_IDENT, local_ident_len);
+	    buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
 		/* V_S, the server's version string (CR and NL excluded) */
-	    buf_putstring(ses.kexhashbuf, (unsigned char*)ses.remoteident, remote_ident_len);
+	    buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
 
 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
 	    buf_putstring(ses.kexhashbuf,
-			ses.transkexinit->data, ses.transkexinit->len);
+			(const char*)ses.transkexinit->data, ses.transkexinit->len);
 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
 	    buf_setpos(ses.payload, ses.payload_beginning);
 	    buf_putstring(ses.kexhashbuf, 
-	    	buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
+	    	(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
 	    	ses.payload->len-ses.payload->pos);
 		ses.requirenext = SSH_MSG_KEXDH_REPLY;
 	} else {
@@ -545,20 +544,19 @@
 		/* read the peer's choice of algos */
 		read_kex_algos();
 		/* V_C, the client's version string (CR and NL excluded) */
-	    buf_putstring(ses.kexhashbuf, (unsigned char*)ses.remoteident, remote_ident_len);
+	    buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
 		/* V_S, the server's version string (CR and NL excluded) */
-	    buf_putstring(ses.kexhashbuf, 
-				(unsigned char*)LOCAL_IDENT, local_ident_len);
+	    buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
 
 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
 	    buf_setpos(ses.payload, ses.payload_beginning);
 	    buf_putstring(ses.kexhashbuf, 
-	    	buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
+	    	(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
 	    	ses.payload->len-ses.payload->pos);
 
 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
 	    buf_putstring(ses.kexhashbuf,
-			ses.transkexinit->data, ses.transkexinit->len);
+			(const char*)ses.transkexinit->data, ses.transkexinit->len);
 
 		ses.requirenext = SSH_MSG_KEXDH_INIT;
 	}
@@ -783,9 +781,9 @@
 	/* K_S, the host key */
 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
 	/* Q_C, client's ephemeral public key octet string */
-	buf_putstring(ses.kexhashbuf, Q_C, CURVE25519_LEN);
+	buf_putstring(ses.kexhashbuf, (const char*)Q_C, CURVE25519_LEN);
 	/* Q_S, server's ephemeral public key octet string */
-	buf_putstring(ses.kexhashbuf, Q_S, CURVE25519_LEN);
+	buf_putstring(ses.kexhashbuf, (const char*)Q_S, CURVE25519_LEN);
 	/* K, the shared secret */
 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
 
--- a/common-session.c	Tue May 05 20:42:38 2015 +0200
+++ b/common-session.c	Thu Jun 04 23:08:50 2015 +0800
@@ -90,8 +90,6 @@
 	ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[0]);
 	ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[1]);
 	
-	kexfirstinitialise(); /* initialise the kex state */
-
 	ses.writepayload = buf_new(TRANS_MAX_PAYLOAD_LEN);
 	ses.transseq = 0;
 
@@ -469,7 +467,7 @@
 		/* Some peers will reply with SSH_MSG_REQUEST_FAILURE, 
 		some will reply with SSH_MSG_UNIMPLEMENTED, some will exit. */
 		buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST); 
-		buf_putstring(ses.writepayload, (const unsigned char *) DROPBEAR_KEEPALIVE_STRING,
+		buf_putstring(ses.writepayload, DROPBEAR_KEEPALIVE_STRING,
 			strlen(DROPBEAR_KEEPALIVE_STRING));
 	}
 	buf_putbyte(ses.writepayload, 1); /* want_reply */
--- a/configure.ac	Tue May 05 20:42:38 2015 +0200
+++ b/configure.ac	Thu Jun 04 23:08:50 2015 +0800
@@ -265,7 +265,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 		]],
-		[[ if (sizeof(struct sockaddr_storage)) return 0 ]])],
+		[[ struct sockaddr_storage s; ]])],
 		[ ac_cv_have_struct_sockaddr_storage="yes" ],
 		[ ac_cv_have_struct_sockaddr_storage="no" ]
 	)
@@ -279,7 +279,7 @@
 #include <sys/types.h>
 #include <netinet/in.h>
 		]],
-		[[ if (sizeof(struct sockaddr_in6)) return 0 ]])],
+		[[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
 		[ ac_cv_have_struct_sockaddr_in6="yes" ],
 		[ ac_cv_have_struct_sockaddr_in6="no" ]
 	)
@@ -293,7 +293,7 @@
 #include <sys/types.h>
 #include <netinet/in.h>
 		]],
-		[[ if (sizeof(struct in6_addr)) return 0 ]])],
+		[[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
 		[ ac_cv_have_struct_in6_addr="yes" ],
 		[ ac_cv_have_struct_in6_addr="no" ]
 	)
@@ -308,7 +308,7 @@
 #include <sys/socket.h>
 #include <netdb.h>
 		]],
-		[[ if (sizeof(struct addrinfo)) return 0 ]])],
+		[[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
 		[ ac_cv_have_struct_addrinfo="yes" ],
 		[ ac_cv_have_struct_addrinfo="no" ]
 	)
--- a/dbrandom.c	Tue May 05 20:42:38 2015 +0200
+++ b/dbrandom.c	Thu Jun 04 23:08:50 2015 +0800
@@ -141,7 +141,7 @@
 	return ret;
 }
 
-void addrandom(unsigned char * buf, unsigned int len)
+void addrandom(char * buf, unsigned int len)
 {
 	hash_state hs;
 
--- a/dbrandom.h	Tue May 05 20:42:38 2015 +0200
+++ b/dbrandom.h	Thu Jun 04 23:08:50 2015 +0800
@@ -29,7 +29,7 @@
 
 void seedrandom();
 void genrandom(unsigned char* buf, unsigned int len);
-void addrandom(unsigned char * buf, unsigned int len);
+void addrandom(char * buf, unsigned int len);
 void gen_random_mpint(mp_int *max, mp_int *rand);
 
 #endif /* DROPBEAR_RANDOM_H_ */
--- a/dss.c	Tue May 05 20:42:38 2015 +0200
+++ b/dss.c	Thu Jun 04 23:08:50 2015 +0800
@@ -136,7 +136,7 @@
 void buf_put_dss_pub_key(buffer* buf, dropbear_dss_key *key) {
 
 	dropbear_assert(key != NULL);
-	buf_putstring(buf, (const unsigned char*) SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN);
+	buf_putstring(buf, SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN);
 	buf_putmpint(buf, key->p);
 	buf_putmpint(buf, key->q);
 	buf_putmpint(buf, key->g);
@@ -173,7 +173,7 @@
 	m_mp_init_multi(&val1, &val2, &val3, &val4, NULL);
 
 	/* get blob, check length */
-	string = (char*) buf_getstring(buf, &stringlen);
+	string = buf_getstring(buf, &stringlen);
 	if (stringlen != 2*SHA1_HASH_SIZE) {
 		goto out;
 	}
@@ -310,7 +310,7 @@
 		dropbear_exit("DSS error");
 	}
 
-	buf_putstring(buf, (const unsigned char*) SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN);
+	buf_putstring(buf, SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN);
 	buf_putint(buf, 2*SHA1_HASH_SIZE);
 
 	writelen = mp_unsigned_bin_size(&dss_r);
--- a/ecc.h	Tue May 05 20:42:38 2015 +0200
+++ b/ecc.h	Thu Jun 04 23:08:50 2015 +0800
@@ -12,7 +12,7 @@
 	int ltc_size; /* to match the byte sizes in ltc_ecc_sets[] */
 	const ltc_ecc_set_type *dp; /* curve domain parameters */
 	const struct ltc_hash_descriptor *hash_desc;
-	const char *name;
+	const unsigned char *name;
 };
 
 extern struct dropbear_ecc_curve ecc_curve_nistp256;
--- a/ecdsa.c	Tue May 05 20:42:38 2015 +0200
+++ b/ecdsa.c	Thu Jun 04 23:08:50 2015 +0800
@@ -83,9 +83,9 @@
 	ecc_key *new_key = NULL;
 
 	/* string   "ecdsa-sha2-[identifier]" */
-	key_ident = buf_getstring(buf, &key_ident_len);
+	key_ident = (unsigned char*)buf_getstring(buf, &key_ident_len);
 	/* string   "[identifier]" */
-	identifier = buf_getstring(buf, &identifier_len);
+	identifier = (unsigned char*)buf_getstring(buf, &identifier_len);
 
 	if (key_ident_len != identifier_len + strlen("ecdsa-sha2-")) {
 		TRACE(("Bad identifier lengths"))
@@ -144,8 +144,8 @@
 
 	curve = curve_for_dp(key->dp);
 	snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
-	buf_putstring(buf, (const unsigned char *) key_ident, strlen(key_ident));
-	buf_putstring(buf, (const unsigned char *) curve->name, strlen(curve->name));
+	buf_putstring(buf, key_ident, strlen(key_ident));
+	buf_putstring(buf, curve->name, strlen(curve->name));
 	buf_put_ecc_raw_pubkey_string(buf, key);
 }
 
@@ -223,7 +223,7 @@
 	}
 
 	snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
-	buf_putstring(buf, (const unsigned char *) key_ident, strlen(key_ident));
+	buf_putstring(buf, key_ident, strlen(key_ident));
 	/* enough for nistp521 */
 	sigbuf = buf_new(200);
 	buf_putmpint(sigbuf, (mp_int*)r);
--- a/gendss.c	Tue May 05 20:42:38 2015 +0200
+++ b/gendss.c	Thu Jun 04 23:08:50 2015 +0800
@@ -67,7 +67,7 @@
 
 static void getq(dropbear_dss_key *key) {
 
-	unsigned char buf[QSIZE];
+	char buf[QSIZE];
 
 	/* 160 bit prime */
 	genrandom(buf, QSIZE);
--- a/keyimport.c	Tue May 05 20:42:38 2015 +0200
+++ b/keyimport.c	Thu Jun 04 23:08:50 2015 +0800
@@ -193,7 +193,7 @@
 static void base64_encode_fp(FILE * fp, unsigned char *data,
 		int datalen, int cpl)
 {
-	unsigned char out[100];
+    char out[100];
     int n;
 	unsigned long outlen;
 	int rawcpl;
@@ -445,7 +445,7 @@
 						ret->keyblob_size);
 			}
 			outlen = ret->keyblob_size - ret->keyblob_len;
-			if (base64_decode((const unsigned char *)buffer, len,
+			if (base64_decode(buffer, len, 
 						ret->keyblob + ret->keyblob_len, &outlen) != CRYPT_OK){
 				errmsg = "Error decoding base64";
 				goto error;
@@ -507,7 +507,7 @@
 	int i, num_integers = 0;
 	sign_key *retval = NULL;
 	char *errmsg;
-	unsigned char *modptr = NULL;
+	char *modptr = NULL;
 	int modlen = -9999;
 	enum signkey_type type;
 
@@ -602,13 +602,13 @@
 
 #ifdef DROPBEAR_DSS
 	if (key->type == OSSH_DSA) {
-		buf_putstring(blobbuf, (const unsigned char *)"ssh-dss", 7);
+		buf_putstring(blobbuf, "ssh-dss", 7);
 		retkey->type = DROPBEAR_SIGNKEY_DSS;
 	} 
 #endif
 #ifdef DROPBEAR_RSA
 	if (key->type == OSSH_RSA) {
-		buf_putstring(blobbuf, (const unsigned char *)"ssh-rsa", 7);
+		buf_putstring(blobbuf, "ssh-rsa", 7);
 		retkey->type = DROPBEAR_SIGNKEY_RSA;
 	}
 #endif
@@ -646,12 +646,12 @@
 			 */
 			if (i == 1) {
 				/* Save the details for after we deal with number 2. */
-				modptr = p;
+				modptr = (char *)p;
 				modlen = len;
 			} else if (i >= 2 && i <= 5) {
-				buf_putstring(blobbuf, p, len);
+				buf_putstring(blobbuf, (const char*)p, len);
 				if (i == 2) {
-					buf_putstring(blobbuf, modptr, modlen);
+					buf_putstring(blobbuf, (const char*)modptr, modlen);
 				}
 			}
 		} else if (key->type == OSSH_DSA) {
@@ -659,7 +659,7 @@
 			 * OpenSSH key order is p, q, g, y, x,
 			 * we want the same.
 			 */
-			buf_putstring(blobbuf, p, len);
+			buf_putstring(blobbuf, (const char*)p, len);
 		}
 
 		/* Skip past the number. */
@@ -1043,7 +1043,7 @@
 		int curve_oid_len = 0;
 		const void* curve_oid = NULL;
 		unsigned long pubkey_size = 2*curve_size+1;
-		int k_size;
+		unsigned int k_size;
 		int err = 0;
 
 		/* version. less than 10 bytes */
--- a/libtomcrypt/src/ciphers/aes/aes.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/ciphers/aes/aes.c	Thu Jun 04 23:08:50 2015 +0800
@@ -122,10 +122,9 @@
  */
 int SETUP(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey)
 {
-    int i;
+    int i, j;
     ulong32 temp, *rk;
 #ifndef ENCRYPT_ONLY
-    int j;
     ulong32 *rrk;
 #endif    
     LTC_ARGCHK(key  != NULL);
@@ -149,9 +148,7 @@
     LOAD32H(rk[2], key +  8);
     LOAD32H(rk[3], key + 12);
     if (keylen == 16) {
-        #ifndef ENCRYPT_ONLY
         j = 44;
-        #endif
         for (;;) {
             temp  = rk[3];
             rk[4] = rk[0] ^ setup_mix(temp) ^ rcon[i];
@@ -164,9 +161,7 @@
             rk += 4;
         }
     } else if (keylen == 24) {
-        #ifndef ENCRYPT_ONLY
         j = 52;   
-        #endif
         LOAD32H(rk[4], key + 16);
         LOAD32H(rk[5], key + 20);
         for (;;) {
@@ -187,9 +182,7 @@
             rk += 6;
         }
     } else if (keylen == 32) {
-        #ifndef ENCRYPT_ONLY
         j = 60;
-        #endif
         LOAD32H(rk[4], key + 16);
         LOAD32H(rk[5], key + 20);
         LOAD32H(rk[6], key + 24);
@@ -735,7 +728,6 @@
 */
 void ECB_DONE(symmetric_key *skey)
 {
-   (void)skey;
 }
 
 
--- a/libtomcrypt/src/ciphers/des.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/ciphers/des.c	Thu Jun 04 23:08:50 2015 +0800
@@ -1871,7 +1871,6 @@
 */
 void des3_done(symmetric_key *skey)
 {
-   (void)skey;
 }
 
 
--- a/libtomcrypt/src/ciphers/twofish/twofish.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/ciphers/twofish/twofish.c	Thu Jun 04 23:08:50 2015 +0800
@@ -684,7 +684,6 @@
 */
 void twofish_done(symmetric_key *skey)
 {
-   (void)skey;
 }
 
 /**
--- a/libtomcrypt/src/hashes/helper/hash_file.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/hashes/helper/hash_file.c	Thu Jun 04 23:08:50 2015 +0800
@@ -25,7 +25,6 @@
 int hash_file(int hash, const char *fname, unsigned char *out, unsigned long *outlen)
 {
 #ifdef LTC_NO_FILE
-    (void)hash; (void)fname; (void)out; (void)outlen;
     return CRYPT_NOP;
 #else
     FILE *in;
--- a/libtomcrypt/src/hashes/helper/hash_filehandle.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/hashes/helper/hash_filehandle.c	Thu Jun 04 23:08:50 2015 +0800
@@ -26,7 +26,6 @@
 int hash_filehandle(int hash, FILE *in, unsigned char *out, unsigned long *outlen)
 {
 #ifdef LTC_NO_FILE
-    (void)hash; (void)in; (void)out; (void)outlen;
     return CRYPT_NOP;
 #else
     hash_state md;
--- a/libtomcrypt/src/mac/hmac/hmac_file.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/mac/hmac/hmac_file.c	Thu Jun 04 23:08:50 2015 +0800
@@ -32,7 +32,6 @@
                     unsigned char *out, unsigned long *outlen)
 {
 #ifdef LTC_NO_FILE
-    (void)hash; (void)fname; (void)key; (void)keylen; (void)out; (void)outlen;
     return CRYPT_NOP;
 #else
    hmac_state hmac;
--- a/libtomcrypt/src/misc/crypt/crypt_argchk.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/misc/crypt/crypt_argchk.c	Thu Jun 04 23:08:50 2015 +0800
@@ -21,7 +21,7 @@
 {
  fprintf(stderr, "LTC_ARGCHK '%s' failure on line %d of file %s\n",
          v, d, s);
- abort();
+ (void)raise(SIGABRT);
 }
 #endif
 
--- a/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c	Tue May 05 20:42:38 2015 +0200
+++ b/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c	Thu Jun 04 23:08:50 2015 +0800
@@ -40,7 +40,7 @@
    int        i, j, err;
    void       *mu, *mp;
    unsigned long buf;
-   int        bitcnt, mode, digidx;
+   int        first, bitbuf, bitcpy, bitcnt, mode, digidx;
 
    LTC_ARGCHK(k       != NULL);
    LTC_ARGCHK(G       != NULL);
@@ -98,6 +98,8 @@
    bitcnt = 1;
    buf    = 0;
    digidx = mp_get_digit_count(k) - 1;
+   bitcpy = bitbuf = 0;
+   first  = 1;
 
    /* perform ops */
    for (;;) {
--- a/netio.c	Tue May 05 20:42:38 2015 +0200
+++ b/netio.c	Thu Jun 04 23:08:50 2015 +0800
@@ -70,7 +70,7 @@
 	struct addrinfo *r;
 	int res = 0;
 	int fastopen = 0;
-#ifdef DROPBEAR_TCP_FAST_OPEN
+#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN
 	struct msghdr message;
 #endif
 
@@ -91,14 +91,13 @@
 		set_piggyback_ack(c->sock);
 #endif
 
-#ifdef DROPBEAR_TCP_FAST_OPEN
+#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN
 		fastopen = (c->writequeue != NULL);
 
-		memset(&message, 0x0, sizeof(message));
-		message.msg_name = r->ai_addr;
-		message.msg_namelen = r->ai_addrlen;
-
-		if (c->writequeue) {
+		if (fastopen) {
+			memset(&message, 0x0, sizeof(message));
+			message.msg_name = r->ai_addr;
+			message.msg_namelen = r->ai_addrlen;
 			/* 6 is arbitrary, enough to hold initial packets */
 			unsigned int iovlen = 6; /* Linux msg_iovlen is a size_t */
 			struct iovec iov[6];
@@ -106,18 +105,22 @@
 			message.msg_iov = iov;
 			message.msg_iovlen = iovlen;
 			res = sendmsg(c->sock, &message, MSG_FASTOPEN);
-			if (res < 0 && errno != EINPROGRESS) {
-				m_free(c->errstring);
-				c->errstring = m_strdup(strerror(errno));
-				/* Not entirely sure which kind of errors are normal - 2.6.32 seems to 
-				return EPIPE for any (nonblocking?) sendmsg(). just fall back */
-				TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno)));
-				/* No kernel MSG_FASTOPEN support. Fall back below */
-				fastopen = 0;
-				/* Set to NULL to avoid trying again */
-				c->writequeue = NULL;
+			/* Returns EINPROGRESS if FASTOPEN wasn't available */
+			if (res < 0) {
+				if (errno != EINPROGRESS) {
+					m_free(c->errstring);
+					c->errstring = m_strdup(strerror(errno));
+					/* Not entirely sure which kind of errors are normal - 2.6.32 seems to 
+					return EPIPE for any (nonblocking?) sendmsg(). just fall back */
+					TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno)));
+					/* No kernel MSG_FASTOPEN support. Fall back below */
+					fastopen = 0;
+					/* Set to NULL to avoid trying again */
+					c->writequeue = NULL;
+				}
+			} else {
+				packet_queue_consume(c->writequeue, res);
 			}
-			packet_queue_consume(c->writequeue, res);
 		}
 #endif
 
@@ -310,7 +313,7 @@
 	setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val));
 }
 
-#ifdef DROPBEAR_TCP_FAST_OPEN
+#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
 void set_listen_fast_open(int sock) {
 	int qlen = MAX(MAX_UNAUTH_PER_IP, 5);
 	if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) {
--- a/netio.h	Tue May 05 20:42:38 2015 +0200
+++ b/netio.h	Thu Jun 04 23:08:50 2015 +0800
@@ -48,7 +48,7 @@
 void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count);
 void packet_queue_consume(struct Queue *queue, ssize_t written);
 
-#ifdef DROPBEAR_TCP_FAST_OPEN
+#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
 /* Try for any Linux builds, will fall back if the kernel doesn't support it */
 void set_listen_fast_open(int sock);
 /* Define values which may be supported by the kernel even if the libc is too old */
--- a/options.h	Tue May 05 20:42:38 2015 +0200
+++ b/options.h	Thu Jun 04 23:08:50 2015 +0800
@@ -103,10 +103,15 @@
 #define DROPBEAR_ENABLE_CBC_MODE
 
 /* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. This adds around 1kB to binary 
- * size and is recommended for most cases */
+ * CBC mode against certain attacks. It is recommended for security
+ * and forwards compatibility */
 #define DROPBEAR_ENABLE_CTR_MODE
 
+/* Twofish counter mode is disabled by default because it 
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+/* #define DROPBEAR_TWOFISH_CTR */
+
 /* You can compile with no encryption if you want. In some circumstances
  * this could be safe security-wise, though make sure you know what
  * you're doing. Anyone can see everything that goes over the wire, so
--- a/rsa.c	Tue May 05 20:42:38 2015 +0200
+++ b/rsa.c	Thu Jun 04 23:08:50 2015 +0800
@@ -174,7 +174,7 @@
 	TRACE(("enter buf_put_rsa_pub_key"))
 	dropbear_assert(key != NULL);
 
-	buf_putstring(buf, (const unsigned char *) SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
+	buf_putstring(buf, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
 	buf_putmpint(buf, key->e);
 	buf_putmpint(buf, key->n);
 
@@ -327,7 +327,7 @@
 	mp_clear_multi(&rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
 	
 	/* create the signature to return */
-	buf_putstring(buf, (const unsigned char *) SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
+	buf_putstring(buf, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
 
 	nsize = mp_unsigned_bin_size(key->n);
 
--- a/session.h	Tue May 05 20:42:38 2015 +0200
+++ b/session.h	Thu Jun 04 23:08:50 2015 +0800
@@ -63,7 +63,7 @@
 /* Client */
 void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) ATTRIB_NORETURN;
 void cli_connected(int result, int sock, void* userdata, const char *errstring);
-void cleantext(char* dirtytext);
+void cleantext(unsigned char* dirtytext);
 
 /* crypto parameters that are stored individually for transmit and receive */
 struct key_context_directional {
@@ -115,7 +115,7 @@
 	/* remotehost will be initially NULL as we delay
 	 * reading the remote version string. it will be set
 	 * by the time any recv_() packet methods are called */
-	char *remoteident;
+	unsigned char *remoteident; 
 
 	int maxfd; /* the maximum file descriptor to check with select() */
 
--- a/signkey.c	Tue May 05 20:42:38 2015 +0200
+++ b/signkey.c	Thu Jun 04 23:08:50 2015 +0800
@@ -145,7 +145,7 @@
 
 	TRACE2(("enter buf_get_pub_key"))
 
-	ident = (char *) buf_getstring(buf, &len);
+	ident = buf_getstring(buf, &len);
 	keytype = signkey_type_from_name(ident, len);
 	m_free(ident);
 
@@ -216,7 +216,7 @@
 
 	TRACE2(("enter buf_get_priv_key"))
 
-	ident = (char *)buf_getstring(buf, &len);
+	ident = buf_getstring(buf, &len);
 	keytype = signkey_type_from_name(ident, len);
 	m_free(ident);
 
@@ -522,7 +522,7 @@
 	TRACE(("enter buf_verify"))
 
 	buf_getint(buf); /* blob length */
-	type_name = (char *) buf_getstring(buf, &type_name_len);
+	type_name = buf_getstring(buf, &type_name_len);
 	type = signkey_type_from_name(type_name, type_name_len);
 	m_free(type_name);
 
--- a/svr-auth.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-auth.c	Thu Jun 04 23:08:50 2015 +0800
@@ -89,7 +89,7 @@
 
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
 	buf_putbufstring(ses.writepayload, banner);
-	buf_putstring(ses.writepayload, (const unsigned char *)"en", 2);
+	buf_putstring(ses.writepayload, "en", 2);
 
 	encrypt_packet();
 
@@ -119,9 +119,9 @@
 		svr_opts.banner = NULL;
 	}
 
-	username = (char *)buf_getstring(ses.payload, &userlen);
-	servicename = (char *)buf_getstring(ses.payload, &servicelen);
-	methodname = (char *)buf_getstring(ses.payload, &methodlen);
+	username = buf_getstring(ses.payload, &userlen);
+	servicename = buf_getstring(ses.payload, &servicelen);
+	methodname = buf_getstring(ses.payload, &methodlen);
 
 	/* only handle 'ssh-connection' currently */
 	if (servicelen != SSH_SERVICE_CONNECTION_LEN
--- a/svr-authpam.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-authpam.c	Thu Jun 04 23:08:50 2015 +0800
@@ -188,7 +188,7 @@
 
 	pam_handle_t* pamHandlep = NULL;
 
-	unsigned char * password = NULL;
+	char * password = NULL;
 	unsigned int passwordlen;
 
 	int rc = PAM_SUCCESS;
--- a/svr-authpasswd.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-authpasswd.c	Thu Jun 04 23:08:50 2015 +0800
@@ -33,6 +33,8 @@
 
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
+/* not constant time when strings are differing lengths. 
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 	size_t la = strlen(a);
 	size_t lb = strlen(b);
@@ -50,7 +52,7 @@
 	
 	char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
 	char * testcrypt = NULL; /* crypt generated from the user's password sent */
-	unsigned char * password;
+	char * password;
 	unsigned int passwordlen;
 
 	unsigned int changepw;
@@ -73,7 +75,7 @@
 	password = buf_getstring(ses.payload, &passwordlen);
 
 	/* the first bytes of passwdcrypt are the salt */
-	testcrypt = crypt((char*)password, passwdcrypt);
+	testcrypt = crypt(password, passwdcrypt);
 	m_burn(password, passwordlen);
 	m_free(password);
 
--- a/svr-authpubkey.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-authpubkey.c	Thu Jun 04 23:08:50 2015 +0800
@@ -98,7 +98,7 @@
 	 * actual attempt*/
 	testkey = (buf_getbool(ses.payload) == 0);
 
-	algo = (char *) buf_getstring(ses.payload, &algolen);
+	algo = buf_getstring(ses.payload, &algolen);
 	keybloblen = buf_getint(ses.payload);
 	keyblob = buf_getptr(ses.payload, keybloblen);
 
@@ -180,8 +180,8 @@
 	CHECKCLEARTOWRITE();
 
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK);
-	buf_putstring(ses.writepayload, (const unsigned char *) algo, algolen);
-	buf_putstring(ses.writepayload, keyblob, keybloblen);
+	buf_putstring(ses.writepayload, algo, algolen);
+	buf_putstring(ses.writepayload, (const char*)keyblob, keybloblen);
 
 	encrypt_packet();
 	TRACE(("leave send_msg_userauth_pk_ok"))
--- a/svr-authpubkeyoptions.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-authpubkeyoptions.c	Thu Jun 04 23:08:50 2015 +0800
@@ -120,7 +120,7 @@
 	if (options_buf->len - options_buf->pos < len) {
 		return DROPBEAR_FAILURE;
 	}
-	if (strncasecmp((const char *) buf_getptr(options_buf, len), opt_name, len) == 0) {
+	if (strncasecmp(buf_getptr(options_buf, len), opt_name, len) == 0) {
 		buf_incrpos(options_buf, len);
 		return DROPBEAR_SUCCESS;
 	}
--- a/svr-chansession.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-chansession.c	Thu Jun 04 23:08:50 2015 +0800
@@ -183,7 +183,7 @@
 
 	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
 	buf_putint(ses.writepayload, channel->remotechan);
-	buf_putstring(ses.writepayload, (const unsigned char *) "exit-status", 11);
+	buf_putstring(ses.writepayload, "exit-status", 11);
 	buf_putbyte(ses.writepayload, 0); /* boolean FALSE */
 	buf_putint(ses.writepayload, chansess->exit.exitstatus);
 
@@ -219,12 +219,12 @@
 
 	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
 	buf_putint(ses.writepayload, channel->remotechan);
-	buf_putstring(ses.writepayload, (const unsigned char *) "exit-signal", 11);
+	buf_putstring(ses.writepayload, "exit-signal", 11);
 	buf_putbyte(ses.writepayload, 0); /* boolean FALSE */
-	buf_putstring(ses.writepayload, (const unsigned char *) signame, strlen(signame));
+	buf_putstring(ses.writepayload, signame, strlen(signame));
 	buf_putbyte(ses.writepayload, chansess->exit.exitcore);
-	buf_putstring(ses.writepayload, (const unsigned char *) "", 0); /* error msg */
-	buf_putstring(ses.writepayload, (const unsigned char *) "", 0); /* lang */
+	buf_putstring(ses.writepayload, "", 0); /* error msg */
+	buf_putstring(ses.writepayload, "", 0); /* lang */
 
 	encrypt_packet();
 }
@@ -351,7 +351,7 @@
 
 	TRACE(("enter chansessionrequest"))
 
-	type = (char *) buf_getstring(ses.payload, &typelen);
+	type = buf_getstring(ses.payload, &typelen);
 	wantreply = buf_getbool(ses.payload);
 
 	if (typelen > MAX_NAME_LEN) {
@@ -414,7 +414,7 @@
 		return DROPBEAR_FAILURE;
 	}
 
-	signame = (char *) buf_getstring(ses.payload, NULL);
+	signame = buf_getstring(ses.payload, NULL);
 
 	i = 0;
 	while (signames[i].name != 0) {
@@ -567,7 +567,7 @@
 		return DROPBEAR_FAILURE;
 	}
 
-	chansess->term = (char *) buf_getstring(ses.payload, &termlen);
+	chansess->term = buf_getstring(ses.payload, &termlen);
 	if (termlen > MAX_TERM_LEN) {
 		/* TODO send disconnect ? */
 		TRACE(("leave sessionpty: term len too long"))
@@ -649,7 +649,7 @@
 	if (iscmd) {
 		/* "exec" */
 		if (chansess->cmd == NULL) {
-			chansess->cmd = (char *) buf_getstring(ses.payload, &cmdlen);
+			chansess->cmd = buf_getstring(ses.payload, &cmdlen);
 
 			if (cmdlen > MAX_CMD_LEN) {
 				m_free(chansess->cmd);
--- a/svr-kex.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-kex.c	Thu Jun 04 23:08:50 2015 +0800
@@ -247,7 +247,7 @@
 			{
 			struct kex_curve25519_param *param = gen_kexcurve25519_param();
 			kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
-			buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, (const char*)param->pub, CURVE25519_LEN);
 			free_kexcurve25519_param(param);
 			}
 #endif
--- a/svr-main.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-main.c	Thu Jun 04 23:08:50 2015 +0800
@@ -429,7 +429,7 @@
 		for (n = 0; n < (unsigned int)nsock; n++) {
 			int sock = socks[sockpos + n];
 			set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY);
-#ifdef DROPBEAR_TCP_FAST_OPEN
+#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
 			set_listen_fast_open(sock);
 #endif
 		}
--- a/svr-service.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-service.c	Thu Jun 04 23:08:50 2015 +0800
@@ -41,7 +41,7 @@
 
 	TRACE(("enter recv_msg_service_request"))
 
-	name = (char *) buf_getstring(ses.payload, &len);
+	name = buf_getstring(ses.payload, &len);
 
 	/* ssh-userauth */
 	if (len == SSH_SERVICE_USERAUTH_LEN && 
@@ -80,7 +80,7 @@
 	CHECKCLEARTOWRITE();
 
 	buf_putbyte(ses.writepayload, SSH_MSG_SERVICE_ACCEPT);
-	buf_putstring(ses.writepayload, (const unsigned char *) name, len);
+	buf_putstring(ses.writepayload, name, len);
 
 	encrypt_packet();
 
--- a/svr-session.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-session.c	Thu Jun 04 23:08:50 2015 +0800
@@ -138,6 +138,8 @@
 
 	/* exchange identification, version etc */
 	send_session_identification();
+	
+	kexfirstinitialise(); /* initialise the kex state */
 
 	/* start off with key exchange */
 	send_msg_kexinit();
--- a/svr-tcpfwd.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-tcpfwd.c	Thu Jun 04 23:08:50 2015 +0800
@@ -77,7 +77,7 @@
 		goto out;
 	}
 
-	reqname = (char *)buf_getstring(ses.payload, &namelen);
+	reqname = buf_getstring(ses.payload, &namelen);
 	wantreply = buf_getbool(ses.payload);
 
 	if (namelen > MAX_NAME_LEN) {
@@ -128,7 +128,7 @@
 
 	TRACE(("enter cancelremotetcp"))
 
-	bindaddr = (char *)buf_getstring(ses.payload, &addrlen);
+	bindaddr = buf_getstring(ses.payload, &addrlen);
 	if (addrlen > MAX_IP_LEN) {
 		TRACE(("addr len too long: %d", addrlen))
 		goto out;
@@ -162,7 +162,7 @@
 
 	TRACE(("enter remotetcpreq"))
 
-	request_addr = (char *)buf_getstring(ses.payload, &addrlen);
+	request_addr = buf_getstring(ses.payload, &addrlen);
 	if (addrlen > MAX_IP_LEN) {
 		TRACE(("addr len too long: %d", addrlen))
 		goto out;
@@ -247,7 +247,7 @@
 		goto out;
 	}
 
-	desthost = (char *)buf_getstring(ses.payload, &len);
+	desthost = buf_getstring(ses.payload, &len);
 	if (len > MAX_HOST_LEN) {
 		TRACE(("leave newtcpdirect: desthost too long"))
 		goto out;
@@ -255,7 +255,7 @@
 
 	destport = buf_getint(ses.payload);
 	
-	orighost = (char *)buf_getstring(ses.payload, &len);
+	orighost = buf_getstring(ses.payload, &len);
 	if (len > MAX_HOST_LEN) {
 		TRACE(("leave newtcpdirect: orighost too long"))
 		goto out;
--- a/svr-x11fwd.c	Tue May 05 20:42:38 2015 +0200
+++ b/svr-x11fwd.c	Thu Jun 04 23:08:50 2015 +0800
@@ -58,8 +58,8 @@
 	}
 
 	chansess->x11singleconn = buf_getbool(ses.payload);
-	chansess->x11authprot = (char *)buf_getstring(ses.payload, NULL);
-	chansess->x11authcookie = (char *)buf_getstring(ses.payload, NULL);
+	chansess->x11authprot = buf_getstring(ses.payload, NULL);
+	chansess->x11authcookie = buf_getstring(ses.payload, NULL);
 	chansess->x11screennum = buf_getint(ses.payload);
 
 	/* create listening socket */
@@ -203,7 +203,7 @@
 
 	if (send_msg_channel_open_init(fd, &chan_x11) == DROPBEAR_SUCCESS) {
 		ipstring = inet_ntoa(addr->sin_addr);
-		buf_putstring(ses.writepayload, (const unsigned char *)ipstring, strlen(ipstring));
+		buf_putstring(ses.writepayload, ipstring, strlen(ipstring));
 		buf_putint(ses.writepayload, addr->sin_port);
 
 		encrypt_packet();
--- a/sysoptions.h	Tue May 05 20:42:38 2015 +0200
+++ b/sysoptions.h	Thu Jun 04 23:08:50 2015 +0800
@@ -262,9 +262,12 @@
 /* Use this string since some implementations might special-case it */
 #define DROPBEAR_KEEPALIVE_STRING "[email protected]"
 
-/* Linux will attempt TCP fast open, falling back if not supported by the kernel */
+/* Linux will attempt TCP fast open, falling back if not supported by the kernel.
+ * Currently server is enabled but client is disabled by default until there
+ * is further compatibility testing */
 #ifdef __linux__
-#define DROPBEAR_TCP_FAST_OPEN 1
+#define DROPBEAR_SERVER_TCP_FAST_OPEN
+/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */
 #endif
 
 /* no include guard for this file */
--- a/tcp-accept.c	Tue May 05 20:42:38 2015 +0200
+++ b/tcp-accept.c	Thu Jun 04 23:08:50 2015 +0800
@@ -75,7 +75,7 @@
 	}
 
 	if (send_msg_channel_open_init(fd, tcpinfo->chantype) == DROPBEAR_SUCCESS) {
-		char* addr = NULL;
+		unsigned char* addr = NULL;
 		unsigned int port = 0;
 
 		if (tcpinfo->tcp_type == direct) {
@@ -94,11 +94,11 @@
 		if (addr == NULL) {
 			addr = "localhost";
 		}
-		buf_putstring(ses.writepayload, (const unsigned char *)addr, strlen(addr));
+		buf_putstring(ses.writepayload, addr, strlen(addr));
 		buf_putint(ses.writepayload, port);
 
 		/* originator ip */
-		buf_putstring(ses.writepayload, (const unsigned char *)ipstring, strlen(ipstring));
+		buf_putstring(ses.writepayload, ipstring, strlen(ipstring));
 		/* originator port */
 		buf_putint(ses.writepayload, atol(portstring));
 
--- a/tcpfwd.h	Tue May 05 20:42:38 2015 +0200
+++ b/tcpfwd.h	Thu Jun 04 23:08:50 2015 +0800
@@ -31,16 +31,16 @@
 
 	/* For a direct-tcpip request, it's the addr/port we want the other
 	 * end to connect to */
-	char *sendaddr;
+	unsigned char *sendaddr;
 	unsigned int sendport;
 
 	/* This is the address/port that we listen on. The address has special
 	 * meanings as per the rfc, "" for all interfaces, "localhost" for 
 	 * localhost, or a normal interface name. */
-	char *listenaddr;
+	unsigned char *listenaddr;
 	unsigned int listenport;
 	/* The address that the remote host asked to listen on */
-	char *request_listenaddr;
+	unsigned char *request_listenaddr;
 
 	const struct ChanType *chantype;
 	enum {direct, forwarded} tcp_type;
@@ -48,9 +48,9 @@
 
 /* A forwarding entry */
 struct TCPFwdEntry {
-	const char *connectaddr;
+	const unsigned char* connectaddr;
 	unsigned int connectport;
-	const char *listenaddr;
+	const unsigned char* listenaddr;
 	unsigned int listenport;
 	unsigned int have_reply; /* is set to 1 after a reply has been received
 								when setting up the forwarding */