Add a batch of missing 'static's.

crypto/bcrypt.c

@@ -11,8 +11,8 @@
 #include "ssh.h"
 #include "blowfish.h"
 
-BlowfishContext *bcrypt_setup(const unsigned char *key, int keybytes,
-                              const unsigned char *salt, int saltbytes)
+static BlowfishContext *bcrypt_setup(const unsigned char *key, int keybytes,
+                                     const unsigned char *salt, int saltbytes)
 {
     int i;
     BlowfishContext *ctx;
@@ -32,9 +32,9 @@ BlowfishContext *bcrypt_setup(const unsigned char *key, int keybytes,
     return ctx;
 }
 
-void bcrypt_hash(const unsigned char *key, int keybytes,
-                 const unsigned char *salt, int saltbytes,
-                 unsigned char output[32])
+static void bcrypt_hash(const unsigned char *key, int keybytes,
+                        const unsigned char *salt, int saltbytes,
+                        unsigned char output[32])
 {
     BlowfishContext *ctx;
     int i;
@@ -49,10 +49,10 @@ void bcrypt_hash(const unsigned char *key, int keybytes,
     blowfish_free_context(ctx);
 }
 
-void bcrypt_genblock(int counter,
-                     const unsigned char hashed_passphrase[64],
-                     const unsigned char *salt, int saltbytes,
-                     unsigned char output[32])
+static void bcrypt_genblock(int counter,
+                            const unsigned char hashed_passphrase[64],
+                            const unsigned char *salt, int saltbytes,
+                            unsigned char output[32])
 {
     unsigned char hashed_salt[64];
 

crypto/ecc-ssh.c

@@ -1444,7 +1444,7 @@ typedef struct ecdh_key_m {
     ecdh_key ek;
 } ecdh_key_m;
 
-ecdh_key *ssh_ecdhkex_w_new(const ssh_kex *kex, bool is_server)
+static ecdh_key *ssh_ecdhkex_w_new(const ssh_kex *kex, bool is_server)
 {
     const struct eckex_extra *extra = (const struct eckex_extra *)kex->extra;
     const struct ec_curve *curve = extra->curve();
@@ -1463,7 +1463,7 @@ ecdh_key *ssh_ecdhkex_w_new(const ssh_kex *kex, bool is_server)
     return &dhw->ek;
 }
 
-ecdh_key *ssh_ecdhkex_m_new(const ssh_kex *kex, bool is_server)
+static ecdh_key *ssh_ecdhkex_m_new(const ssh_kex *kex, bool is_server)
 {
     const struct eckex_extra *extra = (const struct eckex_extra *)kex->extra;
     const struct ec_curve *curve = extra->curve();
@@ -1637,7 +1637,7 @@ const ssh_kex ssh_ec_kex_curve25519 = {
     .extra = &kex_extra_curve25519,
 };
 /* Pre-RFC alias */
-const ssh_kex ssh_ec_kex_curve25519_libssh = {
+static const ssh_kex ssh_ec_kex_curve25519_libssh = {
     .name = "curve25519-sha256@libssh.org",
     .main_type = KEXTYPE_ECDH,
     .hash = &ssh_sha256,

crypto/ntru.c

@@ -483,7 +483,8 @@ void ntru_scale(uint16_t *out, const uint16_t *in, uint16_t scale,
  * Given an array of values mod 3, convert them to values mod q in a
  * way that maps -1,0,+1 to -1,0,+1.
  */
-void ntru_expand(uint16_t *out, const uint16_t *in, unsigned p, unsigned q)
+static void ntru_expand(
+    uint16_t *out, const uint16_t *in, unsigned p, unsigned q)
 {
     for (size_t i = 0; i < p; i++) {
         uint16_t v = in[i];
@@ -1393,8 +1394,9 @@ void ntru_encode_plaintext(const uint16_t *plaintext, unsigned p,
  *
  * 'out' should therefore expect to receive 32 bytes of data.
  */
-void ntru_confirmation_hash(uint8_t *out, const uint16_t *plaintext,
-                            const uint16_t *pubkey, unsigned p, unsigned q)
+static void ntru_confirmation_hash(
+    uint8_t *out, const uint16_t *plaintext,
+    const uint16_t *pubkey, unsigned p, unsigned q)
 {
     /* The outer hash object */
     ssh_hash *hconfirm = ssh_hash_new(&ssh_sha512);
@@ -1450,8 +1452,9 @@ void ntru_confirmation_hash(uint8_t *out, const uint16_t *plaintext,
  *
  * The ciphertext is provided in already-encoded form.
  */
-void ntru_session_hash(uint8_t *out, unsigned ok, const uint16_t *plaintext,
-                       unsigned p, ptrlen ciphertext, ptrlen confirmation_hash)
+static void ntru_session_hash(
+    uint8_t *out, unsigned ok, const uint16_t *plaintext,
+    unsigned p, ptrlen ciphertext, ptrlen confirmation_hash)
 {
     /* The outer hash object */
     ssh_hash *hsession = ssh_hash_new(&ssh_sha512);
@@ -1866,7 +1869,7 @@ static const ecdh_keyalg ssh_ntru_selector_vt = {
     .description = ssh_ntru_description,
 };
 
-const ssh_kex ssh_ntru_curve25519 = {
+static const ssh_kex ssh_ntru_curve25519 = {
     .name = "sntrup761x25519-sha512@openssh.com",
     .main_type = KEXTYPE_ECDH,
     .hash = &ssh_sha512,

crypto/openssh-certs.c

@@ -93,35 +93,37 @@ typedef struct opensshcert_extra {
  * info appears at all, it's in the same order everywhere, and none of
  * it is repeated unnecessarily */
 enum { DSA_p, DSA_q, DSA_g, DSA_y, DSA_x };
-const unsigned dsa_pub_fmt[] = { DSA_p, DSA_q, DSA_g, DSA_y };
-const unsigned dsa_base_ossh_fmt[] = { DSA_p, DSA_q, DSA_g, DSA_y, DSA_x };
-const unsigned dsa_cert_ossh_fmt[] = { DSA_x };
+static const unsigned dsa_pub_fmt[] = { DSA_p, DSA_q, DSA_g, DSA_y };
+static const unsigned dsa_base_ossh_fmt[] = {
+    DSA_p, DSA_q, DSA_g, DSA_y, DSA_x };
+static const unsigned dsa_cert_ossh_fmt[] = { DSA_x };
 
 /* ECDSA is almost as nice, except that it pointlessly mentions the
  * curve name in the public data, which shouldn't be necessary given
  * that the SSH key id has already implied it. But at least that's
  * consistent everywhere. */
 enum { ECDSA_curve, ECDSA_point, ECDSA_exp };
-const unsigned ecdsa_pub_fmt[] = { ECDSA_curve, ECDSA_point };
-const unsigned ecdsa_base_ossh_fmt[] = { ECDSA_curve, ECDSA_point, ECDSA_exp };
-const unsigned ecdsa_cert_ossh_fmt[] = { ECDSA_exp };
+static const unsigned ecdsa_pub_fmt[] = { ECDSA_curve, ECDSA_point };
+static const unsigned ecdsa_base_ossh_fmt[] = {
+    ECDSA_curve, ECDSA_point, ECDSA_exp };
+static const unsigned ecdsa_cert_ossh_fmt[] = { ECDSA_exp };
 
 /* Ed25519 has the oddity that the private data following the
  * certificate in the OpenSSH blob is preceded by an extra copy of the
  * public data, for no obviously necessary reason since that doesn't
  * happen in any of the rest of these formats */
 enum { EDDSA_point, EDDSA_exp };
-const unsigned eddsa_pub_fmt[] = { EDDSA_point };
-const unsigned eddsa_base_ossh_fmt[] = { EDDSA_point, EDDSA_exp };
-const unsigned eddsa_cert_ossh_fmt[] = { EDDSA_point, EDDSA_exp };
+static const unsigned eddsa_pub_fmt[] = { EDDSA_point };
+static const unsigned eddsa_base_ossh_fmt[] = { EDDSA_point, EDDSA_exp };
+static const unsigned eddsa_cert_ossh_fmt[] = { EDDSA_point, EDDSA_exp };
 
 /* And RSA has the quirk that the modulus and exponent are reversed in
  * the base key type's OpenSSH blob! */
 enum { RSA_e, RSA_n, RSA_d, RSA_p, RSA_q, RSA_iqmp };
-const unsigned rsa_pub_fmt[] = { RSA_e, RSA_n };
-const unsigned rsa_base_ossh_fmt[] = {
+static const unsigned rsa_pub_fmt[] = { RSA_e, RSA_n };
+static const unsigned rsa_base_ossh_fmt[] = {
     RSA_n, RSA_e, RSA_d, RSA_p, RSA_q, RSA_iqmp };
-const unsigned rsa_cert_ossh_fmt[] = { RSA_d, RSA_p, RSA_q, RSA_iqmp };
+static const unsigned rsa_cert_ossh_fmt[] = { RSA_d, RSA_p, RSA_q, RSA_iqmp };
 
 /*
  * Routines to transform one kind of blob into another based on those
@@ -238,7 +240,7 @@ static const ssh_keyalg *opensshcert_related_alg(const ssh_keyalg *self,
     /* end of list */
 
 #define KEYALG_DEF(name, ssh_alg_id_prefix, ssh_key_id_prefix, fmt_prefix) \
-    const struct opensshcert_extra opensshcert_##name##_extra = {       \
+    static const struct opensshcert_extra opensshcert_##name##_extra = { \
         .pub_fmt = { .fmt = fmt_prefix ## _pub_fmt,                     \
                      .len = lenof(fmt_prefix ## _pub_fmt) },            \
         .base_ossh_fmt = { .fmt = fmt_prefix ## _base_ossh_fmt,         \

crypto/rsa.c

@@ -865,7 +865,8 @@ static unsigned ssh_rsa_supported_flags(const ssh_keyalg *self)
     return SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512;
 }
 
-const char *ssh_rsa_alternate_ssh_id(const ssh_keyalg *self, unsigned flags)
+static const char *ssh_rsa_alternate_ssh_id(
+    const ssh_keyalg *self, unsigned flags)
 {
     if (flags & SSH_AGENT_RSA_SHA2_512)
         return ssh_rsa_sha512.ssh_id;