# HG changeset patch
# User Matt Johnston <matt@ucc.asn.au>
# Date 1383926546 -28800
# Node ID 7507b174bba0198aeaf1dd998380f45b865beca8
# Parent  754d7bee10686c045417b9139377617bd14a668d
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
- comment on ecc binary size effects

diff -r 754d7bee1068 -r 7507b174bba0 cli-kex.c
--- a/cli-kex.c	Fri Nov 08 23:32:13 2013 +0800
+++ b/cli-kex.c	Sat Nov 09 00:02:26 2013 +0800
@@ -79,7 +79,7 @@
 				}
 				cli_ses.curve25519_param = gen_kexcurve25519_param();
 			}
-			buf_putstring(ses.writepayload, cli_ses.curve25519_param->priv, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
 #endif
 			break;
 	}
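Review bot: Nothing at this call site records that `->pub` is the only member of `struct kex_curve25519_param` that may be serialised, so the one-word swap this commit corrects could be reintroduced by the next edit without any compiler or reviewer pushback. A short comment on the new line, `/* only the public point goes on the wire; ->priv must never be written to the payload */`, makes the intent visible where it matters. The same comment belongs on the matching `buf_putstring` in the svr-kex.c hunk. The enclosing switch and function start and end outside this hunk.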
diff -r 754d7bee1068 -r 7507b174bba0 options.h
--- a/options.h	Fri Nov 08 23:32:13 2013 +0800
+++ b/options.h	Sat Nov 09 00:02:26 2013 +0800
@@ -138,22 +138,24 @@
  * SSH2 RFC Draft requires dss, recommends rsa */
 #define DROPBEAR_RSA
 #define DROPBEAR_DSS
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
 #define DROPBEAR_ECDSA
 
 /* Generate hostkeys as-needed when the first connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
-   with badly seeded random devices when systems first boot.
+   with badly seeded /dev/urandom when systems first boot.
    This also requires a runtime flag "-R". */
 #define DROPBEAR_DELAY_HOSTKEY
 
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~10kB on x86-64 */
 #define DROPBEAR_CURVE25519
 
-/* RSA can be vulnerable to timing attacks which use the time required for
- * signing to guess the private key. Blinding avoids this attack, though makes
- * signing operations slightly slower. */
-#define RSA_BLINDING
-
-/* Enable elliptic curve Diffie Hellman key exchange */
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
+ * ECDSA above */
 #define DROPBEAR_ECDH
 
 /* Control the memory/performance/compression tradeoff for zlib.
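Review bot: `RSA_BLINDING` disappears from the user-facing options in this hunk and, per the sysoptions.h hunk, becomes unconditional, but neither the commit description nor options.h says so, so anyone who had `#undef`'d it locally gets no hint that the timing-attack defence can no longer be switched off. A one-line marker where the old block stood, `/* RSA_BLINDING is always enabled; see sysoptions.h */`, would document the policy change. The comment carried over into sysoptions.h still reads as if blinding were optional ("Blinding avoids this attack, though makes signing operations slightly slower"); rewording it there to state that it is always on and not a user option would keep the two headers consistent. The new ECDSA comment says ECC code is shared by "either ECDSA or ECDH", which implies the ~30kB is only saved when both are undefined; stating that explicitly would help anyone trimming the binary.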
diff -r 754d7bee1068 -r 7507b174bba0 svr-kex.c
--- a/svr-kex.c	Fri Nov 08 23:32:13 2013 +0800
+++ b/svr-kex.c	Sat Nov 09 00:02:26 2013 +0800
@@ -213,7 +213,7 @@
 			{
 			struct kex_curve25519_param *param = gen_kexcurve25519_param();
 			kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
-			buf_putstring(ses.writepayload, param->priv, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
 			free_kexcurve25519_param(param);
 			}
 #endif
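Review bot: With the public point now correctly written to the payload, the private scalar in `param->priv` lives only until the `free_kexcurve25519_param(param)` on the following line, whose body is outside this hunk; it is worth confirming there that the scalar is explicitly zeroised before the memory is released rather than simply freed, since the peer's ephemeral-key computation in `kexcurve25519_comb_key` two lines above has already consumed it and nothing else needs it. If that helper does not wipe the buffer, a comment such as `/* priv is wiped in free_kexcurve25519_param */` next to the free would only be accurate once it does. The enclosing function starts and ends outside this hunk.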
diff -r 754d7bee1068 -r 7507b174bba0 sysoptions.h
--- a/sysoptions.h	Fri Nov 08 23:32:13 2013 +0800
+++ b/sysoptions.h	Sat Nov 09 00:02:26 2013 +0800
@@ -104,8 +104,13 @@
 #define DROPBEAR_LTC_PRNG
 #endif
 
+/* RSA can be vulnerable to timing attacks which use the time required for
+ * signing to guess the private key. Blinding avoids this attack, though makes
+ * signing operations slightly slower. */
+#define RSA_BLINDING
+
 /* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256)
+#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519)
 #define DROPBEAR_SHA256
 #endif
 #if defined(DROPBEAR_ECC_384)
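Review bot: The widened `#if` that now registers SHA256 for `DROPBEAR_CURVE25519` gives no reason for the dependency, and this hand-maintained list is easy to break the next time a method is added or removed. A trailing comment on the condition, `/* curve25519-sha256 key exchange hashes with SHA-256 */`, ties the hash to the method that needs it. The block continues past the end of this hunk.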