# HG changeset patch
# User Matt Johnston
# Date 1383926546 -28800
# Node ID 7507b174bba0198aeaf1dd998380f45b865beca8
# Parent 754d7bee10686c045417b9139377617bd14a668d
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
- comment on ecc binary size effects
diff -r 754d7bee1068 -r 7507b174bba0 cli-kex.c
--- a/cli-kex.c Fri Nov 08 23:32:13 2013 +0800
+++ b/cli-kex.c Sat Nov 09 00:02:26 2013 +0800
@@ -79,7 +79,7 @@
 }
 cli_ses.curve25519_param = gen_kexcurve25519_param();
 }
- buf_putstring(ses.writepayload, cli_ses.curve25519_param->priv, CURVE25519_LEN);
+ buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
 #endif
 break;
 }
diff -r 754d7bee1068 -r 7507b174bba0 options.h
--- a/options.h Fri Nov 08 23:32:13 2013 +0800
+++ b/options.h Sat Nov 09 00:02:26 2013 +0800
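Review bot: The corrected `buf_putstring` call gives no hint that `cli_ses.curve25519_param->pub` is the only field that may be written to the payload, and since the removed line passed `->priv` with the same `CURVE25519_LEN` the swap was presumably invisible to the compiler; the svr-kex.c hunk below has the same shape. A one-line comment on the new line, `/* only the public point goes on the wire; ->priv must never be sent */`, records the invariant for the next edit of either site. The enclosing function starts before the hunk, so whether the private half is cleared when the param is freed cannot be judged from here.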
@@ -138,22 +138,24 @@
 * SSH2 RFC Draft requires dss, recommends rsa */
 #define DROPBEAR_RSA
 #define DROPBEAR_DSS
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
 #define DROPBEAR_ECDSA
 
 /* Generate hostkeys as-needed when the first connection using that key type occurs.
 This avoids the need to otherwise run "dropbearkey" and avoids some problems
- with badly seeded random devices when systems first boot.
+ with badly seeded /dev/urandom when systems first boot.
 This also requires a runtime flag "-R". */
 #define DROPBEAR_DELAY_HOSTKEY
 
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~10kB on x86-64 */
 #define DROPBEAR_CURVE25519
 
-/* RSA can be vulnerable to timing attacks which use the time required for
- * signing to guess the private key. Blinding avoids this attack, though makes
- * signing operations slightly slower. */
-#define RSA_BLINDING
-
-/* Enable elliptic curve Diffie Hellman key exchange */
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
+ * ECDSA above */
 #define DROPBEAR_ECDH
 
 /* Control the memory/performance/compression tradeoff for zlib.
diff -r 754d7bee1068 -r 7507b174bba0 svr-kex.c
--- a/svr-kex.c Fri Nov 08 23:32:13 2013 +0800
+++ b/svr-kex.c Sat Nov 09 00:02:26 2013 +0800
@@ -213,7 +213,7 @@
 {
 struct kex_curve25519_param *param = gen_kexcurve25519_param();
 kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
- buf_putstring(ses.writepayload, param->priv, CURVE25519_LEN);
+ buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
 free_kexcurve25519_param(param);
 }
 #endif
diff -r 754d7bee1068 -r 7507b174bba0 sysoptions.h
--- a/sysoptions.h Fri Nov 08 23:32:13 2013 +0800
+++ b/sysoptions.h Sat Nov 09 00:02:26 2013 +0800
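Review bot: The new DROPBEAR_CURVE25519 comment quotes the ~10kB cost but does not say that the option also turns DROPBEAR_SHA256 on, which the sysoptions.h hunk in this same commit now does; for a build with no other SHA-256 user the real size increase may be larger than stated. Suggested last line for that comment: ` * by ~10kB on x86-64, and also links in SHA-256 (see sysoptions.h) */`. The removal of `RSA_BLINDING` from this file also leaves no pointer to where it went, so a one-line note next to `#define DROPBEAR_RSA` that blinding is always enabled would save a reader searching options.h for it.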
@@ -104,8 +104,13 @@
 #define DROPBEAR_LTC_PRNG
 #endif
 
+/* RSA can be vulnerable to timing attacks which use the time required for
+ * signing to guess the private key. Blinding avoids this attack, though makes
+ * signing operations slightly slower. */
+#define RSA_BLINDING
+
 /* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256)
+#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519)
 #define DROPBEAR_SHA256
 #endif
 #if defined(DROPBEAR_ECC_384)
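Review bot: `#define RSA_BLINDING` is added here unconditionally, so it is also defined in builds that do not define DROPBEAR_RSA, and nothing in the moved comment records that it was deliberately taken out of the user-facing options.h. Wrapping it as `#ifdef DROPBEAR_RSA` / `#define RSA_BLINDING` / `#endif` would make its scope match the code it protects, and ending the comment with a sentence such as "Always enabled; not a user-configurable option." would explain why it lives in sysoptions.h rather than options.h. The added `|| defined(DROPBEAR_CURVE25519)` on the DROPBEAR_SHA256 condition is consistent with the Curve25519 option now being a SHA-256 consumer, though the hash use itself is not visible in this hunk.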