changeset 606:e4991659fc10

merge of '8a608f0ed5e4b491dba4bf330e560636ec7376fd' and 'b31879a384d3bf8cbcbe2ed731d7d79d49799b1d'
author Matt Johnston <matt@ucc.asn.au>
date Mon, 28 Feb 2011 13:51:34 +0000
parents 810dfc792ca9 (diff) 53c21d4ec98a (current diff)
children aa2f51a6b81d
files options.h sysoptions.h
diffstat 10 files changed, 25 insertions(+), 19 deletions(-) [+]
--- a/CHANGES	Mon Feb 28 13:51:27 2011 +0000
+++ b/CHANGES	Mon Feb 28 13:51:34 2011 +0000
@@ -1,3 +1,7 @@
+0.53.1 
+
+- -lcrypt needs to be before object files for static linking
+
 0.53 - Thurs 24 February 2011
 
 - Various performance/memory use improvements
@@ -19,6 +23,8 @@
 - Make -K (keepalive) and -I (idle timeout) work together sensibly in the client.
   The idle timeout is no longer reset by SSH_MSG_IGNORE packets.
 
+- Add diffie-hellman-group14-sha1 key exchange method
+
 - Compile fix if ENABLE_CLI_PROXYCMD is disabled
 
 - /usr/bin/X11/xauth is now the default path
--- a/Makefile.in	Mon Feb 28 13:51:27 2011 +0000
+++ b/Makefile.in	Mon Feb 28 13:51:34 2011 +0000
@@ -28,10 +28,10 @@
 		queue.o \
 		atomicio.o compat.o  fake-rfc2553.o 
 
-SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
+SVROBJS=@CRYPTLIB@ svr-kex.o svr-algo.o svr-auth.o sshpty.o \
 		svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
 		svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
-		svr-tcpfwd.o svr-authpam.o @CRYPTLIB@
+		svr-tcpfwd.o svr-authpam.o
 
 CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
 		cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
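Review bot: The reason @CRYPTLIB@ now precedes the object files in SVROBJS is recorded only in the CHANGES entry of this commit, so a later tidy-up could move it back to the end of the list without noticing why it was placed first. A one-line comment above the definition, such as `# @CRYPTLIB@ goes first: required for static linking, see CHANGES 0.53.1`, would anchor the intent in the Makefile itself. Archive placement relative to the objects that reference it is toolchain-dependent, so naming the linker that needed this ordering in that comment would help whoever next touches the link line.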
--- a/common-kex.c	Mon Feb 28 13:51:27 2011 +0000
+++ b/common-kex.c	Mon Feb 28 13:51:34 2011 +0000
@@ -272,8 +272,8 @@
 }
 
 /* Generate the actual encryption/integrity keys, using the results of the
- * key exchange, as specified in section 5.2 of the IETF secsh-transport
- * draft. This occurs after the DH key-exchange.
+ * key exchange, as specified in section 7.2 of the transport rfc 4253.
+ * This occurs after the DH key-exchange.
  *
  * ses.newkeys is the new set of keys which are generated, these are only
  * taken into use after both sides have sent a newkeys message */
@@ -532,7 +532,7 @@
 }
 
 /* Initialises and generate one side of the diffie-hellman key exchange values.
- * See the ietf-secsh-transport draft, section 6, for details */
+ * See the transport rfc 4253 section 8 for details */
 /* dh_pub and dh_priv MUST be already initialised */
 void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) {
 
--- a/dropbearkey.c	Mon Feb 28 13:51:27 2011 +0000
+++ b/dropbearkey.c	Mon Feb 28 13:51:34 2011 +0000
@@ -23,7 +23,7 @@
  * SOFTWARE. */
 
 /* The format of the keyfiles is basically a raw dump of the buffer. Data types
- * are specified in the transport draft - string is a 32-bit len then the
+ * are specified in the transport rfc 4253 - string is a 32-bit len then the
  * non-null-terminated string, mp_int is a 32-bit len then the bignum data.
  * The actual functions are buf_put_rsa_priv_key() and buf_put_dss_priv_key()
 
--- a/options.h	Mon Feb 28 13:51:27 2011 +0000
+++ b/options.h	Mon Feb 28 13:51:34 2011 +0000
@@ -64,7 +64,7 @@
 #define ENABLE_SVR_LOCALTCPFWD
 #define ENABLE_SVR_REMOTETCPFWD
 
-/* Enable Authentication Agent Forwarding - server only for now */
+/* Enable Authentication Agent Forwarding */
 #define ENABLE_SVR_AGENTFWD
 #define ENABLE_CLI_AGENTFWD
 
--- a/random.c	Mon Feb 28 13:51:27 2011 +0000
+++ b/random.c	Mon Feb 28 13:51:34 2011 +0000
@@ -74,11 +74,6 @@
 	if (readfd < 0) {
 		dropbear_exit("Couldn't open random device");
 	}
-	/* todo - try various common locations */
-	if (connect(readfd, (struct sockaddr*)&egdsock, 
-			sizeof(struct sockaddr_un)) < 0) {
-		dropbear_exit("Couldn't open random device");
-	}
 
 	if (buflen > 255)
 		dropbear_exit("Can't request more than 255 bytes from egd");
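Review bot: Removing the connect() to egdsock leaves no visible step between the readfd check and the 255-byte limit below that attaches readfd to the EGD socket before a request is presumably written to it; if the connection now happens where readfd is created, above this hunk, that is fine, otherwise the request goes to an unconnected socket and seeding from EGD fails at runtime. This is worth confirming against the lines above the hunk, and a short comment at the socket-creation site such as `/* readfd is already connected to the EGD socket here */` would make the flow clear to a reader of this function. The enclosing function starts and ends outside the hunk.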
--- a/svr-agentfwd.c	Mon Feb 28 13:51:27 2011 +0000
+++ b/svr-agentfwd.c	Mon Feb 28 13:51:34 2011 +0000
@@ -27,7 +27,7 @@
 
 #include "includes.h"
 
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_SVR_AGENTFWD
 
 #include "agentfwd.h"
 #include "session.h"
--- a/svr-chansession.c	Mon Feb 28 13:51:27 2011 +0000
+++ b/svr-chansession.c	Mon Feb 28 13:51:34 2011 +0000
@@ -240,7 +240,7 @@
 	chansess->x11authcookie = NULL;
 #endif
 
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 	chansess->agentlistener = NULL;
 	chansess->agentfile = NULL;
 	chansess->agentdir = NULL;
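Review bot: The server-side agent-forwarding sites in this file, here and in the three later hunks (svr_agentcleanup, the agent request in the strcmp dispatch chain, svr_agentset), are now gated by the umbrella `ENABLE_AGENTFWD`, while the functions they call are compiled in svr-agentfwd.c under `ENABLE_SVR_AGENTFWD` in this same commit. A build that leaves ENABLE_SVR_AGENTFWD undefined but still gets the umbrella from sysoptions.h, whose new condition also fires on a client-side switch, references svr_agentreq, svr_agentcleanup and svr_agentset without a definition and fails to link. Guarding all four sites with `#ifdef ENABLE_SVR_AGENTFWD` keeps the server code under the server switch and matches svr-agentfwd.c. The enclosing functions start and end outside these hunks.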
@@ -293,7 +293,7 @@
 	x11cleanup(chansess);
 #endif
 
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 	svr_agentcleanup(chansess);
 #endif
 
@@ -351,7 +351,7 @@
 	} else if (strcmp(type, "x11-req") == 0) {
 		ret = x11req(chansess);
 #endif
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 	} else if (strcmp(type, "[email protected]") == 0) {
 		ret = svr_agentreq(chansess);
 #endif
@@ -937,7 +937,7 @@
 	/* set up X11 forwarding if enabled */
 	x11setauth(chansess);
 #endif
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 	/* set up agent env variable */
 	svr_agentset(chansess);
 #endif
--- a/svr-kex.c	Mon Feb 28 13:51:27 2011 +0000
+++ b/svr-kex.c	Mon Feb 28 13:51:34 2011 +0000
@@ -70,7 +70,7 @@
  * that, the session hash is calculated, and signed with RSA or DSS. The
  * result is sent to the client. 
  *
- * See the ietf-secsh-transport draft, section 6, for details */
+ * See the transport rfc 4253 section 8 for details */
 static void send_msg_kexdh_reply(mp_int *dh_e) {
 
 	DEF_MP_INT(dh_y);
--- a/sysoptions.h	Mon Feb 28 13:51:27 2011 +0000
+++ b/sysoptions.h	Mon Feb 28 13:51:34 2011 +0000
@@ -99,6 +99,7 @@
 #define MAX_PROPOSED_ALGO 20
 
 /* size/count limits */
+/* From transport rfc */
 #define MIN_PACKET_LEN 16
 
 #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
@@ -123,7 +124,7 @@
 #define MAX_PRIVKEY_SIZE 1700
 
 /* The maximum size of the bignum portion of the kexhash buffer */
-/* Sect. 8 of the transport draft, K_S + e + f + K */
+/* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
 
 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
@@ -161,6 +162,10 @@
 #define USING_LISTENERS
 #endif
 
+#if defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
+#define ENABLE_AGENTFWD
+#endif
+
 #if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
 #define ENABLE_CLI_MULTIHOP
 #endif
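Review bot: The new umbrella condition tests `ENABLE_CLI_LOCALTCPFWD`, which looks like the wrong name: this commit's options.h defines `ENABLE_CLI_AGENTFWD` as the client-side agent-forwarding switch, and local TCP forwarding has no apparent relation to agent forwarding. As written, a client built with local TCP forwarding but with agent forwarding disabled still defines ENABLE_AGENTFWD, and a build with only ENABLE_CLI_AGENTFWD does not, so whatever code checks the umbrella is included or omitted independently of the option the user actually set. The line should probably read `#if defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_CLI_AGENTFWD)`.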