changeset 1019:6c42bab6e081
merge
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 13 Feb 2015 23:15:12 +0800 |
parents | cb148f8d3d22 (diff) a37f8730eb0f (current diff) |
children | 363c0feca5d4 |
files | common-algo.c |
diffstat | 20 files changed, 109 insertions(+), 29 deletions(-) [+] |
--- a/.hgsigs Wed Jan 28 22:14:07 2015 +0800 +++ b/.hgsigs Fri Feb 13 23:15:12 2015 +0800 @@ -13,3 +13,4 @@ 96584b934d04ebab443f603e78d38fe692d36313 0 iEYEABECAAYFAlPVFrQACgkQjPn4sExkf7xr6ACglRiLE21vRrS1rJ809o2yMADIKtwAn1f5SyZUngSde8eE55JxCMwtMC5m caac692b366c153cea0e9cd59aa2d79a7d843d4e 0 iEYEABECAAYFAlPk1mcACgkQjPn4sExkf7wLpgCeOqMYqpkf4lYUuyrn9VYThNpc7PkAn3JOSNgIqkKUcmSy6FstrI8jwJzq 2d421bc0545d1be6d59a4ebfe61606d94b124b0c 0 iEYEABECAAYFAlRJDCQACgkQjPn4sExkf7xUYACcCwVJkYWXJn5x/D5A+qMupy778lEAn0rg1oNiq96YU/4jOPsS5IMItihu +1d2d81b1b7c1b100e9c369e40b9fa5b2d491eea9 0 iEYEABECAAYFAlTKOKUACgkQjPn4sExkf7xWMACfYFozyHiRk5GaocTa5z6Ws1uyB4kAoLubxoxcnM3E7AA9mHAzc3OB5M0Y
--- a/.hgtags Wed Jan 28 22:14:07 2015 +0800 +++ b/.hgtags Fri Feb 13 23:15:12 2015 +0800 @@ -46,3 +46,4 @@ 0d2d39957c029adb7f4327d37fe6b4900f0736d9 DROPBEAR_2014.64 e9579816f20ea85affc6135e87f8477992808948 DROPBEAR_2014.65 735511a4c761141416ad0e6728989d2dafa55bc2 DROPBEAR_2014.66 +cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67
--- a/CHANGES Wed Jan 28 22:14:07 2015 +0800
+++ b/CHANGES Fri Feb 13 23:15:12 2015 +0800
@@ -1,3 +1,32 @@
+2015.67 - Wednesday 28 January 2015
+
+- Call fsync() after generating private keys to ensure they aren't lost if a
+ reboot occurs. Thanks to Peter Korsgaard
+
+- Disable non-delayed zlib compression by default on the server. Can be
+ enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB
+
+- Default client key path ~/.ssh/id_dropbear
+
+- Prefer stronger algorithms by default, from Fedor Brunner.
+ AES256 over 3DES
+ Diffie-hellman group14 over group1
+
+- Add option to disable CBC ciphers.
+
+- Disable twofish in default options.h
+
+- Enable sha2 HMAC algorithms by default, the code was already required
+ for ECC key exchange. sha1 is the first preference still for performance.
+
+- Fix installing dropbear.8 in a separate build directory, from Like Ma
+
+- Allow configure to succeed if libtomcrypt/libtommath are missing, from Elan Ruusamäe
+
+- Don't crash if ssh-agent provides an unknown type of key. From Catalin Patulea
+
+- Minor bug fixes, a few issues found by Coverity scan
+
 2014.66 - Thursday 23 October 2014
 
 - Use the same keepalive handling behaviour as OpenSSH. This will work better
--- a/cli-main.c Wed Jan 28 22:14:07 2015 +0800
+++ b/cli-main.c Fri Feb 13 23:15:12 2015 +0800
@@ -73,7 +73,7 @@
 #endif
 {
 int sock = connect_remote(cli_opts.remotehost, cli_opts.remoteport,
- 0, &error);
+ 1, &error);
 sock_in = sock_out = sock;
 }
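Review bot: Passing nonblocking=1 to connect_remote changes the failure model at this call: a refused or unreachable host is no longer reported through `error` here, because a non-blocking connect() returns before the handshake completes and the refusal surfaces later on the socket. Whether the caller later checks SO_ERROR or the first read/write result is outside this hunk; if it does not, a comment such as `/* nonblocking: connect errors are reported by the first I/O on sock, not via error */` would at least record the assumption. The switch also appears to be what enables the TCP_DEFER_ACCEPT piggybacking added in dbutil.c, since set_piggyback_ack is only called under `if (nonblocking)`, and that link is worth stating because the two changes look unrelated on their face. The enclosing block starts before the hunk.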
--- a/common-algo.c Wed Jan 28 22:14:07 2015 +0800
+++ b/common-algo.c Fri Feb 13 23:15:12 2015 +0800
@@ -144,6 +144,12 @@
 #ifdef DROPBEAR_AES256
 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
 #endif
+#ifdef DROPBEAR_TWOFISH256
+ {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
+#endif
+#ifdef DROPBEAR_TWOFISH128
+ {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
+#endif
 #endif /* DROPBEAR_ENABLE_CTR_MODE */
 #ifdef DROPBEAR_ENABLE_CBC_MODE
--- a/common-kex.c Wed Jan 28 22:14:07 2015 +0800
+++ b/common-kex.c Fri Feb 13 23:15:12 2015 +0800
@@ -629,16 +629,20 @@
 void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, sign_key *hostkey) {
- mp_int dh_p;
+ DEF_MP_INT(dh_p);
+ DEF_MP_INT(dh_p_min1);
 mp_int *dh_e = NULL, *dh_f = NULL;
- /* read the prime and generator*/
- m_mp_init(&dh_p);
+ m_mp_init_multi(&dh_p, &dh_p_min1, NULL);
 load_dh_p(&dh_p);
- /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
- if (mp_cmp(dh_pub_them, &dh_p) != MP_LT || mp_cmp_d(dh_pub_them, 0) != MP_GT) {
+ if (mp_sub_d(&dh_p, 1, &dh_p_min1) != MP_OKAY) {
+ dropbear_exit("Diffie-Hellman error");
+ }
+
+ /* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2] */
+ if (mp_cmp(dh_pub_them, &dh_p_min1) != MP_LT || mp_cmp_d(dh_pub_them, 1) != MP_GT) {
 dropbear_exit("Diffie-Hellman error");
 }
@@ -649,7 +653,7 @@
 }
 /* clear no longer needed vars */
- mp_clear_multi(&dh_p, NULL);
+ mp_clear_multi(&dh_p, &dh_p_min1, NULL);
 /* From here on, the code needs to work with the _same_ vars on each side,
 * not vice-versaing for client/server */
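Review bot: The tightened bounds check now rejects 1 and p-1, but the comment only states the new range and not why it matters; 1 and p-1 are the elements of order 1 and 2, so accepting either lets the peer force the shared secret to 1 or to ±1 regardless of our private exponent. Suggest extending the comment to `/* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2]. 1 and p-1 generate trivial subgroups and would fix the shared secret independent of our exponent */`. The `mp_sub_d` failure branch and the range-check branch both call dropbear_exit before dh_p and dh_p_min1 are cleared, which is fine only as long as dropbear_exit never returns (it appears to be the fatal-exit helper); if that contract ever changes these branches leak both values. kexdh_comb_key continues past the end of the first hunk.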
--- a/dbclient.1 Wed Jan 28 22:14:07 2015 +0800
+++ b/dbclient.1 Fri Feb 13 23:15:12 2015 +0800
@@ -33,7 +33,7 @@
 Read the identity key from file
 .I idfile
 (multiple allowed). This file is created with dropbearkey(1) or converted
-from OpenSSH with dropbearconvert(1).
+from OpenSSH with dropbearconvert(1). The default path ~/.ssh/id_dropbear is used
 .TP
 .B \-L [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR
 Local port forwarding.
--- a/dbrandom.c Wed Jan 28 22:14:07 2015 +0800
+++ b/dbrandom.c Fri Feb 13 23:15:12 2015 +0800
@@ -306,7 +306,7 @@
 /* keep regenerating until we get one satisfying
 * 0 < rand < max */
- } while (mp_cmp(rand, max) != MP_LT);
+ } while (!(mp_cmp(rand, max) == MP_LT && mp_cmp_d(rand, 0) == MP_GT));
 m_burn(randbuf, len);
 m_free(randbuf);
 }
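Review bot: The new loop condition is correct, but the double negation `!(a == MP_LT && b == MP_GT)` reads harder than the positive form the comment above already describes; `} while (mp_cmp(rand, max) != MP_LT || mp_cmp_d(rand, 0) != MP_GT);` says the same thing and mirrors `0 < rand < max`. The added zero check is the substantive part: the old condition accepted rand == 0, which for a value used as a secret exponent (the surrounding function starts before the hunk, so the exact use is inferred) would make the derived public value trivially predictable. The function's body and loop head are outside the hunk.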
--- a/dbutil.c Wed Jan 28 22:14:07 2015 +0800
+++ b/dbutil.c Fri Feb 13 23:15:12 2015 +0800
@@ -150,18 +150,31 @@
 #ifdef DEBUG_TRACE
+
+static double time_since_start()
+{
+ static double start_time = -1;
+ double nowf;
+ struct timeval tv;
+ gettimeofday(&tv, NULL);
+ nowf = tv.tv_sec + (tv.tv_usec / 1000000.0);
+ if (start_time < 0)
+ {
+ start_time = nowf;
+ return 0;
+ }
+ return nowf - start_time;
+}
+
 void dropbear_trace(const char* format, ...) {
 va_list param;
- struct timeval tv;
 if (!debug_trace) {
 return;
 }
- gettimeofday(&tv, NULL);
-
 va_start(param, format);
- fprintf(stderr, "TRACE (%d) %d.%d: ", getpid(), (int)tv.tv_sec, (int)tv.tv_usec);
+ fprintf(stderr, "TRACE (%d) %f: ", getpid(), time_since_start());
 vfprintf(stderr, format, param);
 fprintf(stderr, "\n");
 va_end(param);
@@ -170,7 +183,6 @@
 void dropbear_trace2(const char* format, ...) {
 static int trace_env = -1;
 va_list param;
- struct timeval tv;
 if (trace_env == -1) {
 trace_env = getenv("DROPBEAR_TRACE2") ? 1 : 0;
@@ -180,10 +192,8 @@
 return;
 }
- gettimeofday(&tv, NULL);
-
 va_start(param, format);
- fprintf(stderr, "TRACE2 (%d) %d.%d: ", getpid(), (int)tv.tv_sec, (int)tv.tv_usec);
+ fprintf(stderr, "TRACE2 (%d) %f: ", getpid(), time_since_start());
 vfprintf(stderr, format, param);
 fprintf(stderr, "\n");
 va_end(param);
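Review bot: `static double time_since_start()` declares the function with an empty parameter list, which in C means "unspecified parameters" rather than "none"; write `static double time_since_start(void)`. The function also ignores the return value of gettimeofday() and latches `start_time` on whichever trace fires first, so the first trace line always prints 0 and later timestamps are relative to that call rather than to process start; a comment such as `/* Seconds since the first trace call in this process; the first call returns 0 */` would make that explicit, and the name "since_start" slightly overstates it. The old `%d.%d` format printed `tv_usec` without zero padding, so a reading of 5 microseconds rendered as `.5`; the switch to a single `%f` fixes that misleading output, which is a behaviour change for anyone parsing trace lines and worth a line in CHANGES.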
@@ -390,6 +400,23 @@
 }
 #endif
+#if defined(__linux__) && defined(TCP_DEFER_ACCEPT)
+static void set_piggyback_ack(int sock) {
+ /* Undocumented Linux feature - set TCP_DEFER_ACCEPT and data will be piggybacked
+ on the 3rd packet (ack) of the TCP handshake. Saves a IP packet.
+ http://thread.gmane.org/gmane.linux.network/224627/focus=224727
+ "Piggyback the final ACK of the three way TCP connection establishment with the data" */
+ int val = 1;
+ /* No error checking, this is opportunistic */
+ int err = setsockopt(sock, IPPROTO_TCP, TCP_DEFER_ACCEPT, (void*)&val, sizeof(val));
+ if (err)
+ {
+ TRACE(("Failed setsockopt TCP_DEFER_ACCEPT: %s", strerror(errno)))
+ }
+}
+#endif
+
+
 /* Connect via TCP to a host. Connection will try ipv4 or ipv6, will
 * return immediately if nonblocking is set. On failure, if errstring
 * wasn't null, it will be a newly malloced error message */
@@ -437,6 +464,10 @@
 if (nonblocking) {
 setnonblocking(sock);
+
+#if defined(__linux__) && defined(TCP_DEFER_ACCEPT)
+ set_piggyback_ack(sock);
+#endif
 }
 if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
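Review bot: The comment `/* No error checking, this is opportunistic */` contradicts the code directly under it, which does check `err` and traces the failure; either drop the comment or reword it to `/* Failure is non-fatal, this is opportunistic */`. The `(void*)&val` cast is unnecessary, since `&val` converts to setsockopt's `const void *` parameter implicitly. The second hunk applies the option only under `if (nonblocking)`, presumably because the piggybacking only helps when the caller writes data before connect() completes; a one-line comment at the call site saying so would spare the next reader from wondering why the blocking path is excluded. The `#if defined(__linux__) && defined(TCP_DEFER_ACCEPT)` guard is duplicated at the call site; an empty `static inline` stub in an `#else` branch next to the definition would let the caller drop its copy. connect_remote begins before the second hunk and continues after it.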
--- a/dbutil.h Wed Jan 28 22:14:07 2015 +0800
+++ b/dbutil.h Fri Feb 13 23:15:12 2015 +0800
@@ -91,7 +91,7 @@
 void * m_malloc(size_t size);
 void * m_strdup(const char * str);
 void * m_realloc(void* ptr, size_t size);
-#define m_free(X) free(X); (X) = NULL;
+#define m_free(X) do {free(X); (X) = NULL;} while (0);
 void m_burn(void* data, unsigned int len);
 void setnonblocking(int fd);
 void disallow_core();
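Review bot: The trailing semicolon after `while (0)` defeats the purpose of the do/while wrapper: a call site `m_free(p);` expands to `do { ... } while (0);;`, and `if (cond) m_free(p); else ...` then fails to compile because the extra empty statement separates the `if` from the `else`. The macro should be `#define m_free(X) do { free(X); (X) = NULL; } while (0)` with callers supplying the semicolon, which is also what makes the wrapper fix the real hazard in the old form, where `if (cond) m_free(p);` freed conditionally but nulled unconditionally. `X` is still evaluated twice (once for `free`, once for the assignment), so a comment warning against passing an expression with side effects would be worthwhile.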
--- a/debian/changelog Wed Jan 28 22:14:07 2015 +0800
+++ b/debian/changelog Fri Feb 13 23:15:12 2015 +0800
@@ -1,3 +1,9 @@
+dropbear (2015.67-0.1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Matt Johnston <[email protected]> Wed, 28 Jan 2015 22:53:59 +0800
+
 dropbear (2014.66-0.1) unstable; urgency=low
 
 * New upstream release.
--- a/debug.h Wed Jan 28 22:14:07 2015 +0800
+++ b/debug.h Fri Feb 13 23:15:12 2015 +0800
@@ -39,7 +39,7 @@
 * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
 * since the printing may not sanitise strings etc. This will add a reasonable
 * amount to your executable size. */
-/* #define DEBUG_TRACE */
+/*#define DEBUG_TRACE*/
 /* All functions writing to the cleartext payload buffer call
 * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
--- a/dropbearconvert.1 Wed Jan 28 22:14:07 2015 +0800
+++ b/dropbearconvert.1 Fri Feb 13 23:15:12 2015 +0800
@@ -39,9 +39,9 @@
 An existing Dropbear or OpenSSH private key file
 .TP
 .B output file
-The path to write the converted private key file
+The path to write the converted private key file. For client authentication ~/.ssh/id_dropbear is loaded by default
 .SH EXAMPLE
- # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/dropbear_priv
+ # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_dropbear
 .SH AUTHOR
 Matt Johnston ([email protected]).
 .SH SEE ALSO
--- a/dropbearkey.1 Wed Jan 28 22:14:07 2015 +0800
+++ b/dropbearkey.1 Fri Feb 13 23:15:12 2015 +0800
@@ -33,7 +33,7 @@
 .TP
 .B \-f \fIfile
 Write the secret key to the file
-.IR file .
+.IR file . For client authentication ~/.ssh/id_dropbear is loaded by default
 .TP
 .B \-s \fIbits
 Set the key size to
--- a/ecdsa.c Wed Jan 28 22:14:07 2015 +0800
+++ b/ecdsa.c Fri Feb 13 23:15:12 2015 +0800
@@ -131,6 +131,7 @@
 if (buf_getmpint(buf, new_key->k) != DROPBEAR_SUCCESS) {
 ecc_free(new_key);
+ m_free(new_key);
 return NULL;
 }
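Review bot: Pairing `m_free(new_key)` with `ecc_free(new_key)` implies ecc_free releases the key's contents but not the struct itself; any other early-return path in this function that calls ecc_free alone would leak in the same way, and those paths are outside the hunk, so they deserve a look. Making the ownership rule explicit — either a comment at ecc_free's declaration stating that the caller still owns the struct, or a small helper that performs both frees — would keep the pattern from being missed on the next error path added. The enclosing function starts before the hunk and continues after it.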
--- a/keyimport.c Wed Jan 28 22:14:07 2015 +0800
+++ b/keyimport.c Fri Feb 13 23:15:12 2015 +0800
@@ -810,7 +810,7 @@
 }
 m_burn(key->keyblob, key->keyblob_size);
 m_free(key->keyblob);
- m_burn(key, sizeof(key));
+ m_burn(key, sizeof(*key));
 m_free(key);
 if (errmsg) {
 fprintf(stderr, "Error: %s\n", errmsg);
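Review bot: `sizeof(key)` wiped only a pointer's width, so the old code left nearly all of `*key` intact in memory after the blob itself was burned; the fix is right. Because m_burn is a project function rather than memset, compiler diagnostics such as `-Wsizeof-pointer-memaccess` do not fire on this pattern, so the same mistake could exist at other m_burn call sites that pass a pointer together with `sizeof(ptr)` — a grep across the tree is cheap. A comment `/* sizeof(*key): wipe the whole struct, not the pointer */` would mark the intent for the next reader.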
--- a/options.h Wed Jan 28 22:14:07 2015 +0800
+++ b/options.h Fri Feb 13 23:15:12 2015 +0800
@@ -95,8 +95,8 @@
 #define DROPBEAR_AES256
 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
 /*#define DROPBEAR_BLOWFISH*/
-/*#define DROPBEAR_TWOFISH256*/
-/*#define DROPBEAR_TWOFISH128*/
+#define DROPBEAR_TWOFISH256
+#define DROPBEAR_TWOFISH128
 /* Enable CBC mode for ciphers. This has security issues though
 * is the most compatible with older SSH implementations */
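Review bot: Enabling `DROPBEAR_TWOFISH256` and `DROPBEAR_TWOFISH128` here contradicts the CHANGES entry merged in the same changeset, "Disable twofish in default options.h"; one of the two is wrong for the merge result, and together with the new twofish-ctr entries in common-algo.c it looks like the default branch re-enabled what the release branch turned off. Either the defines should stay commented out to match the release notes, or the CHANGES entry should be corrected, and a short comment on the defines recording the decision would stop the next merge from flipping it silently. A wider default cipher list also enlarges the negotiated surface and the binary; if the goal is compatibility only, the placement after aes256-ctr in common-algo.c appears to keep AES preferred, which is worth confirming and stating.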
--- a/release.sh Wed Jan 28 22:14:07 2015 +0800
+++ b/release.sh Fri Feb 13 23:15:12 2015 +0800
@@ -7,7 +7,7 @@
 fi
 if ! head -n1 debian/changelog | grep -q $VERSION ; then
- echo "CHANGES needs updating"
+ echo "debian/changelog needs updating"
 exit 1
 fi
@@ -36,5 +36,5 @@
 (cd $RELDIR/.. && tar cjf $ARCHIVE `basename "$RELDIR"`) || exit 2
 ls -l $ARCHIVE
-openssl sha1 $ARCHIVE
+openssl sha -sha256 $ARCHIVE
 echo "Done to $ARCHIVE"
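Review bot: `openssl sha -sha256` relies on the legacy `sha` (SHA-0) subcommand, which was removed from newer OpenSSL releases, so the release script would fail there; `openssl dgst -sha256 "$ARCHIVE"` (or `openssl sha256 "$ARCHIVE"`) is the portable spelling. `$ARCHIVE` and `$RELDIR` are unquoted on the new line and its neighbours, so a path containing whitespace breaks both the tar and the digest step. In the first hunk the version check passes `$VERSION` to grep unquoted and as a regular expression, so the dots match any character; `grep -qF -- "$VERSION"` makes the match literal.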
--- a/svr-main.c Wed Jan 28 22:14:07 2015 +0800
+++ b/svr-main.c Fri Feb 13 23:15:12 2015 +0800
@@ -343,6 +343,7 @@
 sa_chld.sa_handler = sigchld_handler;
 sa_chld.sa_flags = SA_NOCLDSTOP;
+ sigemptyset(&sa_chld.sa_mask);
 if (sigaction(SIGCHLD, &sa_chld, NULL) < 0) {
 dropbear_exit("signal() error");
 }
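Review bot: Calling sigemptyset() on `sa_mask` closes a real uninitialised-read: without it sigaction() installed whatever happened to be in that field as the set of signals blocked while the handler runs, and how `sa_chld` is declared is outside the hunk. The more robust form is to zero the whole struct where it is declared, `struct sigaction sa_chld = {0};` or `memset(&sa_chld, 0, sizeof sa_chld);`, so every field and any padding is defined, while keeping sigemptyset() since an all-zero mask is not guaranteed to be the empty set on every platform. If the file installs other handlers the same way, they should get the same treatment.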
--- a/sysoptions.h Wed Jan 28 22:14:07 2015 +0800
+++ b/sysoptions.h Fri Feb 13 23:15:12 2015 +0800
@@ -4,7 +4,7 @@
 *******************************************************************/
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2014.66"
+#define DROPBEAR_VERSION "2015.67"
 #endif
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION