- Make curve25519 work after fixing a typo, interoperates with OpenSSH

- comment on ecc binary size effects --HG-- branch : ecc

- Make curve25519 work after fixing a typo, interoperates with OpenSSH
- comment on ecc binary size effects --HG-- branch : ecc
1e00d0b9 · Matt Johnston · 29b1455f · 1e00d0b9 · 1e00d0b9 · 1e00d0b9
Commit 1e00d0b9 authored 11 years ago by Matt Johnston
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -79,7 +79,7 @@ void send_msg_kexdh_init() {
 				}
 				cli_ses.curve25519_param = gen_kexcurve25519_param();
 			}
-			buf_putstring(ses.writepayload, cli_ses.curve25519_param->priv, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
 #endif
 			break;
 	}

--- a/options.h
+++ b/options.h
@@ -138,22 +138,24 @@ much traffic. */
 * SSH2 RFC Draft requires dss, recommends rsa */
 #define DROPBEAR_RSA
 #define DROPBEAR_DSS
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
 #define DROPBEAR_ECDSA
 /* Generate hostkeys as-needed when the first connection using that key type occurs.
   This avoids the need to otherwise run "dropbearkey" and avoids some problems
-   with badly seeded random devices when systems first boot.
+   with badly seeded /dev/urandom when systems first boot.
   This also requires a runtime flag "-R". */
 #define DROPBEAR_DELAY_HOSTKEY
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~10kB on x86-64 */
 #define DROPBEAR_CURVE25519
-/* RSA can be vulnerable to timing attacks which use the time required for
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
- * signing to guess the private key. Blinding avoids this attack, though makes
+ * ECDSA above */
- * signing operations slightly slower. */
-#define RSA_BLINDING
-/* Enable elliptic curve Diffie Hellman key exchange */
 #define DROPBEAR_ECDH
 /* Control the memory/performance/compression tradeoff for zlib.

--- a/svr-kex.c
+++ b/svr-kex.c
@@ -213,7 +213,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
 			{
 			struct kex_curve25519_param *param = gen_kexcurve25519_param();
 			kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
-			buf_putstring(ses.writepayload, param->priv, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
 			free_kexcurve25519_param(param);
 			}
 #endif

--- a/sysoptions.h
+++ b/sysoptions.h
@@ -104,8 +104,13 @@
 #define DROPBEAR_LTC_PRNG
 #endif
+/* RSA can be vulnerable to timing attacks which use the time required for
+ * signing to guess the private key. Blinding avoids this attack, though makes
+ * signing operations slightly slower. */
+#define RSA_BLINDING
 /* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256)
+#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519)
 #define DROPBEAR_SHA256
 #endif
 #if defined(DROPBEAR_ECC_384)