From 1e00d0b92676b985900594904084cc018803fa07 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Sat, 9 Nov 2013 00:02:26 +0800
Subject: [PATCH] - Make curve25519 work after fixing a typo, interoperates
 with OpenSSH - comment on ecc binary size effects

--HG--
branch : ecc
---
 cli-kex.c    |  2 +-
 options.h    | 16 +++++++++-------
 svr-kex.c    |  2 +-
 sysoptions.h |  7 ++++++-
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/cli-kex.c b/cli-kex.c
index 0ab4edc0..18285ac3 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -79,7 +79,7 @@ void send_msg_kexdh_init() {
 				}
 				cli_ses.curve25519_param = gen_kexcurve25519_param();
 			}
-			buf_putstring(ses.writepayload, cli_ses.curve25519_param->priv, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
 #endif
 			break;
 	}
diff --git a/options.h b/options.h
index ccdd3031..9a775cf8 100644
--- a/options.h
+++ b/options.h
@@ -138,22 +138,24 @@ much traffic. */
  * SSH2 RFC Draft requires dss, recommends rsa */
 #define DROPBEAR_RSA
 #define DROPBEAR_DSS
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
 #define DROPBEAR_ECDSA
 
 /* Generate hostkeys as-needed when the first connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
-   with badly seeded random devices when systems first boot.
+   with badly seeded /dev/urandom when systems first boot.
    This also requires a runtime flag "-R". */
 #define DROPBEAR_DELAY_HOSTKEY
 
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~10kB on x86-64 */
 #define DROPBEAR_CURVE25519
 
-/* RSA can be vulnerable to timing attacks which use the time required for
- * signing to guess the private key. Blinding avoids this attack, though makes
- * signing operations slightly slower. */
-#define RSA_BLINDING
-
-/* Enable elliptic curve Diffie Hellman key exchange */
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
+ * ECDSA above */
 #define DROPBEAR_ECDH
 
 /* Control the memory/performance/compression tradeoff for zlib.
diff --git a/svr-kex.c b/svr-kex.c
index 4764e380..7db2f1c4 100644
--- a/svr-kex.c
+++ b/svr-kex.c
@@ -213,7 +213,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
 			{
 			struct kex_curve25519_param *param = gen_kexcurve25519_param();
 			kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
-			buf_putstring(ses.writepayload, param->priv, CURVE25519_LEN);
+			buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
 			free_kexcurve25519_param(param);
 			}
 #endif
diff --git a/sysoptions.h b/sysoptions.h
index 6637ad51..8459eb67 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -104,8 +104,13 @@
 #define DROPBEAR_LTC_PRNG
 #endif
 
+/* RSA can be vulnerable to timing attacks which use the time required for
+ * signing to guess the private key. Blinding avoids this attack, though makes
+ * signing operations slightly slower. */
+#define RSA_BLINDING
+
 /* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256)
+#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519)
 #define DROPBEAR_SHA256
 #endif
 #if defined(DROPBEAR_ECC_384)
-- 
GitLab