diff --git a/algo.h b/algo.h
index 062fd1fbdfac6dba841beb165ddd1c22c67b0714..8cd4c9b0a09329c78dc31e536fd48386544781c5 100644
--- a/algo.h
+++ b/algo.h
@@ -56,7 +56,6 @@ extern algo_type ssh_nocompress[];
 extern const struct dropbear_cipher dropbear_nocipher;
 extern const struct dropbear_cipher_mode dropbear_mode_none;
 extern const struct dropbear_hash dropbear_nohash;
-extern const struct dropbear_kex kex_curve25519;
 
 struct dropbear_cipher {
 	const struct ltc_cipher_descriptor *cipherdesc;
diff --git a/bignum.c b/bignum.c
index e9810b3ec4fdb1c91d3a0e66f5b533f227a176c9..44009690d579272c719ce07ce42dbfdb2e0117c8 100644
--- a/bignum.c
+++ b/bignum.c
@@ -78,8 +78,6 @@ void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len) {
 /* hash the ssh representation of the mp_int mp */
 void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, 
 				hash_state *hs, mp_int *mp) {
-
-	int i;
 	buffer * buf;
 
 	buf = buf_new(512 + 20); /* max buffer is a 4096 bit key, 
diff --git a/cli-runopts.c b/cli-runopts.c
index b8d304f1c423d61062a2e85fd1a78d77dfbc7f12..d20928b39635fce3b27950f922538f2f9968fc61 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -450,7 +450,7 @@ void cli_getopts(int argc, char ** argv) {
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 static void loadidentityfile(const char* filename) {
 	sign_key *key;
-	int keytype;
+	enum signkey_type keytype;
 
 	key = new_sign_key();
 	keytype = DROPBEAR_SIGNKEY_ANY;
diff --git a/common-algo.c b/common-algo.c
index 2cac9d75a155b40783e2d12bffaff66e738e3a83..621a8cbfaccaaed777536d631fcf499b219d274c 100644
--- a/common-algo.c
+++ b/common-algo.c
@@ -231,6 +231,8 @@ algo_type sshhostkey[] = {
 static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
 static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
 
+/* These can't be const since dropbear_ecc_fill_dp() fills out
+ ecc_curve at runtime */
 #ifdef DROPBEAR_ECDH
 #ifdef DROPBEAR_ECC_256
 static struct dropbear_kex kex_ecdh_nistp256 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp256, &sha256_desc };
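Review bot: The added comment gives a reason that seems to apply to the curve objects rather than to these kex structs. The initializer of `kex_ecdh_nistp256` only stores `&ecc_curve_nistp256`, and the ecc.c hunk in this commit says it is the curve's `.dp` member that dropbear_ecc_fill_dp() fills out. If nothing assigns to the kex structs themselves, they could be `static const` like kex_curve25519 in the next hunk, which keeps the key-exchange table entries out of writable data. If they do have to stay writable, move the comment inside `#ifdef DROPBEAR_ECDH` and name the member that is written, since "These" currently reads as if it covered the const DH entries just above.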
@@ -245,7 +247,7 @@ static struct dropbear_kex kex_ecdh_nistp521 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc
 
 #ifdef DROPBEAR_CURVE25519
 /* Referred to directly */
-const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
+static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
 #endif
 
 algo_type sshkex[] = {
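Review bot: The `/* Referred to directly */` comment above kex_curve25519 is stale now that the definition is `static` and this commit drops the matching `extern` from algo.h. Nothing outside common-algo.c can name the object any more. Delete the comment or replace it with what now holds, for example `/* Only used via sshkex[] below */`, assuming the sshkex[] table that begins at the end of this hunk lists it.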
diff --git a/common-kex.c b/common-kex.c
index 8e3d1fc86f81f1d94f8ed4488fa2f4cd3ad281e0..a304d027f57ccbef982a2fef5c1ddfe82c977180 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -577,7 +577,7 @@ struct kex_dh_param *gen_kexdh_param() {
 	TRACE(("enter gen_kexdh_vals"))
 
 	struct kex_dh_param *param = m_malloc(sizeof(*param));
-	m_mp_init_multi(&param->pub, &param->priv, NULL);
+	m_mp_init_multi(&param->pub, &param->priv, &dh_g, &dh_p, &dh_q, NULL);
 
 	/* read the prime and generator*/
 	load_dh_p(&dh_p);
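Review bot: dh_g, dh_p and dh_q are now initialised by `m_mp_init_multi(&param->pub, &param->priv, &dh_g, &dh_p, &dh_q, NULL);`, so each needs a matching clear before gen_kexdh_param() returns. The end of the function is outside this hunk, so that cannot be confirmed from here. If the existing cleanup does not cover all three, add `mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);` on the exit path. Separately, the trace string `enter gen_kexdh_vals` no longer matches the function name and could be corrected while this function is being touched.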
@@ -738,7 +738,7 @@ void free_kexcurve25519_param(struct kex_curve25519_param *param)
 
 void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *buf_pub_them,
 	sign_key *hostkey) {
-	unsigned char* out = m_malloc(CURVE25519_LEN);
+	unsigned char out[CURVE25519_LEN];
 	const unsigned char* Q_C = NULL;
 	const unsigned char* Q_S = NULL;
 
@@ -748,10 +748,9 @@ void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *buf_pub_
 	}
 
 	curve25519_donna(out, param->priv, buf_pub_them->data);
-	ses.dh_K = m_malloc(sizeof(*ses.dh_K));
-	m_mp_init(ses.dh_K);
+	m_mp_alloc_init_multi(&ses.dh_K, NULL);
 	bytes_to_mp(ses.dh_K, out, CURVE25519_LEN);
-	m_free(out);
+	m_burn(out, sizeof(out));
 
 	/* Create the remainder of the hash buffer, to generate the exchange hash.
 	   See RFC5656 section 4 page 7 */
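Review bot: The result of `curve25519_donna(out, param->priv, buf_pub_them->data)` goes straight into `bytes_to_mp(ses.dh_K, out, CURVE25519_LEN)` with no check that the shared secret is non-zero. RFC 7748 section 6.1 describes checking for an all-zero output, and RFC 8731 (curve25519-sha256 for SSH) requires aborting the key exchange when it occurs, because the peer's public value is untrusted input. A constant-time comparison of `out` against CURVE25519_LEN zero bytes, with dropbear_exit() on a match, would fit between the two calls. The `m_burn(out, sizeof(out))` is correct as written because `out` is a true array in this function, which begins in the previous hunk and ends outside this one.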
diff --git a/ecc.c b/ecc.c
index 3e0763c704190c6796a499e40de67bc4ac1df43d..5812b18a101682a781431fba4a9f3e26feb1cae2 100644
--- a/ecc.c
+++ b/ecc.c
@@ -6,7 +6,7 @@
 
 #ifdef DROPBEAR_ECC
 
-// .dp members are filled out by dropbear_ecc_fill_dp() at startup
+/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
 #ifdef DROPBEAR_ECC_256
 struct dropbear_ecc_curve ecc_curve_nistp256 = {
 	.ltc_size = 32,
@@ -44,7 +44,7 @@ struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
 
 void dropbear_ecc_fill_dp() {
 	struct dropbear_ecc_curve **curve;
-	// libtomcrypt guarantees they're ordered by size
+	/* libtomcrypt guarantees they're ordered by size */
 	const ltc_ecc_set_type *dp = ltc_ecc_sets;
 	for (curve = dropbear_ecc_curves; *curve; curve++) {
 		for (;dp->size > 0; dp++) {
diff --git a/ecdsa.c b/ecdsa.c
index fc8ea1f788442b7f484bfe5e889466a0013a96bf..eddbf134d2d1d8aad779c2be9f780332915a6ca3 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -246,8 +246,8 @@ out:
 
 // returns values in s and r
 // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
-static int buf_get_ecdsa_verify_params(buffer *buf, struct dropbear_ecc_curve *curve,
-	void *r, void* s) {
+static int buf_get_ecdsa_verify_params(buffer *buf,
+			void *r, void* s) {
 	int ret = DROPBEAR_FAILURE;
 	unsigned int sig_len;
 	unsigned int sig_pos;
@@ -302,7 +302,7 @@ int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf) {
 		dropbear_exit("ECC error");
 	}
 
-	if (buf_get_ecdsa_verify_params(buf, curve, r, s) != DROPBEAR_SUCCESS) {
+	if (buf_get_ecdsa_verify_params(buf, r, s) != DROPBEAR_SUCCESS) {
 		goto out;
 	}
 
diff --git a/ecdsa.h b/ecdsa.h
index c871e9f976715a45c1e4dc0eb6d38eeb6ba00a9f..5186fb752e4b841ced93c8f094e5520839626f6d 100644
--- a/ecdsa.h
+++ b/ecdsa.h
@@ -7,6 +7,7 @@
 
 #ifdef DROPBEAR_ECDSA
 
+/* Prefer the larger size - it's fast anyway */
 #if defined(DROPBEAR_ECC_521)
 #define ECDSA_DEFAULT_SIZE 521
 #elif defined(DROPBEAR_ECC_384)
diff --git a/gensignkey.c b/gensignkey.c
index 5726249a401c62cdfe3ef73378ee7b01f749b359..88a394967f9b17541c6d4d95da8be5ba000d5915 100644
--- a/gensignkey.c
+++ b/gensignkey.c
@@ -85,6 +85,8 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename)
 	/* now we can generate the key */
 	key = new_sign_key();
 
+	seedrandom();
+
 	switch(keytype) {
 #ifdef DROPBEAR_RSA
 		case DROPBEAR_SIGNKEY_RSA:
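Review bot: The two added `seedrandom();` calls carry no comment: one here before `switch(keytype)`, the other in the next hunk before `buf_new(MAX_PRIVKEY_SIZE)`. The reason for the second is not obvious from the code. Presumably the first makes key generation draw on a freshly seeded generator, and the second advances the generator so later output does not continue from the state used for the key. If that is the intent, record it, e.g. `/* reseed before generating the key */` and `/* reseed again so later random output is independent of the key */`. signkey_generate() starts and ends outside both hunks.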
@@ -112,6 +114,8 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename)
 			dropbear_exit("Internal error");
 	}
 
+	seedrandom();
+
 	buf = buf_new(MAX_PRIVKEY_SIZE); 
 
 	buf_put_priv_key(buf, key, keytype);
diff --git a/signkey.c b/signkey.c
index a7f45d4618cd687c10cbcd68fa7ee4ed065e9225..b1e0220a6e9ac788534b70be43375319d1fa6830 100644
--- a/signkey.c
+++ b/signkey.c
@@ -39,8 +39,7 @@ static const char *signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = {
 #ifdef DROPBEAR_ECDSA
 	"ecdsa-sha2-nistp256",
 	"ecdsa-sha2-nistp384",
-	"ecdsa-sha2-nistp521",
-	"ecdsa" // for keygen
+	"ecdsa-sha2-nistp521"
 #endif // DROPBEAR_ECDSA
 };
 
diff --git a/svr-auth.c b/svr-auth.c
index 86661086c80221c0a81fe44dd1c2dd8fb22206d5..2a3ef0e2ba80b1ad1272e92485457accabf4733a 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -231,7 +231,7 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
 
 	char* listshell = NULL;
 	char* usershell = NULL;
-	int   uid;
+	uid_t uid;
 	TRACE(("enter checkusername"))
 	if (userlen > MAX_USERNAME_LEN) {
 		return DROPBEAR_FAILURE;
diff --git a/svr-authpubkey.c b/svr-authpubkey.c
index e0727de71087f371aebb7321c3502e5e9c47bc3c..4eca2110337cf2800cf6746014701895096d0e22 100644
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -89,7 +89,7 @@ void svr_auth_pubkey() {
 	buffer * signbuf = NULL;
 	sign_key * key = NULL;
 	char* fp = NULL;
-	int type = -1;
+	enum signkey_type type = -1;
 
 	TRACE(("enter pubkeyauth"))
 
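Review bot: `enum signkey_type type = -1;` initialises the enum with a value that is not one of its enumerators. Whether the enum's underlying type is signed is left to the compiler, so a later `type < 0` test may never be true and comparisons against -1 can draw sign warnings. Dropbear's signkey.h provides DROPBEAR_SIGNKEY_NONE for the "no type yet" case; signkey.h is not part of this diff, so confirm it is defined in this tree. `enum signkey_type type = DROPBEAR_SIGNKEY_NONE;` states the intent, provided any checks against -1 further down svr_auth_pubkey() are updated to match; the function continues outside the hunk.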
diff --git a/svr-kex.c b/svr-kex.c
index 7db2f1c4ac891cb7616cb22de9b78f09e2bab6b4..629a31b1b691b636d6387c4900c940a37dc282f8 100644
--- a/svr-kex.c
+++ b/svr-kex.c
@@ -64,18 +64,19 @@ void recv_msg_kexdh_init() {
 		case DROPBEAR_KEX_CURVE25519:
 #if defined(DROPBEAR_ECDH) || defined(DROPBEAR_CURVE25519)
 			ecdh_qs = buf_getstringbuf(ses.payload);
-			if (ses.payload->pos != ses.payload->len) {
-				dropbear_exit("Bad kex value");
-			}
 #endif
 			break;
 	}
+	if (ses.payload->pos != ses.payload->len) {
+		dropbear_exit("Bad kex value");
+	}
 
 	send_msg_kexdh_reply(&dh_e, ecdh_qs);
 
 	mp_clear(&dh_e);
 	if (ecdh_qs) {
 		buf_free(ecdh_qs);
+		ecdh_qs = NULL;
 	}
 
 	send_msg_newkeys();
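Review bot: The relocated `if (ses.payload->pos != ses.payload->len)` check now guards every kex type, but nothing says so. Sitting bare after the `switch`, it is easy to fold back into a single case by mistake. A one-line comment such as `/* reject trailing data after the kex value, whatever the kex type */` would record that this is deliberate validation of the peer's packet. recv_msg_kexdh_init() starts outside this hunk.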
@@ -132,8 +133,11 @@ static void svr_ensure_hostkey() {
 	}
 
 	if (link(fn_temp, fn) < 0) {
+		/* It's OK to get EEXIST - we probably just lost a race
+		with another connection to generate the key */
 		if (errno != EEXIST) {
-			dropbear_log(LOG_ERR, "Failed moving key file to %s", fn);
+			dropbear_log(LOG_ERR, "Failed moving key file to %s: %s", fn,
+				strerror(errno));
 			/* XXX fallback to non-atomic copy for some filesystems? */
 			goto out;
 		}
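Review bot: Both outcomes of a failed `link(fn_temp, fn)` leave the temporary key file in place at this point: the `goto out` branch and the EEXIST branch that falls through. Presumably fn_temp holds the newly generated private host key. The `out:` label and the code after this `if` are outside the hunk, so confirm that fn_temp is unlinked on each path. On EEXIST, also confirm that the key is re-read from `fn`, so this process uses the key the other connection installed rather than the one it generated itself. If the fall-through relies on that re-read, the new comment could say so, e.g. `/* ... the existing key at fn is loaded below */`.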
@@ -151,14 +155,6 @@ out:
 	{
 		dropbear_exit("Couldn't read or generate hostkey %s", fn);
 	}
-
-	// directory for keys.
-
-	// Create lockfile first, or wait if it exists. PID!
-	// Generate key
-	// write it, load to memory
-	// atomic rename, done.
-
 }
 #endif
 	
diff --git a/svr-runopts.c b/svr-runopts.c
index fd05bbeb5c884b679a6aa7e342072849909e9ae2..cbfd1904b730cc711e777f2425e1509bb21894a7 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -410,30 +410,30 @@ static void loadhostkey(const char *keyfile, int fatal_duplicate) {
 
 #ifdef DROPBEAR_RSA
 	if (type == DROPBEAR_SIGNKEY_RSA) {
-		loadhostkey_helper("RSA", &read_key->rsakey, &svr_opts.hostkey->rsakey, fatal_duplicate);
+		loadhostkey_helper("RSA", (void**)&read_key->rsakey, (void**)&svr_opts.hostkey->rsakey, fatal_duplicate);
 	}
 #endif
 
 #ifdef DROPBEAR_DSS
 	if (type == DROPBEAR_SIGNKEY_DSS) {
-		loadhostkey_helper("DSS", &read_key->dsskey, &svr_opts.hostkey->dsskey, fatal_duplicate);
+		loadhostkey_helper("DSS", (void**)&read_key->dsskey, (void**)&svr_opts.hostkey->dsskey, fatal_duplicate);
 	}
 #endif
 
 #ifdef DROPBEAR_ECDSA
 #ifdef DROPBEAR_ECC_256
 	if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) {
-		loadhostkey_helper("ECDSA256", &read_key->ecckey256, &svr_opts.hostkey->ecckey256, fatal_duplicate);
+		loadhostkey_helper("ECDSA256", (void**)&read_key->ecckey256, (void**)&svr_opts.hostkey->ecckey256, fatal_duplicate);
 	}
 #endif
 #ifdef DROPBEAR_ECC_384
 	if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) {
-		loadhostkey_helper("ECDSA384", &read_key->ecckey384, &svr_opts.hostkey->ecckey384, fatal_duplicate);
+		loadhostkey_helper("ECDSA384", (void**)&read_key->ecckey384, (void**)&svr_opts.hostkey->ecckey384, fatal_duplicate);
 	}
 #endif
 #ifdef DROPBEAR_ECC_521
 	if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
-		loadhostkey_helper("ECDSA521", &read_key->ecckey521, &svr_opts.hostkey->ecckey521, fatal_duplicate);
+		loadhostkey_helper("ECDSA521", (void**)&read_key->ecckey521, (void**)&svr_opts.hostkey->ecckey521, fatal_duplicate);
 	}
 #endif
 #endif // DROPBEAR_ECDSA
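Review bot: The `(void**)` casts added to every loadhostkey_helper() call silence the incompatible-pointer warning, but `void **` is not a generic pointer-to-pointer in C. If the helper dereferences its arguments as `void *`, it accesses objects that were declared with a different pointer type, which the aliasing rules do not permit. This works where all object pointers share one representation, so it is a portability and optimiser-safety caveat rather than a known failure. loadhostkey_helper() is defined outside this hunk. A comment there stating the assumption would help, and a helper that takes the key pointers by value and returns the moved pointer would remove the need for the casts.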