authorMatt Johnston <matt@ucc.asn.au>2013-11-09 00:02:26 +0800
committerMatt Johnston <matt@ucc.asn.au>2013-11-09 00:02:26 +0800
commitbacc14399c0d7af8470c79cad6179f6ce1e18582 (patch)
tree6cc893adfd3b9b85b65a5faae0ae78811feaa95b
parentf6ba7a0dad0436877732b18b458c4d26f00125a0 (diff)
downloaddropbear-bacc14399c0d7af8470c79cad6179f6ce1e18582.tar.gz
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
- comment on ecc binary size effects
-rw-r--r--cli-kex.c2
-rw-r--r--options.h16
-rw-r--r--svr-kex.c2
-rw-r--r--sysoptions.h7
4 files changed, 17 insertions, 10 deletions
diff --git a/cli-kex.c b/cli-kex.c
index 0ab4edc..18285ac 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -79,7 +79,7 @@ void send_msg_kexdh_init() {
}
cli_ses.curve25519_param = gen_kexcurve25519_param();
}
- buf_putstring(ses.writepayload, cli_ses.curve25519_param->priv, CURVE25519_LEN);
+ buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
#endif
break;
}
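Review bot: The corrected line now puts `cli_ses.curve25519_param->pub` on the wire, but nothing around it stops the same slip from recurring: `priv` and `pub` are both CURVE25519_LEN byte fields of the same struct, so the compiler cannot tell a leaked private scalar from a public point, and the old line would have sent the ephemeral private scalar to the peer. A one-line guard comment at the send site makes the intent reviewable, e.g. `/* send only the public point; ->priv must never be written to the payload */` above the buf_putstring call. I would also confirm, outside this hunk, that the private scalar is wiped when cli_ses.curve25519_param is released, since the client keeps the parameter around until the reply arrives; this hunk does not show that. send_msg_kexdh_init begins before this hunk.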
diff --git a/options.h b/options.h
index ccdd303..9a775cf 100644
--- a/options.h
+++ b/options.h
@@ -138,22 +138,24 @@ much traffic. */
* SSH2 RFC Draft requires dss, recommends rsa */
#define DROPBEAR_RSA
#define DROPBEAR_DSS
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
#define DROPBEAR_ECDSA
/* Generate hostkeys as-needed when the first connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems
- with badly seeded random devices when systems first boot.
+ with badly seeded /dev/urandom when systems first boot.
This also requires a runtime flag "-R". */
#define DROPBEAR_DELAY_HOSTKEY
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~10kB on x86-64 */
#define DROPBEAR_CURVE25519
-/* RSA can be vulnerable to timing attacks which use the time required for
- * signing to guess the private key. Blinding avoids this attack, though makes
- * signing operations slightly slower. */
-#define RSA_BLINDING
-
-/* Enable elliptic curve Diffie Hellman key exchange */
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
+ * ECDSA above */
#define DROPBEAR_ECDH
/* Control the memory/performance/compression tradeoff for zlib.
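Review bot: The new DROPBEAR_CURVE25519 comment does not say what kind of option it is or what it pulls in: it is a key-exchange method (it sits alongside DROPBEAR_ECDH, not among the hostkey types above), and enabling it forces SHA-256 to be linked, which this commit does in sysoptions.h but leaves undocumented here. I would write it as `/* Enable Curve25519 key exchange (not a hostkey type). Requires SHA-256, which sysoptions.h enables automatically. Increases binary size by ~10kB on x86-64 */`. The removal of RSA_BLINDING from this user-editable file is also silent; a short line such as `/* RSA blinding is always on; see sysoptions.h */` would save the next maintainer from searching for it. The `#define DROPBEAR_ECDH` line and the comment that follows it run to the end of the hunk; the rest of the option list is outside it.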
diff --git a/svr-kex.c b/svr-kex.c
index 4764e38..7db2f1c 100644
--- a/svr-kex.c
+++ b/svr-kex.c
@@ -213,7 +213,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
{
struct kex_curve25519_param *param = gen_kexcurve25519_param();
kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
- buf_putstring(ses.writepayload, param->priv, CURVE25519_LEN);
+ buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
free_kexcurve25519_param(param);
}
#endif
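Review bot: The hunk fixes which field is written, but on the server side the peer-supplied `ecdh_qs` reaches kexcurve25519_comb_key with no visible length check, and the reply is emitted before `param` (which holds the server's ephemeral private scalar) is freed. If kexcurve25519_comb_key does not itself verify `ecdh_qs->len == CURVE25519_LEN`, a guard before the call that aborts the exchange on any other length is the right place for it; I cannot see that function from here, so confirm before adding a second check. Likewise, free_kexcurve25519_param should zero `param->priv` before releasing it — the shared secret has already been derived at that point, so the scalar has no further use. send_msg_kexdh_reply starts before this hunk and its remaining body is outside it.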
diff --git a/sysoptions.h b/sysoptions.h
index 6637ad5..8459eb6 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -104,8 +104,13 @@
#define DROPBEAR_LTC_PRNG
#endif
+/* RSA can be vulnerable to timing attacks which use the time required for
+ * signing to guess the private key. Blinding avoids this attack, though makes
+ * signing operations slightly slower. */
+#define RSA_BLINDING
+
/* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256)
+#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519)
#define DROPBEAR_SHA256
#endif
#if defined(DROPBEAR_ECC_384)
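Review bot: Moving RSA_BLINDING into sysoptions.h makes it unconditional, which is the right default, but the relocated comment still reads as if it described a tunable and gives no hint why it no longer lives in options.h. I would append one sentence to that comment: `Kept here rather than in options.h so it cannot be disabled by a local build configuration.` The SHA-256 condition change is correct as far as this hunk shows, since the Curve25519 exchange needs the hash linked in even when no SHA-256 HMAC or ECC-256 curve is configured. The `#if defined(DROPBEAR_ECC_384)` block at the end continues past the hunk.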