#

# Per Solaris crypto team recommendation, we need to remove support for

# Curve25519 from OpenSSH.

#

# Patch offered upstream but rejected:

#     https://bugzilla.mindrot.org/show_bug.cgi?id=2376

#

diff -pur old/Makefile.in new/Makefile.in

--- old/Makefile.in

+++ new/Makefile.in

@@ -155,7 +155,7 @@ $(SSHDOBJS): Makefile.in config.h

 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@

 LIBCOMPAT=openbsd-compat/libopenbsd-compat.a

-$(LIBCOMPAT): always

+$(LIBCOMPAT): always libssh.a

 	(cd openbsd-compat && $(MAKE))

 always:

diff -pur old/authfd.c new/authfd.c

--- old/authfd.c

+++ new/authfd.c

@@ -565,8 +565,10 @@ ssh_add_identity_constrained(int sock, s

 	case KEY_ECDSA:

 	case KEY_ECDSA_CERT:

 #endif

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

+#endif /* WITHOUT_ED25519 */

 		type = constrained ?

 		    SSH2_AGENTC_ADD_ID_CONSTRAINED :

 		    SSH2_AGENTC_ADD_IDENTITY;

diff -pur old/authfile.c new/authfile.c

--- old/authfile.c

+++ new/authfile.c

@@ -449,7 +449,9 @@ sshkey_load_private_cert(int type, const

 	case KEY_DSA:

 	case KEY_ECDSA:

 #endif /* WITH_OPENSSL */

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

+#endif /* WITHOUT_ED25519 */

 	case KEY_UNSPEC:

 		break;

 	default:

diff -pur old/dns.c new/dns.c

--- old/dns.c

+++ new/dns.c

@@ -100,11 +100,13 @@ dns_read_key(u_int8_t *algorithm, u_int8

 		if (!*digest_type)

 			*digest_type = SSHFP_HASH_SHA256;

 		break;

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 		*algorithm = SSHFP_KEY_ED25519;

 		if (!*digest_type)

 			*digest_type = SSHFP_HASH_SHA256;

 		break;

+#endif /* WITHOUT_ED25519 */

 	default:

 		*algorithm = SSHFP_KEY_RESERVED; /* 0 */

 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */

diff -pur old/dns.h new/dns.h

--- old/dns.h

+++ new/dns.h

@@ -33,7 +33,9 @@ enum sshfp_types {

 	SSHFP_KEY_RSA = 1,

 	SSHFP_KEY_DSA = 2,

 	SSHFP_KEY_ECDSA = 3,

-	SSHFP_KEY_ED25519 = 4

+#ifndef WITHOUT_ED25519

+ 	SSHFP_KEY_ED25519 = 4 

+#endif /* WITHOUT_ED25519 */

 };

 enum sshfp_hashes {

diff -pur old/ed25519.c new/ed25519.c

--- old/ed25519.c

+++ new/ed25519.c

@@ -7,6 +7,7 @@

  */

 #include "includes.h"

+#ifndef WITHOUT_ED25519

 #include "crypto_api.h"

 #include "ge25519.h"

@@ -142,3 +143,4 @@ int crypto_sign_ed25519_open(

   }

   return ret;

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/fe25519.c new/fe25519.c

--- old/fe25519.c

+++ new/fe25519.c

@@ -8,6 +8,7 @@

 #include "includes.h"

+#ifndef WITHOUT_ED25519

 #define WINDOWSIZE 1 /* Should be 1,2, or 4 */

 #define WINDOWMASK ((1<<WINDOWSIZE)-1)

@@ -335,3 +336,4 @@ void fe25519_pow2523(fe25519 *r, const f

 	/* 2^252 - 2^2 */ fe25519_square(&t,&t);

 	/* 2^252 - 3 */ fe25519_mul(r,&t,x);

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/fe25519.h new/fe25519.h

--- old/fe25519.h

+++ new/fe25519.h

@@ -8,6 +8,7 @@

 #ifndef FE25519_H

 #define FE25519_H

+#ifndef WITHOUT_ED25519

 #include "crypto_api.h"

@@ -67,4 +68,5 @@ void fe25519_invert(fe25519 *r, const fe

 void fe25519_pow2523(fe25519 *r, const fe25519 *x);

+#endif /* WITHOUT_ED25519 */

 #endif

diff -pur old/ge25519.c new/ge25519.c

--- old/ge25519.c

+++ new/ge25519.c

@@ -7,6 +7,7 @@

  */

 #include "includes.h"

+#ifndef WITHOUT_ED25519

 #include "fe25519.h"

 #include "sc25519.h"

@@ -319,3 +320,4 @@ void ge25519_scalarmult_base(ge25519_p3

     ge25519_mixadd2(r, &t);

   }

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/ge25519.h new/ge25519.h

--- old/ge25519.h

+++ new/ge25519.h

@@ -8,6 +8,7 @@

 #ifndef GE25519_H

 #define GE25519_H

+#ifndef WITHOUT_ED25519

 #include "fe25519.h"

 #include "sc25519.h"

@@ -40,4 +41,5 @@ void ge25519_double_scalarmult_vartime(g

 void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);

+#endif /* WITHOUT_ED25519 */

 #endif

diff -pur old/kex.c new/kex.c

--- old/kex.c

+++ new/kex.c

@@ -96,9 +96,11 @@ static const struct kexalg kexalgs[] = {

 # endif /* OPENSSL_HAS_NISTP521 */

 #endif /* OPENSSL_HAS_ECC */

 #endif /* WITH_OPENSSL */

+#ifndef WITHOUT_ED25519

 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)

 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },

 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */

+#endif /* WITHOUT_ED25519 */

 #ifdef GSSAPI

 	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },

 	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },

diff -pur old/kex.h new/kex.h

--- old/kex.h

+++ new/kex.h

@@ -58,13 +58,17 @@

 #define	KEX_ECDH_SHA2_NISTP256	"ecdh-sha2-nistp256"

 #define	KEX_ECDH_SHA2_NISTP384	"ecdh-sha2-nistp384"

 #define	KEX_ECDH_SHA2_NISTP521	"ecdh-sha2-nistp521"

+#ifndef WITHOUT_ED25519

 #define	KEX_CURVE25519_SHA256	"[email protected]"

+#endif /* WITHOUT_ED25519 */

 #define COMP_NONE	0

 #define COMP_ZLIB	1

 #define COMP_DELAYED	2

+#ifndef WITHOUT_ED25519

 #define CURVE25519_SIZE 32

+#endif /* WITHOUT_ED25519 */

 enum kex_init_proposals {

 	PROPOSAL_KEX_ALGS,

@@ -92,7 +96,9 @@ enum kex_exchange {

 	KEX_DH_GEX_SHA1,

 	KEX_DH_GEX_SHA256,

 	KEX_ECDH_SHA2,

+#ifndef WITHOUT_ED25519

 	KEX_C25519_SHA256,

+#endif /* WITHOUT_ED25519 */

 	KEX_GSS_GRP1_SHA1,

 	KEX_GSS_GRP14_SHA1,

 	KEX_GSS_GEX_SHA1,

@@ -161,8 +167,10 @@ struct kex {

 	u_int	min, max, nbits;	/* GEX */

 	EC_KEY	*ec_client_key;		/* ECDH */

 	const EC_GROUP *ec_group;	/* ECDH */

+#ifndef WITHOUT_ED25519

 	u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */

 	u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */

+#endif /* WITHOUT_ED25519 */

 };

 int	 kex_names_valid(const char *);

@@ -191,8 +199,10 @@ int	 kexgex_client(struct ssh *);

 int	 kexgex_server(struct ssh *);

 int	 kexecdh_client(struct ssh *);

 int	 kexecdh_server(struct ssh *);

+#ifndef WITHOUT_ED25519

 int	 kexc25519_client(struct ssh *);

 int	 kexc25519_server(struct ssh *);

+#endif /* WITHOUT_ED25519 */

 #ifdef GSSAPI

 int	 kexgss_client(struct ssh *);

 int	 kexgss_server(struct ssh *);

@@ -213,6 +223,7 @@ int kex_ecdh_hash(int, const EC_GROUP *,

     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,

     const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);

+#ifndef WITHOUT_ED25519

 int	 kex_c25519_hash(int, const char *, const char *, const char *, size_t,

     const char *, size_t, const u_char *, size_t, const u_char *, const u_char *,

     const u_char *, size_t, u_char *, size_t *);

@@ -224,6 +235,7 @@ int	kexc25519_shared_key(const u_char ke

     const u_char pub[CURVE25519_SIZE], struct sshbuf *out)

 	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))

 	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));

+#endif /* WITHOUT_ED25519 */

 int

 derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);

diff -pur old/kexc25519.c new/kexc25519.c

--- old/kexc25519.c

+++ new/kexc25519.c

@@ -27,6 +27,7 @@

 #include "includes.h"

+#ifndef WITHOUT_ED25519

 #include <sys/types.h>

 #include <signal.h>

@@ -131,3 +132,4 @@ kex_c25519_hash(

 #endif

 	return 0;

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/kexc25519c.c new/kexc25519c.c

--- old/kexc25519c.c

+++ new/kexc25519c.c

@@ -27,6 +27,7 @@

 #include "includes.h"

+#ifndef WITHOUT_ED25519

 #include <sys/types.h>

 #include <stdio.h>

@@ -168,3 +169,4 @@ out:

 	sshbuf_free(shared_secret);

 	return r;

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/kexc25519s.c new/kexc25519s.c

--- old/kexc25519s.c

+++ new/kexc25519s.c

@@ -26,6 +26,8 @@

 #include "includes.h"

+#ifndef WITHOUT_ED25519

+

 #include <sys/types.h>

 #include <stdio.h>

 #include <string.h>

@@ -157,3 +159,4 @@ out:

 	sshbuf_free(shared_secret);

 	return r;

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/monitor.c new/monitor.c

--- old/monitor.c

+++ new/monitor.c

@@ -1941,7 +1941,9 @@ monitor_apply_keystate(struct monitor *p

 		kex->kex[KEX_ECDH_SHA2] = kexecdh_server;

 # endif

 #endif /* WITH_OPENSSL */

+#ifndef WITHOUT_ED25519

 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;

+#endif /* WITHOUT_ED25519 */

 #ifdef GSSAPI

 		if (options.gss_keyex) {

 			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;

diff -pur old/myproposal.h new/myproposal.h

--- old/myproposal.h

+++ new/myproposal.h

@@ -59,6 +59,20 @@

 # define HOSTKEY_ECDSA_METHODS

 #endif

+#ifndef WITHOUT_ED25519

+# if defined(WITH_OPENSSL) && defined(HAVE_EVP_SHA256)

+#  define KEX_CURVE25519_METHODS "[email protected],"

+# else

+#  define KEX_CURVE25519_METHODS

+# endif

+# define HOSTKEY_CURVE25519_CERT_METHODS "[email protected],"

+# define HOSTKEY_CURVE25519_METHODS "ssh-ed25519,"

+#else

+# define KEX_CURVE25519_METHODS

+# define HOSTKEY_CURVE25519_CERT_METHODS

+# define HOSTKEY_CURVE25519_METHODS

+#endif /* WITHOUT_ED25519 */

+

 #ifdef OPENSSL_HAVE_EVPGCM

 # define AESGCM_CIPHER_MODES \

 	",[email protected],[email protected]"

@@ -78,11 +92,6 @@

 #endif

 #ifdef WITH_OPENSSL

-# ifdef HAVE_EVP_SHA256

-#  define KEX_CURVE25519_METHODS "[email protected],"

-# else

-#  define KEX_CURVE25519_METHODS ""

-# endif

 #define KEX_COMMON_KEX \

 	KEX_CURVE25519_METHODS \

 	KEX_ECDH_METHODS \

@@ -97,10 +106,10 @@

 #define	KEX_DEFAULT_PK_ALG	\

 	HOSTKEY_ECDSA_CERT_METHODS \

-	"[email protected]," \

+	HOSTKEY_CURVE25519_CERT_METHODS \

 	"[email protected]," \

 	HOSTKEY_ECDSA_METHODS \

-	"ssh-ed25519," \

+	HOSTKEY_CURVE25519_METHODS \

 	"ssh-rsa" \

 /* the actual algorithms */

@@ -141,10 +150,10 @@

 #else

 #define KEX_SERVER_KEX		\

-	"[email protected]"

+	KEX_CURVE25519_METHODS

 #define	KEX_DEFAULT_PK_ALG	\

-	"[email protected]," \

-	"ssh-ed25519"

+	HOSTKEY_CURVE25519_CERT_METHODS \

+	HOSTKEY_CURVE25519_METHODS

 #define	KEX_SERVER_ENCRYPT \

 	"[email protected]," \

 	"aes128-ctr,aes192-ctr,aes256-ctr"

diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in

--- old/openbsd-compat/Makefile.in

+++ new/openbsd-compat/Makefile.in

@@ -32,7 +32,7 @@ $(OPENBSD): ../config.h

 $(PORTS): ../config.h

 libopenbsd-compat.a:  $(COMPAT) $(OPENBSD) $(PORTS)

-	$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)

+	$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o

 	$(RANLIB) $@

 clean:

diff -pur old/pathnames.h new/pathnames.h

--- old/pathnames.h

+++ new/pathnames.h

@@ -39,7 +39,9 @@

 #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"

 #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"

 #define _PATH_HOST_ECDSA_KEY_FILE	SSHDIR "/ssh_host_ecdsa_key"

+#ifndef WITHOUT_ED25519

 #define _PATH_HOST_ED25519_KEY_FILE	SSHDIR "/ssh_host_ed25519_key"

+#endif /* WITHOUT_ED25519 */

 #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"

 #define _PATH_DH_MODULI			SSHDIR "/moduli"

 /* Backwards compatibility */

@@ -78,7 +80,9 @@

 #define _PATH_SSH_CLIENT_ID_DSA		_PATH_SSH_USER_DIR "/id_dsa"

 #define _PATH_SSH_CLIENT_ID_ECDSA	_PATH_SSH_USER_DIR "/id_ecdsa"

 #define _PATH_SSH_CLIENT_ID_RSA		_PATH_SSH_USER_DIR "/id_rsa"

+#ifndef WITHOUT_ED25519

 #define _PATH_SSH_CLIENT_ID_ED25519	_PATH_SSH_USER_DIR "/id_ed25519"

+#endif /* WITHOUT_ED25519 */

 /*

  * Configuration file in user's home directory.  This file need not be

diff -pur old/readconf.c new/readconf.c

--- old/readconf.c

+++ new/readconf.c

@@ -1846,8 +1846,10 @@ fill_default_options(Options * options)

 			add_identity_file(options, "~/",

 			    _PATH_SSH_CLIENT_ID_ECDSA, 0);

 #endif

+#ifndef WITHOUT_ED25519

 			add_identity_file(options, "~/",

 			    _PATH_SSH_CLIENT_ID_ED25519, 0);

+#endif /* WITHOUT_ED25519 */

 		}

 	}

 	if (options->escape_char == -1)

diff -pur old/servconf.c new/servconf.c

--- old/servconf.c

+++ new/servconf.c

@@ -222,8 +222,10 @@ fill_default_server_options(ServerOption

 			options->host_key_files[options->num_host_key_files++] =

 			    _PATH_HOST_ECDSA_KEY_FILE;

 #endif

+#ifndef WITHOUT_ED25519

 			options->host_key_files[options->num_host_key_files++] =

 			    _PATH_HOST_ED25519_KEY_FILE;

+#endif /* WITHOUT_ED25519 */

 		}

 	}

 	/* No certificates by default */

diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c

--- old/smult_curve25519_ref.c

+++ new/smult_curve25519_ref.c

@@ -6,6 +6,8 @@ Public domain.

 Derived from public domain code by D. J. Bernstein.

 */

+#ifndef WITHOUT_ED25519

+

 int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);

 static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])

@@ -263,3 +265,4 @@ int crypto_scalarmult_curve25519(unsigne

   for (i = 0;i < 32;++i) q[i] = work[64 + i];

   return 0;

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/ssh-add.0 new/ssh-add.0

--- old/ssh-add.0

+++ new/ssh-add.0

@@ -11,7 +11,7 @@ SYNOPSIS

 DESCRIPTION

      ssh-add adds private key identities to the authentication agent,

      ssh-agent(1).  When run without arguments, it adds the files

-     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and

+     ~/.ssh/id_rsa, ~/.ssh/id_dsa, and

      ~/.ssh/identity.  After loading a private key, ssh-add will try to load

      corresponding certificate information from the filename obtained by

      appending -cert.pub to the name of the private key file.  Alternative

@@ -97,14 +97,6 @@ FILES

              Contains the protocol version 2 DSA authentication identity of

              the user.

-     ~/.ssh/id_ecdsa

-             Contains the protocol version 2 ECDSA authentication identity of

-             the user.

-

-     ~/.ssh/id_ed25519

-             Contains the protocol version 2 Ed25519 authentication identity

-             of the user.

-

      ~/.ssh/id_rsa

              Contains the protocol version 2 RSA authentication identity of

              the user.

diff -pur old/ssh-add.1 new/ssh-add.1

--- old/ssh-add.1

+++ new/ssh-add.1

@@ -58,8 +58,6 @@ adds private key identities to the authe

 When run without arguments, it adds the files

 .Pa ~/.ssh/id_rsa ,

 .Pa ~/.ssh/id_dsa ,

-.Pa ~/.ssh/id_ecdsa ,

-.Pa ~/.ssh/id_ed25519

 and

 .Pa ~/.ssh/identity .

 After loading a private key,

@@ -178,10 +176,6 @@ socket used to communicate with the agen

 Contains the protocol version 1 RSA authentication identity of the user.

 .It Pa ~/.ssh/id_dsa

 Contains the protocol version 2 DSA authentication identity of the user.

-.It Pa ~/.ssh/id_ecdsa

-Contains the protocol version 2 ECDSA authentication identity of the user.

-.It Pa ~/.ssh/id_ed25519

-Contains the protocol version 2 Ed25519 authentication identity of the user.

 .It Pa ~/.ssh/id_rsa

 Contains the protocol version 2 RSA authentication identity of the user.

 .El

diff -pur old/ssh-add.c new/ssh-add.c

--- old/ssh-add.c