#

# Per Solaris crypto team recommendation, we need to remove support for

# Curve25519 from OpenSSH.

#

# Patch offered upstream:

#     https://bugzilla.mindrot.org/show_bug.cgi?id=2376

#

diff -pur old/Makefile.in new/Makefile.in

--- old/Makefile.in	2015-03-31 21:14:02.427499635 -0700

+++ new/Makefile.in	2015-04-02 02:30:04.830658823 -0700

@@ -141,7 +141,7 @@ $(SSHDOBJS): Makefile.in config.h

 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<

 LIBCOMPAT=openbsd-compat/libopenbsd-compat.a

-$(LIBCOMPAT): always

+$(LIBCOMPAT): always libssh.a

 	(cd openbsd-compat && $(MAKE))

 always:

diff -pur old/authfd.c new/authfd.c

--- old/authfd.c	2013-12-28 22:49:56.000000000 -0800

+++ new/authfd.c	2015-04-01 01:53:06.534109950 -0700

@@ -508,8 +508,10 @@ ssh_add_identity_constrained(Authenticat

 	case KEY_DSA_CERT_V00:

 	case KEY_ECDSA:

 	case KEY_ECDSA_CERT:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

+#endif /* WITHOUT_ED25519 */

 		type = constrained ?

 		    SSH2_AGENTC_ADD_ID_CONSTRAINED :

 		    SSH2_AGENTC_ADD_IDENTITY;

diff -pur old/authfile.c new/authfile.c

--- old/authfile.c	2013-12-28 22:50:15.000000000 -0800

+++ new/authfile.c	2015-04-01 05:27:03.024708427 -0700

@@ -597,9 +597,11 @@ key_private_to_blob(Key *key, Buffer *bl

 			    comment, new_format_cipher, new_format_rounds);

 		}

 		return key_private_pem_to_blob(key, blob, passphrase, comment);

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 		return key_private_to_blob2(key, blob, passphrase,

 		    comment, new_format_cipher, new_format_rounds);

+#endif /* WITHOUT_ED25519 */

 	default:

 		error("%s: cannot save key type %d", __func__, key->type);

 		return 0;

@@ -1005,8 +1007,10 @@ key_parse_private_type(Buffer *blob, int

 	case KEY_ECDSA:

 	case KEY_RSA:

 		return key_parse_private_pem(blob, type, passphrase, commentp);

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 		return key_parse_private2(blob, type, passphrase, commentp);

+#endif /* WITHOUT_ED25519 */

 	case KEY_UNSPEC:

 		if ((k = key_parse_private2(blob, type, passphrase, commentp)))

 			return k;

@@ -1213,7 +1217,9 @@ key_load_private_cert(int type, const ch

 	case KEY_RSA:

 	case KEY_DSA:

 	case KEY_ECDSA:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

+#endif /* WITHOUT_ED25519 */

 		break;

 	default:

 		error("%s: unsupported key type", __func__);

diff -pur old/crypto_api.h new/crypto_api.h

--- old/crypto_api.h	2014-01-16 17:31:34.000000000 -0800

+++ new/crypto_api.h	2015-04-02 00:35:29.952105991 -0700

@@ -26,7 +26,7 @@ int	crypto_hashblocks_sha512(unsigned ch

 #define crypto_hash_sha512_BYTES 64U

-int	crypto_hash_sha512(unsigned char *, const unsigned char *,

+extern int	crypto_hash_sha512(unsigned char *, const unsigned char *,

     unsigned long long);

 int	crypto_verify_32(const unsigned char *, const unsigned char *);

diff -pur old/ed25519.c new/ed25519.c

--- old/ed25519.c	2013-12-17 22:48:11.000000000 -0800

+++ new/ed25519.c	2015-04-01 09:03:04.052497535 -0700

@@ -6,6 +6,8 @@

  * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c

  */

+#ifndef WITHOUT_ED25519

+

 #include "includes.h"

 #include "crypto_api.h"

@@ -142,3 +144,4 @@ int crypto_sign_ed25519_open(

   }

   return ret;

 }

+#endif /* WITHOUT_ED25519 */

diff -pur old/fe25519.c new/fe25519.c

--- old/fe25519.c	2014-01-16 17:43:44.000000000 -0800

+++ new/fe25519.c	2015-04-01 03:48:12.251955071 -0700

@@ -6,6 +6,8 @@

  * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c

  */

+#ifndef WITHOUT_ED25519

+

 #include "includes.h"

 #define WINDOWSIZE 1 /* Should be 1,2, or 4 */

@@ -335,3 +337,5 @@ void fe25519_pow2523(fe25519 *r, const f

 	/* 2^252 - 2^2 */ fe25519_square(&t,&t);

 	/* 2^252 - 3 */ fe25519_mul(r,&t,x);

 }

+

+#endif /* WITHOUT_ED25519 */

diff -pur old/fe25519.h new/fe25519.h

--- old/fe25519.h	2013-12-17 22:48:11.000000000 -0800

+++ new/fe25519.h	2015-04-01 03:47:56.992321351 -0700

@@ -9,6 +9,8 @@

 #ifndef FE25519_H

 #define FE25519_H

+#ifndef WITHOUT_ED25519

+

 #include "crypto_api.h"

 #define fe25519              crypto_sign_ed25519_ref_fe25519

@@ -67,4 +69,5 @@ void fe25519_invert(fe25519 *r, const fe

 void fe25519_pow2523(fe25519 *r, const fe25519 *x);

+#endif /* WITHOUT_ED25519 */

 #endif

diff -pur old/ge25519.c new/ge25519.c

--- old/ge25519.c	2014-01-16 17:43:44.000000000 -0800

+++ new/ge25519.c	2015-04-01 03:47:40.144323636 -0700

@@ -6,6 +6,8 @@

  * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c

  */

+#ifndef WITHOUT_ED25519

+

 #include "includes.h"

 #include "fe25519.h"

@@ -319,3 +321,5 @@ void ge25519_scalarmult_base(ge25519_p3

     ge25519_mixadd2(r, &t);

   }

 }

+

+#endif /* WITHOUT_ED25519 */

diff -pur old/ge25519.h new/ge25519.h

--- old/ge25519.h	2013-12-17 22:48:11.000000000 -0800

+++ new/ge25519.h	2015-04-01 03:47:22.801071311 -0700

@@ -8,6 +8,7 @@

 #ifndef GE25519_H

 #define GE25519_H

+#ifndef WITHOUT_ED25519

 #include "fe25519.h"

 #include "sc25519.h"

@@ -40,4 +41,5 @@ void ge25519_double_scalarmult_vartime(g

 void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);

+#endif /* WITHOUT_ED25519 */

 #endif

diff -pur old/kex.c new/kex.c

--- old/kex.c	2015-03-31 21:14:02.430475216 -0700

+++ new/kex.c	2015-04-01 04:49:49.142934463 -0700

@@ -91,7 +91,7 @@ static const struct kexalg kexalgs[] = {

 # endif

 #endif

 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },

-#ifdef HAVE_EVP_SHA256

+#if defined(HAVE_EVP_SHA256) && !defined(WITHOUT_ED25519)

 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },

 #endif

 #ifdef GSSAPI

diff -pur old/kex.h new/kex.h

--- old/kex.h	2015-03-31 21:14:02.430845488 -0700

+++ new/kex.h	2015-04-01 04:58:55.837357472 -0700

@@ -43,7 +43,9 @@

 #define	KEX_ECDH_SHA2_NISTP256	"ecdh-sha2-nistp256"

 #define	KEX_ECDH_SHA2_NISTP384	"ecdh-sha2-nistp384"

 #define	KEX_ECDH_SHA2_NISTP521	"ecdh-sha2-nistp521"

+#ifndef WITHOUT_ED25519

 #define	KEX_CURVE25519_SHA256	"[email protected]"

+#endif /* WITHOUT_ED25519 */

 #define COMP_NONE	0

 #define COMP_ZLIB	1

@@ -75,7 +77,9 @@ enum kex_exchange {

 	KEX_DH_GEX_SHA1,

 	KEX_DH_GEX_SHA256,

 	KEX_ECDH_SHA2,

+#ifndef WITHOUT_ED25519

 	KEX_C25519_SHA256,

+#endif /* WITHOUT_ED25519 */

 	KEX_GSS_GRP1_SHA1,

 	KEX_GSS_GRP14_SHA1,

 	KEX_GSS_GEX_SHA1,

@@ -172,8 +176,10 @@ void	 kexgex_client(Kex *);

 void	 kexgex_server(Kex *);

 void	 kexecdh_client(Kex *);

 void	 kexecdh_server(Kex *);

+#ifndef WITHOUT_ED25519

 void	 kexc25519_client(Kex *);

 void	 kexc25519_server(Kex *);

+#endif /* WITHOUT_ED25519 */

 #ifdef GSSAPI

 void	kexgss_client(Kex *);

@@ -193,6 +199,7 @@ kex_ecdh_hash(int, const EC_GROUP *, cha

     char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,

     const BIGNUM *, u_char **, u_int *);

 #endif

+#ifndef WITHOUT_ED25519

 void

 kex_c25519_hash(int, char *, char *, char *, int,

     char *, int, u_char *, int, const u_char *, const u_char *,

@@ -206,6 +213,7 @@ void kexc25519_shared_key(const u_char k

     const u_char pub[CURVE25519_SIZE], Buffer *out)

 	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))

 	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));

+#endif /* WITHOUT_ED25519 */

 void

 derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);

diff -pur old/kexc25519.c new/kexc25519.c

--- old/kexc25519.c	2014-01-12 00:21:23.000000000 -0800

+++ new/kexc25519.c	2015-04-01 04:52:44.039054396 -0700

@@ -25,6 +25,8 @@

  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  */

+#ifndef WITHOUT_ED25519

+

 #include "includes.h"

 #include <sys/types.h>

@@ -120,3 +122,5 @@ kex_c25519_hash(

 	*hash = digest;

 	*hashlen = ssh_digest_bytes(hash_alg);

 }

+

+#endif /* WITHOUT_ED25519 */

diff -pur old/kexc25519c.c new/kexc25519c.c

--- old/kexc25519c.c	2014-01-12 00:21:23.000000000 -0800

+++ new/kexc25519c.c	2015-04-01 04:52:57.326754535 -0700

@@ -25,6 +25,8 @@

  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  */

+#ifndef WITHOUT_ED25519

+

 #include "includes.h"

 #include <sys/types.h>

@@ -127,3 +129,5 @@ kexc25519_client(Kex *kex)

 	buffer_free(&shared_secret);

 	kex_finish(kex);

 }

+

+#endif /* WITHOUT_ED25519 */

diff -pur old/kexc25519s.c new/kexc25519s.c

--- old/kexc25519s.c	2014-01-12 00:21:23.000000000 -0800

+++ new/kexc25519s.c	2015-04-01 04:53:14.320854854 -0700

@@ -24,6 +24,8 @@

  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  */

+#ifndef WITHOUT_ED25519

+

 #include "includes.h"

 #include <sys/types.h>

@@ -124,3 +126,5 @@ kexc25519_server(Kex *kex)

 	buffer_free(&shared_secret);

 	kex_finish(kex);

 }

+

+#endif /* WITHOUT_ED25519 */

diff -pur old/key.c new/key.c

--- old/key.c	2015-03-31 21:14:02.432016878 -0700

+++ new/key.c	2015-04-01 02:05:27.074044366 -0700

@@ -89,8 +89,10 @@ key_new(int type)

 	k->dsa = NULL;

 	k->rsa = NULL;

 	k->cert = NULL;

+#ifndef WITHOUT_ED25519

 	k->ed25519_sk = NULL;

 	k->ed25519_pk = NULL;

+#endif /* WITHOUT_ED25519 */

 	switch (k->type) {

 	case KEY_RSA1:

 	case KEY_RSA:

@@ -125,10 +127,12 @@ key_new(int type)

 		/* Cannot do anything until we know the group */

 		break;

 #endif

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

 		/* no need to prealloc */

 		break;

+#endif /* WITHOUT_ED25519 */

 	case KEY_UNSPEC:

 		break;

 	default:

@@ -173,10 +177,12 @@ key_add_private(Key *k)

 	case KEY_ECDSA_CERT:

 		/* Cannot do anything until we know the group */

 		break;

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

 		/* no need to prealloc */

 		break;

+#endif /* WITHOUT_ED25519 */

 	case KEY_UNSPEC:

 		break;

 	default:

@@ -239,6 +245,7 @@ key_free(Key *k)

 		k->ecdsa = NULL;

 		break;

 #endif

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

 		if (k->ed25519_pk) {

@@ -252,6 +259,7 @@ key_free(Key *k)

 			k->ed25519_sk = NULL;

 		}

 		break;

+#endif /* WITHOUT_ED25519 */

 	case KEY_UNSPEC:

 		break;

 	default:

@@ -333,10 +341,12 @@ key_equal_public(const Key *a, const Key

 		BN_CTX_free(bnctx);

 		return 1;

 #endif /* OPENSSL_HAS_ECC */

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

 		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&

 		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;

+#endif /* WITHOUT_ED25519 */

 	default:

 		fatal("key_equal: bad key type %d", a->type);

 	}

@@ -392,7 +402,9 @@ key_fingerprint_raw(const Key *k, enum f

 	case KEY_DSA:

 	case KEY_ECDSA:

 	case KEY_RSA:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

+#endif /* WITHOUT_ED25519 */

 		key_to_blob(k, &blob, &len);

 		break;

 	case KEY_DSA_CERT_V00:

@@ -400,7 +412,9 @@ key_fingerprint_raw(const Key *k, enum f

 	case KEY_DSA_CERT:

 	case KEY_ECDSA_CERT:

 	case KEY_RSA_CERT:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519_CERT:

+#endif /* WITHOUT_ED25519 */

 		/* We want a fingerprint of the _key_ not of the cert */

 		to_blob(k, &blob, &len, 1);

 		break;

@@ -728,13 +742,17 @@ key_read(Key *ret, char **cpp)

 	case KEY_RSA:

 	case KEY_DSA:

 	case KEY_ECDSA:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

+#endif /* WITHOUT_ED25519 */

 	case KEY_DSA_CERT_V00:

 	case KEY_RSA_CERT_V00:

 	case KEY_DSA_CERT:

 	case KEY_ECDSA_CERT:

 	case KEY_RSA_CERT:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519_CERT:

+#endif /* WITHOUT_ED25519 */

 		space = strchr(cp, ' ');

 		if (space == NULL) {

 			debug3("key_read: missing whitespace");

@@ -836,6 +854,7 @@ key_read(Key *ret, char **cpp)

 #endif

 		}

 #endif

+#ifndef WITHOUT_ED25519

 		if (key_type_plain(ret->type) == KEY_ED25519) {

 			free(ret->ed25519_pk);

 			ret->ed25519_pk = k->ed25519_pk;

@@ -844,6 +863,7 @@ key_read(Key *ret, char **cpp)

 			/* XXX */

 #endif

 		}

+#endif /* WITHOUT_ED25519 */

 		success = 1;

 /*XXXX*/

 		key_free(k);

@@ -907,11 +927,13 @@ key_write(const Key *key, FILE *f)

 			return 0;

 		break;

 #endif

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

 		if (key->ed25519_pk == NULL)

 			return 0;

 		break;

+#endif /* WITHOUT_ED25519 */

 	case KEY_RSA:

 	case KEY_RSA_CERT_V00:

 	case KEY_RSA_CERT:

@@ -959,7 +981,9 @@ static const struct keytype keytypes[] =

 	{ NULL, "RSA1", KEY_RSA1, 0, 0 },

 	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },

 	{ "ssh-dss", "DSA", KEY_DSA, 0, 0 },

+#ifndef WITHOUT_ED25519

 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },

+#endif /* WITHOUT_ED25519 */

 #ifdef OPENSSL_HAS_ECC

 	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },

 	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },

@@ -983,8 +1007,10 @@ static const struct keytype keytypes[] =

 	    KEY_RSA_CERT_V00, 0, 1 },

 	{ "[email protected]", "DSA-CERT-V00",

 	    KEY_DSA_CERT_V00, 0, 1 },

+#ifndef WITHOUT_ED25519

 	{ "[email protected]", "ED25519-CERT",

 	    KEY_ED25519_CERT, 0, 1 },

+#endif /* WITHOUT_ED25519 */

 	{ "null", "null", KEY_NULL, 0, 0 },

 	{ NULL, NULL, -1, -1, 0 }

 };

@@ -1097,7 +1123,9 @@ key_type_is_valid_ca(int type)

 	case KEY_RSA:

 	case KEY_DSA:

 	case KEY_ECDSA:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

+#endif /* WITHOUT_ED25519 */

 		return 1;

 	default:

 		return 0;

@@ -1117,8 +1145,10 @@ key_size(const Key *k)

 	case KEY_DSA_CERT_V00:

 	case KEY_DSA_CERT:

 		return BN_num_bits(k->dsa->p);

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 		return 256;	/* XXX */

+#endif /* WITHOUT_ED25519 */

 #ifdef OPENSSL_HAS_ECC

 	case KEY_ECDSA:

 	case KEY_ECDSA_CERT:

@@ -1262,11 +1292,13 @@ key_generate(int type, u_int bits)

 	case KEY_RSA1:

 		k->rsa = rsa_generate_private_key(bits);

 		break;

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 		k->ed25519_pk = xmalloc(ED25519_PK_SZ);

 		k->ed25519_sk = xmalloc(ED25519_SK_SZ);

 		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);

 		break;

+#endif /* WITHOUT_ED25519 */

 	case KEY_RSA_CERT_V00:

 	case KEY_DSA_CERT_V00:

 	case KEY_RSA_CERT:

@@ -1360,6 +1392,7 @@ key_from_private(const Key *k)

 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))

 			fatal("key_from_private: BN_copy failed");

 		break;

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 	case KEY_ED25519_CERT:

 		n = key_new(k->type);

@@ -1368,6 +1401,7 @@ key_from_private(const Key *k)

 			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);

 		}

 		break;

+#endif /* WITHOUT_ED25519 */

 	default:

 		fatal("key_from_private: unknown type %d", k->type);

 		break;

@@ -1629,6 +1663,7 @@ key_from_blob2(const u_char *blob, u_int

 #endif

 		break;

 #endif /* OPENSSL_HAS_ECC */

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519_CERT:

 		(void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */

 		/* FALLTHROUGH */

@@ -1646,6 +1681,7 @@ key_from_blob2(const u_char *blob, u_int

 		key->ed25519_pk = pk;

 		pk = NULL;

 		break;

+#endif /* WITHOUT_ED25519 */

 	case KEY_UNSPEC:

 		key = key_new(type);

 		break;

@@ -1700,7 +1736,9 @@ to_blob(const Key *key, u_char **blobp,

 	case KEY_DSA_CERT:

 	case KEY_ECDSA_CERT:

 	case KEY_RSA_CERT:

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519_CERT:

+#endif /* WITHOUT_ED25519 */

 		/* Use the existing blob */

 		buffer_append(&b, buffer_ptr(&key->cert->certblob),

 		    buffer_len(&key->cert->certblob));

@@ -1728,11 +1766,13 @@ to_blob(const Key *key, u_char **blobp,

 		buffer_put_bignum2(&b, key->rsa->e);

 		buffer_put_bignum2(&b, key->rsa->n);

 		break;

+#ifndef WITHOUT_ED25519

 	case KEY_ED25519:

 		buffer_put_cstring(&b,

 		    key_ssh_name_from_type_nid(type, key->ecdsa_nid));