upstream/oracle/userland-gate: comparison components/openssh/patches/024-disable

equal deleted inserted replaced

-:e8cdd896f216
+:5683175b6e99
+#
+# Per Solaris crypto team recommendation, we need to remove support for
+# Curve25519 from OpenSSH.
+#
+# Patch offered upstream but rejected:
+#     https://bugzilla.mindrot.org/show_bug.cgi?id=2376
+#
 diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in	2015-04-10 02:43:51.101312444 -0700
+--- old/Makefile.in	2015-12-07 15:58:19.591097920 -0800
-+++ new/Makefile.in	2015-04-10 02:43:51.156820521 -0700
++++ new/Makefile.in	2015-12-07 16:05:02.810457680 -0800
-@@ -138,7 +138,7 @@ $(SSHDOBJS): Makefile.in config.h
+@@ -153,7 +153,7 @@ $(SSHDOBJS): Makefile.in config.h
-	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
 LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
 -$(LIBCOMPAT): always
 +$(LIBCOMPAT): always libssh.a
 	(cd openbsd-compat && $(MAKE))
 always:
-Only in new: Makefile.in.orig
 diff -pur old/authfd.c new/authfd.c
---- old/authfd.c	2013-12-28 22:49:56.000000000 -0800
+--- old/authfd.c
-+++ new/authfd.c	2015-04-10 02:43:51.157515880 -0700
++++ new/authfd.c
-@@ -508,8 +508,10 @@ ssh_add_identity_constrained(Authenticat
+@@ -565,8 +565,10 @@ ssh_add_identity_constrained(int sock, s
-	case KEY_DSA_CERT_V00:
 	case KEY_ECDSA:
 	case KEY_ECDSA_CERT:
+#endif
 +#ifndef WITHOUT_ED25519
 	case KEY_ED25519:
 	case KEY_ED25519_CERT:
 +#endif /* WITHOUT_ED25519 */
 		type = constrained ?
 		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
 		    SSH2_AGENTC_ADD_IDENTITY;
 diff -pur old/authfile.c new/authfile.c
---- old/authfile.c	2013-12-28 22:50:15.000000000 -0800
+--- old/authfile.c
-+++ new/authfile.c	2015-04-10 02:43:51.158405633 -0700
++++ new/authfile.c
-@@ -597,9 +597,11 @@ key_private_to_blob(Key *key, Buffer *bl
+@@ -449,7 +449,9 @@ sshkey_load_private_cert(int type, const
-			    comment, new_format_cipher, new_format_rounds);
-		}
-		return key_private_pem_to_blob(key, blob, passphrase, comment);
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		return key_private_to_blob2(key, blob, passphrase,
-		    comment, new_format_cipher, new_format_rounds);
-+#endif /* WITHOUT_ED25519 */
-	default:
-		error("%s: cannot save key type %d", __func__, key->type);
-		return 0;
-@@ -1005,8 +1007,10 @@ key_parse_private_type(Buffer *blob, int
-	case KEY_ECDSA:
-	case KEY_RSA:
-		return key_parse_private_pem(blob, type, passphrase, commentp);
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		return key_parse_private2(blob, type, passphrase, commentp);
-+#endif /* WITHOUT_ED25519 */
-	case KEY_UNSPEC:
-		if ((k = key_parse_private2(blob, type, passphrase, commentp)))
-			return k;
-@@ -1213,7 +1217,9 @@ key_load_private_cert(int type, const ch
-	case KEY_RSA:
 	case KEY_DSA:
 	case KEY_ECDSA:
+#endif /* WITH_OPENSSL */
 +#ifndef WITHOUT_ED25519
 	case KEY_ED25519:
 +#endif /* WITHOUT_ED25519 */
+	case KEY_UNSPEC:
 		break;
 	default:
-		error("%s: unsupported key type", __func__);
+diff -pur old/dns.c new/dns.c
-diff -pur old/crypto_api.h new/crypto_api.h
+--- old/dns.c
---- old/crypto_api.h	2014-01-16 17:31:34.000000000 -0800
++++ new/dns.c
-+++ new/crypto_api.h	2015-04-10 02:43:51.158673341 -0700
+@@ -100,11 +100,13 @@ dns_read_key(u_int8_t *algorithm, u_int8
-@@ -26,7 +26,7 @@ int	crypto_hashblocks_sha512(unsigned ch
+		if (!*digest_type)
+			*digest_type = SSHFP_HASH_SHA256;
-#define crypto_hash_sha512_BYTES 64U
+		break;
++#ifndef WITHOUT_ED25519
--int	crypto_hash_sha512(unsigned char *, const unsigned char *,
+	case KEY_ED25519:
-+extern int	crypto_hash_sha512(unsigned char *, const unsigned char *,
+		*algorithm = SSHFP_KEY_ED25519;
-unsigned long long);
+		if (!*digest_type)
+			*digest_type = SSHFP_HASH_SHA256;
-int	crypto_verify_32(const unsigned char *, const unsigned char *);
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
+		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
+diff -pur old/dns.h new/dns.h
+--- old/dns.h
++++ new/dns.h
+@@ -33,7 +33,9 @@ enum sshfp_types {
+	SSHFP_KEY_RSA = 1,
+	SSHFP_KEY_DSA = 2,
+	SSHFP_KEY_ECDSA = 3,
+-	SSHFP_KEY_ED25519 = 4
++#ifndef WITHOUT_ED25519
++ 	SSHFP_KEY_ED25519 = 4
++#endif /* WITHOUT_ED25519 */
+};
+enum sshfp_hashes {
 diff -pur old/ed25519.c new/ed25519.c
---- old/ed25519.c	2013-12-17 22:48:11.000000000 -0800
+--- old/ed25519.c
-+++ new/ed25519.c	2015-04-10 02:43:51.158974499 -0700
++++ new/ed25519.c
-@@ -6,6 +6,8 @@
+@@ -7,6 +7,7 @@
-* Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
 */
-+#ifndef WITHOUT_ED25519
-+
 #include "includes.h"
++#ifndef WITHOUT_ED25519
 #include "crypto_api.h"
-@@ -142,3 +144,4 @@ int crypto_sign_ed25519_open(
+#include "ge25519.h"
+@@ -142,3 +143,4 @@ int crypto_sign_ed25519_open(
 }
 return ret;
 }
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/fe25519.c new/fe25519.c
---- old/fe25519.c	2014-01-16 17:43:44.000000000 -0800
+--- old/fe25519.c
-+++ new/fe25519.c	2015-04-10 02:43:51.159348136 -0700
++++ new/fe25519.c
-@@ -6,6 +6,8 @@
+@@ -8,6 +8,7 @@
-* Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
-*/
-+#ifndef WITHOUT_ED25519
-+
 #include "includes.h"
++#ifndef WITHOUT_ED25519
 #define WINDOWSIZE 1 /* Should be 1,2, or 4 */
-@@ -335,3 +337,5 @@ void fe25519_pow2523(fe25519 *r, const f
+#define WINDOWMASK ((1<<WINDOWSIZE)-1)
+@@ -335,3 +336,4 @@ void fe25519_pow2523(fe25519 *r, const f
 	/* 2^252 - 2^2 */ fe25519_square(&t,&t);
 	/* 2^252 - 3 */ fe25519_mul(r,&t,x);
 }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/fe25519.h new/fe25519.h
---- old/fe25519.h	2013-12-17 22:48:11.000000000 -0800
+--- old/fe25519.h
-+++ new/fe25519.h	2015-04-10 02:43:51.159633614 -0700
++++ new/fe25519.h
-@@ -9,6 +9,8 @@
+@@ -8,6 +8,7 @@
 #ifndef FE25519_H
 #define FE25519_H
++#ifndef WITHOUT_ED25519
-+#ifndef WITHOUT_ED25519
-+
 #include "crypto_api.h"
-#define fe25519              crypto_sign_ed25519_ref_fe25519
+@@ -67,4 +68,5 @@ void fe25519_invert(fe25519 *r, const fe
-@@ -67,4 +69,5 @@ void fe25519_invert(fe25519 *r, const fe
 void fe25519_pow2523(fe25519 *r, const fe25519 *x);
 +#endif /* WITHOUT_ED25519 */
 #endif
 diff -pur old/ge25519.c new/ge25519.c
---- old/ge25519.c	2014-01-16 17:43:44.000000000 -0800
+--- old/ge25519.c
-+++ new/ge25519.c	2015-04-10 02:43:51.160002884 -0700
++++ new/ge25519.c
-@@ -6,6 +6,8 @@
+@@ -7,6 +7,7 @@
-* Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
 */
-+#ifndef WITHOUT_ED25519
-+
 #include "includes.h"
++#ifndef WITHOUT_ED25519
 #include "fe25519.h"
-@@ -319,3 +321,5 @@ void ge25519_scalarmult_base(ge25519_p3
+#include "sc25519.h"
+@@ -319,3 +320,4 @@ void ge25519_scalarmult_base(ge25519_p3
 ge25519_mixadd2(r, &t);
 }
 }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/ge25519.h new/ge25519.h
---- old/ge25519.h	2013-12-17 22:48:11.000000000 -0800
+--- old/ge25519.h
-+++ new/ge25519.h	2015-04-10 02:43:51.160283095 -0700
++++ new/ge25519.h
 @@ -8,6 +8,7 @@
 #ifndef GE25519_H
 #define GE25519_H
 +#ifndef WITHOUT_ED25519
 void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
 +#endif /* WITHOUT_ED25519 */
 #endif
 diff -pur old/kex.c new/kex.c
---- old/kex.c	2014-01-25 14:38:04.000000000 -0800
+--- old/kex.c
-+++ new/kex.c	2015-04-10 02:43:51.160754653 -0700
++++ new/kex.c
-@@ -87,7 +87,7 @@ static const struct kexalg kexalgs[] = {
+@@ -96,9 +96,11 @@ static const struct kexalg kexalgs[] = {
-# endif
+# endif /* OPENSSL_HAS_NISTP521 */
-#endif
+#endif /* OPENSSL_HAS_ECC */
-	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+#endif /* WITH_OPENSSL */
--#ifdef HAVE_EVP_SHA256
++#ifndef WITHOUT_ED25519
-+#if defined(HAVE_EVP_SHA256) && !defined(WITHOUT_ED25519)
+#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
-#endif
+#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
-	{ NULL, -1, -1, -1},
++#endif /* WITHOUT_ED25519 */
-Only in new: kex.c.orig
+#ifdef GSSAPI
+	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
 diff -pur old/kex.h new/kex.h
---- old/kex.h	2014-01-25 14:37:26.000000000 -0800
+--- old/kex.h
-+++ new/kex.h	2015-04-10 02:47:29.726358404 -0700
++++ new/kex.h
-@@ -43,7 +43,9 @@
+@@ -58,13 +58,17 @@
 #define	KEX_ECDH_SHA2_NISTP256	"ecdh-sha2-nistp256"
 #define	KEX_ECDH_SHA2_NISTP384	"ecdh-sha2-nistp384"
 #define	KEX_ECDH_SHA2_NISTP521	"ecdh-sha2-nistp521"
 +#ifndef WITHOUT_ED25519
 #define	KEX_CURVE25519_SHA256	"[email protected]"
 +#endif /* WITHOUT_ED25519 */
 #define COMP_NONE	0
 #define COMP_ZLIB	1
-@@ -75,7 +77,9 @@ enum kex_exchange {
+#define COMP_DELAYED	2
++#ifndef WITHOUT_ED25519
+#define CURVE25519_SIZE 32
++#endif /* WITHOUT_ED25519 */
+enum kex_init_proposals {
+	PROPOSAL_KEX_ALGS,
+@@ -92,7 +96,9 @@ enum kex_exchange {
 	KEX_DH_GEX_SHA1,
 	KEX_DH_GEX_SHA256,
 	KEX_ECDH_SHA2,
 +#ifndef WITHOUT_ED25519
 	KEX_C25519_SHA256,
 +#endif /* WITHOUT_ED25519 */
-	KEX_MAX
+	KEX_GSS_GRP1_SHA1,
+	KEX_GSS_GRP14_SHA1,
+	KEX_GSS_GEX_SHA1,
+@@ -161,8 +167,10 @@ struct kex {
+	u_int	min, max, nbits;	/* GEX */
+	EC_KEY	*ec_client_key;		/* ECDH */
+	const EC_GROUP *ec_group;	/* ECDH */
++#ifndef WITHOUT_ED25519
+	u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */
+	u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
++#endif /* WITHOUT_ED25519 */
 };
-@@ -165,8 +169,10 @@ void	 kexgex_client(Kex *);
+int	 kex_names_valid(const char *);
-void	 kexgex_server(Kex *);
+@@ -191,8 +199,10 @@ int	 kexgex_client(struct ssh *);
-void	 kexecdh_client(Kex *);
+int	 kexgex_server(struct ssh *);
-void	 kexecdh_server(Kex *);
+int	 kexecdh_client(struct ssh *);
-+#ifndef WITHOUT_ED25519
+int	 kexecdh_server(struct ssh *);
-void	 kexc25519_client(Kex *);
++#ifndef WITHOUT_ED25519
-void	 kexc25519_server(Kex *);
+int	 kexc25519_client(struct ssh *);
-+#endif /* WITHOUT_ED25519 */
+int	 kexc25519_server(struct ssh *);
++#endif /* WITHOUT_ED25519 */
-void
+#ifdef GSSAPI
-kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
+int	 kexgss_client(struct ssh *);
-@@ -181,6 +187,7 @@ kex_ecdh_hash(int, const EC_GROUP *, cha
+int	 kexgss_server(struct ssh *);
-char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
+@@ -213,6 +223,7 @@ int kex_ecdh_hash(int, const EC_GROUP *,
-const BIGNUM *, u_char **, u_int *);
+const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-#endif
+const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
-+#ifndef WITHOUT_ED25519
-void
++#ifndef WITHOUT_ED25519
-kex_c25519_hash(int, char *, char *, char *, int,
+int	 kex_c25519_hash(int, const char *, const char *, const char *, size_t,
-char *, int, u_char *, int, const u_char *, const u_char *,
+const char *, size_t, const u_char *, size_t, const u_char *, const u_char *,
-@@ -194,6 +201,7 @@ void kexc25519_shared_key(const u_char k
+const u_char *, size_t, u_char *, size_t *);
-const u_char pub[CURVE25519_SIZE], Buffer *out)
+@@ -224,6 +235,7 @@ int	kexc25519_shared_key(const u_char ke
+const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
 	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
 	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
 +#endif /* WITHOUT_ED25519 */
-void
+int
 derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
-Only in new: kex.h.orig
-Only in new: kex.h.rej
 diff -pur old/kexc25519.c new/kexc25519.c
---- old/kexc25519.c	2014-01-12 00:21:23.000000000 -0800
+--- old/kexc25519.c
-+++ new/kexc25519.c	2015-04-10 02:43:51.161993727 -0700
++++ new/kexc25519.c
-@@ -25,6 +25,8 @@
+@@ -27,6 +27,7 @@
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
+#include "includes.h"
++#ifndef WITHOUT_ED25519
+#include <sys/types.h>
+#include <signal.h>
+@@ -131,3 +132,4 @@ kex_c25519_hash(
+#endif
+	return 0;
+}
++#endif /* WITHOUT_ED25519 */
+diff -pur old/kexc25519c.c new/kexc25519c.c
+--- old/kexc25519c.c
++++ new/kexc25519c.c
+@@ -27,6 +27,7 @@
+#include "includes.h"
++#ifndef WITHOUT_ED25519
+#include <sys/types.h>
+#include <stdio.h>
+@@ -168,3 +169,4 @@ out:
+	sshbuf_free(shared_secret);
+	return r;
+}
++#endif /* WITHOUT_ED25519 */
+diff -pur old/kexc25519s.c new/kexc25519s.c
+--- old/kexc25519s.c
++++ new/kexc25519s.c
+@@ -26,6 +26,8 @@
+#include "includes.h"
 +#ifndef WITHOUT_ED25519
 +
-#include "includes.h"
 #include <sys/types.h>
-@@ -120,3 +122,5 @@ kex_c25519_hash(
+#include <stdio.h>
-	*hash = digest;
+#include <string.h>
-	*hashlen = ssh_digest_bytes(hash_alg);
+@@ -157,3 +159,4 @@ out:
+	sshbuf_free(shared_secret);
+	return r;
 }
++#endif /* WITHOUT_ED25519 */
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c
++++ new/monitor.c
+@@ -1941,7 +1941,9 @@ monitor_apply_keystate(struct monitor *p
+		kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+# endif
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#endif /* WITHOUT_ED25519 */
+#ifdef GSSAPI
+		if (options.gss_keyex) {
+			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+diff -pur old/myproposal.h new/myproposal.h
+--- old/myproposal.h
++++ new/myproposal.h
+@@ -59,6 +59,20 @@
+# define HOSTKEY_ECDSA_METHODS
+#endif
++#ifndef WITHOUT_ED25519
++# if defined(WITH_OPENSSL) && defined(HAVE_EVP_SHA256)
++#  define KEX_CURVE25519_METHODS "[email protected],"
++# else
++#  define KEX_CURVE25519_METHODS
++# endif
++# define HOSTKEY_CURVE25519_CERT_METHODS "[email protected],"
++# define HOSTKEY_CURVE25519_METHODS "ssh-ed25519,"
++#else
++# define KEX_CURVE25519_METHODS
++# define HOSTKEY_CURVE25519_CERT_METHODS
++# define HOSTKEY_CURVE25519_METHODS
++#endif /* WITHOUT_ED25519 */
 +
-+#endif /* WITHOUT_ED25519 */
+#ifdef OPENSSL_HAVE_EVPGCM
-diff -pur old/kexc25519c.c new/kexc25519c.c
+# define AESGCM_CIPHER_MODES \
---- old/kexc25519c.c	2014-01-12 00:21:23.000000000 -0800
+	",[email protected],[email protected]"
-+++ new/kexc25519c.c	2015-04-10 02:43:51.162319004 -0700
+@@ -78,11 +92,6 @@
-@@ -25,6 +25,8 @@
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-+#ifndef WITHOUT_ED25519
-+
-#include "includes.h"
-#include <sys/types.h>
-@@ -127,3 +129,5 @@ kexc25519_client(Kex *kex)
-	buffer_free(&shared_secret);
-	kex_finish(kex);
-}
-+
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/kexc25519s.c new/kexc25519s.c
---- old/kexc25519s.c	2014-01-12 00:21:23.000000000 -0800
-+++ new/kexc25519s.c	2015-04-10 02:43:51.162628310 -0700
-@@ -24,6 +24,8 @@
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-+#ifndef WITHOUT_ED25519
-+
-#include "includes.h"
-#include <sys/types.h>
-@@ -124,3 +126,5 @@ kexc25519_server(Kex *kex)
-	buffer_free(&shared_secret);
-	kex_finish(kex);
-}
-+
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/key.c new/key.c
---- old/key.c	2014-01-09 15:58:53.000000000 -0800
-+++ new/key.c	2015-04-10 02:48:40.602200617 -0700
-@@ -89,8 +89,10 @@ key_new(int type)
-	k->dsa = NULL;
-	k->rsa = NULL;
-	k->cert = NULL;
-+#ifndef WITHOUT_ED25519
-	k->ed25519_sk = NULL;
-	k->ed25519_pk = NULL;
-+#endif /* WITHOUT_ED25519 */
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-@@ -125,10 +127,12 @@ key_new(int type)
-		/* Cannot do anything until we know the group */
-		break;
 #endif
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
+#ifdef WITH_OPENSSL
-	case KEY_ED25519_CERT:
+-# ifdef HAVE_EVP_SHA256
-		/* no need to prealloc */
+-#  define KEX_CURVE25519_METHODS "[email protected],"
-		break;
+-# else
-+#endif /* WITHOUT_ED25519 */
+-#  define KEX_CURVE25519_METHODS ""
-	case KEY_UNSPEC:
+-# endif
-		break;
+#define KEX_COMMON_KEX \
-	default:
-@@ -173,10 +177,12 @@ key_add_private(Key *k)
-	case KEY_ECDSA_CERT:
-		/* Cannot do anything until we know the group */
-		break;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		/* no need to prealloc */
-		break;
-+#endif /* WITHOUT_ED25519 */
-	case KEY_UNSPEC:
-		break;
-	default:
-@@ -239,6 +245,7 @@ key_free(Key *k)
-		k->ecdsa = NULL;
-		break;
-#endif
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		if (k->ed25519_pk) {
-@@ -252,6 +259,7 @@ key_free(Key *k)
-			k->ed25519_sk = NULL;
-		}
-		break;
-+#endif /* WITHOUT_ED25519 */
-	case KEY_UNSPEC:
-		break;
-	default:
-@@ -333,10 +341,12 @@ key_equal_public(const Key *a, const Key
-		BN_CTX_free(bnctx);
-		return 1;
-#endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
-		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		fatal("key_equal: bad key type %d", a->type);
-	}
-@@ -392,7 +402,9 @@ key_fingerprint_raw(const Key *k, enum f
-	case KEY_DSA:
-	case KEY_ECDSA:
-	case KEY_RSA:
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
-		key_to_blob(k, &blob, &len);
-		break;
-	case KEY_DSA_CERT_V00:
-@@ -400,7 +412,9 @@ key_fingerprint_raw(const Key *k, enum f
-	case KEY_DSA_CERT:
-	case KEY_ECDSA_CERT:
-	case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
-		/* We want a fingerprint of the _key_ not of the cert */
-		to_blob(k, &blob, &len, 1);
-		break;
-@@ -728,13 +742,17 @@ key_read(Key *ret, char **cpp)
-	case KEY_RSA:
-	case KEY_DSA:
-	case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
-	case KEY_DSA_CERT_V00:
-	case KEY_RSA_CERT_V00:
-	case KEY_DSA_CERT:
-	case KEY_ECDSA_CERT:
-	case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
-		space = strchr(cp, ' ');
-		if (space == NULL) {
-			debug3("key_read: missing whitespace");
-@@ -836,6 +854,7 @@ key_read(Key *ret, char **cpp)
-#endif
-		}
-#endif
-+#ifndef WITHOUT_ED25519
-		if (key_type_plain(ret->type) == KEY_ED25519) {
-			free(ret->ed25519_pk);
-			ret->ed25519_pk = k->ed25519_pk;
-@@ -844,6 +863,7 @@ key_read(Key *ret, char **cpp)
-			/* XXX */
-#endif
-		}
-+#endif /* WITHOUT_ED25519 */
-		success = 1;
-/*XXXX*/
-		key_free(k);
-@@ -907,11 +927,13 @@ key_write(const Key *key, FILE *f)
-			return 0;
-		break;
-#endif
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		if (key->ed25519_pk == NULL)
-			return 0;
-		break;
-+#endif /* WITHOUT_ED25519 */
-	case KEY_RSA:
-	case KEY_RSA_CERT_V00:
-	case KEY_RSA_CERT:
-@@ -959,7 +981,9 @@ static const struct keytype keytypes[] =
-	{ NULL, "RSA1", KEY_RSA1, 0, 0 },
-	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
-	{ "ssh-dss", "DSA", KEY_DSA, 0, 0 },
-+#ifndef WITHOUT_ED25519
-	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
-+#endif /* WITHOUT_ED25519 */
-#ifdef OPENSSL_HAS_ECC
-	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
-	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
-@@ -983,8 +1007,10 @@ static const struct keytype keytypes[] =
-	    KEY_RSA_CERT_V00, 0, 1 },
-	{ "[email protected]", "DSA-CERT-V00",
-	    KEY_DSA_CERT_V00, 0, 1 },
-+#ifndef WITHOUT_ED25519
-	{ "[email protected]", "ED25519-CERT",
-	    KEY_ED25519_CERT, 0, 1 },
-+#endif /* WITHOUT_ED25519 */
-	{ NULL, NULL, -1, -1, 0 }
-};
-@@ -1096,7 +1122,9 @@ key_type_is_valid_ca(int type)
-	case KEY_RSA:
-	case KEY_DSA:
-	case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
-		return 1;
-	default:
-		return 0;
-@@ -1116,8 +1144,10 @@ key_size(const Key *k)
-	case KEY_DSA_CERT_V00:
-	case KEY_DSA_CERT:
-		return BN_num_bits(k->dsa->p);
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		return 256;	/* XXX */
-+#endif /* WITHOUT_ED25519 */
-#ifdef OPENSSL_HAS_ECC
-	case KEY_ECDSA:
-	case KEY_ECDSA_CERT:
-@@ -1261,11 +1291,13 @@ key_generate(int type, u_int bits)
-	case KEY_RSA1:
-		k->rsa = rsa_generate_private_key(bits);
-		break;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		k->ed25519_pk = xmalloc(ED25519_PK_SZ);
-		k->ed25519_sk = xmalloc(ED25519_SK_SZ);
-		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
-		break;
-+#endif /* WITHOUT_ED25519 */
-	case KEY_RSA_CERT_V00:
-	case KEY_DSA_CERT_V00:
-	case KEY_RSA_CERT:
-@@ -1359,6 +1391,7 @@ key_from_private(const Key *k)
-		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
-			fatal("key_from_private: BN_copy failed");
-		break;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		n = key_new(k->type);
-@@ -1367,6 +1400,7 @@ key_from_private(const Key *k)
-			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
-		}
-		break;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		fatal("key_from_private: unknown type %d", k->type);
-		break;
-@@ -1628,6 +1662,7 @@ key_from_blob2(const u_char *blob, u_int
-#endif
-		break;
-#endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-		(void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
-		/* FALLTHROUGH */
-@@ -1645,6 +1680,7 @@ key_from_blob2(const u_char *blob, u_int
-		key->ed25519_pk = pk;
-		pk = NULL;
-		break;
-+#endif /* WITHOUT_ED25519 */
-	case KEY_UNSPEC:
-		key = key_new(type);
-		break;
-@@ -1699,7 +1735,9 @@ to_blob(const Key *key, u_char **blobp,
-	case KEY_DSA_CERT:
-	case KEY_ECDSA_CERT:
-	case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
-		/* Use the existing blob */
-		buffer_append(&b, buffer_ptr(&key->cert->certblob),
-		    buffer_len(&key->cert->certblob));
-@@ -1727,11 +1765,13 @@ to_blob(const Key *key, u_char **blobp,
-		buffer_put_bignum2(&b, key->rsa->e);
-		buffer_put_bignum2(&b, key->rsa->n);
-		break;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		buffer_put_cstring(&b,
-		    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
-		buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
-		break;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		error("key_to_blob: unsupported key type %d", key->type);
-		buffer_free(&b);
-@@ -1775,9 +1815,11 @@ key_sign(
-	case KEY_RSA_CERT:
-	case KEY_RSA:
-		return ssh_rsa_sign(key, sigp, lenp, data, datalen);
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
-+#endif /* WITHOUT_ED25519 */
-	default:
-		error("key_sign: invalid key type %d", key->type);
-		return -1;
-@@ -1811,9 +1853,11 @@ key_verify(
-	case KEY_RSA_CERT:
-	case KEY_RSA:
-		return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
-+#endif /* WITHOUT_ED25519 */
-	default:
-		error("key_verify: invalid key type %d", key->type);
-		return -1;
-@@ -1833,8 +1877,10 @@ key_demote(const Key *k)
-	pk->dsa = NULL;
-	pk->ecdsa = NULL;
-	pk->rsa = NULL;
-+#ifndef WITHOUT_ED25519
-	pk->ed25519_pk = NULL;
-	pk->ed25519_sk = NULL;
-+#endif /* WITHOUT_ED25519 */
-	switch (k->type) {
-	case KEY_RSA_CERT_V00:
-@@ -1878,6 +1924,7 @@ key_demote(const Key *k)
-			fatal("key_demote: EC_KEY_set_public_key failed");
-		break;
-#endif
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-		key_cert_copy(k, pk);
-		/* FALLTHROUGH */
-@@ -1887,6 +1934,7 @@ key_demote(const Key *k)
-			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
-		}
-		break;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		fatal("key_demote: bad key type %d", k->type);
-		break;
-@@ -1916,8 +1964,10 @@ key_type_plain(int type)
-		return KEY_DSA;
-	case KEY_ECDSA_CERT:
-		return KEY_ECDSA;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-		return KEY_ED25519;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		return type;
-	}
-@@ -1943,6 +1993,7 @@ key_to_certified(Key *k, int legacy)
-		k->cert = cert_new();
-		k->type = KEY_ECDSA_CERT;
-		return 0;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		if (legacy)
-			fatal("%s: legacy ED25519 certificates are not "
-@@ -1950,6 +2001,7 @@ key_to_certified(Key *k, int legacy)
-		k->cert = cert_new();
-		k->type = KEY_ED25519_CERT;
-		return 0;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		error("%s: key has incorrect type %s", __func__, key_type(k));
-		return -1;
-@@ -2028,10 +2080,12 @@ key_certify(Key *k, Key *ca)
-		buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
-		buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
-		break;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519_CERT:
-		buffer_put_string(&k->cert->certblob,
-		    k->ed25519_pk, ED25519_PK_SZ);
-		break;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		error("%s: key has incorrect type %s", __func__, key_type(k));
-		buffer_clear(&k->cert->certblob);
-@@ -2449,6 +2503,7 @@ key_private_serialize(const Key *key, Bu
-		buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
-		break;
-#endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
-		buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
-@@ -2461,6 +2516,7 @@ key_private_serialize(const Key *key, Bu
-		buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
-		buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
-		break;
-+#endif /* WITHOUT_ED25519 */
-	}
-}
-@@ -2575,6 +2631,7 @@ key_private_deserialize(Buffer *blob)
-		buffer_get_bignum2(blob, k->rsa->p);
-		buffer_get_bignum2(blob, k->rsa->q);
-		break;
-+#ifndef WITHOUT_ED25519
-	case KEY_ED25519:
-		k = key_new_private(type);
-		k->ed25519_pk = buffer_get_string(blob, &pklen);
-@@ -2601,6 +2658,7 @@ key_private_deserialize(Buffer *blob)
-			fatal("%s: ed25519 sklen %d != %d",
-			    __func__, sklen, ED25519_SK_SZ);
-		break;
-+#endif /* WITHOUT_ED25519 */
-	default:
-		free(type_name);
-		buffer_clear(blob);
-Only in new: key.c.orig
-Only in new: key.c.rej
-diff -pur old/key.h new/key.h
---- old/key.h	2014-01-09 15:58:53.000000000 -0800
-+++ new/key.h	2015-04-10 02:43:51.166553603 -0700
-@@ -39,11 +39,15 @@ enum types {
-	KEY_RSA,
-	KEY_DSA,
-	KEY_ECDSA,
-+#ifndef WITHOUT_ED25519
-	KEY_ED25519,
-+#endif /* WITHOUT_ED25519 */
-	KEY_RSA_CERT,
-	KEY_DSA_CERT,
-	KEY_ECDSA_CERT,
-+#ifndef WITHOUT_ED25519
-	KEY_ED25519_CERT,
-+#endif /* WITHOUT_ED25519 */
-	KEY_RSA_CERT_V00,
-	KEY_DSA_CERT_V00,
-	KEY_UNSPEC
-@@ -88,12 +92,16 @@ struct Key {
-	void	*ecdsa;
-#endif
-	struct KeyCert *cert;
-+#ifndef WITHOUT_ED25519
-	u_char	*ed25519_sk;
-	u_char	*ed25519_pk;
-+#endif /* WITHOUT_ED25519 */
-};
-+#ifndef WITHOUT_ED25519
-#define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
-#define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
-+#endif /* WITHOUT_ED25519 */
-Key		*key_new(int);
-void		 key_add_private(Key *);
-@@ -152,8 +160,10 @@ int	 ssh_ecdsa_sign(const Key *, u_char
-int	 ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-int	 ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int	 ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-+#ifndef WITHOUT_ED25519
-int	 ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int	 ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-+#endif /* WITHOUT_ED25519 */
-#if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
-void	key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
-Only in new: key.h.orig
-diff -pur old/monitor.c new/monitor.c
---- old/monitor.c	2015-04-10 02:43:51.067342317 -0700
-+++ new/monitor.c	2015-04-10 02:49:10.399820034 -0700
-@@ -1887,7 +1887,9 @@ mm_get_kex(Buffer *m)
-	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
-	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
-	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
-+#ifndef WITHOUT_ED25519
-	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
-+#endif /* WITHOUT_ED25519 */
-	kex->server = 1;
-	kex->hostkey_type = buffer_get_int(m);
-	kex->kex_type = buffer_get_int(m);
-Only in new: monitor.c.orig
-Only in new: monitor.c.rej
-diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h	2013-12-06 16:24:02.000000000 -0800
-+++ new/myproposal.h	2015-04-10 02:43:51.168744484 -0700
-@@ -80,6 +80,24 @@
-# define SHA2_HMAC_MODES
-#endif
-+#ifdef WITHOUT_ED25519
-+# define KEX_DEFAULT_KEX \
-+	KEX_ECDH_METHODS \
-+	KEX_SHA256_METHODS \
-+	"diffie-hellman-group-exchange-sha1," \
-+	"diffie-hellman-group14-sha1," \
-+	"diffie-hellman-group1-sha1"
-+
-+#define	KEX_DEFAULT_PK_ALG	\
-+	HOSTKEY_ECDSA_CERT_METHODS \
-+	"[email protected]," \
-+	"[email protected]," \
-+	"[email protected]," \
-+	"[email protected]," \
-+	HOSTKEY_ECDSA_METHODS \
-+	"ssh-rsa," \
-+	"ssh-dss"
-+#else /* WITHOUT_ED25519 */
-# define KEX_DEFAULT_KEX \
 	KEX_CURVE25519_METHODS \
 	KEX_ECDH_METHODS \
-@@ -99,6 +117,7 @@
+@@ -97,10 +106,10 @@
-	"ssh-ed25519," \
-	"ssh-rsa," \
+#define	KEX_DEFAULT_PK_ALG	\
-	"ssh-dss"
+	HOSTKEY_ECDSA_CERT_METHODS \
-+#endif /* WITHOUT_ED25519 */
+-	"[email protected]," \
++	HOSTKEY_CURVE25519_CERT_METHODS \
+	"[email protected]," \
+	HOSTKEY_ECDSA_METHODS \
+-	"ssh-ed25519," \
++	HOSTKEY_CURVE25519_METHODS \
+	"ssh-rsa" \
 /* the actual algorithms */
+@@ -141,10 +150,10 @@
+#else
+#define KEX_SERVER_KEX		\
+-	"[email protected]"
++	KEX_CURVE25519_METHODS
+#define	KEX_DEFAULT_PK_ALG	\
+-	"[email protected]," \
+-	"ssh-ed25519"
++	HOSTKEY_CURVE25519_CERT_METHODS \
++	HOSTKEY_CURVE25519_METHODS
+#define	KEX_SERVER_ENCRYPT \
+	"[email protected]," \
+	"aes128-ctr,aes192-ctr,aes256-ctr"
 diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
---- old/openbsd-compat/Makefile.in	2013-12-06 17:37:54.000000000 -0800
+--- old/openbsd-compat/Makefile.in
-+++ new/openbsd-compat/Makefile.in	2015-04-10 02:43:51.169041778 -0700
++++ new/openbsd-compat/Makefile.in
-@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
-OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
--COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 @@ -32,7 +32,7 @@ $(OPENBSD): ../config.h
 $(PORTS): ../config.h
 libopenbsd-compat.a:  $(COMPAT) $(OPENBSD) $(PORTS)
 -	$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
 +	$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o
 	$(RANLIB) $@
 clean:
 diff -pur old/pathnames.h new/pathnames.h
---- old/pathnames.h	2013-12-06 16:24:02.000000000 -0800
+--- old/pathnames.h
-+++ new/pathnames.h	2015-04-10 02:43:51.169362243 -0700
++++ new/pathnames.h
 @@ -39,7 +39,9 @@
 #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
 #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
 #define _PATH_HOST_ECDSA_KEY_FILE	SSHDIR "/ssh_host_ecdsa_key"
 +#ifndef WITHOUT_ED25519
 +#endif /* WITHOUT_ED25519 */
 /*
 * Configuration file in user's home directory.  This file need not be
 diff -pur old/readconf.c new/readconf.c
---- old/readconf.c	2015-04-10 02:43:51.075573457 -0700
+--- old/readconf.c
-+++ new/readconf.c	2015-04-10 02:43:51.170150446 -0700
++++ new/readconf.c
-@@ -1702,8 +1702,10 @@ fill_default_options(Options * options)
+@@ -1846,8 +1846,10 @@ fill_default_options(Options * options)
 			add_identity_file(options, "~/",
 			    _PATH_SSH_CLIENT_ID_ECDSA, 0);
 #endif
 +#ifndef WITHOUT_ED25519
 			add_identity_file(options, "~/",
 			    _PATH_SSH_CLIENT_ID_ED25519, 0);
 +#endif /* WITHOUT_ED25519 */
 		}
 	}
 	if (options->escape_char == -1)
-Only in new: readconf.c.orig
-diff -pur old/sc25519.c new/sc25519.c
---- old/sc25519.c	2014-01-16 17:43:44.000000000 -0800
-+++ new/sc25519.c	2015-04-10 02:43:51.170631841 -0700
-@@ -6,6 +6,8 @@
-* Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c
-*/
-+#ifndef WITHOUT_ED25519
-+
-#include "includes.h"
-#include "sc25519.h"
-@@ -306,3 +308,5 @@ void sc25519_2interleave2(unsigned char
-r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
-r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
-}
-+
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/sc25519.h new/sc25519.h
---- old/sc25519.h	2013-12-17 22:48:11.000000000 -0800
-+++ new/sc25519.h	2015-04-10 02:43:51.170901036 -0700
-@@ -8,6 +8,7 @@
-#ifndef SC25519_H
-#define SC25519_H
-+#ifndef WITHOUT_ED25519
-#include "crypto_api.h"
-@@ -77,4 +78,5 @@ void sc25519_window5(signed char r[51],
-void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
-+#endif /* WITHOUT_ED25519 */
-#endif
 diff -pur old/servconf.c new/servconf.c
---- old/servconf.c	2015-04-10 02:43:51.086374994 -0700
+--- old/servconf.c
-+++ new/servconf.c	2015-04-10 02:43:51.171761969 -0700
++++ new/servconf.c
-@@ -189,8 +189,10 @@ fill_default_server_options(ServerOption
+@@ -222,8 +222,10 @@ fill_default_server_options(ServerOption
 			options->host_key_files[options->num_host_key_files++] =
 			    _PATH_HOST_ECDSA_KEY_FILE;
 #endif
 +#ifndef WITHOUT_ED25519
 			options->host_key_files[options->num_host_key_files++] =
 			    _PATH_HOST_ED25519_KEY_FILE;
 +#endif /* WITHOUT_ED25519 */
 		}
 	}
 	/* No certificates by default */
-Only in new: servconf.c.orig
 diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c
---- old/smult_curve25519_ref.c	2013-11-03 13:26:53.000000000 -0800
+--- old/smult_curve25519_ref.c
-+++ new/smult_curve25519_ref.c	2015-04-10 02:43:51.172253244 -0700
++++ new/smult_curve25519_ref.c
 @@ -6,6 +6,8 @@ Public domain.
 Derived from public domain code by D. J. Bernstein.
 */
 +#ifndef WITHOUT_ED25519
 +
 int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
 static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
-@@ -263,3 +265,5 @@ int crypto_scalarmult_curve25519(unsigne
+@@ -263,3 +265,4 @@ int crypto_scalarmult_curve25519(unsigne
 for (i = 0;i < 32;++i) q[i] = work[64 + i];
 return 0;
 }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/ssh-add.0 new/ssh-add.0
---- old/ssh-add.0	2014-01-29 17:52:47.000000000 -0800
+--- old/ssh-add.0
-+++ new/ssh-add.0	2015-04-10 02:43:51.172577448 -0700
++++ new/ssh-add.0
 @@ -11,7 +11,7 @@ SYNOPSIS
 DESCRIPTION
 ssh-add adds private key identities to the authentication agent,
 ssh-agent(1).  When run without arguments, it adds the files
 -     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
-+     ~/.ssh/id_rsa, ~/.ssh/id_dsa and
++     ~/.ssh/id_rsa, ~/.ssh/id_dsa, and
 ~/.ssh/identity.  After loading a private key, ssh-add will try to load
 corresponding certificate information from the filename obtained by
 appending -cert.pub to the name of the private key file.  Alternative
-@@ -91,14 +91,6 @@ FILES
+@@ -97,14 +97,6 @@ FILES
 Contains the protocol version 2 DSA authentication identity of
 the user.
 -     ~/.ssh/id_ecdsa
 -             Contains the protocol version 2 ECDSA authentication identity of
 -             the user.
 -
 -     ~/.ssh/id_ed25519
--             Contains the protocol version 2 ED25519 authentication identity
+-             Contains the protocol version 2 Ed25519 authentication identity
 -             of the user.
 -
 ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of
 the user.
 diff -pur old/ssh-add.1 new/ssh-add.1
---- old/ssh-add.1	2013-12-17 22:46:28.000000000 -0800
+--- old/ssh-add.1
-+++ new/ssh-add.1	2015-04-10 02:43:51.172897417 -0700
++++ new/ssh-add.1
-@@ -57,8 +57,6 @@ adds private key identities to the authe
+@@ -58,8 +58,6 @@ adds private key identities to the authe
 When run without arguments, it adds the files
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_dsa ,
 -.Pa ~/.ssh/id_ecdsa ,
 -.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/identity .
 After loading a private key,
-@@ -168,10 +166,6 @@ socket used to communicate with the agen
+@@ -178,10 +176,6 @@ socket used to communicate with the agen
 Contains the protocol version 1 RSA authentication identity of the user.
 .It Pa ~/.ssh/id_dsa
 Contains the protocol version 2 DSA authentication identity of the user.
 -.It Pa ~/.ssh/id_ecdsa
 -Contains the protocol version 2 ECDSA authentication identity of the user.
 -.It Pa ~/.ssh/id_ed25519
--Contains the protocol version 2 ED25519 authentication identity of the user.
+-Contains the protocol version 2 Ed25519 authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
 .El
 diff -pur old/ssh-add.c new/ssh-add.c
---- old/ssh-add.c	2013-12-28 22:44:07.000000000 -0800
+--- old/ssh-add.c
-+++ new/ssh-add.c	2015-04-10 02:43:51.173249822 -0700
++++ new/ssh-add.c
-@@ -73,7 +73,9 @@ static char *default_files[] = {
+@@ -78,7 +78,9 @@ static char *default_files[] = {
-#ifdef OPENSSL_HAS_ECC
 	_PATH_SSH_CLIENT_ID_ECDSA,
 #endif
-+#ifndef WITHOUT_ED25519
+#endif /* WITH_OPENSSL */
-	_PATH_SSH_CLIENT_ID_ED25519,
+-	_PATH_SSH_CLIENT_ID_ED25519,
-+#endif /* WITHOUT_ED25519 */
++#ifndef WITHOUT_ED25519
++ 	_PATH_SSH_CLIENT_ID_ED25519,
++#endif /* WITHOUT_ED25519 */
+#ifdef WITH_SSH1
 	_PATH_SSH_CLIENT_IDENTITY,
-	NULL
+#endif
-};
 diff -pur old/ssh-agent.0 new/ssh-agent.0
---- old/ssh-agent.0	2014-01-29 17:52:47.000000000 -0800
+--- old/ssh-agent.0
-+++ new/ssh-agent.0	2015-04-10 02:43:51.173618938 -0700
++++ new/ssh-agent.0
-@@ -9,7 +9,7 @@ SYNOPSIS
+@@ -10,7 +10,7 @@ SYNOPSIS
 DESCRIPTION
 ssh-agent is a program to hold private keys used for public key
--     authentication (RSA, DSA, ECDSA, ED25519).  The idea is that ssh-agent is
+-     authentication (RSA, DSA, ECDSA, Ed25519).  ssh-agent is usually started
-+     authentication (RSA, DSA).  The idea is that ssh-agent is
++     authentication (RSA, DSA).  ssh-agent is usually started
-started in the beginning of an X-session or a login session, and all
+in the beginning of an X-session or a login session, and all other
-other windows or programs are started as clients to the ssh-agent
+windows or programs are started as clients to the ssh-agent program.
-program.  Through use of environment variables the agent can be located
+Through use of environment variables the agent can be located and
-@@ -46,8 +46,8 @@ DESCRIPTION
-The agent initially does not have any private keys.  Keys are added using
-ssh-add(1).  When executed without arguments, ssh-add(1) adds the files
--     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
--     ~/.ssh/identity.  If the identity has a passphrase, ssh-add(1) asks for
-+     ~/.ssh/id_rsa, ~/.ssh/id_dsa ~/.ssh/identity.
-+     If the identity has a passphrase, ssh-add(1) asks for
-the passphrase on the terminal if it has one or from a small X11 program
-if running under X11.  If neither of these is the case then the
-authentication will fail.  It then sends the identity to the agent.
-@@ -97,14 +97,6 @@ FILES
-Contains the protocol version 2 DSA authentication identity of
-the user.
--     ~/.ssh/id_ecdsa
--             Contains the protocol version 2 ECDSA authentication identity of
--             the user.
--
--     ~/.ssh/id_ed25519
--             Contains the protocol version 2 ED25519 authentication identity
--             of the user.
--
-~/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of
-the user.
 diff -pur old/ssh-agent.1 new/ssh-agent.1
---- old/ssh-agent.1	2013-12-17 22:46:28.000000000 -0800
+--- old/ssh-agent.1
-+++ new/ssh-agent.1	2015-04-10 02:43:51.173976932 -0700
++++ new/ssh-agent.1
-@@ -53,7 +53,7 @@
+@@ -54,7 +54,7 @@
 .Sh DESCRIPTION
 .Nm
 is a program to hold private keys used for public key authentication
--(RSA, DSA, ECDSA, ED25519).
+-(RSA, DSA, ECDSA, Ed25519).
 +(RSA, DSA).
-The idea is that
 .Nm
-is started in the beginning of an X-session or a login session, and
+is usually started in the beginning of an X-session or a login session, and
-@@ -114,9 +114,7 @@ When executed without arguments,
+all other windows or programs are started as clients to the ssh-agent
-.Xr ssh-add 1
-adds the files
-.Pa ~/.ssh/id_rsa ,
--.Pa ~/.ssh/id_dsa ,
--.Pa ~/.ssh/id_ecdsa ,
--.Pa ~/.ssh/id_ed25519
-+.Pa ~/.ssh/id_dsa
-and
-.Pa ~/.ssh/identity .
-If the identity has a passphrase,
-@@ -189,10 +187,6 @@ line terminates.
-Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa ~/.ssh/id_dsa
-Contains the protocol version 2 DSA authentication identity of the user.
--.It Pa ~/.ssh/id_ecdsa
--Contains the protocol version 2 ECDSA authentication identity of the user.
--.It Pa ~/.ssh/id_ed25519
--Contains the protocol version 2 ED25519 authentication identity of the user.
-.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
 diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
---- old/ssh-ed25519.c	2013-12-06 17:37:54.000000000 -0800
+--- old/ssh-ed25519.c
-+++ new/ssh-ed25519.c	2015-04-10 02:43:51.174245635 -0700
++++ new/ssh-ed25519.c
-@@ -15,6 +15,8 @@
+@@ -17,6 +17,8 @@
-* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-*/
+#include "includes.h"
 +#ifndef WITHOUT_ED25519
 +
-#include "includes.h"
 #include <sys/types.h>
-@@ -141,3 +143,5 @@ ssh_ed25519_verify(const Key *key, const
+#include <limits.h>
-	/* translate return code carefully */
-	return (ret == 0) ? 1 : -1;
+@@ -164,3 +166,4 @@ ssh_ed25519_verify(const struct sshkey *
+	free(ktype);
+	return r;
 }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/ssh-keygen.0 new/ssh-keygen.0
---- old/ssh-keygen.0	2014-01-29 17:52:47.000000000 -0800
+--- old/ssh-keygen.0
-+++ new/ssh-keygen.0	2015-04-10 02:43:51.175019524 -0700
++++ new/ssh-keygen.0
+@@ -4,7 +4,7 @@ NAME
+ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion
+SYNOPSIS
+-     ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
++     ssh-keygen [-q] [-b bits] [-t dsa | rsa | rsa1]
+[-N new_passphrase] [-C comment] [-f output_keyfile]
+ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
+ssh-keygen -i [-m key_format] [-f input_keyfile]
 @@ -32,7 +32,7 @@ SYNOPSIS
 DESCRIPTION
 ssh-keygen generates, manages and converts authentication keys for
 ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
--     and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
+-     and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
 +     and DSA or RSA keys for use by SSH protocol version 2.
 The type of key to be generated is specified with the -t option.  If
 invoked without any arguments, ssh-keygen will generate an RSA key for
 use in SSH protocol 2 connections.
 @@ -46,7 +46,7 @@ DESCRIPTION
 @@ -79,14 +79,14 @@ DESCRIPTION
 The options are as follows:
 -     -A      For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for
-+     -A      For each of the key types (rsa1, rsa, and dsa) for
++     -A      For each of the key types (rsa1, rsa and dsa) for
 which host keys do not exist, generate the host keys with the
 default key file path, an empty passphrase, default bits for the
 key type, and default comment.  This is used by /etc/rc to
 generate new host keys.
 -a rounds
 -             When saving a new-format private key (i.e. an ed25519 key or any
-+             When saving a new-format private key (i.e. any
++             When saving a new-format private key (i.e.
 SSH protocol 2 key when the -o flag is set), this option
 specifies the number of KDF (key derivation function) rounds
 used.  Higher numbers result in slower passphrase verification
 @@ -103,12 +103,7 @@ DESCRIPTION
 Specifies the number of bits in the key to create.  For RSA keys,
-the minimum size is 768 bits and the default is 2048 bits.
+the minimum size is 1024 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.  DSA keys must be
 -             exactly 1024 bits as specified by FIPS 186-2.  For ECDSA keys,
 -             the -b flag determines the key length by selecting from one of
 -             three elliptic curve sizes: 256, 384 or 521 bits.  Attempting to
 -             use bit lengths other than these three values for ECDSA keys will
--             fail.  ED25519 keys have a fixed length and the -b flag will be
+-             fail.  Ed25519 keys have a fixed length and the -b flag will be
 -             ignored.
 +             exactly 1024 bits as specified by FIPS 186-2.
 -C comment
 Provides a new comment.
-@@ -274,7 +269,7 @@ DESCRIPTION
+@@ -279,7 +274,7 @@ DESCRIPTION
 new OpenSSH format rather than the more compatible PEM format.
 The new format has increased resistance to brute-force password
 cracking but is not supported by versions of OpenSSH prior to
 -             6.5.  Ed25519 keys always use the new private key format.
 +             6.5.
 -P passphrase
 Provides the (old) passphrase.
-@@ -315,8 +310,8 @@ DESCRIPTION
+@@ -318,9 +313,9 @@ DESCRIPTION
+Test DH group exchange candidate primes (generated using the -G
--t type
+option) for safety.
+-     -t dsa | ecdsa | ed25519 | rsa | rsa1
++     -t dsa |  rsa | rsa1
 Specifies the type of key to create.  The possible values are
--             ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'',
+-             M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or
--             ``ed25519'', or ``rsa'' for protocol version 2.
++             M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or
-+             ``rsa1'' for protocol version 1 and ``dsa'' or ``rsa'' for
+M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.
-+             protocol version 2.
 -u      Update a KRL.  When specified with -k, keys listed via the
-command line are added to the existing KRL rather than a new KRL
+@@ -525,10 +520,8 @@ FILES
-@@ -521,10 +516,8 @@ FILES
 contents of this file secret.
 ~/.ssh/id_dsa
 -     ~/.ssh/id_ecdsa
 -     ~/.ssh/id_ed25519
 ~/.ssh/id_rsa
--             Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+-             Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
 +             Contains the protocol version 2 DSA or RSA
 authentication identity of the user.  This file should not be
 readable by anyone but the user.  It is possible to specify a
 passphrase when generating the key; that passphrase will be used
-@@ -534,10 +527,8 @@ FILES
+@@ -538,10 +531,8 @@ FILES
 read this file when a login attempt is made.
 ~/.ssh/id_dsa.pub
 -     ~/.ssh/id_ecdsa.pub
 -     ~/.ssh/id_ed25519.pub
 ~/.ssh/id_rsa.pub
--             Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public
+-             Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public
 +             Contains the protocol version 2 DSA or RSA public
 key for authentication.  The contents of this file should be
 added to ~/.ssh/authorized_keys on all machines where the user
 wishes to log in using public key authentication.  There is no
 diff -pur old/ssh-keygen.1 new/ssh-keygen.1
---- old/ssh-keygen.1	2013-12-28 22:47:14.000000000 -0800
+--- old/ssh-keygen.1
-+++ new/ssh-keygen.1	2015-04-10 02:43:51.175831546 -0700
++++ new/ssh-keygen.1
-@@ -140,7 +140,7 @@ generates, manages and converts authenti
+@@ -46,7 +46,7 @@
+.Nm ssh-keygen
+.Op Fl q
+.Op Fl b Ar bits
+-.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
++.Op Fl t Cm dsa | rsa | rsa1
+.Op Fl N Ar new_passphrase
+.Op Fl C Ar comment
+.Op Fl f Ar output_keyfile
+@@ -142,7 +142,7 @@ generates, manages and converts authenti
 .Xr ssh 1 .
 .Nm
 can create RSA keys for use by SSH protocol version 1 and
--DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
+-DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
 +DSA or RSA keys for use by SSH protocol version 2.
 The type of key to be generated is specified with the
 .Fl t
 option.
-@@ -168,8 +168,6 @@ with public key authentication runs this
+@@ -170,8 +170,6 @@ with public key authentication runs this
 key in
 .Pa ~/.ssh/identity ,
 .Pa ~/.ssh/id_dsa ,
 -.Pa ~/.ssh/id_ecdsa ,
 -.Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
 Additionally, the system administrator may use this to generate host keys,
-@@ -217,7 +215,7 @@ should be placed to be activated.
+@@ -219,7 +217,7 @@ should be placed to be activated.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl A
 -For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
-+For each of the key types (rsa1, rsa, dsa)
++For each of the key types (rsa1, rsa and dsa)
 for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
-@@ -225,8 +223,7 @@ This is used by
+@@ -227,7 +225,7 @@ This is used by
 .Pa /etc/rc
 to generate new host keys.
 .It Fl a Ar rounds
 -When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
--2 key when the
++When saving a new-format private key (i.e. SSH protocol
-+When saving a new-format private key (i.e. any SSH protocol 2 key when the
+2 key when the
 .Fl o
 flag is set), this option specifies the number of KDF (key derivation function)
-rounds used.
+@@ -247,15 +245,6 @@ Specifies the number of bits in the key
-@@ -245,15 +242,6 @@ Specifies the number of bits in the key
+For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
-For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 -For ECDSA keys, the
 -.Fl b
 -flag determines the key length by selecting from one of three elliptic
 -curve sizes: 256, 384 or 521 bits.
 -Attempting to use bit lengths other than these three values for ECDSA keys
 -will fail.
--ED25519 keys have a fixed length and the
+-Ed25519 keys have a fixed length and the
 -.Fl b
 -flag will be ignored.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c
-@@ -468,7 +456,6 @@ to save SSH protocol 2 private keys usin
+@@ -478,7 +467,6 @@ to save SSH protocol 2 private keys usin
 the more compatible PEM format.
 The new format has increased resistance to brute-force password cracking
 but is not supported by versions of OpenSSH prior to 6.5.
 -Ed25519 keys always use the new private key format.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
-@@ -520,8 +507,6 @@ The possible values are
+@@ -524,14 +512,12 @@ section for details.
+Test DH group exchange candidate primes (generated using the
+.Fl G
+option) for safety.
+-.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
++.It Fl t Cm dsa | rsa | rsa1
+Specifies the type of key to create.
+The possible values are
 .Dq rsa1
 for protocol version 1 and
 .Dq dsa ,
 -.Dq ecdsa ,
 -.Dq ed25519 ,
 or
 .Dq rsa
 for protocol version 2.
-@@ -800,10 +785,8 @@ where the user wishes to log in using RS
+@@ -810,10 +796,8 @@ where the user wishes to log in using RS
 There is no need to keep the contents of this file secret.
 .Pp
 .It Pa ~/.ssh/id_dsa
 -.It Pa ~/.ssh/id_ecdsa
 -.It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_rsa
--Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+-Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
 +Contains the protocol version 2 DSA or RSA
 authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to
-@@ -816,10 +799,8 @@ but it is offered as the default file fo
+@@ -826,10 +810,8 @@ but it is offered as the default file fo
 will read this file when a login attempt is made.
 .Pp
 .It Pa ~/.ssh/id_dsa.pub
 -.It Pa ~/.ssh/id_ecdsa.pub
 -.It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_rsa.pub
--Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+-Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
 +Contains the protocol version 2 DSA or RSA
 public key for authentication.
 The contents of this file should be added to
 .Pa ~/.ssh/authorized_keys
 diff -pur old/ssh-keygen.c new/ssh-keygen.c
---- old/ssh-keygen.c	2013-12-06 16:24:02.000000000 -0800
+--- old/ssh-keygen.c
-+++ new/ssh-keygen.c	2015-04-10 02:43:51.176894394 -0700
++++ new/ssh-keygen.c
-@@ -197,7 +197,11 @@ type_bits_valid(int type, u_int32_t *bit
+@@ -217,7 +217,11 @@ type_bits_valid(int type, const char *na
-	}
+		fatal("key bits exceeds maximum %d", maxbits);
 	if (type == KEY_DSA && *bitsp != 1024)
 		fatal("DSA keys must be 1024 bits");
-+#ifdef WITHOUT_ED25519
+-	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
-+	else if (type != KEY_ECDSA && *bitsp < 768)
++	else if (type != KEY_ECDSA &&
-+#else /* WITHOUT_ED25519 */
++#ifndef WITHOUT_ED25519
-	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
++		 type != KEY_ED25519 &&
 +#endif /* WITHOUT_ED25519 */
-		fatal("Key must at least be 768 bits");
++		 *bitsp < 1024)
-	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
+		fatal("Key must at least be 1024 bits");
+	else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
 		fatal("Invalid ECDSA key length - valid lengths are "
-@@ -233,10 +237,12 @@ ask_filename(struct passwd *pw, const ch
+@@ -252,10 +256,12 @@ ask_filename(struct passwd *pw, const ch
 		case KEY_RSA:
 			name = _PATH_SSH_CLIENT_ID_RSA;
 			break;
 +#ifndef WITHOUT_ED25519
 		case KEY_ED25519:
 		case KEY_ED25519_CERT:
 			name = _PATH_SSH_CLIENT_ID_ED25519;
 			break;
 +#endif /* WITHOUT_ED25519 */
 		default:
-			fprintf(stderr, "bad key type\n");
+			fatal("bad key type");
-			exit(1);
+		}
-@@ -900,7 +906,9 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -939,7 +945,9 @@ do_gen_all_hostkeys(struct passwd *pw)
-#ifdef OPENSSL_HAS_ECC
 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
-#endif
+#endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
+#endif /* WITH_OPENSSL */
-		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
+-		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
++#ifndef WITHOUT_ED25519
++ 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
 +#endif /* WITHOUT_ED25519 */
 		{ NULL, NULL, NULL }
 	};
-@@ -1616,7 +1624,10 @@ do_ca_sign(struct passwd *pw, int argc,
+@@ -1605,7 +1613,10 @@ do_ca_sign(struct passwd *pw, int argc,
-		if ((public = key_load_public(tmp, &comment)) == NULL)
+			fatal("%s: unable to open \"%s\": %s",
-			fatal("%s: unable to open \"%s\"", __func__, tmp);
+			    __func__, tmp, ssh_err(r));
 		if (public->type != KEY_RSA && public->type != KEY_DSA &&
 -		    public->type != KEY_ECDSA && public->type != KEY_ED25519)
 +#ifndef WITHOUT_ED25519
 +		    public->type != KEY_ED25519 &&
 +#endif /* WITHOUT_ED25519 */
 +		    public->type != KEY_ECDSA)
 			fatal("%s: key \"%s\" type %s cannot be certified",
-			    __func__, tmp, key_type(public));
+			    __func__, tmp, sshkey_type(public));
+@@ -2502,8 +2513,10 @@ main(int argc, char **argv)
+			    _PATH_HOST_DSA_KEY_FILE, rr_hostname);
+			n += do_print_resource_record(pw,
+			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
++#ifndef WITHOUT_ED25519
+			n += do_print_resource_record(pw,
+			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
++#endif /* WITHOUT_ED25519 */
+			if (n == 0)
+				fatal("no keys found.");
+			exit(0);
 diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0
---- old/ssh-keyscan.0	2014-01-29 17:52:47.000000000 -0800
+--- old/ssh-keyscan.0
-+++ new/ssh-keyscan.0	2015-04-10 02:43:51.177179968 -0700
++++ new/ssh-keyscan.0
 @@ -48,9 +48,9 @@ DESCRIPTION
 -t type
 Specifies the type of the key to fetch from the scanned hosts.
-The possible values are ``rsa1'' for protocol version 1 and
+The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],
--             ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
+-             M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.  Multiple
-+             ``dsa'' or ``rsa'' for protocol version
++             or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.  Multiple
-2.  Multiple values may be specified by separating them with
+values may be specified by separating them with commas.  The
--             commas.  The default is to fetch ``rsa'' and ``ecdsa'' keys.
+-             default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys.
-+             commas.  The default is to fetch ``rsa'' keys.
++             default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^] keys.
 -v      Verbose mode.  Causes ssh-keyscan to print debugging messages
 about its progress.
 @@ -72,12 +72,11 @@ FILES
 host-or-namelist bits exponent modulus
--     Output format for rsa, dsa and ecdsa keys:
+-     Output format for RSA, DSA, ECDSA, and Ed25519 keys:
-+     Output format for rsa and dsa keys:
++     Output format for RSA, and DSA keys:
 host-or-namelist keytype base64-encoded-key
--     Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
+-     Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^],
--     ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''.
+-     M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
-+     Where keytype is either ``ssh-dss'' or ``ssh-rsa''.
++     Where keytype is either M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
 /etc/ssh/ssh_known_hosts
 @@ -89,7 +88,7 @@ EXAMPLES
 Find all hosts from the file ssh_hosts which have new or different keys
 from those in the sorted file ssh_known_hosts:
--     $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \
+-     $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
 +     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
 sort -u - ssh_known_hosts | diff ssh_known_hosts -
 SEE ALSO
 diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1
---- old/ssh-keyscan.1	2013-12-17 22:46:28.000000000 -0800
+--- old/ssh-keyscan.1
-+++ new/ssh-keyscan.1	2015-04-10 02:43:51.177539875 -0700
++++ new/ssh-keyscan.1
-@@ -89,16 +89,12 @@ The possible values are
+@@ -90,18 +90,13 @@ Specifies the type of the key to fetch f
+The possible values are
 .Dq rsa1
 for protocol version 1 and
-.Dq dsa ,
+-.Dq dsa ,
 -.Dq ecdsa ,
 -.Dq ed25519 ,
++.Dq dsa
 or
 .Dq rsa
 for protocol version 2.
 Multiple values may be specified by separating them with commas.
 The default is to fetch
-.Dq rsa
+-.Dq rsa ,
+-.Dq ecdsa ,
 -and
--.Dq ecdsa
+-.Dq ed25519
++.Dq rsa
 keys.
 .It Fl v
 Verbose mode.
-@@ -127,7 +123,7 @@ attacks which have begun after the ssh_k
+@@ -130,7 +125,7 @@ Output format for RSA1 keys:
 host-or-namelist bits exponent modulus
 .Ed
 .Pp
--.Pa Output format for rsa, dsa and ecdsa keys:
+-Output format for RSA, DSA, ECDSA, and Ed25519 keys:
-+.Pa Output format for rsa and dsa keys:
++Output format for RSA and DSA keys:
 .Bd -literal
 host-or-namelist keytype base64-encoded-key
 .Ed
-@@ -135,10 +131,6 @@ host-or-namelist keytype base64-encoded-
+@@ -138,10 +133,6 @@ host-or-namelist keytype base64-encoded-
 Where
-.Pa keytype
+.Ar keytype
 is either
 -.Dq ecdsa-sha2-nistp256 ,
 -.Dq ecdsa-sha2-nistp384 ,
 -.Dq ecdsa-sha2-nistp521 ,
 -.Dq ssh-ed25519 ,
 .Dq ssh-dss
 or
 .Dq ssh-rsa .
-@@ -158,7 +150,7 @@ Find all hosts from the file
+@@ -159,7 +150,7 @@ Find all hosts from the file
 which have new or different keys from those in the sorted file
 .Pa ssh_known_hosts :
 .Bd -literal
--$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
+-$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
 +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
 .Ed
 .Sh SEE ALSO
 diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
---- old/ssh-keyscan.c	2013-12-06 16:24:02.000000000 -0800
+--- old/ssh-keyscan.c
-+++ new/ssh-keyscan.c	2015-04-10 02:43:51.178102053 -0700
++++ new/ssh-keyscan.c
-@@ -56,7 +56,9 @@ int ssh_port = SSH_DEFAULT_PORT;
+@@ -286,7 +286,9 @@ keygrab_ssh2(con *c)
-#define KT_DSA		2
+	c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
-#define KT_RSA		4
+# endif
-#define KT_ECDSA	8
+#endif
 +#ifndef WITHOUT_ED25519
-#define KT_ED25519	16
+	c->c_ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#endif /* WITHOUT_ED25519 */
+	ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
-int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
+	/*
+	 * do the key-exchange until an error occurs or until
-@@ -247,9 +249,11 @@ keygrab_ssh2(con *c)
+@@ -612,10 +614,15 @@ do_host(char *host)
-	packet_set_connection(c->c_fd, c->c_fd);
-	enable_compat20();
-	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
--	    c->c_keytype == KT_DSA ?  "ssh-dss" :
-+#ifndef WITHOUT_ED25519
-+	    c->c_keytype == KT_ED25519 ?  "ssh-ed25519" :
-+#endif /* WITHOUT_ED25519 */
-	    (c->c_keytype == KT_RSA ? "ssh-rsa" :
--	    (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
-+	    (c->c_keytype == KT_DSA ? "ssh-dss" :
-	    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
-	c->c_kex = kex_setup(myproposal);
-	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
-@@ -257,7 +261,9 @@ keygrab_ssh2(con *c)
-	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
-	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
-	c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
-+#ifndef WITHOUT_ED25519
-	c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client;
-+#endif /* WITHOUT_ED25519 */
-	c->c_kex->verify_host_key = hostjump;
-	if (!(j = setjmp(kexjmp))) {
-@@ -575,10 +581,15 @@ do_host(char *host)
 {
 	char *name = strnnsep(&host, " \t\n");
 	int j;
-+#ifdef WITHOUT_ED25519
++#ifndef WITHOUT_ED25519
++	int max_kt = KT_ED25519;
++#else
 +	int max_kt = KT_ECDSA;
-+#else
++#endif /* WITHOUT_ED25519 */
-+	int max_kt = KT_ED25519;
-+#endif
 	if (name == NULL)
 		return;
 -	for (j = KT_RSA1; j <= KT_ED25519; j *= 2) {
 +	for (j = KT_RSA1; j <= max_kt; j *= 2) {
 		if (get_keytypes & j) {
 			while (ncon >= MAXCON)
 				conloop();
-@@ -685,9 +696,11 @@ main(int argc, char **argv)
+@@ -719,9 +726,11 @@ main(int argc, char **argv)
 				case KEY_RSA:
 					get_keytypes |= KT_RSA;
 					break;
 +#ifndef WITHOUT_ED25519
 				case KEY_ED25519:
 +#endif /* WITHOUT_ED25519 */
 				case KEY_UNSPEC:
 					fatal("unknown key type %s", tname);
 				}
 diff -pur old/ssh-keysign.0 new/ssh-keysign.0
---- old/ssh-keysign.0	2014-01-29 17:52:48.000000000 -0800
+--- old/ssh-keysign.0
-+++ new/ssh-keysign.0	2015-04-10 02:43:51.178360839 -0700
++++ new/ssh-keysign.0
 @@ -24,8 +24,6 @@ FILES
 Controls whether ssh-keysign is enabled.
 /etc/ssh/ssh_host_dsa_key
 -     /etc/ssh/ssh_host_ecdsa_key
 -     /etc/ssh/ssh_host_ed25519_key-cert.pub
 /etc/ssh/ssh_host_rsa_key-cert.pub
 If these files exist they are assumed to contain public
 certificate information corresponding with the private keys
 diff -pur old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8	2015-04-10 02:43:51.009217654 -0700
+--- old/ssh-keysign.8
-+++ new/ssh-keysign.8	2015-04-10 02:43:51.178615438 -0700
++++ new/ssh-keysign.8
 @@ -62,8 +62,6 @@ Controls whether
 is enabled.
 .Pp
 .It Pa /etc/ssh/ssh_host_dsa_key
 -.It Pa /etc/ssh/ssh_host_ecdsa_key
 -.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
 .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
 diff -pur old/ssh-keysign.c new/ssh-keysign.c
---- old/ssh-keysign.c	2013-12-06 16:24:02.000000000 -0800
+--- old/ssh-keysign.c
-+++ new/ssh-keysign.c	2015-04-10 02:43:51.178924008 -0700
++++ new/ssh-keysign.c
-@@ -150,7 +150,11 @@ main(int argc, char **argv)
+@@ -168,7 +168,7 @@ main(int argc, char **argv)
 {
-	Buffer b;
+	struct sshbuf *b;
 	Options options;
-+#ifdef WITHOUT_ED25519
+-#define NUM_KEYTYPES 4
 +#define NUM_KEYTYPES 3
-+#else
+	struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
-#define NUM_KEYTYPES 4
-+#endif
-	Key *keys[NUM_KEYTYPES], *key = NULL;
 	struct passwd *pw;
-	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
+	int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
-@@ -169,7 +173,9 @@ main(int argc, char **argv)
+@@ -190,7 +190,9 @@ main(int argc, char **argv)
-	i = 0;
+	/* XXX This really needs to read sshd_config for the paths */
 	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
 	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
 +#ifndef WITHOUT_ED25519
 	key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
 +#endif /* WITHOUT_ED25519 */
 	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 	original_real_uid = getuid();	/* XXX readconf.c needs this */
 diff -pur old/ssh.0 new/ssh.0
---- old/ssh.0	2014-01-29 17:52:47.000000000 -0800
+--- old/ssh.0
-+++ new/ssh.0	2015-04-10 02:43:51.179753862 -0700
++++ new/ssh.0
-@@ -142,8 +142,8 @@ DESCRIPTION
+@@ -140,8 +140,8 @@ DESCRIPTION
 -i identity_file
 Selects a file from which the identity (private key) for public
 key authentication is read.  The default is ~/.ssh/identity for
 -             protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
 -             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
-+             protocol version 1, and ~/.ssh/id_dsa, and ~/.ssh/id_rsa for
++             protocol version 1, and ~/.ssh/id_dsa
-+             protocol version 2.
++             and ~/.ssh/id_rsa for protocol version 2.
 Identity files may also be specified on a per-host basis in the
 configuration file.  It is possible to have multiple -i options
 (and multiple identities specified in configuration files).  ssh
-@@ -446,7 +446,7 @@ AUTHENTICATION
+@@ -463,7 +463,7 @@ AUTHENTICATION
 creates a public/private key pair for authentication purposes.  The
 server knows the public key, and only the user knows the private key.
 ssh implements public key authentication protocol automatically, using
--     one of the DSA, ECDSA, ED25519 or RSA algorithms.  Protocol 1 is
+-     one of the DSA, ECDSA, Ed25519 or RSA algorithms.  Protocol 1 is
 +     one of the DSA or RSA algorithms.  Protocol 1 is
 restricted to using only RSA keys, but protocol 2 may use any.  The
 HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
 algorithms.
-@@ -459,11 +459,9 @@ AUTHENTICATION
+@@ -476,11 +476,9 @@ AUTHENTICATION
 The user creates his/her key pair by running ssh-keygen(1).  This stores
 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
 -     2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2
--     ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
+-     Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
 -     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA),
 -     ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2
--     ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
+-     Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
 +     2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
 +     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA)
 +     or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
 directory.  The user should then copy the public key to
 ~/.ssh/authorized_keys in his/her home directory on the remote machine.
 The authorized_keys file corresponds to the conventional ~/.rhosts file,
-@@ -799,7 +797,7 @@ FILES
+@@ -825,7 +823,7 @@ FILES
 for the user, and not accessible by others.
 ~/.ssh/authorized_keys
--             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+-             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
 +             Lists the public keys (DSA, RSA) that can be used
 for logging in as this user.  The format of this file is
 described in the sshd(8) manual page.  This file is not highly
 sensitive, but the recommended permissions are read/write for the
-@@ -817,8 +815,6 @@ FILES
+@@ -843,8 +841,6 @@ FILES
 ~/.ssh/identity
 ~/.ssh/id_dsa
 -     ~/.ssh/id_ecdsa
 -     ~/.ssh/id_ed25519
 ~/.ssh/id_rsa
 Contains the private key for authentication.  These files contain
 sensitive data and should be readable by the user but not
-@@ -830,8 +826,6 @@ FILES
+@@ -856,8 +852,6 @@ FILES
 ~/.ssh/identity.pub
 ~/.ssh/id_dsa.pub
 -     ~/.ssh/id_ecdsa.pub
 -     ~/.ssh/id_ed25519.pub
 ~/.ssh/id_rsa.pub
 Contains the public key for authentication.  These files are not
 sensitive and can (but need not) be readable by anyone.
-@@ -862,8 +856,6 @@ FILES
+@@ -888,8 +882,6 @@ FILES
 /etc/ssh/ssh_host_key
 /etc/ssh/ssh_host_dsa_key
 -     /etc/ssh/ssh_host_ecdsa_key
 -     /etc/ssh/ssh_host_ed25519_key
 /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys and are
 used for host-based authentication.  If protocol version 1 is
 diff -pur old/ssh.1 new/ssh.1
---- old/ssh.1	2013-12-17 22:46:28.000000000 -0800
+--- old/ssh.1
-+++ new/ssh.1	2015-04-10 02:43:51.180632097 -0700
++++ new/ssh.1
-@@ -279,8 +279,6 @@ The default is
+@@ -292,9 +292,7 @@ public key authentication is read.
+The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
-.Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_dsa ,
 -.Pa ~/.ssh/id_ecdsa ,
 -.Pa ~/.ssh/id_ed25519
++.Pa ~/.ssh/id_dsa
 and
 .Pa ~/.ssh/id_rsa
 for protocol version 2.
-@@ -758,7 +756,7 @@ key pair for authentication purposes.
+@@ -848,7 +846,7 @@ key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
 .Nm
 implements public key authentication protocol automatically,
--using one of the DSA, ECDSA, ED25519 or RSA algorithms.
+-using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
 +using one of the DSA or RSA algorithms.
 Protocol 1 is restricted to using only RSA keys,
 but protocol 2 may use any.
 The HISTORY section of
-@@ -783,10 +781,6 @@ This stores the private key in
+@@ -873,10 +871,6 @@ This stores the private key in
 (protocol 1),
 .Pa ~/.ssh/id_dsa
 (protocol 2 DSA),
 -.Pa ~/.ssh/id_ecdsa
 -(protocol 2 ECDSA),
 -.Pa ~/.ssh/id_ed25519
--(protocol 2 ED25519),
+-(protocol 2 Ed25519),
 or
 .Pa ~/.ssh/id_rsa
 (protocol 2 RSA)
-@@ -795,10 +789,6 @@ and stores the public key in
+@@ -885,10 +879,6 @@ and stores the public key in
 (protocol 1),
 .Pa ~/.ssh/id_dsa.pub
 (protocol 2 DSA),
 -.Pa ~/.ssh/id_ecdsa.pub
 -(protocol 2 ECDSA),
 -.Pa ~/.ssh/id_ed25519.pub
--(protocol 2 ED25519),
+-(protocol 2 Ed25519),
 or
 .Pa ~/.ssh/id_rsa.pub
 (protocol 2 RSA)
-@@ -1338,7 +1328,7 @@ secret, but the recommended permissions
+@@ -1444,7 +1434,7 @@ secret, but the recommended permissions
 and not accessible by others.
 .Pp
 .It Pa ~/.ssh/authorized_keys
--Lists the public keys (DSA, ECDSA, ED25519, RSA)
+-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
 +Lists the public keys (DSA, RSA)
 that can be used for logging in as this user.
 The format of this file is described in the
 .Xr sshd 8
-@@ -1360,8 +1350,6 @@ above.
+@@ -1466,8 +1456,6 @@ above.
 .Pp
 .It Pa ~/.ssh/identity
 .It Pa ~/.ssh/id_dsa
 -.It Pa ~/.ssh/id_ecdsa
 -.It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_rsa
 Contains the private key for authentication.
 These files
-@@ -1375,8 +1363,6 @@ sensitive part of this file using 3DES.
+@@ -1481,8 +1469,6 @@ sensitive part of this file using 3DES.
 .Pp
 .It Pa ~/.ssh/identity.pub
 .It Pa ~/.ssh/id_dsa.pub
 -.It Pa ~/.ssh/id_ecdsa.pub
 -.It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_rsa.pub
 Contains the public key for authentication.
 These files are not
-@@ -1415,8 +1401,6 @@ The file format and configuration option
+@@ -1521,8 +1507,6 @@ The file format and configuration option
 .Pp
 .It Pa /etc/ssh/ssh_host_key
 .It Pa /etc/ssh/ssh_host_dsa_key
 -.It Pa /etc/ssh/ssh_host_ecdsa_key
 -.It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys
 and are used for host-based authentication.
 diff -pur old/ssh.c new/ssh.c
---- old/ssh.c	2013-12-28 22:53:40.000000000 -0800
+--- old/ssh.c
-+++ new/ssh.c	2015-04-10 02:43:51.181446718 -0700
++++ new/ssh.c
-@@ -1010,8 +1010,10 @@ main(int ac, char **av)
+@@ -1233,8 +1233,10 @@ main(int ac, char **av)
+		sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA,
+		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL);
 #endif
++#ifndef WITHOUT_ED25519
+		sensitive_data.keys[2] = key_load_private_cert(KEY_ED25519,
+		    _PATH_HOST_ED25519_KEY_FILE, "", NULL);
++#endif /* WITHOUT_ED25519 */
 		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
-+#ifndef WITHOUT_ED25519
+		sensitive_data.keys[4] = key_load_private_cert(KEY_DSA,
-		sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519,
+@@ -1243,8 +1245,10 @@ main(int ac, char **av)
-		    _PATH_HOST_ED25519_KEY_FILE, "", NULL);
+		sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
-+#endif /* WITHOUT_ED25519 */
+		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
-		sensitive_data.keys[5] = key_load_private_type(KEY_DSA,
-		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
-#ifdef OPENSSL_HAS_ECC
-@@ -1020,8 +1022,10 @@ main(int ac, char **av)
 #endif
++#ifndef WITHOUT_ED25519
+		sensitive_data.keys[6] = key_load_private_type(KEY_ED25519,
+		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
++#endif /* WITHOUT_ED25519 */
 		sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
-+#ifndef WITHOUT_ED25519
+		sensitive_data.keys[8] = key_load_private_type(KEY_DSA,
-		sensitive_data.keys[8] = key_load_private_type(KEY_ED25519,
+@@ -1261,8 +1265,10 @@ main(int ac, char **av)
-		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
+			sensitive_data.keys[1] = key_load_cert(
-+#endif /* WITHOUT_ED25519 */
+			    _PATH_HOST_ECDSA_KEY_FILE);
-		PRIV_END;
-		if (options.hostbased_authentication == 1 &&
-@@ -1038,8 +1042,10 @@ main(int ac, char **av)
 #endif
++#ifndef WITHOUT_ED25519
+			sensitive_data.keys[2] = key_load_cert(
+			    _PATH_HOST_ED25519_KEY_FILE);
++#endif /* WITHOUT_ED25519 */
 			sensitive_data.keys[3] = key_load_cert(
 			    _PATH_HOST_RSA_KEY_FILE);
-+#ifndef WITHOUT_ED25519
 			sensitive_data.keys[4] = key_load_cert(
-			    _PATH_HOST_ED25519_KEY_FILE);
+@@ -1271,8 +1277,10 @@ main(int ac, char **av)
-+#endif /* WITHOUT_ED25519 */
 			sensitive_data.keys[5] = key_load_public(
-			    _PATH_HOST_DSA_KEY_FILE, NULL);
+			    _PATH_HOST_ECDSA_KEY_FILE, NULL);
-#ifdef OPENSSL_HAS_ECC
-@@ -1048,8 +1054,10 @@ main(int ac, char **av)
 #endif
++#ifndef WITHOUT_ED25519
+			sensitive_data.keys[6] = key_load_public(
+			    _PATH_HOST_ED25519_KEY_FILE, NULL);
++#endif /* WITHOUT_ED25519 */
 			sensitive_data.keys[7] = key_load_public(
 			    _PATH_HOST_RSA_KEY_FILE, NULL);
-+#ifndef WITHOUT_ED25519
 			sensitive_data.keys[8] = key_load_public(
-			    _PATH_HOST_ED25519_KEY_FILE, NULL);
+diff -pur old/ssh_api.c new/ssh_api.c
-+#endif /* WITHOUT_ED25519 */
+--- old/ssh_api.c
-			sensitive_data.external_keysign = 1;
++++ new/ssh_api.c
-		}
+@@ -109,7 +109,9 @@ ssh_init(struct ssh **sshp, int is_serve
+		ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+# endif
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+		ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#endif /* WITHOUT_ED25519 */
+		ssh->kex->load_host_public_key=&_ssh_host_public_key;
+		ssh->kex->load_host_private_key=&_ssh_host_private_key;
+		ssh->kex->sign=&_ssh_host_key_sign;
+@@ -123,7 +125,9 @@ ssh_init(struct ssh **sshp, int is_serve
+		ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+# endif
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+		ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#endif /* WITHOUT_ED25519 */
+		ssh->kex->verify_host_key =&_ssh_verify_host_key;
 	}
+	*sshp = ssh;
 diff -pur old/ssh_config.0 new/ssh_config.0
---- old/ssh_config.0	2014-01-29 17:52:48.000000000 -0800
+--- old/ssh_config.0
-+++ new/ssh_config.0	2015-04-10 02:43:51.182117645 -0700
++++ new/ssh_config.0
-@@ -409,14 +409,9 @@ DESCRIPTION
+@@ -444,13 +444,8 @@ DESCRIPTION
-client wants to use in order of preference.  The default for this
+specified key types will be appended to the default set instead
-option is:
+of replacing them.  The default for this option is:
 -                [email protected],
 -                [email protected],
 -                [email protected],
 -                [email protected],
-[email protected],[email protected],
+[email protected],
-[email protected],[email protected],
 -                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa,ssh-dss
+-                ssh-ed25519,ssh-rsa
-+                ssh-rsa,ssh-dss
++                ssh-rsa
+The -Q option of ssh(1) may be used to list supported key types.
+@@ -461,13 +456,8 @@ DESCRIPTION
+key types will be appended to the default set instead of
+replacing them.  The default for this option is:
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+[email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
 If hostkeys are known for the destination host then this default
 is modified to prefer their algorithms.
-@@ -446,10 +441,10 @@ DESCRIPTION
+@@ -503,10 +493,10 @@ DESCRIPTION
-default is ``no''.
+default is M-bM-^@M-^\noM-bM-^@M-^].
 IdentityFile
--             Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA
+-             Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
 +             Specifies a file from which the user's DSA or RSA
 authentication identity is read.  The default is ~/.ssh/identity
 -             for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
 -             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
-+             for protocol version 1, and ~/.ssh/id_dsa and ~/.ssh/id_rsa for
++             for protocol version 1, and ~/.ssh/id_dsa
-+             protocol version 2.
++             and ~/.ssh/id_rsa for protocol version 2.
 Additionally, any identities represented by the authentication
 agent will be used for authentication unless IdentitiesOnly is
 set.  ssh(1) will try to load certificate information from the
-@@ -509,8 +504,6 @@ DESCRIPTION
+@@ -569,7 +559,6 @@ DESCRIPTION
-Specifies the available KEX (Key Exchange) algorithms.  Multiple
+will be appended to the default set instead of replacing them.
-algorithms must be comma-separated.  The default is:
+The default is:
 -                   [email protected],
--                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1,
+@@ -727,13 +716,8 @@ DESCRIPTION
+types after it will be appended to the default instead of
+replacing it.  The default for this option is:
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+[email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+The -Q option of ssh(1) may be used to list supported key types.
 diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5	2015-04-10 02:43:51.077725535 -0700
+--- old/ssh_config.5
-+++ new/ssh_config.5	2015-04-10 02:43:51.182862658 -0700
++++ new/ssh_config.5
-@@ -723,14 +723,9 @@ Specifies the protocol version 2 host ke
+@@ -806,13 +806,8 @@ character, then the specified key types
-that the client wants to use in order of preference.
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 [email protected],
 [email protected],
 [email protected],
 [email protected],
-[email protected],[email protected],
+[email protected],
-[email protected],[email protected],
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa,ssh-dss
+-ssh-ed25519,ssh-rsa
-+ssh-rsa,ssh-dss
++ssh-rsa
+.Ed
+.Pp
+The
+@@ -829,13 +824,8 @@ character, then the specified key types
+instead of replacing them.
+The default for this option is:
+.Bd -literal -offset 3n
+[email protected],
+[email protected],
+[email protected],
+[email protected],
+[email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa
++ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
-@@ -772,14 +767,12 @@ offers many different identities.
+@@ -890,14 +880,12 @@ offers many different identities.
 The default is
 .Dq no .
 .It Cm IdentityFile
--Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
+-Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
 +Specifies a file from which the user's DSA or RSA authentication
 identity is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 -.Pa ~/.ssh/id_ecdsa ,
 -.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa
 for protocol version 2.
-@@ -892,8 +885,6 @@ Specifies the available KEX (Key Exchang
+@@ -1014,7 +1002,6 @@ character, then the specified methods wi
-Multiple algorithms must be comma-separated.
+instead of replacing them.
 The default is:
 .Bd -literal -offset indent
 [email protected],
--ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1,
+@@ -1259,13 +1246,8 @@ character, then the key types after it w
-Only in new: ssh_config.5.orig
+instead of replacing it.
+The default for this option is:
+.Bd -literal -offset 3n
+[email protected],
+[email protected],
+[email protected],
+[email protected],
+[email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa
++ssh-rsa
+.Ed
+.Pp
+The
 diff -pur old/sshconnect.c new/sshconnect.c
---- old/sshconnect.c	2015-04-10 02:43:51.092987117 -0700
+--- old/sshconnect.c
-+++ new/sshconnect.c	2015-04-10 02:43:51.183586425 -0700
++++ new/sshconnect.c
-@@ -1325,7 +1325,9 @@ show_other_keys(struct hostkeys *hostkey
+@@ -1392,7 +1392,9 @@ show_other_keys(struct hostkeys *hostkey
 		KEY_RSA,
 		KEY_DSA,
 		KEY_ECDSA,
 +#ifndef WITHOUT_ED25519
 		KEY_ED25519,
 +#endif /* WITHOUT_ED25519 */
 		-1
 	};
 	int i, ret = 0;
-Only in new: sshconnect.c.orig
 diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c	2015-04-10 02:43:51.055621784 -0700
+--- old/sshconnect2.c
-+++ new/sshconnect2.c	2015-04-10 02:49:31.451117756 -0700
++++ new/sshconnect2.c
-@@ -213,7 +213,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -247,7 +247,9 @@ ssh_kex2(char *host, struct sockaddr *ho
-	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
-	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+# endif
+#endif
 +#ifndef WITHOUT_ED25519
 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#endif /* WITHOUT_ED25519 */
-	kex->client_version_string=client_version_string;
+#ifdef GSSAPI
-	kex->server_version_string=server_version_string;
+	if (options.gss_keyex) {
-	kex->verify_host_key=&verify_host_key_callback;
+		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
-Only in new: sshconnect2.c.orig
-Only in new: sshconnect2.c.rej
 diff -pur old/sshd.0 new/sshd.0
---- old/sshd.0	2014-01-29 17:52:47.000000000 -0800
+--- old/sshd.0
-+++ new/sshd.0	2015-04-10 02:43:51.185708016 -0700
++++ new/sshd.0
-@@ -82,8 +82,7 @@ DESCRIPTION
+@@ -81,8 +81,7 @@ DESCRIPTION
 be given if sshd is not run as root (as the normal host key files
 are normally not readable by anyone but root).  The default is
 /etc/ssh/ssh_host_key for protocol version 1, and
 -             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
 -             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
 +             /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
 protocol version 2.  It is possible to have multiple host key
 files for the different protocol versions and host key
 algorithms.
-@@ -148,7 +147,7 @@ DESCRIPTION
+@@ -146,7 +145,7 @@ DESCRIPTION
 AUTHENTICATION
 The OpenSSH SSH daemon supports SSH protocols 1 and 2.  The default is to
 use protocol 2 only, though this can be changed via the Protocol option
--     in sshd_config(5).  Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+-     in sshd_config(5).  Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
 +     in sshd_config(5).  Protocol 2 supports DSA and RSA keys;
 protocol 1 only supports RSA keys.  For both protocols, each host has a
 host-specific key, normally 2048 bits, used to identify the host.
-@@ -278,15 +277,13 @@ AUTHORIZED_KEYS FILE FORMAT
+@@ -279,15 +278,13 @@ AUTHORIZED_KEYS FILE FORMAT
 starts with a number).  The bits, exponent, modulus, and comment fields
 give the RSA key for protocol version 1; the comment field is not used
 for anything (but may be convenient for the user to identify the key).
--     For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'',
+-     For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
--     ``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'',
+-     M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
--     ``ssh-dss'' or ``ssh-rsa''.
+-     M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
-+     For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''.
++     For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
 Note that lines in this file are usually several hundred bytes long
 (because of the size of the public key encoding) up to a limit of 8
 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
 kilobits.  You don't want to type them in; instead, copy the
 -     identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub
 +     identity.pub, id_dsa.pub or the id_rsa.pub
 file and edit it.
 sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
-@@ -513,7 +510,7 @@ FILES
+@@ -514,7 +511,7 @@ FILES
 for the user, and not accessible by others.
 ~/.ssh/authorized_keys
--             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+-             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
 +             Lists the public keys (DSA, RSA) that can be used
 for logging in as this user.  The format of this file is
 described above.  The content of the file is not highly
 sensitive, but the recommended permissions are read/write for the
-@@ -574,8 +571,6 @@ FILES
+@@ -570,8 +567,6 @@ FILES
 /etc/ssh/ssh_host_key
 /etc/ssh/ssh_host_dsa_key
 -     /etc/ssh/ssh_host_ecdsa_key
 -     /etc/ssh/ssh_host_ed25519_key
 /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys.  These
 files should only be owned by root, readable only by root, and
-@@ -584,8 +579,6 @@ FILES
+@@ -580,8 +575,6 @@ FILES
 /etc/ssh/ssh_host_key.pub
 /etc/ssh/ssh_host_dsa_key.pub
 -     /etc/ssh/ssh_host_ecdsa_key.pub
 -     /etc/ssh/ssh_host_ed25519_key.pub
 /etc/ssh/ssh_host_rsa_key.pub
 These files contain the public parts of the host keys.  These
 files should be world-readable but writable only by root.  Their
 diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8	2015-04-10 02:43:51.068793178 -0700
+--- old/sshd.8	2015-12-10 12:36:52.040393250 -0800
-+++ new/sshd.8	2015-04-10 02:43:51.186397825 -0700
++++ new/sshd.8	2015-12-10 12:40:30.706984900 -0800
-@@ -175,8 +175,6 @@ The default is
+@@ -172,8 +172,6 @@ The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
 .Pa /etc/ssh/ssh_host_dsa_key ,
 -.Pa /etc/ssh/ssh_host_ecdsa_key .
 -.Pa /etc/ssh/ssh_host_ed25519_key
 and
 .Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
-@@ -281,7 +279,7 @@ though this can be changed via the
+@@ -275,7 +273,7 @@ though this can be changed via the
 .Cm Protocol
 option in
 .Xr sshd_config 4 .
--Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+-Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
 +Protocol 2 supports DSA and RSA keys;
 protocol 1 only supports RSA keys.
 For both protocols,
 each host has a host-specific key,
-@@ -492,10 +490,6 @@ protocol version 1; the
+@@ -491,10 +489,6 @@ protocol version 1; the
 comment field is not used for anything (but may be convenient for the
 user to identify the key).
 For protocol version 2 the keytype is
 -.Dq ecdsa-sha2-nistp256 ,
 -.Dq ecdsa-sha2-nistp384 ,
 -.Dq ecdsa-sha2-nistp521 ,
 -.Dq ssh-ed25519 ,
 .Dq ssh-dss
 or
 .Dq ssh-rsa .
-@@ -507,8 +501,6 @@ keys up to 16 kilobits.
+@@ -506,8 +500,6 @@ keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub ,
 -.Pa id_ecdsa.pub ,
 -.Pa id_ed25519.pub ,
 or the
 .Pa id_rsa.pub
 file and edit it.
-@@ -808,7 +800,7 @@ secret, but the recommended permissions
+@@ -807,7 +799,7 @@ secret, but the recommended permissions
 and not accessible by others.
 .Pp
 .It Pa ~/.ssh/authorized_keys
--Lists the public keys (DSA, ECDSA, ED25519, RSA)
+-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
 +Lists the public keys (DSA, RSA)
 that can be used for logging in as this user.
 The format of this file is described above.
 The content of the file is not highly sensitive, but the recommended
-@@ -888,8 +880,6 @@ rlogin/rsh.
+@@ -881,8 +873,6 @@ rlogin/rsh.
 .Pp
 .It Pa /etc/ssh/ssh_host_key
 .It Pa /etc/ssh/ssh_host_dsa_key
 -.It Pa /etc/ssh/ssh_host_ecdsa_key
 -.It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys.
 These files should only be owned by root, readable only by root, and not
-@@ -900,8 +890,6 @@ does not start if these files are group/
+@@ -893,8 +883,6 @@ does not start if these files are group/
 .Pp
 .It Pa /etc/ssh/ssh_host_key.pub
 .It Pa /etc/ssh/ssh_host_dsa_key.pub
 -.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
 -.It Pa /etc/ssh/ssh_host_ed25519_key.pub
 .It Pa /etc/ssh/ssh_host_rsa_key.pub
 These files contain the public parts of the host keys.
 These files should be world-readable but writable only by
 diff -pur old/sshd.c new/sshd.c
---- old/sshd.c	2015-04-10 02:43:51.101980137 -0700
+--- old/sshd.c
-+++ new/sshd.c	2015-04-10 02:49:46.274593753 -0700
++++ new/sshd.c
-@@ -797,7 +797,9 @@ list_hostkey_types(void)
+@@ -811,7 +811,9 @@ list_hostkey_types(void)
 		case KEY_RSA:
 		case KEY_DSA:
 		case KEY_ECDSA:
 +#ifndef WITHOUT_ED25519
 		case KEY_ED25519:
 +#endif /* WITHOUT_ED25519 */
 			if (buffer_len(&b) > 0)
 				buffer_append(&b, ",", 1);
 			p = key_ssh_name(key);
-@@ -814,7 +816,9 @@ list_hostkey_types(void)
+@@ -826,7 +828,9 @@ list_hostkey_types(void)
 		case KEY_RSA_CERT:
 		case KEY_DSA_CERT:
 		case KEY_ECDSA_CERT:
 +#ifndef WITHOUT_ED25519
 		case KEY_ED25519_CERT:
 +#endif /* WITHOUT_ED25519 */
 			if (buffer_len(&b) > 0)
 				buffer_append(&b, ",", 1);
 			p = key_ssh_name(key);
-@@ -842,7 +846,9 @@ get_hostkey_by_type(int type, int need_p
+@@ -852,7 +856,9 @@ get_hostkey_by_type(int type, int nid, i
 		case KEY_RSA_CERT:
 		case KEY_DSA_CERT:
 		case KEY_ECDSA_CERT:
 +#ifndef WITHOUT_ED25519
 		case KEY_ED25519_CERT:
 +#endif /* WITHOUT_ED25519 */
 			key = sensitive_data.host_certificates[i];
 			break;
 		default:
-@@ -1719,7 +1725,9 @@ main(int ac, char **av)
+@@ -1810,7 +1816,9 @@ main(int ac, char **av)
 		case KEY_RSA:
 		case KEY_DSA:
 		case KEY_ECDSA:
 +#ifndef WITHOUT_ED25519
 		case KEY_ED25519:
 +#endif /* WITHOUT_ED25519 */
-			sensitive_data.have_ssh2_key = 1;
+			if (have_agent || key != NULL)
+				sensitive_data.have_ssh2_key = 1;
 			break;
-		}
+@@ -2646,7 +2654,9 @@ do_ssh2_kex(void)
-@@ -2501,7 +2509,9 @@ do_ssh2_kex(void)
-	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
-	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+# endif
+#endif
 +#ifndef WITHOUT_ED25519
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#endif /* WITHOUT_ED25519 */
-	kex->server = 1;
+#ifdef GSSAPI
-	kex->client_version_string=client_version_string;
+	if (options.gss_keyex) {
-	kex->server_version_string=server_version_string;
+		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
-Only in new: sshd.c.orig
-Only in new: sshd.c.rej
 diff -pur old/sshd_config.0 new/sshd_config.0
---- old/sshd_config.0	2014-01-29 17:52:48.000000000 -0800
+--- old/sshd_config.0
-+++ new/sshd_config.0	2015-04-10 02:43:51.188313577 -0700
++++ new/sshd_config.0
-@@ -332,12 +332,11 @@ DESCRIPTION
+@@ -403,13 +403,8 @@ DESCRIPTION
+specified key types will be appended to the default set instead
+of replacing them.  The default for this option is:
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+[email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+The -Q option of ssh(1) may be used to list supported key types.
+@@ -438,8 +433,7 @@ DESCRIPTION
 HostKey
 Specifies a file containing a private host key used by SSH.  The
 default is /etc/ssh/ssh_host_key for protocol version 1, and
 -             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
 -             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
-+             /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
++             /etc/ssh/ssh_host_dsa_key, and /etc/ssh/ssh_host_rsa_key for
-protocol version 2.  Note that sshd(8) will refuse to use a file
+protocol version 2.
-if it is group/world-accessible.  It is possible to have multiple
-host key files.  ``rsa1'' keys are used for version 1 and
+Note that sshd(8) will refuse to use a file if it is group/world-
--             ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2
+@@ -447,7 +441,7 @@ DESCRIPTION
-+             ``dsa'' or ``rsa'' are used for version 2
+of the keys are actually used by sshd(8).
-of the SSH protocol.  It is also possible to specify public host
-key files instead.  In this case operations on the private key
+It is possible to have multiple host key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
-will be delegated to an ssh-agent(1).
+-             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
-@@ -399,8 +398,6 @@ DESCRIPTION
++             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] are
-Specifies the available KEX (Key Exchange) algorithms.  Multiple
+used for version 2 of the SSH protocol.  It is also possible to
-algorithms must be comma-separated.  The default is
+specify public host key files instead.  In this case operations
+on the private key will be delegated to an ssh-agent(1).
+@@ -462,13 +456,8 @@ DESCRIPTION
+Specifies the protocol version 2 host key algorithms that the
+server offers.  The default for this option is:
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+[email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+The list of available key types may also be obtained using the -Q
+option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
+@@ -532,7 +521,6 @@ DESCRIPTION
+will be appended to the default set instead of replacing them.
+The supported algorithms are:
+-                   [email protected]
+diffie-hellman-group1-sha1
+diffie-hellman-group14-sha1
+diffie-hellman-group-exchange-sha1
+@@ -543,7 +531,6 @@ DESCRIPTION
+The default is:
 -                   [email protected],
--                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group14-sha1,
+@@ -787,13 +774,8 @@ DESCRIPTION
+specified key types will be appended to the default set instead
+of replacing them.  The default for this option is:
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+[email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+The -Q option of ssh(1) may be used to list supported key types.
 diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5	2015-04-10 02:43:51.078482159 -0700
+--- old/sshd_config.5
-+++ new/sshd_config.5	2015-04-10 02:43:51.189013912 -0700
++++ new/sshd_config.5
-@@ -540,8 +540,6 @@ The default is
+@@ -712,8 +712,6 @@ The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
 .Pa /etc/ssh/ssh_host_dsa_key ,
 -.Pa /etc/ssh/ssh_host_ecdsa_key ,
 -.Pa /etc/ssh/ssh_host_ed25519_key
 and
 .Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
-@@ -552,8 +550,6 @@ It is possible to have multiple host key
+@@ -730,8 +728,6 @@ It is possible to have multiple host key
 .Dq rsa1
 keys are used for version 1 and
 .Dq dsa ,
 -.Dq ecdsa ,
 -.Dq ed25519
 or
 .Dq rsa
 are used for version 2 of the SSH protocol.
-@@ -663,8 +659,6 @@ Specifies the available KEX (Key Exchang
+@@ -878,8 +874,6 @@ The supported algorithms are:
-Multiple algorithms must be comma-separated.
+.Pp
-The default is
+.Bl -item -compact -offset indent
+.It
+[email protected]
+-.It
+diffie-hellman-group1-sha1
+.It
+diffie-hellman-group14-sha1
+@@ -897,7 +891,6 @@ ecdh-sha2-nistp521
+.Pp
+The default is:
 .Bd -literal -offset indent
 [email protected],
--ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group14-sha1,
+diff -pur old/sshkey.c new/sshkey.c
-Only in new: sshd_config.5.orig
+--- old/sshkey.c
-diff -pur old/verify.c new/verify.c
++++ new/sshkey.c
---- old/verify.c	2014-01-16 17:43:44.000000000 -0800
+@@ -85,9 +85,11 @@ struct keytype {
-+++ new/verify.c	2015-04-10 02:43:51.189372783 -0700
+	int cert;
-@@ -9,6 +9,8 @@
+};
+static const struct keytype keytypes[] = {
-#include "crypto_api.h"
++#ifndef WITHOUT_ED25519
+	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
-+#ifndef WITHOUT_ED25519
+	{ "[email protected]", "ED25519-CERT",
-+
+	    KEY_ED25519_CERT, 0, 1 },
-int crypto_verify_32(const unsigned char *x,const unsigned char *y)
++#endif /* WITHOUT_ED25519 */
-{
+#ifdef WITH_OPENSSL
-unsigned int differentbits = 0;
+	{ NULL, "RSA1", KEY_RSA1, 0, 0 },
-@@ -47,3 +49,4 @@ int crypto_verify_32(const unsigned char
+	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
-F(31)
+@@ -278,8 +280,10 @@ sshkey_size(const struct sshkey *k)
-return (1 & ((differentbits - 1) >> 8)) - 1;
+	case KEY_ECDSA_CERT:
-}
+		return sshkey_curve_nid_to_bits(k->ecdsa_nid);
-+#endif /* WITHOUT_ED25519 */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+		return 256;	/* XXX */
+	}
+	return 0;
+@@ -292,7 +296,9 @@ sshkey_type_is_valid_ca(int type)
+	case KEY_RSA:
+	case KEY_DSA:
+	case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+		return 1;
+	default:
+		return 0;
+@@ -318,8 +324,10 @@ sshkey_type_plain(int type)
+		return KEY_DSA;
+	case KEY_ECDSA_CERT:
+		return KEY_ECDSA;
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519_CERT:
+		return KEY_ED25519;
++#endif /* WITHOUT_ED25519 */
+	default:
+		return type;
+	}
+@@ -472,8 +480,10 @@ sshkey_new(int type)
+	k->dsa = NULL;
+	k->rsa = NULL;
+	k->cert = NULL;
++#ifndef WITHOUT_ED25519
+	k->ed25519_sk = NULL;
+	k->ed25519_pk = NULL;
++#endif /* WITHOUT_ED25519 */
+	switch (k->type) {
+#ifdef WITH_OPENSSL
+	case KEY_RSA1:
+@@ -508,10 +518,12 @@ sshkey_new(int type)
+		/* Cannot do anything until we know the group */
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		/* no need to prealloc */
+		break;
++#endif /* WITHOUT_ED25519 */
+	case KEY_UNSPEC:
+		break;
+	default:
+@@ -558,10 +570,12 @@ sshkey_add_private(struct sshkey *k)
+		/* Cannot do anything until we know the group */
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		/* no need to prealloc */
+		break;
++#endif /* WITHOUT_ED25519 */
+	case KEY_UNSPEC:
+		break;
+	default:
+@@ -613,6 +627,7 @@ sshkey_free(struct sshkey *k)
+		break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		if (k->ed25519_pk) {
+@@ -626,6 +641,7 @@ sshkey_free(struct sshkey *k)
+			k->ed25519_sk = NULL;
+		}
+		break;
++#endif /* WITHOUT_ED25519 */
+	case KEY_UNSPEC:
+		break;
+	default:
+@@ -703,10 +719,12 @@ sshkey_equal_public(const struct sshkey
+		return 1;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
+		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
++#endif /* WITHOUT_ED25519 */
+	default:
+		return 0;
+	}
+@@ -749,7 +767,9 @@ to_blob_buf(const struct sshkey *key, st
+	case KEY_ECDSA_CERT:
+	case KEY_RSA_CERT:
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+		/* Use the existing blob */
+		/* XXX modified flag? */
+		if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
+@@ -786,6 +806,7 @@ to_blob_buf(const struct sshkey *key, st
+			return ret;
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+		if (key->ed25519_pk == NULL)
+			return SSH_ERR_INVALID_ARGUMENT;
+@@ -794,6 +815,7 @@ to_blob_buf(const struct sshkey *key, st
+		    key->ed25519_pk, ED25519_PK_SZ)) != 0)
+			return ret;
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+@@ -1267,11 +1289,13 @@ sshkey_read(struct sshkey *ret, char **c
+	case KEY_RSA:
+	case KEY_DSA:
+	case KEY_ECDSA:
+-	case KEY_ED25519:
++#ifndef WITHOUT_ED25519
++ 	case KEY_ED25519:
++	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+	case KEY_DSA_CERT:
+	case KEY_ECDSA_CERT:
+	case KEY_RSA_CERT:
+-	case KEY_ED25519_CERT:
+		space = strchr(cp, ' ');
+		if (space == NULL)
+			return SSH_ERR_INVALID_FORMAT;
+@@ -1363,6 +1387,7 @@ sshkey_read(struct sshkey *ret, char **c
+		}
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+		if (sshkey_type_plain(ret->type) == KEY_ED25519) {
+			free(ret->ed25519_pk);
+			ret->ed25519_pk = k->ed25519_pk;
+@@ -1371,6 +1396,7 @@ sshkey_read(struct sshkey *ret, char **c
+			/* XXX */
+#endif
+		}
++#endif /* WITHOUT_ED25519 */
+		retval = 0;
+/*XXXX*/
+		sshkey_free(k);
+@@ -1662,7 +1688,8 @@ sshkey_generate(int type, u_int bits, st
+	if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+	switch (type) {
+-	case KEY_ED25519:
++#ifndef WITHOUT_ED25519
++		case KEY_ED25519:
+		if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
+		    (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
+			ret = SSH_ERR_ALLOC_FAIL;
+@@ -1671,6 +1698,7 @@ sshkey_generate(int type, u_int bits, st
+		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
+		ret = 0;
+		break;
++#endif /* WITHOUT_ED25519 */
+#ifdef WITH_OPENSSL
+	case KEY_DSA:
+		ret = dsa_generate_private_key(bits, &k->dsa);
+@@ -1806,6 +1834,7 @@ sshkey_from_private(const struct sshkey
+		}
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		if ((n = sshkey_new(k->type)) == NULL)
+@@ -1818,6 +1847,7 @@ sshkey_from_private(const struct sshkey
+			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+		}
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+@@ -2084,6 +2114,7 @@ sshkey_from_blob_internal(struct sshbuf
+		break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519_CERT:
+		/* Skip nonce */
+		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
+@@ -2105,6 +2136,7 @@ sshkey_from_blob_internal(struct sshbuf
+		key->ed25519_pk = pk;
+		pk = NULL;
+		break;
++#endif /* WITHOUT_ED25519 */
+	case KEY_UNSPEC:
+		if ((key = sshkey_new(type)) == NULL) {
+			ret = SSH_ERR_ALLOC_FAIL;
+@@ -2197,9 +2229,11 @@ sshkey_sign(const struct sshkey *key,
+	case KEY_RSA:
+		return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
++#endif /* WITHOUT_ED25519 */
+	default:
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+@@ -2229,9 +2263,11 @@ sshkey_verify(const struct sshkey *key,
+	case KEY_RSA:
+		return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
++#endif /* WITHOUT_ED25519 */
+	default:
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+@@ -2255,8 +2291,10 @@ sshkey_demote(const struct sshkey *k, st
+	pk->dsa = NULL;
+	pk->ecdsa = NULL;
+	pk->rsa = NULL;
++#ifndef WITHOUT_ED25519
+	pk->ed25519_pk = NULL;
+	pk->ed25519_sk = NULL;
++#endif /* WITHOUT_ED25519 */
+	switch (k->type) {
+#ifdef WITH_OPENSSL
+@@ -2306,6 +2344,7 @@ sshkey_demote(const struct sshkey *k, st
+		break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519_CERT:
+		if ((ret = sshkey_cert_copy(k, pk)) != 0)
+			goto fail;
+@@ -2319,6 +2358,7 @@ sshkey_demote(const struct sshkey *k, st
+			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+		}
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		ret = SSH_ERR_KEY_TYPE_UNKNOWN;
+fail:
+@@ -2347,9 +2387,11 @@ sshkey_to_certified(struct sshkey *k)
+		newtype = KEY_ECDSA_CERT;
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+		newtype = KEY_ED25519_CERT;
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		return SSH_ERR_INVALID_ARGUMENT;
+	}
+@@ -2428,11 +2470,13 @@ sshkey_certify(struct sshkey *k, struct
+			goto out;
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519_CERT:
+		if ((ret = sshbuf_put_string(cert,
+		    k->ed25519_pk, ED25519_PK_SZ)) != 0)
+			goto out;
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		ret = SSH_ERR_INVALID_ARGUMENT;
+		goto out;
+@@ -2607,6 +2651,7 @@ sshkey_private_serialize(const struct ss
+		break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+		if ((r = sshbuf_put_string(b, key->ed25519_pk,
+		    ED25519_PK_SZ)) != 0 ||
+@@ -2626,6 +2671,7 @@ sshkey_private_serialize(const struct ss
+		    ED25519_SK_SZ)) != 0)
+			goto out;
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		r = SSH_ERR_INVALID_ARGUMENT;
+		goto out;
+@@ -2750,6 +2796,7 @@ sshkey_private_deserialize(struct sshbuf
+			goto out;
+		break;
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+		if ((k = sshkey_new_private(type)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+@@ -2780,6 +2827,7 @@ sshkey_private_deserialize(struct sshbuf
+		k->ed25519_sk = ed25519_sk;
+		ed25519_pk = ed25519_sk = NULL;
+		break;
++#endif /* WITHOUT_ED25519 */
+	default:
+		r = SSH_ERR_KEY_TYPE_UNKNOWN;
+		goto out;
+@@ -3545,9 +3593,11 @@ sshkey_private_to_fileblob(struct sshkey
+		return sshkey_private_pem_to_blob(key, blob,
+		    passphrase, comment);
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+		return sshkey_private_to_blob2(key, blob, passphrase,
+		    comment, new_format_cipher, new_format_rounds);
++#endif /* WITHOUT_ED25519 */
+	default:
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+@@ -3853,9 +3903,11 @@ sshkey_parse_private_fileblob_type(struc
+		return sshkey_parse_private_pem_fileblob(blob, type,
+		    passphrase, keyp);
+#endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+	case KEY_ED25519:
+		return sshkey_parse_private2(blob, type, passphrase,
+		    keyp, commentp);
++#endif /* WITHOUT_ED25519 */
+	case KEY_UNSPEC:
+		if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
+		    commentp)) == 0)
+diff -pur old/sshkey.h new/sshkey.h
+--- old/sshkey.h
++++ new/sshkey.h
+@@ -57,11 +57,15 @@ enum sshkey_types {
+	KEY_RSA,
+	KEY_DSA,
+	KEY_ECDSA,
+-	KEY_ED25519,
++#ifndef WITHOUT_ED25519
++ 	KEY_ED25519,
++#endif /* WITHOUT_ED25519 */
+	KEY_RSA_CERT,
+	KEY_DSA_CERT,
+	KEY_ECDSA_CERT,
++#ifndef WITHOUT_ED25519
+	KEY_ED25519_CERT,
++#endif /* WITHOUT_ED25519 */
+	KEY_NULL,
+	KEY_UNSPEC
+};
+@@ -104,13 +108,17 @@ struct sshkey {
+	DSA	*dsa;
+	int	 ecdsa_nid;	/* NID of curve */
+	EC_KEY	*ecdsa;
++#ifndef WITHOUT_ED25519
+	u_char	*ed25519_sk;
+	u_char	*ed25519_pk;
++#endif /* WITHOUT_ED25519 */
+	struct sshkey_cert *cert;
+};
++#ifndef WITHOUT_ED25519
+#define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
+#define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
++#endif /* WITHOUT_ED25519 */
+struct sshkey	*sshkey_new(int);
+int		 sshkey_add_private(struct sshkey *);
+@@ -208,11 +216,13 @@ int ssh_ecdsa_sign(const struct sshkey *
+int ssh_ecdsa_verify(const struct sshkey *key,
+const u_char *signature, size_t signaturelen,
+const u_char *data, size_t datalen, u_int compat);
++#ifndef WITHOUT_ED25519
+int ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+const u_char *data, size_t datalen, u_int compat);
+int ssh_ed25519_verify(const struct sshkey *key,
+const u_char *signature, size_t signaturelen,
+const u_char *data, size_t datalen, u_int compat);
++#endif /* WITHOUT_ED25519 */
+#endif
+#if !defined(WITH_OPENSSL)

branch	s11u3-sru
changeset 5324	5683175b6e99
parent 4129	1b849fbbd264