#
# Per Solaris crypto team recommendation, we need to remove support for
# Curve25519 from OpenSSH.
#
# Patch offered upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2376
#
diff -pur old/Makefile.in new/Makefile.in
--- old/Makefile.in 2015-03-31 21:14:02.427499635 -0700
+++ new/Makefile.in 2015-04-02 02:30:04.830658823 -0700
@@ -141,7 +141,7 @@ $(SSHDOBJS): Makefile.in config.h
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-$(LIBCOMPAT): always
+$(LIBCOMPAT): always libssh.a
(cd openbsd-compat && $(MAKE))
always:
diff -pur old/authfd.c new/authfd.c
--- old/authfd.c 2013-12-28 22:49:56.000000000 -0800
+++ new/authfd.c 2015-04-01 01:53:06.534109950 -0700
@@ -508,8 +508,10 @@ ssh_add_identity_constrained(Authenticat
case KEY_DSA_CERT_V00:
case KEY_ECDSA:
case KEY_ECDSA_CERT:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
type = constrained ?
SSH2_AGENTC_ADD_ID_CONSTRAINED :
SSH2_AGENTC_ADD_IDENTITY;
diff -pur old/authfile.c new/authfile.c
--- old/authfile.c 2013-12-28 22:50:15.000000000 -0800
+++ new/authfile.c 2015-04-01 05:27:03.024708427 -0700
@@ -597,9 +597,11 @@ key_private_to_blob(Key *key, Buffer *bl
comment, new_format_cipher, new_format_rounds);
}
return key_private_pem_to_blob(key, blob, passphrase, comment);
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
return key_private_to_blob2(key, blob, passphrase,
comment, new_format_cipher, new_format_rounds);
+#endif /* WITHOUT_ED25519 */
default:
error("%s: cannot save key type %d", __func__, key->type);
return 0;
@@ -1005,8 +1007,10 @@ key_parse_private_type(Buffer *blob, int
case KEY_ECDSA:
case KEY_RSA:
return key_parse_private_pem(blob, type, passphrase, commentp);
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
return key_parse_private2(blob, type, passphrase, commentp);
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
if ((k = key_parse_private2(blob, type, passphrase, commentp)))
return k;
@@ -1213,7 +1217,9 @@ key_load_private_cert(int type, const ch
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
break;
default:
error("%s: unsupported key type", __func__);
diff -pur old/crypto_api.h new/crypto_api.h
--- old/crypto_api.h 2014-01-16 17:31:34.000000000 -0800
+++ new/crypto_api.h 2015-04-02 00:35:29.952105991 -0700
@@ -26,7 +26,7 @@ int crypto_hashblocks_sha512(unsigned ch
#define crypto_hash_sha512_BYTES 64U
-int crypto_hash_sha512(unsigned char *, const unsigned char *,
+extern int crypto_hash_sha512(unsigned char *, const unsigned char *,
unsigned long long);
int crypto_verify_32(const unsigned char *, const unsigned char *);
diff -pur old/ed25519.c new/ed25519.c
--- old/ed25519.c 2013-12-17 22:48:11.000000000 -0800
+++ new/ed25519.c 2015-04-01 09:03:04.052497535 -0700
@@ -6,6 +6,8 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include "crypto_api.h"
@@ -142,3 +144,4 @@ int crypto_sign_ed25519_open(
}
return ret;
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/fe25519.c new/fe25519.c
--- old/fe25519.c 2014-01-16 17:43:44.000000000 -0800
+++ new/fe25519.c 2015-04-01 03:48:12.251955071 -0700
@@ -6,6 +6,8 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#define WINDOWSIZE 1 /* Should be 1,2, or 4 */
@@ -335,3 +337,5 @@ void fe25519_pow2523(fe25519 *r, const f
/* 2^252 - 2^2 */ fe25519_square(&t,&t);
/* 2^252 - 3 */ fe25519_mul(r,&t,x);
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/fe25519.h new/fe25519.h
--- old/fe25519.h 2013-12-17 22:48:11.000000000 -0800
+++ new/fe25519.h 2015-04-01 03:47:56.992321351 -0700
@@ -9,6 +9,8 @@
#ifndef FE25519_H
#define FE25519_H
+#ifndef WITHOUT_ED25519
+
#include "crypto_api.h"
#define fe25519 crypto_sign_ed25519_ref_fe25519
@@ -67,4 +69,5 @@ void fe25519_invert(fe25519 *r, const fe
void fe25519_pow2523(fe25519 *r, const fe25519 *x);
+#endif /* WITHOUT_ED25519 */
#endif
diff -pur old/ge25519.c new/ge25519.c
--- old/ge25519.c 2014-01-16 17:43:44.000000000 -0800
+++ new/ge25519.c 2015-04-01 03:47:40.144323636 -0700
@@ -6,6 +6,8 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include "fe25519.h"
@@ -319,3 +321,5 @@ void ge25519_scalarmult_base(ge25519_p3
ge25519_mixadd2(r, &t);
}
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/ge25519.h new/ge25519.h
--- old/ge25519.h 2013-12-17 22:48:11.000000000 -0800
+++ new/ge25519.h 2015-04-01 03:47:22.801071311 -0700
@@ -8,6 +8,7 @@
#ifndef GE25519_H
#define GE25519_H
+#ifndef WITHOUT_ED25519
#include "fe25519.h"
#include "sc25519.h"
@@ -40,4 +41,5 @@ void ge25519_double_scalarmult_vartime(g
void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
+#endif /* WITHOUT_ED25519 */
#endif
diff -pur old/kex.c new/kex.c
--- old/kex.c 2015-03-31 21:14:02.430475216 -0700
+++ new/kex.c 2015-04-01 04:49:49.142934463 -0700
@@ -91,7 +91,7 @@ static const struct kexalg kexalgs[] = {
# endif
#endif
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && !defined(WITHOUT_ED25519)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif
#ifdef GSSAPI
diff -pur old/kex.h new/kex.h
--- old/kex.h 2015-03-31 21:14:02.430845488 -0700
+++ new/kex.h 2015-04-01 04:58:55.837357472 -0700
@@ -43,7 +43,9 @@
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
+#ifndef WITHOUT_ED25519
#define KEX_CURVE25519_SHA256 "[email protected]"
+#endif /* WITHOUT_ED25519 */
#define COMP_NONE 0
#define COMP_ZLIB 1
@@ -75,7 +77,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
+#ifndef WITHOUT_ED25519
KEX_C25519_SHA256,
+#endif /* WITHOUT_ED25519 */
KEX_GSS_GRP1_SHA1,
KEX_GSS_GRP14_SHA1,
KEX_GSS_GEX_SHA1,
@@ -172,8 +176,10 @@ void kexgex_client(Kex *);
void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
+#ifndef WITHOUT_ED25519
void kexc25519_client(Kex *);
void kexc25519_server(Kex *);
+#endif /* WITHOUT_ED25519 */
#ifdef GSSAPI
void kexgss_client(Kex *);
@@ -193,6 +199,7 @@ kex_ecdh_hash(int, const EC_GROUP *, cha
char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
const BIGNUM *, u_char **, u_int *);
#endif
+#ifndef WITHOUT_ED25519
void
kex_c25519_hash(int, char *, char *, char *, int,
char *, int, u_char *, int, const u_char *, const u_char *,
@@ -206,6 +213,7 @@ void kexc25519_shared_key(const u_char k
const u_char pub[CURVE25519_SIZE], Buffer *out)
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
+#endif /* WITHOUT_ED25519 */
void
derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
diff -pur old/kexc25519.c new/kexc25519.c
--- old/kexc25519.c 2014-01-12 00:21:23.000000000 -0800
+++ new/kexc25519.c 2015-04-01 04:52:44.039054396 -0700
@@ -25,6 +25,8 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include <sys/types.h>
@@ -120,3 +122,5 @@ kex_c25519_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/kexc25519c.c new/kexc25519c.c
--- old/kexc25519c.c 2014-01-12 00:21:23.000000000 -0800
+++ new/kexc25519c.c 2015-04-01 04:52:57.326754535 -0700
@@ -25,6 +25,8 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include <sys/types.h>
@@ -127,3 +129,5 @@ kexc25519_client(Kex *kex)
buffer_free(&shared_secret);
kex_finish(kex);
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/kexc25519s.c new/kexc25519s.c
--- old/kexc25519s.c 2014-01-12 00:21:23.000000000 -0800
+++ new/kexc25519s.c 2015-04-01 04:53:14.320854854 -0700
@@ -24,6 +24,8 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include <sys/types.h>
@@ -124,3 +126,5 @@ kexc25519_server(Kex *kex)
buffer_free(&shared_secret);
kex_finish(kex);
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/key.c new/key.c
--- old/key.c 2015-03-31 21:14:02.432016878 -0700
+++ new/key.c 2015-04-01 02:05:27.074044366 -0700
@@ -89,8 +89,10 @@ key_new(int type)
k->dsa = NULL;
k->rsa = NULL;
k->cert = NULL;
+#ifndef WITHOUT_ED25519
k->ed25519_sk = NULL;
k->ed25519_pk = NULL;
+#endif /* WITHOUT_ED25519 */
switch (k->type) {
case KEY_RSA1:
case KEY_RSA:
@@ -125,10 +127,12 @@ key_new(int type)
/* Cannot do anything until we know the group */
break;
#endif
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
/* no need to prealloc */
break;
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
break;
default:
@@ -173,10 +177,12 @@ key_add_private(Key *k)
case KEY_ECDSA_CERT:
/* Cannot do anything until we know the group */
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
/* no need to prealloc */
break;
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
break;
default:
@@ -239,6 +245,7 @@ key_free(Key *k)
k->ecdsa = NULL;
break;
#endif
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
if (k->ed25519_pk) {
@@ -252,6 +259,7 @@ key_free(Key *k)
k->ed25519_sk = NULL;
}
break;
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
break;
default:
@@ -333,10 +341,12 @@ key_equal_public(const Key *a, const Key
BN_CTX_free(bnctx);
return 1;
#endif /* OPENSSL_HAS_ECC */
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
+#endif /* WITHOUT_ED25519 */
default:
fatal("key_equal: bad key type %d", a->type);
}
@@ -392,7 +402,9 @@ key_fingerprint_raw(const Key *k, enum f
case KEY_DSA:
case KEY_ECDSA:
case KEY_RSA:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
key_to_blob(k, &blob, &len);
break;
case KEY_DSA_CERT_V00:
@@ -400,7 +412,9 @@ key_fingerprint_raw(const Key *k, enum f
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
/* We want a fingerprint of the _key_ not of the cert */
to_blob(k, &blob, &len, 1);
break;
@@ -728,13 +742,17 @@ key_read(Key *ret, char **cpp)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
space = strchr(cp, ' ');
if (space == NULL) {
debug3("key_read: missing whitespace");
@@ -836,6 +854,7 @@ key_read(Key *ret, char **cpp)
#endif
}
#endif
+#ifndef WITHOUT_ED25519
if (key_type_plain(ret->type) == KEY_ED25519) {
free(ret->ed25519_pk);
ret->ed25519_pk = k->ed25519_pk;
@@ -844,6 +863,7 @@ key_read(Key *ret, char **cpp)
/* XXX */
#endif
}
+#endif /* WITHOUT_ED25519 */
success = 1;
/*XXXX*/
key_free(k);
@@ -907,11 +927,13 @@ key_write(const Key *key, FILE *f)
return 0;
break;
#endif
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
if (key->ed25519_pk == NULL)
return 0;
break;
+#endif /* WITHOUT_ED25519 */
case KEY_RSA:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
@@ -959,7 +981,9 @@ static const struct keytype keytypes[] =
{ NULL, "RSA1", KEY_RSA1, 0, 0 },
{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
{ "ssh-dss", "DSA", KEY_DSA, 0, 0 },
+#ifndef WITHOUT_ED25519
{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
+#endif /* WITHOUT_ED25519 */
#ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
@@ -983,8 +1007,10 @@ static const struct keytype keytypes[] =
KEY_RSA_CERT_V00, 0, 1 },
{ "[email protected]", "DSA-CERT-V00",
KEY_DSA_CERT_V00, 0, 1 },
+#ifndef WITHOUT_ED25519
{ "[email protected]", "ED25519-CERT",
KEY_ED25519_CERT, 0, 1 },
+#endif /* WITHOUT_ED25519 */
{ "null", "null", KEY_NULL, 0, 0 },
{ NULL, NULL, -1, -1, 0 }
};
@@ -1097,7 +1123,9 @@ key_type_is_valid_ca(int type)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
return 1;
default:
return 0;
@@ -1117,8 +1145,10 @@ key_size(const Key *k)
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return BN_num_bits(k->dsa->p);
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
return 256; /* XXX */
+#endif /* WITHOUT_ED25519 */
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
case KEY_ECDSA_CERT:
@@ -1262,11 +1292,13 @@ key_generate(int type, u_int bits)
case KEY_RSA1:
k->rsa = rsa_generate_private_key(bits);
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
k->ed25519_pk = xmalloc(ED25519_PK_SZ);
k->ed25519_sk = xmalloc(ED25519_SK_SZ);
crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
break;
+#endif /* WITHOUT_ED25519 */
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
@@ -1360,6 +1392,7 @@ key_from_private(const Key *k)
(BN_copy(n->rsa->e, k->rsa->e) == NULL))
fatal("key_from_private: BN_copy failed");
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
n = key_new(k->type);
@@ -1368,6 +1401,7 @@ key_from_private(const Key *k)
memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
}
break;
+#endif /* WITHOUT_ED25519 */
default:
fatal("key_from_private: unknown type %d", k->type);
break;
@@ -1629,6 +1663,7 @@ key_from_blob2(const u_char *blob, u_int
#endif
break;
#endif /* OPENSSL_HAS_ECC */
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
(void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
/* FALLTHROUGH */
@@ -1646,6 +1681,7 @@ key_from_blob2(const u_char *blob, u_int
key->ed25519_pk = pk;
pk = NULL;
break;
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
key = key_new(type);
break;
@@ -1700,7 +1736,9 @@ to_blob(const Key *key, u_char **blobp,
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
/* Use the existing blob */
buffer_append(&b, buffer_ptr(&key->cert->certblob),
buffer_len(&key->cert->certblob));
@@ -1728,11 +1766,13 @@ to_blob(const Key *key, u_char **blobp,
buffer_put_bignum2(&b, key->rsa->e);
buffer_put_bignum2(&b, key->rsa->n);
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
buffer_put_cstring(&b,
key_ssh_name_from_type_nid(type, key->ecdsa_nid));
buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
break;
+#endif /* WITHOUT_ED25519 */
default:
error("key_to_blob: unsupported key type %d", key->type);
buffer_free(&b);
@@ -1776,9 +1816,11 @@ key_sign(
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_sign(key, sigp, lenp, data, datalen);
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
+#endif /* WITHOUT_ED25519 */
default:
error("key_sign: invalid key type %d", key->type);
return -1;
@@ -1812,9 +1854,11 @@ key_verify(
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
+#endif /* WITHOUT_ED25519 */
default:
error("key_verify: invalid key type %d", key->type);
return -1;
@@ -1834,8 +1878,10 @@ key_demote(const Key *k)
pk->dsa = NULL;
pk->ecdsa = NULL;
pk->rsa = NULL;
+#ifndef WITHOUT_ED25519
pk->ed25519_pk = NULL;
pk->ed25519_sk = NULL;
+#endif /* WITHOUT_ED25519 */
switch (k->type) {
case KEY_RSA_CERT_V00:
@@ -1879,6 +1925,7 @@ key_demote(const Key *k)
fatal("key_demote: EC_KEY_set_public_key failed");
break;
#endif
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
key_cert_copy(k, pk);
/* FALLTHROUGH */
@@ -1888,6 +1935,7 @@ key_demote(const Key *k)
memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
}
break;
+#endif /* WITHOUT_ED25519 */
default:
fatal("key_demote: bad key type %d", k->type);
break;
@@ -1917,8 +1965,10 @@ key_type_plain(int type)
return KEY_DSA;
case KEY_ECDSA_CERT:
return KEY_ECDSA;
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
return KEY_ED25519;
+#endif /* WITHOUT_ED25519 */
default:
return type;
}
@@ -1944,6 +1994,7 @@ key_to_certified(Key *k, int legacy)
k->cert = cert_new();
k->type = KEY_ECDSA_CERT;
return 0;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
if (legacy)
fatal("%s: legacy ED25519 certificates are not "
@@ -1951,6 +2002,7 @@ key_to_certified(Key *k, int legacy)
k->cert = cert_new();
k->type = KEY_ED25519_CERT;
return 0;
+#endif /* WITHOUT_ED25519 */
default:
error("%s: key has incorrect type %s", __func__, key_type(k));
return -1;
@@ -2029,10 +2081,12 @@ key_certify(Key *k, Key *ca)
buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
buffer_put_string(&k->cert->certblob,
k->ed25519_pk, ED25519_PK_SZ);
break;
+#endif /* WITHOUT_ED25519 */
default:
error("%s: key has incorrect type %s", __func__, key_type(k));
buffer_clear(&k->cert->certblob);
@@ -2450,6 +2504,7 @@ key_private_serialize(const Key *key, Bu
buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
break;
#endif /* OPENSSL_HAS_ECC */
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
@@ -2462,6 +2517,7 @@ key_private_serialize(const Key *key, Bu
buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
break;
+#endif /* WITHOUT_ED25519 */
}
}
@@ -2576,6 +2632,7 @@ key_private_deserialize(Buffer *blob)
buffer_get_bignum2(blob, k->rsa->p);
buffer_get_bignum2(blob, k->rsa->q);
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
k = key_new_private(type);
k->ed25519_pk = buffer_get_string(blob, &pklen);
@@ -2602,6 +2659,7 @@ key_private_deserialize(Buffer *blob)
fatal("%s: ed25519 sklen %d != %d",
__func__, sklen, ED25519_SK_SZ);
break;
+#endif /* WITHOUT_ED25519 */
default:
free(type_name);
buffer_clear(blob);
diff -pur old/key.h new/key.h
--- old/key.h 2015-03-31 21:14:02.432362912 -0700
+++ new/key.h 2015-04-01 02:07:01.018270150 -0700
@@ -39,11 +39,15 @@ enum types {
KEY_RSA,
KEY_DSA,
KEY_ECDSA,
+#ifndef WITHOUT_ED25519
KEY_ED25519,
+#endif /* WITHOUT_ED25519 */
KEY_RSA_CERT,
KEY_DSA_CERT,
KEY_ECDSA_CERT,
+#ifndef WITHOUT_ED25519
KEY_ED25519_CERT,
+#endif /* WITHOUT_ED25519 */
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
KEY_NULL,
@@ -89,12 +93,16 @@ struct Key {
void *ecdsa;
#endif
struct KeyCert *cert;
+#ifndef WITHOUT_ED25519
u_char *ed25519_sk;
u_char *ed25519_pk;
+#endif /* WITHOUT_ED25519 */
};
+#ifndef WITHOUT_ED25519
#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES
#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES
+#endif /* WITHOUT_ED25519 */
Key *key_new(int);
void key_add_private(Key *);
@@ -153,8 +161,10 @@ int ssh_ecdsa_sign(const Key *, u_char
int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
+#ifndef WITHOUT_ED25519
int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
+#endif /* WITHOUT_ED25519 */
#if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
void key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c 2015-03-31 21:14:02.433735148 -0700
+++ new/monitor.c 2015-04-01 04:54:56.314967559 -0700
@@ -1902,7 +1902,9 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifndef WITHOUT_ED25519
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#endif /* WITHOUT_ED25519 */
#ifdef GSSAPI
if (options.gss_keyex) {
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
diff -pur old/myproposal.h new/myproposal.h
--- old/myproposal.h 2013-12-06 16:24:02.000000000 -0800
+++ new/myproposal.h 2015-04-01 02:12:36.430101847 -0700
@@ -80,6 +80,24 @@
# define SHA2_HMAC_MODES
#endif
+#ifdef WITHOUT_ED25519
+# define KEX_DEFAULT_KEX \
+ KEX_ECDH_METHODS \
+ KEX_SHA256_METHODS \
+ "diffie-hellman-group-exchange-sha1," \
+ "diffie-hellman-group14-sha1," \
+ "diffie-hellman-group1-sha1"
+
+#define KEX_DEFAULT_PK_ALG \
+ HOSTKEY_ECDSA_CERT_METHODS \
+ "[email protected]," \
+ "[email protected]," \
+ "[email protected]," \
+ "[email protected]," \
+ HOSTKEY_ECDSA_METHODS \
+ "ssh-rsa," \
+ "ssh-dss"
+#else /* WITHOUT_ED25519 */
# define KEX_DEFAULT_KEX \
KEX_CURVE25519_METHODS \
KEX_ECDH_METHODS \
@@ -99,6 +117,7 @@
"ssh-ed25519," \
"ssh-rsa," \
"ssh-dss"
+#endif /* WITHOUT_ED25519 */
/* the actual algorithms */
diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
--- old/openbsd-compat/Makefile.in 2013-12-06 17:37:54.000000000 -0800
+++ new/openbsd-compat/Makefile.in 2015-04-02 02:29:35.165103300 -0700
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
@@ -32,7 +32,7 @@ $(OPENBSD): ../config.h
$(PORTS): ../config.h
libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
- $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
+ $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o
$(RANLIB) $@
clean:
diff -pur old/pathnames.h new/pathnames.h
--- old/pathnames.h 2013-12-06 16:24:02.000000000 -0800
+++ new/pathnames.h 2015-04-01 02:13:45.651827507 -0700
@@ -39,7 +39,9 @@
#define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key"
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
+#ifndef WITHOUT_ED25519
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
+#endif /* WITHOUT_ED25519 */
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
/* Backwards compatibility */
@@ -78,7 +80,9 @@
#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
+#ifndef WITHOUT_ED25519
#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"
+#endif /* WITHOUT_ED25519 */
/*
* Configuration file in user's home directory. This file need not be
diff -pur old/readconf.c new/readconf.c
--- old/readconf.c 2015-03-31 21:14:02.435957183 -0700
+++ new/readconf.c 2015-04-01 02:14:22.222135058 -0700
@@ -1715,8 +1715,10 @@ fill_default_options(Options * options)
add_identity_file(options, "~/",
_PATH_SSH_CLIENT_ID_ECDSA, 0);
#endif
+#ifndef WITHOUT_ED25519
add_identity_file(options, "~/",
_PATH_SSH_CLIENT_ID_ED25519, 0);
+#endif /* WITHOUT_ED25519 */
}
}
if (options->escape_char == -1)
diff -pur old/sc25519.c new/sc25519.c
--- old/sc25519.c 2014-01-16 17:43:44.000000000 -0800
+++ new/sc25519.c 2015-04-01 03:46:19.162528358 -0700
@@ -6,6 +6,8 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include "sc25519.h"
@@ -306,3 +308,5 @@ void sc25519_2interleave2(unsigned char
r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/sc25519.h new/sc25519.h
--- old/sc25519.h 2013-12-17 22:48:11.000000000 -0800
+++ new/sc25519.h 2015-04-01 03:45:37.633735864 -0700
@@ -8,6 +8,7 @@
#ifndef SC25519_H
#define SC25519_H
+#ifndef WITHOUT_ED25519
#include "crypto_api.h"
@@ -77,4 +78,5 @@ void sc25519_window5(signed char r[51],
void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
+#endif /* WITHOUT_ED25519 */
#endif
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c 2015-03-31 21:14:02.437668507 -0700
+++ new/servconf.c 2015-04-01 02:15:09.724697791 -0700
@@ -190,8 +190,10 @@ fill_default_server_options(ServerOption
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_ECDSA_KEY_FILE;
#endif
+#ifndef WITHOUT_ED25519
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_ED25519_KEY_FILE;
+#endif /* WITHOUT_ED25519 */
}
}
/* No certificates by default */
diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c
--- old/smult_curve25519_ref.c 2013-11-03 13:26:53.000000000 -0800
+++ new/smult_curve25519_ref.c 2015-04-01 04:55:30.360761627 -0700
@@ -6,6 +6,8 @@ Public domain.
Derived from public domain code by D. J. Bernstein.
*/
+#ifndef WITHOUT_ED25519
+
int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
@@ -263,3 +265,5 @@ int crypto_scalarmult_curve25519(unsigne
for (i = 0;i < 32;++i) q[i] = work[64 + i];
return 0;
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/ssh-add.0 new/ssh-add.0
--- old/ssh-add.0 2014-01-29 17:52:47.000000000 -0800
+++ new/ssh-add.0 2015-04-02 08:18:24.840811117 -0700
@@ -11,7 +11,7 @@ SYNOPSIS
DESCRIPTION
ssh-add adds private key identities to the authentication agent,
ssh-agent(1). When run without arguments, it adds the files
- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
+ ~/.ssh/id_rsa, ~/.ssh/id_dsa and
~/.ssh/identity. After loading a private key, ssh-add will try to load
corresponding certificate information from the filename obtained by
appending -cert.pub to the name of the private key file. Alternative
@@ -91,14 +91,6 @@ FILES
Contains the protocol version 2 DSA authentication identity of
the user.
- ~/.ssh/id_ecdsa
- Contains the protocol version 2 ECDSA authentication identity of
- the user.
-
- ~/.ssh/id_ed25519
- Contains the protocol version 2 ED25519 authentication identity
- of the user.
-
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user.
diff -pur old/ssh-add.1 new/ssh-add.1
--- old/ssh-add.1 2013-12-17 22:46:28.000000000 -0800
+++ new/ssh-add.1 2015-04-02 08:11:00.150982710 -0700
@@ -57,8 +57,6 @@ adds private key identities to the authe
When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/identity .
After loading a private key,
@@ -168,10 +166,6 @@ socket used to communicate with the agen
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa ~/.ssh/id_ecdsa
-Contains the protocol version 2 ECDSA authentication identity of the user.
-.It Pa ~/.ssh/id_ed25519
-Contains the protocol version 2 ED25519 authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.El
diff -pur old/ssh-add.c new/ssh-add.c
--- old/ssh-add.c 2013-12-28 22:44:07.000000000 -0800
+++ new/ssh-add.c 2015-04-01 04:55:52.619415360 -0700
@@ -73,7 +73,9 @@ static char *default_files[] = {
#ifdef OPENSSL_HAS_ECC
_PATH_SSH_CLIENT_ID_ECDSA,
#endif
+#ifndef WITHOUT_ED25519
_PATH_SSH_CLIENT_ID_ED25519,
+#endif /* WITHOUT_ED25519 */
_PATH_SSH_CLIENT_IDENTITY,
NULL
};
diff -pur old/ssh-agent.0 new/ssh-agent.0
--- old/ssh-agent.0 2014-01-29 17:52:47.000000000 -0800
+++ new/ssh-agent.0 2015-04-02 08:18:54.504859476 -0700
@@ -9,7 +9,7 @@ SYNOPSIS
DESCRIPTION
ssh-agent is a program to hold private keys used for public key
- authentication (RSA, DSA, ECDSA, ED25519). The idea is that ssh-agent is
+ authentication (RSA, DSA). The idea is that ssh-agent is
started in the beginning of an X-session or a login session, and all
other windows or programs are started as clients to the ssh-agent
program. Through use of environment variables the agent can be located
@@ -46,8 +46,8 @@ DESCRIPTION
The agent initially does not have any private keys. Keys are added using
ssh-add(1). When executed without arguments, ssh-add(1) adds the files
- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
- ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for
+ ~/.ssh/id_rsa, ~/.ssh/id_dsa ~/.ssh/identity.
+ If the identity has a passphrase, ssh-add(1) asks for
the passphrase on the terminal if it has one or from a small X11 program
if running under X11. If neither of these is the case then the
authentication will fail. It then sends the identity to the agent.
@@ -97,14 +97,6 @@ FILES
Contains the protocol version 2 DSA authentication identity of
the user.
- ~/.ssh/id_ecdsa
- Contains the protocol version 2 ECDSA authentication identity of
- the user.
-
- ~/.ssh/id_ed25519
- Contains the protocol version 2 ED25519 authentication identity
- of the user.
-
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user.
diff -pur old/ssh-agent.1 new/ssh-agent.1
--- old/ssh-agent.1 2013-12-17 22:46:28.000000000 -0800
+++ new/ssh-agent.1 2015-04-02 08:11:35.139725778 -0700
@@ -53,7 +53,7 @@
.Sh DESCRIPTION
.Nm
is a program to hold private keys used for public key authentication
-(RSA, DSA, ECDSA, ED25519).
+(RSA, DSA).
The idea is that
.Nm
is started in the beginning of an X-session or a login session, and
@@ -114,9 +114,7 @@ When executed without arguments,
.Xr ssh-add 1
adds the files
.Pa ~/.ssh/id_rsa ,
-.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_ed25519
+.Pa ~/.ssh/id_dsa
and
.Pa ~/.ssh/identity .
If the identity has a passphrase,
@@ -189,10 +187,6 @@ line terminates.
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa ~/.ssh/id_ecdsa
-Contains the protocol version 2 ECDSA authentication identity of the user.
-.It Pa ~/.ssh/id_ed25519
-Contains the protocol version 2 ED25519 authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
--- old/ssh-ed25519.c 2013-12-06 17:37:54.000000000 -0800
+++ new/ssh-ed25519.c 2015-04-01 03:45:52.747724716 -0700
@@ -15,6 +15,8 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#ifndef WITHOUT_ED25519
+
#include "includes.h"
#include <sys/types.h>
@@ -141,3 +143,5 @@ ssh_ed25519_verify(const Key *key, const
/* translate return code carefully */
return (ret == 0) ? 1 : -1;
}
+
+#endif /* WITHOUT_ED25519 */
diff -pur old/ssh-keygen.0 new/ssh-keygen.0
--- old/ssh-keygen.0 2014-01-29 17:52:47.000000000 -0800
+++ new/ssh-keygen.0 2015-04-02 08:01:54.866988427 -0700
@@ -32,7 +32,7 @@ SYNOPSIS
DESCRIPTION
ssh-keygen generates, manages and converts authentication keys for
ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
- and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
+ and DSA or RSA keys for use by SSH protocol version 2.
The type of key to be generated is specified with the -t option. If
invoked without any arguments, ssh-keygen will generate an RSA key for
use in SSH protocol 2 connections.
@@ -46,7 +46,7 @@ DESCRIPTION
Normally each user wishing to use SSH with public key authentication runs
this once to create the authentication key in ~/.ssh/identity,
- ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa.
+ ~/.ssh/id_dsa or ~/.ssh/id_rsa.
Additionally, the system administrator may use this to generate host
keys, as seen in /etc/rc.
@@ -79,14 +79,14 @@ DESCRIPTION
The options are as follows:
- -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for
+ -A For each of the key types (rsa1, rsa, and dsa) for
which host keys do not exist, generate the host keys with the
default key file path, an empty passphrase, default bits for the
key type, and default comment. This is used by /etc/rc to
generate new host keys.
-a rounds
- When saving a new-format private key (i.e. an ed25519 key or any
+ When saving a new-format private key (i.e. any
SSH protocol 2 key when the -o flag is set), this option
specifies the number of KDF (key derivation function) rounds
used. Higher numbers result in slower passphrase verification
@@ -103,12 +103,7 @@ DESCRIPTION
Specifies the number of bits in the key to create. For RSA keys,
the minimum size is 768 bits and the default is 2048 bits.
Generally, 2048 bits is considered sufficient. DSA keys must be
- exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys,
- the -b flag determines the key length by selecting from one of
- three elliptic curve sizes: 256, 384 or 521 bits. Attempting to
- use bit lengths other than these three values for ECDSA keys will
- fail. ED25519 keys have a fixed length and the -b flag will be
- ignored.
+ exactly 1024 bits as specified by FIPS 186-2.
-C comment
Provides a new comment.
@@ -274,7 +269,7 @@ DESCRIPTION
new OpenSSH format rather than the more compatible PEM format.
The new format has increased resistance to brute-force password
cracking but is not supported by versions of OpenSSH prior to
- 6.5. Ed25519 keys always use the new private key format.
+ 6.5.
-P passphrase
Provides the (old) passphrase.
@@ -315,8 +310,8 @@ DESCRIPTION
-t type
Specifies the type of key to create. The possible values are
- ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'',
- ``ed25519'', or ``rsa'' for protocol version 2.
+ ``rsa1'' for protocol version 1 and ``dsa'' or ``rsa'' for
+ protocol version 2.
-u Update a KRL. When specified with -k, keys listed via the
command line are added to the existing KRL rather than a new KRL
@@ -521,10 +516,8 @@ FILES
contents of this file secret.
~/.ssh/id_dsa
- ~/.ssh/id_ecdsa
- ~/.ssh/id_ed25519
~/.ssh/id_rsa
- Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+ Contains the protocol version 2 DSA or RSA
authentication identity of the user. This file should not be
readable by anyone but the user. It is possible to specify a
passphrase when generating the key; that passphrase will be used
@@ -534,10 +527,8 @@ FILES
read this file when a login attempt is made.
~/.ssh/id_dsa.pub
- ~/.ssh/id_ecdsa.pub
- ~/.ssh/id_ed25519.pub
~/.ssh/id_rsa.pub
- Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public
+ Contains the protocol version 2 DSA or RSA public
key for authentication. The contents of this file should be
added to ~/.ssh/authorized_keys on all machines where the user
wishes to log in using public key authentication. There is no
diff -pur old/ssh-keygen.1 new/ssh-keygen.1
--- old/ssh-keygen.1 2013-12-28 22:47:14.000000000 -0800
+++ new/ssh-keygen.1 2015-04-02 08:13:41.714356008 -0700
@@ -140,7 +140,7 @@ generates, manages and converts authenti
.Xr ssh 1 .
.Nm
can create RSA keys for use by SSH protocol version 1 and
-DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
+DSA or RSA keys for use by SSH protocol version 2.
The type of key to be generated is specified with the
.Fl t
option.
@@ -168,8 +168,6 @@ with public key authentication runs this
key in
.Pa ~/.ssh/identity ,
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_ed25519
or
.Pa ~/.ssh/id_rsa .
Additionally, the system administrator may use this to generate host keys,
@@ -217,7 +215,7 @@ should be placed to be activated.
The options are as follows:
.Bl -tag -width Ds
.It Fl A
-For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
+For each of the key types (rsa1, rsa, dsa)
for which host keys
do not exist, generate the host keys with the default key file path,
an empty passphrase, default bits for the key type, and default comment.
@@ -225,8 +223,7 @@ This is used by
.Pa /etc/rc
to generate new host keys.
.It Fl a Ar rounds
-When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
-2 key when the
+When saving a new-format private key (i.e. any SSH protocol 2 key when the
.Fl o
flag is set), this option specifies the number of KDF (key derivation function)
rounds used.
@@ -245,15 +242,6 @@ Specifies the number of bits in the key
For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
Generally, 2048 bits is considered sufficient.
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
-For ECDSA keys, the
-.Fl b
-flag determines the key length by selecting from one of three elliptic
-curve sizes: 256, 384 or 521 bits.
-Attempting to use bit lengths other than these three values for ECDSA keys
-will fail.
-ED25519 keys have a fixed length and the
-.Fl b
-flag will be ignored.
.It Fl C Ar comment
Provides a new comment.
.It Fl c
@@ -468,7 +456,6 @@ to save SSH protocol 2 private keys usin
the more compatible PEM format.
The new format has increased resistance to brute-force password cracking
but is not supported by versions of OpenSSH prior to 6.5.
-Ed25519 keys always use the new private key format.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl p
@@ -520,8 +507,6 @@ The possible values are
.Dq rsa1
for protocol version 1 and
.Dq dsa ,
-.Dq ecdsa ,
-.Dq ed25519 ,
or
.Dq rsa
for protocol version 2.
@@ -800,10 +785,8 @@ where the user wishes to log in using RS
There is no need to keep the contents of this file secret.
.Pp
.It Pa ~/.ssh/id_dsa
-.It Pa ~/.ssh/id_ecdsa
-.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+Contains the protocol version 2 DSA or RSA
authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
@@ -816,10 +799,8 @@ but it is offered as the default file fo
will read this file when a login attempt is made.
.Pp
.It Pa ~/.ssh/id_dsa.pub
-.It Pa ~/.ssh/id_ecdsa.pub
-.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_rsa.pub
-Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+Contains the protocol version 2 DSA or RSA
public key for authentication.
The contents of this file should be added to
.Pa ~/.ssh/authorized_keys
diff -pur old/ssh-keygen.c new/ssh-keygen.c
--- old/ssh-keygen.c 2013-12-06 16:24:02.000000000 -0800
+++ new/ssh-keygen.c 2015-04-01 02:26:11.265143754 -0700
@@ -197,7 +197,11 @@ type_bits_valid(int type, u_int32_t *bit
}
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
+#ifdef WITHOUT_ED25519
+ else if (type != KEY_ECDSA && *bitsp < 768)
+#else /* WITHOUT_ED25519 */
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
+#endif /* WITHOUT_ED25519 */
fatal("Key must at least be 768 bits");
else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
fatal("Invalid ECDSA key length - valid lengths are "
@@ -233,10 +237,12 @@ ask_filename(struct passwd *pw, const ch
case KEY_RSA:
name = _PATH_SSH_CLIENT_ID_RSA;
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
case KEY_ED25519_CERT:
name = _PATH_SSH_CLIENT_ID_ED25519;
break;
+#endif /* WITHOUT_ED25519 */
default:
fprintf(stderr, "bad key type\n");
exit(1);
@@ -900,7 +906,9 @@ do_gen_all_hostkeys(struct passwd *pw)
#ifdef OPENSSL_HAS_ECC
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
#endif
+#ifndef WITHOUT_ED25519
{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
+#endif /* WITHOUT_ED25519 */
{ NULL, NULL, NULL }
};
@@ -1616,7 +1624,10 @@ do_ca_sign(struct passwd *pw, int argc,
if ((public = key_load_public(tmp, &comment)) == NULL)
fatal("%s: unable to open \"%s\"", __func__, tmp);
if (public->type != KEY_RSA && public->type != KEY_DSA &&
- public->type != KEY_ECDSA && public->type != KEY_ED25519)
+#ifndef WITHOUT_ED25519
+ public->type != KEY_ED25519 &&
+#endif /* WITHOUT_ED25519 */
+ public->type != KEY_ECDSA)
fatal("%s: key \"%s\" type %s cannot be certified",
__func__, tmp, key_type(public));
diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0
--- old/ssh-keyscan.0 2014-01-29 17:52:47.000000000 -0800
+++ new/ssh-keyscan.0 2015-04-02 08:03:08.223476077 -0700
@@ -48,9 +48,9 @@ DESCRIPTION
-t type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are ``rsa1'' for protocol version 1 and
- ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
+ ``dsa'' or ``rsa'' for protocol version
2. Multiple values may be specified by separating them with
- commas. The default is to fetch ``rsa'' and ``ecdsa'' keys.
+ commas. The default is to fetch ``rsa'' keys.
-v Verbose mode. Causes ssh-keyscan to print debugging messages
about its progress.
@@ -72,12 +72,11 @@ FILES
host-or-namelist bits exponent modulus
- Output format for rsa, dsa and ecdsa keys:
+ Output format for rsa and dsa keys:
host-or-namelist keytype base64-encoded-key
- Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
- ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''.
+ Where keytype is either ``ssh-dss'' or ``ssh-rsa''.
/etc/ssh/ssh_known_hosts
@@ -89,7 +88,7 @@ EXAMPLES
Find all hosts from the file ssh_hosts which have new or different keys
from those in the sorted file ssh_known_hosts:
- $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \
+ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
sort -u - ssh_known_hosts | diff ssh_known_hosts -
SEE ALSO
diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1
--- old/ssh-keyscan.1 2013-12-17 22:46:28.000000000 -0800
+++ new/ssh-keyscan.1 2015-04-02 08:14:50.877137257 -0700
@@ -89,16 +89,12 @@ The possible values are
.Dq rsa1
for protocol version 1 and
.Dq dsa ,
-.Dq ecdsa ,
-.Dq ed25519 ,
or
.Dq rsa
for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is to fetch
.Dq rsa
-and
-.Dq ecdsa
keys.
.It Fl v
Verbose mode.
@@ -127,7 +123,7 @@ attacks which have begun after the ssh_k
host-or-namelist bits exponent modulus
.Ed
.Pp
-.Pa Output format for rsa, dsa and ecdsa keys:
+.Pa Output format for rsa and dsa keys:
.Bd -literal
host-or-namelist keytype base64-encoded-key
.Ed
@@ -135,10 +131,6 @@ host-or-namelist keytype base64-encoded-
Where
.Pa keytype
is either
-.Dq ecdsa-sha2-nistp256 ,
-.Dq ecdsa-sha2-nistp384 ,
-.Dq ecdsa-sha2-nistp521 ,
-.Dq ssh-ed25519 ,
.Dq ssh-dss
or
.Dq ssh-rsa .
@@ -158,7 +150,7 @@ Find all hosts from the file
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
-$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
--- old/ssh-keyscan.c 2013-12-06 16:24:02.000000000 -0800
+++ new/ssh-keyscan.c 2015-04-01 02:51:28.981556385 -0700
@@ -56,7 +56,9 @@ int ssh_port = SSH_DEFAULT_PORT;
#define KT_DSA 2
#define KT_RSA 4
#define KT_ECDSA 8
+#ifndef WITHOUT_ED25519
#define KT_ED25519 16
+#endif /* WITHOUT_ED25519 */
int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
@@ -247,9 +249,11 @@ keygrab_ssh2(con *c)
packet_set_connection(c->c_fd, c->c_fd);
enable_compat20();
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- c->c_keytype == KT_DSA ? "ssh-dss" :
+#ifndef WITHOUT_ED25519
+ c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
+#endif /* WITHOUT_ED25519 */
(c->c_keytype == KT_RSA ? "ssh-rsa" :
- (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
+ (c->c_keytype == KT_DSA ? "ssh-dss" :
"ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
c->c_kex = kex_setup(myproposal);
c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
@@ -257,7 +261,9 @@ keygrab_ssh2(con *c)
c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+#ifndef WITHOUT_ED25519
c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client;
+#endif /* WITHOUT_ED25519 */
c->c_kex->verify_host_key = hostjump;
if (!(j = setjmp(kexjmp))) {
@@ -575,10 +581,15 @@ do_host(char *host)
{
char *name = strnnsep(&host, " \t\n");
int j;
+#ifdef WITHOUT_ED25519
+ int max_kt = KT_ECDSA;
+#else
+ int max_kt = KT_ED25519;
+#endif
if (name == NULL)
return;
- for (j = KT_RSA1; j <= KT_ED25519; j *= 2) {
+ for (j = KT_RSA1; j <= max_kt; j *= 2) {
if (get_keytypes & j) {
while (ncon >= MAXCON)
conloop();
@@ -685,9 +696,11 @@ main(int argc, char **argv)
case KEY_RSA:
get_keytypes |= KT_RSA;
break;
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
get_keytypes |= KT_ED25519;
break;
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
fatal("unknown key type %s", tname);
}
diff -pur old/ssh-keysign.0 new/ssh-keysign.0
--- old/ssh-keysign.0 2014-01-29 17:52:48.000000000 -0800
+++ new/ssh-keysign.0 2015-04-02 08:03:28.313581826 -0700
@@ -24,8 +24,6 @@ FILES
Controls whether ssh-keysign is enabled.
/etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature. They should be owned by root,
@@ -34,8 +32,6 @@ FILES
host-based authentication is used.
/etc/ssh/ssh_host_dsa_key-cert.pub
- /etc/ssh/ssh_host_ecdsa_key-cert.pub
- /etc/ssh/ssh_host_ed25519_key-cert.pub
/etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public
certificate information corresponding with the private keys
diff -pur old/ssh-keysign.8 new/ssh-keysign.8
--- old/ssh-keysign.8 2015-03-31 21:14:02.337922491 -0700
+++ new/ssh-keysign.8 2015-04-02 08:16:42.230595366 -0700
@@ -62,8 +62,6 @@ Controls whether
is enabled.
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key
-.It Pa /etc/ssh/ssh_host_ecdsa_key
-.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature.
@@ -74,8 +72,6 @@ Since they are readable only by root,
must be set-uid root if host-based authentication is used.
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
-.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
-.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
diff -pur old/ssh-keysign.c new/ssh-keysign.c
--- old/ssh-keysign.c 2013-12-06 16:24:02.000000000 -0800
+++ new/ssh-keysign.c 2015-04-01 02:53:53.600004403 -0700
@@ -150,7 +150,11 @@ main(int argc, char **argv)
{
Buffer b;
Options options;
+#ifdef WITHOUT_ED25519
+#define NUM_KEYTYPES 3
+#else
#define NUM_KEYTYPES 4
+#endif
Key *keys[NUM_KEYTYPES], *key = NULL;
struct passwd *pw;
int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
@@ -169,7 +173,9 @@ main(int argc, char **argv)
i = 0;
key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+#ifndef WITHOUT_ED25519
key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
+#endif /* WITHOUT_ED25519 */
key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
original_real_uid = getuid(); /* XXX readconf.c needs this */
diff -pur old/ssh.0 new/ssh.0
--- old/ssh.0 2014-01-29 17:52:47.000000000 -0800
+++ new/ssh.0 2015-04-02 08:05:51.667197938 -0700
@@ -142,8 +142,8 @@ DESCRIPTION
-i identity_file
Selects a file from which the identity (private key) for public
key authentication is read. The default is ~/.ssh/identity for
- protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
- ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
+ protocol version 1, and ~/.ssh/id_dsa, and ~/.ssh/id_rsa for
+ protocol version 2.
Identity files may also be specified on a per-host basis in the
configuration file. It is possible to have multiple -i options
(and multiple identities specified in configuration files). ssh
@@ -446,7 +446,7 @@ AUTHENTICATION
creates a public/private key pair for authentication purposes. The
server knows the public key, and only the user knows the private key.
ssh implements public key authentication protocol automatically, using
- one of the DSA, ECDSA, ED25519 or RSA algorithms. Protocol 1 is
+ one of the DSA or RSA algorithms. Protocol 1 is
restricted to using only RSA keys, but protocol 2 may use any. The
HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
algorithms.
@@ -459,11 +459,9 @@ AUTHENTICATION
The user creates his/her key pair by running ssh-keygen(1). This stores
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
- 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2
- ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
- ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA),
- ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2
- ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
+ 2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
+ ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA)
+ or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
directory. The user should then copy the public key to
~/.ssh/authorized_keys in his/her home directory on the remote machine.
The authorized_keys file corresponds to the conventional ~/.rhosts file,
@@ -799,7 +797,7 @@ FILES
for the user, and not accessible by others.
~/.ssh/authorized_keys
- Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+ Lists the public keys (DSA, RSA) that can be used
for logging in as this user. The format of this file is
described in the sshd(8) manual page. This file is not highly
sensitive, but the recommended permissions are read/write for the
@@ -817,8 +815,6 @@ FILES
~/.ssh/identity
~/.ssh/id_dsa
- ~/.ssh/id_ecdsa
- ~/.ssh/id_ed25519
~/.ssh/id_rsa
Contains the private key for authentication. These files contain
sensitive data and should be readable by the user but not
@@ -830,8 +826,6 @@ FILES
~/.ssh/identity.pub
~/.ssh/id_dsa.pub
- ~/.ssh/id_ecdsa.pub
- ~/.ssh/id_ed25519.pub
~/.ssh/id_rsa.pub
Contains the public key for authentication. These files are not
sensitive and can (but need not) be readable by anyone.
@@ -862,8 +856,6 @@ FILES
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys and are
used for host-based authentication. If protocol version 1 is
diff -pur old/ssh.1 new/ssh.1
--- old/ssh.1 2013-12-17 22:46:28.000000000 -0800
+++ new/ssh.1 2015-04-02 08:15:39.041359535 -0700
@@ -279,8 +279,6 @@ The default is
.Pa ~/.ssh/identity
for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/id_rsa
for protocol version 2.
@@ -758,7 +756,7 @@ key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
.Nm
implements public key authentication protocol automatically,
-using one of the DSA, ECDSA, ED25519 or RSA algorithms.
+using one of the DSA or RSA algorithms.
Protocol 1 is restricted to using only RSA keys,
but protocol 2 may use any.
The HISTORY section of
@@ -783,10 +781,6 @@ This stores the private key in
(protocol 1),
.Pa ~/.ssh/id_dsa
(protocol 2 DSA),
-.Pa ~/.ssh/id_ecdsa
-(protocol 2 ECDSA),
-.Pa ~/.ssh/id_ed25519
-(protocol 2 ED25519),
or
.Pa ~/.ssh/id_rsa
(protocol 2 RSA)
@@ -795,10 +789,6 @@ and stores the public key in
(protocol 1),
.Pa ~/.ssh/id_dsa.pub
(protocol 2 DSA),
-.Pa ~/.ssh/id_ecdsa.pub
-(protocol 2 ECDSA),
-.Pa ~/.ssh/id_ed25519.pub
-(protocol 2 ED25519),
or
.Pa ~/.ssh/id_rsa.pub
(protocol 2 RSA)
@@ -1338,7 +1328,7 @@ secret, but the recommended permissions
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, ED25519, RSA)
+Lists the public keys (DSA, RSA)
that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
@@ -1360,8 +1350,6 @@ above.
.Pp
.It Pa ~/.ssh/identity
.It Pa ~/.ssh/id_dsa
-.It Pa ~/.ssh/id_ecdsa
-.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_rsa
Contains the private key for authentication.
These files
@@ -1375,8 +1363,6 @@ sensitive part of this file using 3DES.
.Pp
.It Pa ~/.ssh/identity.pub
.It Pa ~/.ssh/id_dsa.pub
-.It Pa ~/.ssh/id_ecdsa.pub
-.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_rsa.pub
Contains the public key for authentication.
These files are not
@@ -1415,8 +1401,6 @@ The file format and configuration option
.Pp
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
-.It Pa /etc/ssh/ssh_host_ecdsa_key
-.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys
and are used for host-based authentication.
diff -pur old/ssh.c new/ssh.c
--- old/ssh.c 2013-12-28 22:53:40.000000000 -0800
+++ new/ssh.c 2015-04-01 03:33:55.003074053 -0700
@@ -1010,8 +1010,10 @@ main(int ac, char **av)
#endif
sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL);
+#ifndef WITHOUT_ED25519
sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519,
_PATH_HOST_ED25519_KEY_FILE, "", NULL);
+#endif /* WITHOUT_ED25519 */
sensitive_data.keys[5] = key_load_private_type(KEY_DSA,
_PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
#ifdef OPENSSL_HAS_ECC
@@ -1020,8 +1022,10 @@ main(int ac, char **av)
#endif
sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
+#ifndef WITHOUT_ED25519
sensitive_data.keys[8] = key_load_private_type(KEY_ED25519,
_PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
+#endif /* WITHOUT_ED25519 */
PRIV_END;
if (options.hostbased_authentication == 1 &&
@@ -1038,8 +1042,10 @@ main(int ac, char **av)
#endif
sensitive_data.keys[3] = key_load_cert(
_PATH_HOST_RSA_KEY_FILE);
+#ifndef WITHOUT_ED25519
sensitive_data.keys[4] = key_load_cert(
_PATH_HOST_ED25519_KEY_FILE);
+#endif /* WITHOUT_ED25519 */
sensitive_data.keys[5] = key_load_public(
_PATH_HOST_DSA_KEY_FILE, NULL);
#ifdef OPENSSL_HAS_ECC
@@ -1048,8 +1054,10 @@ main(int ac, char **av)
#endif
sensitive_data.keys[7] = key_load_public(
_PATH_HOST_RSA_KEY_FILE, NULL);
+#ifndef WITHOUT_ED25519
sensitive_data.keys[8] = key_load_public(
_PATH_HOST_ED25519_KEY_FILE, NULL);
+#endif /* WITHOUT_ED25519 */
sensitive_data.external_keysign = 1;
}
}
diff -pur old/ssh_config.0 new/ssh_config.0
--- old/ssh_config.0 2014-01-29 17:52:48.000000000 -0800
+++ new/ssh_config.0 2015-04-02 08:07:55.171885768 -0700
@@ -409,14 +409,9 @@ DESCRIPTION
client wants to use in order of preference. The default for this
option is:
- [email protected],
- [email protected],
- [email protected],
- [email protected],
[email protected],[email protected],
[email protected],[email protected],
- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
- ssh-ed25519,ssh-rsa,ssh-dss
+ ssh-rsa,ssh-dss
If hostkeys are known for the destination host then this default
is modified to prefer their algorithms.
@@ -446,10 +441,10 @@ DESCRIPTION
default is ``no''.
IdentityFile
- Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA
+ Specifies a file from which the user's DSA or RSA
authentication identity is read. The default is ~/.ssh/identity
- for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
- ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
+ for protocol version 1, and ~/.ssh/id_dsa and ~/.ssh/id_rsa for
+ protocol version 2.
Additionally, any identities represented by the authentication
agent will be used for authentication unless IdentitiesOnly is
set. ssh(1) will try to load certificate information from the
@@ -509,8 +504,6 @@ DESCRIPTION
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. The default is:
- [email protected],
- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5 2015-03-31 21:14:02.439364932 -0700
+++ new/ssh_config.5 2015-04-02 08:16:12.714886637 -0700
@@ -729,14 +729,9 @@ Specifies the protocol version 2 host ke
that the client wants to use in order of preference.
The default for this option is:
.Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
[email protected],[email protected],
[email protected],[email protected],
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa,ssh-dss
+ssh-rsa,ssh-dss
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@@ -778,14 +773,12 @@ offers many different identities.
The default is
.Dq no .
.It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
+Specifies a file from which the user's DSA or RSA authentication
identity is read.
The default is
.Pa ~/.ssh/identity
for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/id_rsa
for protocol version 2.
@@ -898,8 +891,6 @@ Specifies the available KEX (Key Exchang
Multiple algorithms must be comma-separated.
The default is:
.Bd -literal -offset indent
[email protected],
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diff -pur old/sshconnect.c new/sshconnect.c
--- old/sshconnect.c 2015-03-31 21:14:02.413909705 -0700
+++ new/sshconnect.c 2015-04-01 04:56:41.997313652 -0700
@@ -1325,7 +1325,9 @@ show_other_keys(struct hostkeys *hostkey
KEY_RSA,
KEY_DSA,
KEY_ECDSA,
+#ifndef WITHOUT_ED25519
KEY_ED25519,
+#endif /* WITHOUT_ED25519 */
-1
};
int i, ret = 0;
diff -pur old/sshconnect2.c new/sshconnect2.c
--- old/sshconnect2.c 2015-03-31 21:14:02.440456459 -0700
+++ new/sshconnect2.c 2015-04-01 04:56:58.805755301 -0700
@@ -246,7 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+#ifndef WITHOUT_ED25519
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
+#endif /* WITHOUT_ED25519 */
#ifdef GSSAPI
if (options.gss_keyex) {
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
diff -pur old/sshd.0 new/sshd.0
--- old/sshd.0 2014-01-29 17:52:47.000000000 -0800
+++ new/sshd.0 2015-04-02 08:09:18.391442884 -0700
@@ -82,8 +82,7 @@ DESCRIPTION
be given if sshd is not run as root (as the normal host key files
are normally not readable by anyone but root). The default is
/etc/ssh/ssh_host_key for protocol version 1, and
- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
+ /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
protocol version 2. It is possible to have multiple host key
files for the different protocol versions and host key
algorithms.
@@ -148,7 +147,7 @@ DESCRIPTION
AUTHENTICATION
The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to
use protocol 2 only, though this can be changed via the Protocol option
- in sshd_config(5). Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+ in sshd_config(5). Protocol 2 supports DSA and RSA keys;
protocol 1 only supports RSA keys. For both protocols, each host has a
host-specific key, normally 2048 bits, used to identify the host.
@@ -278,15 +277,13 @@ AUTHORIZED_KEYS FILE FORMAT
starts with a number). The bits, exponent, modulus, and comment fields
give the RSA key for protocol version 1; the comment field is not used
for anything (but may be convenient for the user to identify the key).
- For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'',
- ``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'',
- ``ssh-dss'' or ``ssh-rsa''.
+ For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''.
Note that lines in this file are usually several hundred bytes long
(because of the size of the public key encoding) up to a limit of 8
kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
kilobits. You don't want to type them in; instead, copy the
- identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub
+ identity.pub, id_dsa.pub or the id_rsa.pub
file and edit it.
sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
@@ -513,7 +510,7 @@ FILES
for the user, and not accessible by others.
~/.ssh/authorized_keys
- Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+ Lists the public keys (DSA, RSA) that can be used
for logging in as this user. The format of this file is
described above. The content of the file is not highly
sensitive, but the recommended permissions are read/write for the
@@ -574,8 +571,6 @@ FILES
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys. These
files should only be owned by root, readable only by root, and
@@ -584,8 +579,6 @@ FILES
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_dsa_key.pub
- /etc/ssh/ssh_host_ecdsa_key.pub
- /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key.pub
These files contain the public parts of the host keys. These
files should be world-readable but writable only by root. Their
diff -pur old/sshd.8 new/sshd.8
--- old/sshd.8 2015-03-31 21:14:02.389944452 -0700
+++ new/sshd.8 2015-04-02 08:17:21.818430805 -0700
@@ -175,8 +175,6 @@ The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key .
-.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
@@ -281,7 +279,7 @@ though this can be changed via the
.Cm Protocol
option in
.Xr sshd_config 4 .
-Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+Protocol 2 supports DSA and RSA keys;
protocol 1 only supports RSA keys.
For both protocols,
each host has a host-specific key,
@@ -492,10 +490,6 @@ protocol version 1; the
comment field is not used for anything (but may be convenient for the
user to identify the key).
For protocol version 2 the keytype is
-.Dq ecdsa-sha2-nistp256 ,
-.Dq ecdsa-sha2-nistp384 ,
-.Dq ecdsa-sha2-nistp521 ,
-.Dq ssh-ed25519 ,
.Dq ssh-dss
or
.Dq ssh-rsa .
@@ -507,8 +501,6 @@ keys up to 16 kilobits.
You don't want to type them in; instead, copy the
.Pa identity.pub ,
.Pa id_dsa.pub ,
-.Pa id_ecdsa.pub ,
-.Pa id_ed25519.pub ,
or the
.Pa id_rsa.pub
file and edit it.
@@ -808,7 +800,7 @@ secret, but the recommended permissions
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, ED25519, RSA)
+Lists the public keys (DSA, RSA)
that can be used for logging in as this user.
The format of this file is described above.
The content of the file is not highly sensitive, but the recommended
@@ -888,8 +880,6 @@ rlogin/rsh.
.Pp
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
-.It Pa /etc/ssh/ssh_host_ecdsa_key
-.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
@@ -900,8 +890,6 @@ does not start if these files are group/
.Pp
.It Pa /etc/ssh/ssh_host_key.pub
.It Pa /etc/ssh/ssh_host_dsa_key.pub
-.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
-.It Pa /etc/ssh/ssh_host_ed25519_key.pub
.It Pa /etc/ssh/ssh_host_rsa_key.pub
These files contain the public parts of the host keys.
These files should be world-readable but writable only by
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c 2015-03-31 21:14:02.441576765 -0700
+++ new/sshd.c 2015-04-01 03:42:59.569147555 -0700
@@ -797,7 +797,9 @@ list_hostkey_types(void)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
p = key_ssh_name(key);
@@ -814,7 +816,9 @@ list_hostkey_types(void)
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
p = key_ssh_name(key);
@@ -842,7 +846,9 @@ get_hostkey_by_type(int type, int need_p
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
+#ifndef WITHOUT_ED25519
case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
key = sensitive_data.host_certificates[i];
break;
default:
@@ -1719,7 +1725,9 @@ main(int ac, char **av)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
sensitive_data.have_ssh2_key = 1;
break;
}
@@ -2546,7 +2554,9 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifndef WITHOUT_ED25519
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#endif /* WITHOUT_ED25519 */
#ifdef GSSAPI
if (options.gss_keyex) {
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
diff -pur old/sshd_config.0 new/sshd_config.0
--- old/sshd_config.0 2014-01-29 17:52:48.000000000 -0800
+++ new/sshd_config.0 2015-04-02 08:09:53.957389224 -0700
@@ -332,12 +332,11 @@ DESCRIPTION
HostKey
Specifies a file containing a private host key used by SSH. The
default is /etc/ssh/ssh_host_key for protocol version 1, and
- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
+ /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
protocol version 2. Note that sshd(8) will refuse to use a file
if it is group/world-accessible. It is possible to have multiple
host key files. ``rsa1'' keys are used for version 1 and
- ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2
+ ``dsa'' or ``rsa'' are used for version 2
of the SSH protocol. It is also possible to specify public host
key files instead. In this case operations on the private key
will be delegated to an ssh-agent(1).
@@ -399,8 +398,6 @@ DESCRIPTION
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. The default is
- [email protected],
- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5 2015-03-31 21:14:02.442624133 -0700
+++ new/sshd_config.5 2015-04-02 08:16:29.655757790 -0700
@@ -546,8 +546,6 @@ The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key ,
-.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
@@ -558,8 +556,6 @@ It is possible to have multiple host key
.Dq rsa1
keys are used for version 1 and
.Dq dsa ,
-.Dq ecdsa ,
-.Dq ed25519
or
.Dq rsa
are used for version 2 of the SSH protocol.
@@ -669,8 +665,6 @@ Specifies the available KEX (Key Exchang
Multiple algorithms must be comma-separated.
The default is
.Bd -literal -offset indent
[email protected],
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diff -pur old/verify.c new/verify.c
--- old/verify.c 2014-01-16 17:43:44.000000000 -0800
+++ new/verify.c 2015-04-01 03:43:49.962792178 -0700
@@ -9,6 +9,8 @@
#include "crypto_api.h"
+#ifndef WITHOUT_ED25519
+
int crypto_verify_32(const unsigned char *x,const unsigned char *y)
{
unsigned int differentbits = 0;
@@ -47,3 +49,4 @@ int crypto_verify_32(const unsigned char
F(31)
return (1 & ((differentbits - 1) >> 8)) - 1;
}
+#endif /* WITHOUT_ED25519 */