# HG changeset patch # User Tomas Kuthan # Date 1429116060 25200 # Node ID 1b849fbbd2642407eba11068f7c6e8b534aa171c # Parent 5b637a3058122d1774bf16efac2baecf5873b01a date: Thu Apr 09 12:53:33 2015 -0700 20820589 Disable Curve25519 in OpenSSH diff -r 5b637a305812 -r 1b849fbbd264 components/openssh/Makefile --- a/components/openssh/Makefile Wed Apr 15 09:30:56 2015 -0700 +++ b/components/openssh/Makefile Wed Apr 15 09:41:00 2015 -0700 @@ -57,6 +57,7 @@ CFLAGS += -DPAM_ENHANCEMENT CFLAGS += -DPAM_BUGFIX CFLAGS += -DOPTION_DEFAULT_VALUE +CFLAGS += -DWITHOUT_ED25519 CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)" diff -r 5b637a305812 -r 1b849fbbd264 components/openssh/patches/024-disable_ed25519.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/patches/024-disable_ed25519.patch Wed Apr 15 09:41:00 2015 -0700 
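Review bot: The added `CFLAGS += -DWITHOUT_ED25519` line has no comment, and the macro name understates what it switches off. In the accompanying 024-disable_ed25519.patch the same macro also guards the `curve25519-sha256@libssh.org` entry in kex.c and selects a `KEX_DEFAULT_KEX` in myproposal.h without the Curve25519 method. A build with this flag therefore negotiates only the ECDH, SHA-256 and SHA-1 Diffie-Hellman methods listed there, including `diffie-hellman-group1-sha1`. I would put a comment directly above the flag, for example `# Compiles out Ed25519 keys and the curve25519-sha256@libssh.org KEX (20820589); see patches/024-disable_ed25519.patch`. Existing `ssh_host_ed25519_key` and `id_ed25519` files will presumably stop being loaded by such a build, which deserves a line in the release notes; I cannot confirm that from the lines shown.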
@@ -0,0 +1,2080 @@ +diff -pur old/Makefile.in new/Makefile.in +--- old/Makefile.in 2015-04-10 02:43:51.101312444 -0700 ++++ new/Makefile.in 2015-04-10 02:43:51.156820521 -0700 +@@ -138,7 +138,7 @@ $(SSHDOBJS): Makefile.in config.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + + LIBCOMPAT=openbsd-compat/libopenbsd-compat.a +-$(LIBCOMPAT): always ++$(LIBCOMPAT): always libssh.a + (cd openbsd-compat && $(MAKE)) + always: + +Only in new: Makefile.in.orig +diff -pur old/authfd.c new/authfd.c +--- old/authfd.c 2013-12-28 22:49:56.000000000 -0800 ++++ new/authfd.c 2015-04-10 02:43:51.157515880 -0700 +@@ -508,8 +508,10 @@ ssh_add_identity_constrained(Authenticat + case KEY_DSA_CERT_V00: + case KEY_ECDSA: + case KEY_ECDSA_CERT: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: ++#endif /* WITHOUT_ED25519 */ + type = constrained ? + SSH2_AGENTC_ADD_ID_CONSTRAINED : + SSH2_AGENTC_ADD_IDENTITY; +diff -pur old/authfile.c new/authfile.c +--- old/authfile.c 2013-12-28 22:50:15.000000000 -0800 ++++ new/authfile.c 2015-04-10 02:43:51.158405633 -0700 +@@ -597,9 +597,11 @@ key_private_to_blob(Key *key, Buffer *bl + comment, new_format_cipher, new_format_rounds); + } + return key_private_pem_to_blob(key, blob, passphrase, comment); ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + return key_private_to_blob2(key, blob, passphrase, + comment, new_format_cipher, new_format_rounds); ++#endif /* WITHOUT_ED25519 */ + default: + error("%s: cannot save key type %d", __func__, key->type); + return 0; +@@ -1005,8 +1007,10 @@ key_parse_private_type(Buffer *blob, int + case KEY_ECDSA: + case KEY_RSA: + return key_parse_private_pem(blob, type, passphrase, commentp); ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + return key_parse_private2(blob, type, passphrase, commentp); ++#endif /* WITHOUT_ED25519 */ + case KEY_UNSPEC: + if ((k = key_parse_private2(blob, type, passphrase, commentp))) + return k; +@@ -1213,7 +1217,9 @@ key_load_private_cert(int type, const ch + case KEY_RSA: + case 
KEY_DSA: + case KEY_ECDSA: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: ++#endif /* WITHOUT_ED25519 */ + break; + default: + error("%s: unsupported key type", __func__); +diff -pur old/crypto_api.h new/crypto_api.h +--- old/crypto_api.h 2014-01-16 17:31:34.000000000 -0800 ++++ new/crypto_api.h 2015-04-10 02:43:51.158673341 -0700 +@@ -26,7 +26,7 @@ int crypto_hashblocks_sha512(unsigned ch + + #define crypto_hash_sha512_BYTES 64U + +-int crypto_hash_sha512(unsigned char *, const unsigned char *, ++extern int crypto_hash_sha512(unsigned char *, const unsigned char *, + unsigned long long); + + int crypto_verify_32(const unsigned char *, const unsigned char *); +diff -pur old/ed25519.c new/ed25519.c +--- old/ed25519.c 2013-12-17 22:48:11.000000000 -0800 ++++ new/ed25519.c 2015-04-10 02:43:51.158974499 -0700 +@@ -6,6 +6,8 @@ + * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c + */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + #include "crypto_api.h" + +@@ -142,3 +144,4 @@ int crypto_sign_ed25519_open( + } + return ret; + } ++#endif /* WITHOUT_ED25519 */ +diff -pur old/fe25519.c new/fe25519.c +--- old/fe25519.c 2014-01-16 17:43:44.000000000 -0800 ++++ new/fe25519.c 2015-04-10 02:43:51.159348136 -0700 +@@ -6,6 +6,8 @@ + * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c + */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + + #define WINDOWSIZE 1 /* Should be 1,2, or 4 */ +@@ -335,3 +337,5 @@ void fe25519_pow2523(fe25519 *r, const f + /* 2^252 - 2^2 */ fe25519_square(&t,&t); + /* 2^252 - 3 */ fe25519_mul(r,&t,x); + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/fe25519.h new/fe25519.h +--- old/fe25519.h 2013-12-17 22:48:11.000000000 -0800 ++++ new/fe25519.h 2015-04-10 02:43:51.159633614 -0700 +@@ -9,6 +9,8 @@ + #ifndef FE25519_H + #define FE25519_H + ++#ifndef WITHOUT_ED25519 ++ + #include "crypto_api.h" + + #define fe25519 crypto_sign_ed25519_ref_fe25519 +@@ -67,4 +69,5 @@ void fe25519_invert(fe25519 *r, const fe + + 
void fe25519_pow2523(fe25519 *r, const fe25519 *x); + ++#endif /* WITHOUT_ED25519 */ + #endif +diff -pur old/ge25519.c new/ge25519.c +--- old/ge25519.c 2014-01-16 17:43:44.000000000 -0800 ++++ new/ge25519.c 2015-04-10 02:43:51.160002884 -0700 +@@ -6,6 +6,8 @@ + * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c + */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + + #include "fe25519.h" +@@ -319,3 +321,5 @@ void ge25519_scalarmult_base(ge25519_p3 + ge25519_mixadd2(r, &t); + } + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/ge25519.h new/ge25519.h +--- old/ge25519.h 2013-12-17 22:48:11.000000000 -0800 ++++ new/ge25519.h 2015-04-10 02:43:51.160283095 -0700 +@@ -8,6 +8,7 @@ + + #ifndef GE25519_H + #define GE25519_H ++#ifndef WITHOUT_ED25519 + + #include "fe25519.h" + #include "sc25519.h" +@@ -40,4 +41,5 @@ void ge25519_double_scalarmult_vartime(g + + void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s); + ++#endif /* WITHOUT_ED25519 */ + #endif +diff -pur old/kex.c new/kex.c +--- old/kex.c 2014-01-25 14:38:04.000000000 -0800 ++++ new/kex.c 2015-04-10 02:43:51.160754653 -0700 +@@ -87,7 +87,7 @@ static const struct kexalg kexalgs[] = { + # endif + #endif + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, +-#ifdef HAVE_EVP_SHA256 ++#if defined(HAVE_EVP_SHA256) && !defined(WITHOUT_ED25519) + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + #endif + { NULL, -1, -1, -1}, +Only in new: kex.c.orig +diff -pur old/kex.h new/kex.h +--- old/kex.h 2014-01-25 14:37:26.000000000 -0800 ++++ new/kex.h 2015-04-10 02:47:29.726358404 -0700 +@@ -43,7 +43,9 @@ + #define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256" + #define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" + #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" ++#ifndef WITHOUT_ED25519 + #define KEX_CURVE25519_SHA256 "curve25519-sha256@libssh.org" ++#endif /* WITHOUT_ED25519 */ + + #define COMP_NONE 0 + #define COMP_ZLIB 1 +@@ -75,7 +77,9 @@ enum kex_exchange { + 
KEX_DH_GEX_SHA1, + KEX_DH_GEX_SHA256, + KEX_ECDH_SHA2, ++#ifndef WITHOUT_ED25519 + KEX_C25519_SHA256, ++#endif /* WITHOUT_ED25519 */ + KEX_MAX + }; + +@@ -165,8 +169,10 @@ void kexgex_client(Kex *); + void kexgex_server(Kex *); + void kexecdh_client(Kex *); + void kexecdh_server(Kex *); ++#ifndef WITHOUT_ED25519 + void kexc25519_client(Kex *); + void kexc25519_server(Kex *); ++#endif /* WITHOUT_ED25519 */ + + void + kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, +@@ -181,6 +187,7 @@ kex_ecdh_hash(int, const EC_GROUP *, cha + char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, + const BIGNUM *, u_char **, u_int *); + #endif ++#ifndef WITHOUT_ED25519 + void + kex_c25519_hash(int, char *, char *, char *, int, + char *, int, u_char *, int, const u_char *, const u_char *, +@@ -194,6 +201,7 @@ void kexc25519_shared_key(const u_char k + const u_char pub[CURVE25519_SIZE], Buffer *out) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); ++#endif /* WITHOUT_ED25519 */ + + void + derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); +Only in new: kex.h.orig +Only in new: kex.h.rej +diff -pur old/kexc25519.c new/kexc25519.c +--- old/kexc25519.c 2014-01-12 00:21:23.000000000 -0800 ++++ new/kexc25519.c 2015-04-10 02:43:51.161993727 -0700 +@@ -25,6 +25,8 @@ + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + + #include +@@ -120,3 +122,5 @@ kex_c25519_hash( + *hash = digest; + *hashlen = ssh_digest_bytes(hash_alg); + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/kexc25519c.c new/kexc25519c.c +--- old/kexc25519c.c 2014-01-12 00:21:23.000000000 -0800 ++++ new/kexc25519c.c 2015-04-10 02:43:51.162319004 -0700 +@@ -25,6 +25,8 @@ + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + + #include +@@ -127,3 +129,5 @@ kexc25519_client(Kex *kex) + buffer_free(&shared_secret); + kex_finish(kex); + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/kexc25519s.c new/kexc25519s.c +--- old/kexc25519s.c 2014-01-12 00:21:23.000000000 -0800 ++++ new/kexc25519s.c 2015-04-10 02:43:51.162628310 -0700 +@@ -24,6 +24,8 @@ + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + + #include +@@ -124,3 +126,5 @@ kexc25519_server(Kex *kex) + buffer_free(&shared_secret); + kex_finish(kex); + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/key.c new/key.c +--- old/key.c 2014-01-09 15:58:53.000000000 -0800 ++++ new/key.c 2015-04-10 02:48:40.602200617 -0700 +@@ -89,8 +89,10 @@ key_new(int type) + k->dsa = NULL; + k->rsa = NULL; + k->cert = NULL; ++#ifndef WITHOUT_ED25519 + k->ed25519_sk = NULL; + k->ed25519_pk = NULL; ++#endif /* WITHOUT_ED25519 */ + switch (k->type) { + case KEY_RSA1: + case KEY_RSA: +@@ -125,10 +127,12 @@ key_new(int type) + /* Cannot do anything until we know the group */ + break; + #endif ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + /* no need to prealloc */ + break; ++#endif /* WITHOUT_ED25519 */ + case KEY_UNSPEC: + break; + default: +@@ -173,10 +177,12 @@ key_add_private(Key *k) + case KEY_ECDSA_CERT: + /* Cannot do anything until we know the group */ + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + /* no need to prealloc */ + break; ++#endif /* WITHOUT_ED25519 */ + case KEY_UNSPEC: + break; + default: +@@ -239,6 +245,7 @@ key_free(Key *k) + k->ecdsa = NULL; + break; + #endif ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + if (k->ed25519_pk) { +@@ -252,6 +259,7 @@ key_free(Key *k) + k->ed25519_sk = NULL; + } + break; ++#endif /* WITHOUT_ED25519 */ + case KEY_UNSPEC: + break; + default: +@@ -333,10 +341,12 @@ 
key_equal_public(const Key *a, const Key + BN_CTX_free(bnctx); + return 1; + #endif /* OPENSSL_HAS_ECC */ ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + return a->ed25519_pk != NULL && b->ed25519_pk != NULL && + memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; ++#endif /* WITHOUT_ED25519 */ + default: + fatal("key_equal: bad key type %d", a->type); + } +@@ -392,7 +402,9 @@ key_fingerprint_raw(const Key *k, enum f + case KEY_DSA: + case KEY_ECDSA: + case KEY_RSA: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: ++#endif /* WITHOUT_ED25519 */ + key_to_blob(k, &blob, &len); + break; + case KEY_DSA_CERT_V00: +@@ -400,7 +412,9 @@ key_fingerprint_raw(const Key *k, enum f + case KEY_DSA_CERT: + case KEY_ECDSA_CERT: + case KEY_RSA_CERT: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: ++#endif /* WITHOUT_ED25519 */ + /* We want a fingerprint of the _key_ not of the cert */ + to_blob(k, &blob, &len, 1); + break; +@@ -728,13 +742,17 @@ key_read(Key *ret, char **cpp) + case KEY_RSA: + case KEY_DSA: + case KEY_ECDSA: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: ++#endif /* WITHOUT_ED25519 */ + case KEY_DSA_CERT_V00: + case KEY_RSA_CERT_V00: + case KEY_DSA_CERT: + case KEY_ECDSA_CERT: + case KEY_RSA_CERT: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: ++#endif /* WITHOUT_ED25519 */ + space = strchr(cp, ' '); + if (space == NULL) { + debug3("key_read: missing whitespace"); +@@ -836,6 +854,7 @@ key_read(Key *ret, char **cpp) + #endif + } + #endif ++#ifndef WITHOUT_ED25519 + if (key_type_plain(ret->type) == KEY_ED25519) { + free(ret->ed25519_pk); + ret->ed25519_pk = k->ed25519_pk; +@@ -844,6 +863,7 @@ key_read(Key *ret, char **cpp) + /* XXX */ + #endif + } ++#endif /* WITHOUT_ED25519 */ + success = 1; + /*XXXX*/ + key_free(k); +@@ -907,11 +927,13 @@ key_write(const Key *key, FILE *f) + return 0; + break; + #endif ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + if (key->ed25519_pk == NULL) + return 0; + break; ++#endif 
/* WITHOUT_ED25519 */ + case KEY_RSA: + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: +@@ -959,7 +981,9 @@ static const struct keytype keytypes[] = + { NULL, "RSA1", KEY_RSA1, 0, 0 }, + { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, + { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, ++#ifndef WITHOUT_ED25519 + { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, ++#endif /* WITHOUT_ED25519 */ + #ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, + { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, +@@ -983,8 +1007,10 @@ static const struct keytype keytypes[] = + KEY_RSA_CERT_V00, 0, 1 }, + { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", + KEY_DSA_CERT_V00, 0, 1 }, ++#ifndef WITHOUT_ED25519 + { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", + KEY_ED25519_CERT, 0, 1 }, ++#endif /* WITHOUT_ED25519 */ + { NULL, NULL, -1, -1, 0 } + }; + +@@ -1096,7 +1122,9 @@ key_type_is_valid_ca(int type) + case KEY_RSA: + case KEY_DSA: + case KEY_ECDSA: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: ++#endif /* WITHOUT_ED25519 */ + return 1; + default: + return 0; +@@ -1116,8 +1144,10 @@ key_size(const Key *k) + case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + return BN_num_bits(k->dsa->p); ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + return 256; /* XXX */ ++#endif /* WITHOUT_ED25519 */ + #ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + case KEY_ECDSA_CERT: +@@ -1261,11 +1291,13 @@ key_generate(int type, u_int bits) + case KEY_RSA1: + k->rsa = rsa_generate_private_key(bits); + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + k->ed25519_pk = xmalloc(ED25519_PK_SZ); + k->ed25519_sk = xmalloc(ED25519_SK_SZ); + crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); + break; ++#endif /* WITHOUT_ED25519 */ + case KEY_RSA_CERT_V00: + case KEY_DSA_CERT_V00: + case KEY_RSA_CERT: +@@ -1359,6 +1391,7 @@ key_from_private(const Key *k) + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("key_from_private: BN_copy failed"); + break; ++#ifndef WITHOUT_ED25519 
+ case KEY_ED25519: + case KEY_ED25519_CERT: + n = key_new(k->type); +@@ -1367,6 +1400,7 @@ key_from_private(const Key *k) + memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); + } + break; ++#endif /* WITHOUT_ED25519 */ + default: + fatal("key_from_private: unknown type %d", k->type); + break; +@@ -1628,6 +1662,7 @@ key_from_blob2(const u_char *blob, u_int + #endif + break; + #endif /* OPENSSL_HAS_ECC */ ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: + (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ + /* FALLTHROUGH */ +@@ -1645,6 +1680,7 @@ key_from_blob2(const u_char *blob, u_int + key->ed25519_pk = pk; + pk = NULL; + break; ++#endif /* WITHOUT_ED25519 */ + case KEY_UNSPEC: + key = key_new(type); + break; +@@ -1699,7 +1735,9 @@ to_blob(const Key *key, u_char **blobp, + case KEY_DSA_CERT: + case KEY_ECDSA_CERT: + case KEY_RSA_CERT: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: ++#endif /* WITHOUT_ED25519 */ + /* Use the existing blob */ + buffer_append(&b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); +@@ -1727,11 +1765,13 @@ to_blob(const Key *key, u_char **blobp, + buffer_put_bignum2(&b, key->rsa->e); + buffer_put_bignum2(&b, key->rsa->n); + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + buffer_put_cstring(&b, + key_ssh_name_from_type_nid(type, key->ecdsa_nid)); + buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ); + break; ++#endif /* WITHOUT_ED25519 */ + default: + error("key_to_blob: unsupported key type %d", key->type); + buffer_free(&b); +@@ -1775,9 +1815,11 @@ key_sign( + case KEY_RSA_CERT: + case KEY_RSA: + return ssh_rsa_sign(key, sigp, lenp, data, datalen); ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + return ssh_ed25519_sign(key, sigp, lenp, data, datalen); ++#endif /* WITHOUT_ED25519 */ + default: + error("key_sign: invalid key type %d", key->type); + return -1; +@@ -1811,9 +1853,11 @@ key_verify( + case KEY_RSA_CERT: + case KEY_RSA: + return ssh_rsa_verify(key, 
signature, signaturelen, data, datalen); ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + return ssh_ed25519_verify(key, signature, signaturelen, data, datalen); ++#endif /* WITHOUT_ED25519 */ + default: + error("key_verify: invalid key type %d", key->type); + return -1; +@@ -1833,8 +1877,10 @@ key_demote(const Key *k) + pk->dsa = NULL; + pk->ecdsa = NULL; + pk->rsa = NULL; ++#ifndef WITHOUT_ED25519 + pk->ed25519_pk = NULL; + pk->ed25519_sk = NULL; ++#endif /* WITHOUT_ED25519 */ + + switch (k->type) { + case KEY_RSA_CERT_V00: +@@ -1878,6 +1924,7 @@ key_demote(const Key *k) + fatal("key_demote: EC_KEY_set_public_key failed"); + break; + #endif ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: + key_cert_copy(k, pk); + /* FALLTHROUGH */ +@@ -1887,6 +1934,7 @@ key_demote(const Key *k) + memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); + } + break; ++#endif /* WITHOUT_ED25519 */ + default: + fatal("key_demote: bad key type %d", k->type); + break; +@@ -1916,8 +1964,10 @@ key_type_plain(int type) + return KEY_DSA; + case KEY_ECDSA_CERT: + return KEY_ECDSA; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: + return KEY_ED25519; ++#endif /* WITHOUT_ED25519 */ + default: + return type; + } +@@ -1943,6 +1993,7 @@ key_to_certified(Key *k, int legacy) + k->cert = cert_new(); + k->type = KEY_ECDSA_CERT; + return 0; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + if (legacy) + fatal("%s: legacy ED25519 certificates are not " +@@ -1950,6 +2001,7 @@ key_to_certified(Key *k, int legacy) + k->cert = cert_new(); + k->type = KEY_ED25519_CERT; + return 0; ++#endif /* WITHOUT_ED25519 */ + default: + error("%s: key has incorrect type %s", __func__, key_type(k)); + return -1; +@@ -2028,10 +2080,12 @@ key_certify(Key *k, Key *ca) + buffer_put_bignum2(&k->cert->certblob, k->rsa->e); + buffer_put_bignum2(&k->cert->certblob, k->rsa->n); + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: + buffer_put_string(&k->cert->certblob, + k->ed25519_pk, 
ED25519_PK_SZ); + break; ++#endif /* WITHOUT_ED25519 */ + default: + error("%s: key has incorrect type %s", __func__, key_type(k)); + buffer_clear(&k->cert->certblob); +@@ -2449,6 +2503,7 @@ key_private_serialize(const Key *key, Bu + buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); + break; + #endif /* OPENSSL_HAS_ECC */ ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); + buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); +@@ -2461,6 +2516,7 @@ key_private_serialize(const Key *key, Bu + buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); + buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); + break; ++#endif /* WITHOUT_ED25519 */ + } + } + +@@ -2575,6 +2631,7 @@ key_private_deserialize(Buffer *blob) + buffer_get_bignum2(blob, k->rsa->p); + buffer_get_bignum2(blob, k->rsa->q); + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + k = key_new_private(type); + k->ed25519_pk = buffer_get_string(blob, &pklen); +@@ -2601,6 +2658,7 @@ key_private_deserialize(Buffer *blob) + fatal("%s: ed25519 sklen %d != %d", + __func__, sklen, ED25519_SK_SZ); + break; ++#endif /* WITHOUT_ED25519 */ + default: + free(type_name); + buffer_clear(blob); +Only in new: key.c.orig +Only in new: key.c.rej +diff -pur old/key.h new/key.h +--- old/key.h 2014-01-09 15:58:53.000000000 -0800 ++++ new/key.h 2015-04-10 02:43:51.166553603 -0700 +@@ -39,11 +39,15 @@ enum types { + KEY_RSA, + KEY_DSA, + KEY_ECDSA, ++#ifndef WITHOUT_ED25519 + KEY_ED25519, ++#endif /* WITHOUT_ED25519 */ + KEY_RSA_CERT, + KEY_DSA_CERT, + KEY_ECDSA_CERT, ++#ifndef WITHOUT_ED25519 + KEY_ED25519_CERT, ++#endif /* WITHOUT_ED25519 */ + KEY_RSA_CERT_V00, + KEY_DSA_CERT_V00, + KEY_UNSPEC +@@ -88,12 +92,16 @@ struct Key { + void *ecdsa; + #endif + struct KeyCert *cert; ++#ifndef WITHOUT_ED25519 + u_char *ed25519_sk; + u_char *ed25519_pk; ++#endif /* WITHOUT_ED25519 */ + }; + ++#ifndef WITHOUT_ED25519 + #define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES + 
#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES ++#endif /* WITHOUT_ED25519 */ + + Key *key_new(int); + void key_add_private(Key *); +@@ -152,8 +160,10 @@ int ssh_ecdsa_sign(const Key *, u_char + int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); + int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); + int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); ++#ifndef WITHOUT_ED25519 + int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int); + int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int); ++#endif /* WITHOUT_ED25519 */ + + #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK)) + void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); +Only in new: key.h.orig +diff -pur old/monitor.c new/monitor.c +--- old/monitor.c 2015-04-10 02:43:51.067342317 -0700 ++++ new/monitor.c 2015-04-10 02:49:10.399820034 -0700 +@@ -1887,7 +1887,9 @@ mm_get_kex(Buffer *m) + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; + kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; + kex->kex[KEX_ECDH_SHA2] = kexecdh_server; ++#ifndef WITHOUT_ED25519 + kex->kex[KEX_C25519_SHA256] = kexc25519_server; ++#endif /* WITHOUT_ED25519 */ + kex->server = 1; + kex->hostkey_type = buffer_get_int(m); + kex->kex_type = buffer_get_int(m); +Only in new: monitor.c.orig +Only in new: monitor.c.rej +diff -pur old/myproposal.h new/myproposal.h +--- old/myproposal.h 2013-12-06 16:24:02.000000000 -0800 ++++ new/myproposal.h 2015-04-10 02:43:51.168744484 -0700 +@@ -80,6 +80,24 @@ + # define SHA2_HMAC_MODES + #endif + ++#ifdef WITHOUT_ED25519 ++# define KEX_DEFAULT_KEX \ ++ KEX_ECDH_METHODS \ ++ KEX_SHA256_METHODS \ ++ "diffie-hellman-group-exchange-sha1," \ ++ "diffie-hellman-group14-sha1," \ ++ "diffie-hellman-group1-sha1" ++ ++#define KEX_DEFAULT_PK_ALG \ ++ HOSTKEY_ECDSA_CERT_METHODS \ ++ "ssh-rsa-cert-v01@openssh.com," \ ++ "ssh-dss-cert-v01@openssh.com," \ ++ 
"ssh-rsa-cert-v00@openssh.com," \ ++ "ssh-dss-cert-v00@openssh.com," \ ++ HOSTKEY_ECDSA_METHODS \ ++ "ssh-rsa," \ ++ "ssh-dss" ++#else /* WITHOUT_ED25519 */ + # define KEX_DEFAULT_KEX \ + KEX_CURVE25519_METHODS \ + KEX_ECDH_METHODS \ +@@ -99,6 +117,7 @@ + "ssh-ed25519," \ + "ssh-rsa," \ + "ssh-dss" ++#endif /* WITHOUT_ED25519 */ + + /* the actual algorithms */ + +diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in +--- old/openbsd-compat/Makefile.in 2013-12-06 17:37:54.000000000 -0800 ++++ new/openbsd-compat/Makefile.in 2015-04-10 02:43:51.169041778 -0700 +@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ + + OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o + +-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o ++COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + + PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o + +@@ -32,7 +32,7 @@ $(OPENBSD): ../config.h + $(PORTS): ../config.h + + libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS) +- $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) ++ $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o + $(RANLIB) $@ + + clean: +diff -pur 
old/pathnames.h new/pathnames.h +--- old/pathnames.h 2013-12-06 16:24:02.000000000 -0800 ++++ new/pathnames.h 2015-04-10 02:43:51.169362243 -0700 +@@ -39,7 +39,9 @@ + #define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" + #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" + #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" ++#ifndef WITHOUT_ED25519 + #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" ++#endif /* WITHOUT_ED25519 */ + #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" + #define _PATH_DH_MODULI SSHDIR "/moduli" + /* Backwards compatibility */ +@@ -78,7 +80,9 @@ + #define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa" + #define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa" + #define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa" ++#ifndef WITHOUT_ED25519 + #define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519" ++#endif /* WITHOUT_ED25519 */ + + /* + * Configuration file in user's home directory. 
This file need not be +diff -pur old/readconf.c new/readconf.c +--- old/readconf.c 2015-04-10 02:43:51.075573457 -0700 ++++ new/readconf.c 2015-04-10 02:43:51.170150446 -0700 +@@ -1702,8 +1702,10 @@ fill_default_options(Options * options) + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_ECDSA, 0); + #endif ++#ifndef WITHOUT_ED25519 + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_ED25519, 0); ++#endif /* WITHOUT_ED25519 */ + } + } + if (options->escape_char == -1) +Only in new: readconf.c.orig +diff -pur old/sc25519.c new/sc25519.c +--- old/sc25519.c 2014-01-16 17:43:44.000000000 -0800 ++++ new/sc25519.c 2015-04-10 02:43:51.170631841 -0700 +@@ -6,6 +6,8 @@ + * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c + */ + ++#ifndef WITHOUT_ED25519 ++ + #include "includes.h" + + #include "sc25519.h" +@@ -306,3 +308,5 @@ void sc25519_2interleave2(unsigned char + r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2); + r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2); + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/sc25519.h new/sc25519.h +--- old/sc25519.h 2013-12-17 22:48:11.000000000 -0800 ++++ new/sc25519.h 2015-04-10 02:43:51.170901036 -0700 +@@ -8,6 +8,7 @@ + + #ifndef SC25519_H + #define SC25519_H ++#ifndef WITHOUT_ED25519 + + #include "crypto_api.h" + +@@ -77,4 +78,5 @@ void sc25519_window5(signed char r[51], + + void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2); + ++#endif /* WITHOUT_ED25519 */ + #endif +diff -pur old/servconf.c new/servconf.c +--- old/servconf.c 2015-04-10 02:43:51.086374994 -0700 ++++ new/servconf.c 2015-04-10 02:43:51.171761969 -0700 +@@ -189,8 +189,10 @@ fill_default_server_options(ServerOption + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_ECDSA_KEY_FILE; + #endif ++#ifndef WITHOUT_ED25519 + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_ED25519_KEY_FILE; ++#endif /* WITHOUT_ED25519 */ + } + } + /* No 
certificates by default */ +Only in new: servconf.c.orig +diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c +--- old/smult_curve25519_ref.c 2013-11-03 13:26:53.000000000 -0800 ++++ new/smult_curve25519_ref.c 2015-04-10 02:43:51.172253244 -0700 +@@ -6,6 +6,8 @@ Public domain. + Derived from public domain code by D. J. Bernstein. + */ + ++#ifndef WITHOUT_ED25519 ++ + int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *); + + static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32]) +@@ -263,3 +265,5 @@ int crypto_scalarmult_curve25519(unsigne + for (i = 0;i < 32;++i) q[i] = work[64 + i]; + return 0; + } ++ ++#endif /* WITHOUT_ED25519 */ +diff -pur old/ssh-add.0 new/ssh-add.0 +--- old/ssh-add.0 2014-01-29 17:52:47.000000000 -0800 ++++ new/ssh-add.0 2015-04-10 02:43:51.172577448 -0700 +@@ -11,7 +11,7 @@ SYNOPSIS + DESCRIPTION + ssh-add adds private key identities to the authentication agent, + ssh-agent(1). When run without arguments, it adds the files +- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ++ ~/.ssh/id_rsa, ~/.ssh/id_dsa and + ~/.ssh/identity. After loading a private key, ssh-add will try to load + corresponding certificate information from the filename obtained by + appending -cert.pub to the name of the private key file. Alternative +@@ -91,14 +91,6 @@ FILES + Contains the protocol version 2 DSA authentication identity of + the user. + +- ~/.ssh/id_ecdsa +- Contains the protocol version 2 ECDSA authentication identity of +- the user. +- +- ~/.ssh/id_ed25519 +- Contains the protocol version 2 ED25519 authentication identity +- of the user. +- + ~/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. 
+diff -pur old/ssh-add.1 new/ssh-add.1 +--- old/ssh-add.1 2013-12-17 22:46:28.000000000 -0800 ++++ new/ssh-add.1 2015-04-10 02:43:51.172897417 -0700 +@@ -57,8 +57,6 @@ adds private key identities to the authe + When run without arguments, it adds the files + .Pa ~/.ssh/id_rsa , + .Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ed25519 + and + .Pa ~/.ssh/identity . + After loading a private key, +@@ -168,10 +166,6 @@ socket used to communicate with the agen + Contains the protocol version 1 RSA authentication identity of the user. + .It Pa ~/.ssh/id_dsa + Contains the protocol version 2 DSA authentication identity of the user. +-.It Pa ~/.ssh/id_ecdsa +-Contains the protocol version 2 ECDSA authentication identity of the user. +-.It Pa ~/.ssh/id_ed25519 +-Contains the protocol version 2 ED25519 authentication identity of the user. + .It Pa ~/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of the user. + .El +diff -pur old/ssh-add.c new/ssh-add.c +--- old/ssh-add.c 2013-12-28 22:44:07.000000000 -0800 ++++ new/ssh-add.c 2015-04-10 02:43:51.173249822 -0700 +@@ -73,7 +73,9 @@ static char *default_files[] = { + #ifdef OPENSSL_HAS_ECC + _PATH_SSH_CLIENT_ID_ECDSA, + #endif ++#ifndef WITHOUT_ED25519 + _PATH_SSH_CLIENT_ID_ED25519, ++#endif /* WITHOUT_ED25519 */ + _PATH_SSH_CLIENT_IDENTITY, + NULL + }; +diff -pur old/ssh-agent.0 new/ssh-agent.0 +--- old/ssh-agent.0 2014-01-29 17:52:47.000000000 -0800 ++++ new/ssh-agent.0 2015-04-10 02:43:51.173618938 -0700 +@@ -9,7 +9,7 @@ SYNOPSIS + + DESCRIPTION + ssh-agent is a program to hold private keys used for public key +- authentication (RSA, DSA, ECDSA, ED25519). The idea is that ssh-agent is ++ authentication (RSA, DSA). The idea is that ssh-agent is + started in the beginning of an X-session or a login session, and all + other windows or programs are started as clients to the ssh-agent + program. 
Through use of environment variables the agent can be located +@@ -46,8 +46,8 @@ DESCRIPTION + + The agent initially does not have any private keys. Keys are added using + ssh-add(1). When executed without arguments, ssh-add(1) adds the files +- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and +- ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for ++ ~/.ssh/id_rsa, ~/.ssh/id_dsa ~/.ssh/identity. ++ If the identity has a passphrase, ssh-add(1) asks for + the passphrase on the terminal if it has one or from a small X11 program + if running under X11. If neither of these is the case then the + authentication will fail. It then sends the identity to the agent. +@@ -97,14 +97,6 @@ FILES + Contains the protocol version 2 DSA authentication identity of + the user. + +- ~/.ssh/id_ecdsa +- Contains the protocol version 2 ECDSA authentication identity of +- the user. +- +- ~/.ssh/id_ed25519 +- Contains the protocol version 2 ED25519 authentication identity +- of the user. +- + ~/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. +diff -pur old/ssh-agent.1 new/ssh-agent.1 +--- old/ssh-agent.1 2013-12-17 22:46:28.000000000 -0800 ++++ new/ssh-agent.1 2015-04-10 02:43:51.173976932 -0700 +@@ -53,7 +53,7 @@ + .Sh DESCRIPTION + .Nm + is a program to hold private keys used for public key authentication +-(RSA, DSA, ECDSA, ED25519). ++(RSA, DSA). + The idea is that + .Nm + is started in the beginning of an X-session or a login session, and +@@ -114,9 +114,7 @@ When executed without arguments, + .Xr ssh-add 1 + adds the files + .Pa ~/.ssh/id_rsa , +-.Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ed25519 ++.Pa ~/.ssh/id_dsa + and + .Pa ~/.ssh/identity . + If the identity has a passphrase, +@@ -189,10 +187,6 @@ line terminates. + Contains the protocol version 1 RSA authentication identity of the user. + .It Pa ~/.ssh/id_dsa + Contains the protocol version 2 DSA authentication identity of the user. 
+-.It Pa ~/.ssh/id_ecdsa
+-Contains the protocol version 2 ECDSA authentication identity of the user.
+-.It Pa ~/.ssh/id_ed25519
+-Contains the protocol version 2 ED25519 authentication identity of the user.
+ .It Pa ~/.ssh/id_rsa
+ Contains the protocol version 2 RSA authentication identity of the user.
+ .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
+diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
+--- old/ssh-ed25519.c 2013-12-06 17:37:54.000000000 -0800
++++ new/ssh-ed25519.c 2015-04-10 02:43:51.174245635 -0700
+@@ -15,6 +15,8 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+
+ #include
+@@ -141,3 +143,5 @@ ssh_ed25519_verify(const Key *key, const
+ /* translate return code carefully */
+ return (ret == 0) ? 1 : -1;
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/ssh-keygen.0 new/ssh-keygen.0
+--- old/ssh-keygen.0 2014-01-29 17:52:47.000000000 -0800
++++ new/ssh-keygen.0 2015-04-10 02:43:51.175019524 -0700
+@@ -32,7 +32,7 @@ SYNOPSIS
+ DESCRIPTION
+ ssh-keygen generates, manages and converts authentication keys for
+ ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
+- and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
++ and DSA or RSA keys for use by SSH protocol version 2.
+ The type of key to be generated is specified with the -t option. If
+ invoked without any arguments, ssh-keygen will generate an RSA key for
+ use in SSH protocol 2 connections.
+@@ -46,7 +46,7 @@ DESCRIPTION
+
+ Normally each user wishing to use SSH with public key authentication runs
+ this once to create the authentication key in ~/.ssh/identity,
+- ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa.
++ ~/.ssh/id_dsa or ~/.ssh/id_rsa.
+ Additionally, the system administrator may use this to generate host
+ keys, as seen in /etc/rc.
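Review bot: The opening `#ifndef WITHOUT_ED25519` in the first ssh-ed25519.c hunk sits above `#include "includes.h"`, and the second hunk closes it at the end of the file, so a build with `-DWITHOUT_ED25519` compiles this file to an empty translation unit. ISO C does not allow that, and some compilers warn about it or reject it in strict modes. Moving the opening guard to the line after `#include "includes.h"` keeps the file a valid translation unit (assuming includes.h declares at least one identifier) while still compiling out all Ed25519 code. A short comment at the guard, such as `/* Ed25519 support compiled out; WITHOUT_ED25519 is set in the component Makefile */`, would also tell a reader where the switch comes from.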
+ +@@ -79,14 +79,14 @@ DESCRIPTION + + The options are as follows: + +- -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for ++ -A For each of the key types (rsa1, rsa, and dsa) for + which host keys do not exist, generate the host keys with the + default key file path, an empty passphrase, default bits for the + key type, and default comment. This is used by /etc/rc to + generate new host keys. + + -a rounds +- When saving a new-format private key (i.e. an ed25519 key or any ++ When saving a new-format private key (i.e. any + SSH protocol 2 key when the -o flag is set), this option + specifies the number of KDF (key derivation function) rounds + used. Higher numbers result in slower passphrase verification +@@ -103,12 +103,7 @@ DESCRIPTION + Specifies the number of bits in the key to create. For RSA keys, + the minimum size is 768 bits and the default is 2048 bits. + Generally, 2048 bits is considered sufficient. DSA keys must be +- exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, +- the -b flag determines the key length by selecting from one of +- three elliptic curve sizes: 256, 384 or 521 bits. Attempting to +- use bit lengths other than these three values for ECDSA keys will +- fail. ED25519 keys have a fixed length and the -b flag will be +- ignored. ++ exactly 1024 bits as specified by FIPS 186-2. + + -C comment + Provides a new comment. +@@ -274,7 +269,7 @@ DESCRIPTION + new OpenSSH format rather than the more compatible PEM format. + The new format has increased resistance to brute-force password + cracking but is not supported by versions of OpenSSH prior to +- 6.5. Ed25519 keys always use the new private key format. ++ 6.5. + + -P passphrase + Provides the (old) passphrase. +@@ -315,8 +310,8 @@ DESCRIPTION + + -t type + Specifies the type of key to create. The possible values are +- ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'', +- ``ed25519'', or ``rsa'' for protocol version 2. 
++ ``rsa1'' for protocol version 1 and ``dsa'' or ``rsa'' for ++ protocol version 2. + + -u Update a KRL. When specified with -k, keys listed via the + command line are added to the existing KRL rather than a new KRL +@@ -521,10 +516,8 @@ FILES + contents of this file secret. + + ~/.ssh/id_dsa +- ~/.ssh/id_ecdsa +- ~/.ssh/id_ed25519 + ~/.ssh/id_rsa +- Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA ++ Contains the protocol version 2 DSA or RSA + authentication identity of the user. This file should not be + readable by anyone but the user. It is possible to specify a + passphrase when generating the key; that passphrase will be used +@@ -534,10 +527,8 @@ FILES + read this file when a login attempt is made. + + ~/.ssh/id_dsa.pub +- ~/.ssh/id_ecdsa.pub +- ~/.ssh/id_ed25519.pub + ~/.ssh/id_rsa.pub +- Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public ++ Contains the protocol version 2 DSA or RSA public + key for authentication. The contents of this file should be + added to ~/.ssh/authorized_keys on all machines where the user + wishes to log in using public key authentication. There is no +diff -pur old/ssh-keygen.1 new/ssh-keygen.1 +--- old/ssh-keygen.1 2013-12-28 22:47:14.000000000 -0800 ++++ new/ssh-keygen.1 2015-04-10 02:43:51.175831546 -0700 +@@ -140,7 +140,7 @@ generates, manages and converts authenti + .Xr ssh 1 . + .Nm + can create RSA keys for use by SSH protocol version 1 and +-DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. ++DSA or RSA keys for use by SSH protocol version 2. + The type of key to be generated is specified with the + .Fl t + option. +@@ -168,8 +168,6 @@ with public key authentication runs this + key in + .Pa ~/.ssh/identity , + .Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ed25519 + or + .Pa ~/.ssh/id_rsa . + Additionally, the system administrator may use this to generate host keys, +@@ -217,7 +215,7 @@ should be placed to be activated. 
+ The options are as follows: + .Bl -tag -width Ds + .It Fl A +-For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) ++For each of the key types (rsa1, rsa, dsa) + for which host keys + do not exist, generate the host keys with the default key file path, + an empty passphrase, default bits for the key type, and default comment. +@@ -225,8 +223,7 @@ This is used by + .Pa /etc/rc + to generate new host keys. + .It Fl a Ar rounds +-When saving a new-format private key (i.e. an ed25519 key or any SSH protocol +-2 key when the ++When saving a new-format private key (i.e. any SSH protocol 2 key when the + .Fl o + flag is set), this option specifies the number of KDF (key derivation function) + rounds used. +@@ -245,15 +242,6 @@ Specifies the number of bits in the key + For RSA keys, the minimum size is 768 bits and the default is 2048 bits. + Generally, 2048 bits is considered sufficient. + DSA keys must be exactly 1024 bits as specified by FIPS 186-2. +-For ECDSA keys, the +-.Fl b +-flag determines the key length by selecting from one of three elliptic +-curve sizes: 256, 384 or 521 bits. +-Attempting to use bit lengths other than these three values for ECDSA keys +-will fail. +-ED25519 keys have a fixed length and the +-.Fl b +-flag will be ignored. + .It Fl C Ar comment + Provides a new comment. + .It Fl c +@@ -468,7 +456,6 @@ to save SSH protocol 2 private keys usin + the more compatible PEM format. + The new format has increased resistance to brute-force password cracking + but is not supported by versions of OpenSSH prior to 6.5. +-Ed25519 keys always use the new private key format. + .It Fl P Ar passphrase + Provides the (old) passphrase. + .It Fl p +@@ -520,8 +507,6 @@ The possible values are + .Dq rsa1 + for protocol version 1 and + .Dq dsa , +-.Dq ecdsa , +-.Dq ed25519 , + or + .Dq rsa + for protocol version 2. +@@ -800,10 +785,8 @@ where the user wishes to log in using RS + There is no need to keep the contents of this file secret. 
+ .Pp + .It Pa ~/.ssh/id_dsa +-.It Pa ~/.ssh/id_ecdsa +-.It Pa ~/.ssh/id_ed25519 + .It Pa ~/.ssh/id_rsa +-Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA ++Contains the protocol version 2 DSA or RSA + authentication identity of the user. + This file should not be readable by anyone but the user. + It is possible to +@@ -816,10 +799,8 @@ but it is offered as the default file fo + will read this file when a login attempt is made. + .Pp + .It Pa ~/.ssh/id_dsa.pub +-.It Pa ~/.ssh/id_ecdsa.pub +-.It Pa ~/.ssh/id_ed25519.pub + .It Pa ~/.ssh/id_rsa.pub +-Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA ++Contains the protocol version 2 DSA or RSA + public key for authentication. + The contents of this file should be added to + .Pa ~/.ssh/authorized_keys +diff -pur old/ssh-keygen.c new/ssh-keygen.c +--- old/ssh-keygen.c 2013-12-06 16:24:02.000000000 -0800 ++++ new/ssh-keygen.c 2015-04-10 02:43:51.176894394 -0700 +@@ -197,7 +197,11 @@ type_bits_valid(int type, u_int32_t *bit + } + if (type == KEY_DSA && *bitsp != 1024) + fatal("DSA keys must be 1024 bits"); ++#ifdef WITHOUT_ED25519 ++ else if (type != KEY_ECDSA && *bitsp < 768) ++#else /* WITHOUT_ED25519 */ + else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) ++#endif /* WITHOUT_ED25519 */ + fatal("Key must at least be 768 bits"); + else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) + fatal("Invalid ECDSA key length - valid lengths are " +@@ -233,10 +237,12 @@ ask_filename(struct passwd *pw, const ch + case KEY_RSA: + name = _PATH_SSH_CLIENT_ID_RSA; + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + case KEY_ED25519_CERT: + name = _PATH_SSH_CLIENT_ID_ED25519; + break; ++#endif /* WITHOUT_ED25519 */ + default: + fprintf(stderr, "bad key type\n"); + exit(1); +@@ -900,7 +906,9 @@ do_gen_all_hostkeys(struct passwd *pw) + #ifdef OPENSSL_HAS_ECC + { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, + #endif ++#ifndef WITHOUT_ED25519 + { "ed25519", 
"ED25519",_PATH_HOST_ED25519_KEY_FILE }, ++#endif /* WITHOUT_ED25519 */ + { NULL, NULL, NULL } + }; + +@@ -1616,7 +1624,10 @@ do_ca_sign(struct passwd *pw, int argc, + if ((public = key_load_public(tmp, &comment)) == NULL) + fatal("%s: unable to open \"%s\"", __func__, tmp); + if (public->type != KEY_RSA && public->type != KEY_DSA && +- public->type != KEY_ECDSA && public->type != KEY_ED25519) ++#ifndef WITHOUT_ED25519 ++ public->type != KEY_ED25519 && ++#endif /* WITHOUT_ED25519 */ ++ public->type != KEY_ECDSA) + fatal("%s: key \"%s\" type %s cannot be certified", + __func__, tmp, key_type(public)); + +diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0 +--- old/ssh-keyscan.0 2014-01-29 17:52:47.000000000 -0800 ++++ new/ssh-keyscan.0 2015-04-10 02:43:51.177179968 -0700 +@@ -48,9 +48,9 @@ DESCRIPTION + -t type + Specifies the type of the key to fetch from the scanned hosts. + The possible values are ``rsa1'' for protocol version 1 and +- ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version ++ ``dsa'' or ``rsa'' for protocol version + 2. Multiple values may be specified by separating them with +- commas. The default is to fetch ``rsa'' and ``ecdsa'' keys. ++ commas. The default is to fetch ``rsa'' keys. + + -v Verbose mode. Causes ssh-keyscan to print debugging messages + about its progress. +@@ -72,12 +72,11 @@ FILES + + host-or-namelist bits exponent modulus + +- Output format for rsa, dsa and ecdsa keys: ++ Output format for rsa and dsa keys: + + host-or-namelist keytype base64-encoded-key + +- Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'', +- ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''. ++ Where keytype is either ``ssh-dss'' or ``ssh-rsa''. 
+ + /etc/ssh/ssh_known_hosts + +@@ -89,7 +88,7 @@ EXAMPLES + Find all hosts from the file ssh_hosts which have new or different keys + from those in the sorted file ssh_known_hosts: + +- $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \ ++ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ + sort -u - ssh_known_hosts | diff ssh_known_hosts - + + SEE ALSO +diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1 +--- old/ssh-keyscan.1 2013-12-17 22:46:28.000000000 -0800 ++++ new/ssh-keyscan.1 2015-04-10 02:43:51.177539875 -0700 +@@ -89,16 +89,12 @@ The possible values are + .Dq rsa1 + for protocol version 1 and + .Dq dsa , +-.Dq ecdsa , +-.Dq ed25519 , + or + .Dq rsa + for protocol version 2. + Multiple values may be specified by separating them with commas. + The default is to fetch + .Dq rsa +-and +-.Dq ecdsa + keys. + .It Fl v + Verbose mode. +@@ -127,7 +123,7 @@ attacks which have begun after the ssh_k + host-or-namelist bits exponent modulus + .Ed + .Pp +-.Pa Output format for rsa, dsa and ecdsa keys: ++.Pa Output format for rsa and dsa keys: + .Bd -literal + host-or-namelist keytype base64-encoded-key + .Ed +@@ -135,10 +131,6 @@ host-or-namelist keytype base64-encoded- + Where + .Pa keytype + is either +-.Dq ecdsa-sha2-nistp256 , +-.Dq ecdsa-sha2-nistp384 , +-.Dq ecdsa-sha2-nistp521 , +-.Dq ssh-ed25519 , + .Dq ssh-dss + or + .Dq ssh-rsa . 
+@@ -158,7 +150,7 @@ Find all hosts from the file
+ which have new or different keys from those in the sorted file
+ .Pa ssh_known_hosts :
+ .Bd -literal
+-$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
++$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
+ sort -u - ssh_known_hosts | diff ssh_known_hosts -
+ .Ed
+ .Sh SEE ALSO
+diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
+--- old/ssh-keyscan.c 2013-12-06 16:24:02.000000000 -0800
++++ new/ssh-keyscan.c 2015-04-10 02:43:51.178102053 -0700
+@@ -56,7 +58,9 @@ int ssh_port = SSH_DEFAULT_PORT;
+ #define KT_DSA 2
+ #define KT_RSA 4
+ #define KT_ECDSA 8
++#ifndef WITHOUT_ED25519
+ #define KT_ED25519 16
++#endif /* WITHOUT_ED25519 */
+
+ int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
+
+@@ -247,9 +249,11 @@ keygrab_ssh2(con *c)
+ packet_set_connection(c->c_fd, c->c_fd);
+ enable_compat20();
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+- c->c_keytype == KT_DSA ? "ssh-dss" :
++#ifndef WITHOUT_ED25519
++ c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
++#endif /* WITHOUT_ED25519 */
+ (c->c_keytype == KT_RSA ? "ssh-rsa" :
+- (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
++ (c->c_keytype == KT_DSA ?
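Review bot: The unchanged context line `int get_keytypes = KT_RSA|KT_ECDSA;` in the first ssh-keyscan.c hunk still makes ECDSA part of the default scan, while the ssh-keyscan.0 and ssh-keyscan.1 hunks of this same patch change the text to say the default is to fetch only ``rsa'' keys and drop ecdsa from the documented `-t` values. Either the man pages should keep ECDSA, or the default should become `int get_keytypes = KT_RSA;` with its comment updated. As written, an administrator relying on the man page gets a wrong picture of which host key algorithms the tool requests. Guarding the `KT_ED25519` definition itself is a good choice, because any leftover use then fails at compile time.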
"ssh-dss" : + "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); + c->c_kex = kex_setup(myproposal); + c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; +@@ -257,7 +261,9 @@ keygrab_ssh2(con *c) + c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; + c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; + c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client; ++#ifndef WITHOUT_ED25519 + c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client; ++#endif /* WITHOUT_ED25519 */ + c->c_kex->verify_host_key = hostjump; + + if (!(j = setjmp(kexjmp))) { +@@ -575,10 +581,15 @@ do_host(char *host) + { + char *name = strnnsep(&host, " \t\n"); + int j; ++#ifdef WITHOUT_ED25519 ++ int max_kt = KT_ECDSA; ++#else ++ int max_kt = KT_ED25519; ++#endif + + if (name == NULL) + return; +- for (j = KT_RSA1; j <= KT_ED25519; j *= 2) { ++ for (j = KT_RSA1; j <= max_kt; j *= 2) { + if (get_keytypes & j) { + while (ncon >= MAXCON) + conloop(); +@@ -685,9 +696,11 @@ main(int argc, char **argv) + case KEY_RSA: + get_keytypes |= KT_RSA; + break; ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: + get_keytypes |= KT_ED25519; + break; ++#endif /* WITHOUT_ED25519 */ + case KEY_UNSPEC: + fatal("unknown key type %s", tname); + } +diff -pur old/ssh-keysign.0 new/ssh-keysign.0 +--- old/ssh-keysign.0 2014-01-29 17:52:48.000000000 -0800 ++++ new/ssh-keysign.0 2015-04-10 02:43:51.178360839 -0700 +@@ -24,8 +24,6 @@ FILES + Controls whether ssh-keysign is enabled. + + /etc/ssh/ssh_host_dsa_key +- /etc/ssh/ssh_host_ecdsa_key +- /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys used to + generate the digital signature. They should be owned by root, +@@ -34,8 +32,6 @@ FILES + host-based authentication is used. 
+ + /etc/ssh/ssh_host_dsa_key-cert.pub +- /etc/ssh/ssh_host_ecdsa_key-cert.pub +- /etc/ssh/ssh_host_ed25519_key-cert.pub + /etc/ssh/ssh_host_rsa_key-cert.pub + If these files exist they are assumed to contain public + certificate information corresponding with the private keys +diff -pur old/ssh-keysign.8 new/ssh-keysign.8 +--- old/ssh-keysign.8 2015-04-10 02:43:51.009217654 -0700 ++++ new/ssh-keysign.8 2015-04-10 02:43:51.178615438 -0700 +@@ -62,8 +62,6 @@ Controls whether + is enabled. + .Pp + .It Pa /etc/ssh/ssh_host_dsa_key +-.It Pa /etc/ssh/ssh_host_ecdsa_key +-.It Pa /etc/ssh/ssh_host_ed25519_key + .It Pa /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys used to + generate the digital signature. +@@ -74,8 +72,6 @@ Since they are readable only by root, + must be set-uid root if host-based authentication is used. + .Pp + .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub +-.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub +-.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub + .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub + If these files exist they are assumed to contain public certificate + information corresponding with the private keys above. 
+diff -pur old/ssh-keysign.c new/ssh-keysign.c
+--- old/ssh-keysign.c 2013-12-06 16:24:02.000000000 -0800
++++ new/ssh-keysign.c 2015-04-10 02:43:51.178924008 -0700
+@@ -150,7 +150,11 @@ main(int argc, char **argv)
+ {
+ Buffer b;
+ Options options;
++#ifdef WITHOUT_ED25519
++#define NUM_KEYTYPES 3
++#else
+ #define NUM_KEYTYPES 4
++#endif
+ Key *keys[NUM_KEYTYPES], *key = NULL;
+ struct passwd *pw;
+ int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
+@@ -169,7 +173,9 @@ main(int argc, char **argv)
+ i = 0;
+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
++#ifndef WITHOUT_ED25519
+ key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
++#endif /* WITHOUT_ED25519 */
+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+
+ original_real_uid = getuid(); /* XXX readconf.c needs this */
+diff -pur old/ssh.0 new/ssh.0
+--- old/ssh.0 2014-01-29 17:52:47.000000000 -0800
++++ new/ssh.0 2015-04-10 02:43:51.179753862 -0700
+@@ -142,8 +142,8 @@ DESCRIPTION
+ -i identity_file
+ Selects a file from which the identity (private key) for public
+ key authentication is read. The default is ~/.ssh/identity for
+- protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
+- ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
++ protocol version 1, and ~/.ssh/id_dsa, and ~/.ssh/id_rsa for
++ protocol version 2.
+ Identity files may also be specified on a per-host basis in the
+ configuration file. It is possible to have multiple -i options
+ (and multiple identities specified in configuration files). ssh
+@@ -446,7 +446,7 @@ AUTHENTICATION
+ creates a public/private key pair for authentication purposes. The
+ server knows the public key, and only the user knows the private key.
+ ssh implements public key authentication protocol automatically, using
+- one of the DSA, ECDSA, ED25519 or RSA algorithms. Protocol 1 is
++ one of the DSA or RSA algorithms.
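Review bot: `NUM_KEYTYPES` in the first ssh-keysign.c hunk is now 3 or 4 depending on `WITHOUT_ED25519`, and it has to match by hand the number of `key_fd[i++] = open(...)` calls that the second hunk conditionally compiles. If the two ever drift apart, this helper (which the man page context describes as set-uid root) either writes past `key_fd[]` or leaves a slot uninitialised. A check right after the last open(), for example `if (i != NUM_KEYTYPES) fatal("host key count mismatch");`, would tie the two together. Separately, the ssh-keysign.0 and ssh-keysign.8 hunks remove /etc/ssh/ssh_host_ecdsa_key from FILES while the context line here still opens `_PATH_HOST_ECDSA_KEY_FILE`, so the documentation no longer lists a private key file the helper reads. main() starts and ends outside both hunks.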
Protocol 1 is + restricted to using only RSA keys, but protocol 2 may use any. The + HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA + algorithms. +@@ -459,11 +459,9 @@ AUTHENTICATION + + The user creates his/her key pair by running ssh-keygen(1). This stores + the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol +- 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2 +- ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in +- ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), +- ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2 +- ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home ++ 2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in ++ ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA) ++ or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home + directory. The user should then copy the public key to + ~/.ssh/authorized_keys in his/her home directory on the remote machine. + The authorized_keys file corresponds to the conventional ~/.rhosts file, +@@ -799,7 +797,7 @@ FILES + for the user, and not accessible by others. + + ~/.ssh/authorized_keys +- Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used ++ Lists the public keys (DSA, RSA) that can be used + for logging in as this user. The format of this file is + described in the sshd(8) manual page. This file is not highly + sensitive, but the recommended permissions are read/write for the +@@ -817,8 +815,6 @@ FILES + + ~/.ssh/identity + ~/.ssh/id_dsa +- ~/.ssh/id_ecdsa +- ~/.ssh/id_ed25519 + ~/.ssh/id_rsa + Contains the private key for authentication. These files contain + sensitive data and should be readable by the user but not +@@ -830,8 +826,6 @@ FILES + + ~/.ssh/identity.pub + ~/.ssh/id_dsa.pub +- ~/.ssh/id_ecdsa.pub +- ~/.ssh/id_ed25519.pub + ~/.ssh/id_rsa.pub + Contains the public key for authentication. 
These files are not + sensitive and can (but need not) be readable by anyone. +@@ -862,8 +856,6 @@ FILES + + /etc/ssh/ssh_host_key + /etc/ssh/ssh_host_dsa_key +- /etc/ssh/ssh_host_ecdsa_key +- /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys and are + used for host-based authentication. If protocol version 1 is +diff -pur old/ssh.1 new/ssh.1 +--- old/ssh.1 2013-12-17 22:46:28.000000000 -0800 ++++ new/ssh.1 2015-04-10 02:43:51.180632097 -0700 +@@ -279,8 +279,6 @@ The default is + .Pa ~/.ssh/identity + for protocol version 1, and + .Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ed25519 + and + .Pa ~/.ssh/id_rsa + for protocol version 2. +@@ -758,7 +756,7 @@ key pair for authentication purposes. + The server knows the public key, and only the user knows the private key. + .Nm + implements public key authentication protocol automatically, +-using one of the DSA, ECDSA, ED25519 or RSA algorithms. ++using one of the DSA or RSA algorithms. + Protocol 1 is restricted to using only RSA keys, + but protocol 2 may use any. + The HISTORY section of +@@ -783,10 +781,6 @@ This stores the private key in + (protocol 1), + .Pa ~/.ssh/id_dsa + (protocol 2 DSA), +-.Pa ~/.ssh/id_ecdsa +-(protocol 2 ECDSA), +-.Pa ~/.ssh/id_ed25519 +-(protocol 2 ED25519), + or + .Pa ~/.ssh/id_rsa + (protocol 2 RSA) +@@ -795,10 +789,6 @@ and stores the public key in + (protocol 1), + .Pa ~/.ssh/id_dsa.pub + (protocol 2 DSA), +-.Pa ~/.ssh/id_ecdsa.pub +-(protocol 2 ECDSA), +-.Pa ~/.ssh/id_ed25519.pub +-(protocol 2 ED25519), + or + .Pa ~/.ssh/id_rsa.pub + (protocol 2 RSA) +@@ -1338,7 +1328,7 @@ secret, but the recommended permissions + and not accessible by others. + .Pp + .It Pa ~/.ssh/authorized_keys +-Lists the public keys (DSA, ECDSA, ED25519, RSA) ++Lists the public keys (DSA, RSA) + that can be used for logging in as this user. + The format of this file is described in the + .Xr sshd 8 +@@ -1360,8 +1350,6 @@ above. 
+ .Pp
+ .It Pa ~/.ssh/identity
+ .It Pa ~/.ssh/id_dsa
+-.It Pa ~/.ssh/id_ecdsa
+-.It Pa ~/.ssh/id_ed25519
+ .It Pa ~/.ssh/id_rsa
+ Contains the private key for authentication.
+ These files
+@@ -1375,8 +1363,6 @@ sensitive part of this file using 3DES.
+ .Pp
+ .It Pa ~/.ssh/identity.pub
+ .It Pa ~/.ssh/id_dsa.pub
+-.It Pa ~/.ssh/id_ecdsa.pub
+-.It Pa ~/.ssh/id_ed25519.pub
+ .It Pa ~/.ssh/id_rsa.pub
+ Contains the public key for authentication.
+ These files are not
+@@ -1415,8 +1401,6 @@ The file format and configuration option
+ .Pp
+ .It Pa /etc/ssh/ssh_host_key
+ .It Pa /etc/ssh/ssh_host_dsa_key
+-.It Pa /etc/ssh/ssh_host_ecdsa_key
+-.It Pa /etc/ssh/ssh_host_ed25519_key
+ .It Pa /etc/ssh/ssh_host_rsa_key
+ These files contain the private parts of the host keys
+ and are used for host-based authentication.
+diff -pur old/ssh.c new/ssh.c
+--- old/ssh.c 2013-12-28 22:53:40.000000000 -0800
++++ new/ssh.c 2015-04-10 02:43:51.181446718 -0700
+@@ -1010,8 +1010,10 @@ main(int ac, char **av)
+ #endif
+ sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
+ _PATH_HOST_RSA_KEY_FILE, "", NULL);
++#ifndef WITHOUT_ED25519
+ sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519,
+ _PATH_HOST_ED25519_KEY_FILE, "", NULL);
++#endif /* WITHOUT_ED25519 */
+ sensitive_data.keys[5] = key_load_private_type(KEY_DSA,
+ _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
+ #ifdef OPENSSL_HAS_ECC
+@@ -1020,8 +1022,10 @@ main(int ac, char **av)
+ #endif
+ sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
+ _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
++#ifndef WITHOUT_ED25519
+ sensitive_data.keys[8] = key_load_private_type(KEY_ED25519,
+ _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
++#endif /* WITHOUT_ED25519 */
+ PRIV_END;
+
+ if (options.hostbased_authentication == 1 &&
+@@ -1038,8 +1042,10 @@ main(int ac, char **av)
+ #endif
+ sensitive_data.keys[3] = key_load_cert(
+ _PATH_HOST_RSA_KEY_FILE);
++#ifndef WITHOUT_ED25519
+ sensitive_data.keys[4] = key_load_cert(
+
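Review bot: With `WITHOUT_ED25519` defined, `sensitive_data.keys[4]` and `sensitive_data.keys[8]` are never assigned in this hunk or in the three ssh.c hunks that follow it. Code that later walks the array therefore depends on those slots having been set to NULL where the array is created, which is outside these hunks. The `OPENSSL_HAS_ECC` slots in the context lines follow the same pattern, so this is probably fine, but it is worth stating at each guard: `/* slot stays NULL from initialisation when Ed25519 is compiled out */`. If that initialisation cannot be relied on, add an `#else` branch with `sensitive_data.keys[4] = NULL;` (and likewise for index 8) instead. main() starts and ends outside the hunks.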
_PATH_HOST_ED25519_KEY_FILE); ++#endif /* WITHOUT_ED25519 */ + sensitive_data.keys[5] = key_load_public( + _PATH_HOST_DSA_KEY_FILE, NULL); + #ifdef OPENSSL_HAS_ECC +@@ -1048,8 +1054,10 @@ main(int ac, char **av) + #endif + sensitive_data.keys[7] = key_load_public( + _PATH_HOST_RSA_KEY_FILE, NULL); ++#ifndef WITHOUT_ED25519 + sensitive_data.keys[8] = key_load_public( + _PATH_HOST_ED25519_KEY_FILE, NULL); ++#endif /* WITHOUT_ED25519 */ + sensitive_data.external_keysign = 1; + } + } +diff -pur old/ssh_config.0 new/ssh_config.0 +--- old/ssh_config.0 2014-01-29 17:52:48.000000000 -0800 ++++ new/ssh_config.0 2015-04-10 02:43:51.182117645 -0700 +@@ -409,14 +409,9 @@ DESCRIPTION + client wants to use in order of preference. The default for this + option is: + +- ecdsa-sha2-nistp256-cert-v01@openssh.com, +- ecdsa-sha2-nistp384-cert-v01@openssh.com, +- ecdsa-sha2-nistp521-cert-v01@openssh.com, +- ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, + ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, +- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +- ssh-ed25519,ssh-rsa,ssh-dss ++ ssh-rsa,ssh-dss + + If hostkeys are known for the destination host then this default + is modified to prefer their algorithms. +@@ -446,10 +441,10 @@ DESCRIPTION + default is ``no''. + + IdentityFile +- Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA ++ Specifies a file from which the user's DSA or RSA + authentication identity is read. The default is ~/.ssh/identity +- for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, +- ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. ++ for protocol version 1, and ~/.ssh/id_dsa and ~/.ssh/id_rsa for ++ protocol version 2. + Additionally, any identities represented by the authentication + agent will be used for authentication unless IdentitiesOnly is + set. 
ssh(1) will try to load certificate information from the +@@ -509,8 +504,6 @@ DESCRIPTION + Specifies the available KEX (Key Exchange) algorithms. Multiple + algorithms must be comma-separated. The default is: + +- curve25519-sha256@libssh.org, +- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group-exchange-sha1, + diffie-hellman-group14-sha1, +diff -pur old/ssh_config.5 new/ssh_config.5 +--- old/ssh_config.5 2015-04-10 02:43:51.077725535 -0700 ++++ new/ssh_config.5 2015-04-10 02:43:51.182862658 -0700 +@@ -723,14 +723,9 @@ Specifies the protocol version 2 host ke + that the client wants to use in order of preference. + The default for this option is: + .Bd -literal -offset 3n +-ecdsa-sha2-nistp256-cert-v01@openssh.com, +-ecdsa-sha2-nistp384-cert-v01@openssh.com, +-ecdsa-sha2-nistp521-cert-v01@openssh.com, +-ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, + ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, +-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-ssh-ed25519,ssh-rsa,ssh-dss ++ssh-rsa,ssh-dss + .Ed + .Pp + If hostkeys are known for the destination host then this default is modified +@@ -772,14 +767,12 @@ offers many different identities. + The default is + .Dq no . + .It Cm IdentityFile +-Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication ++Specifies a file from which the user's DSA or RSA authentication + identity is read. + The default is + .Pa ~/.ssh/identity + for protocol version 1, and + .Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ed25519 + and + .Pa ~/.ssh/id_rsa + for protocol version 2. +@@ -892,8 +885,6 @@ Specifies the available KEX (Key Exchang + Multiple algorithms must be comma-separated. 
+ The default is:
+ .Bd -literal -offset indent
+-curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+ diffie-hellman-group-exchange-sha1,
+ diffie-hellman-group14-sha1,
+Only in new: ssh_config.5.orig
+diff -pur old/sshconnect.c new/sshconnect.c
+--- old/sshconnect.c 2015-04-10 02:43:51.092987117 -0700
++++ new/sshconnect.c 2015-04-10 02:43:51.183586425 -0700
+@@ -1325,7 +1325,9 @@ show_other_keys(struct hostkeys *hostkey
+ KEY_RSA,
+ KEY_DSA,
+ KEY_ECDSA,
++#ifndef WITHOUT_ED25519
+ KEY_ED25519,
++#endif /* WITHOUT_ED25519 */
+ -1
+ };
+ int i, ret = 0;
+Only in new: sshconnect.c.orig
+diff -pur old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c 2015-04-10 02:43:51.055621784 -0700
++++ new/sshconnect2.c 2015-04-10 02:49:31.451117756 -0700
+@@ -213,7 +213,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+ kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+ kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+ kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
++#ifndef WITHOUT_ED25519
+ kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#endif /* WITHOUT_ED25519 */
+ kex->client_version_string=client_version_string;
+ kex->server_version_string=server_version_string;
+ kex->verify_host_key=&verify_host_key_callback;
+Only in new: sshconnect2.c.orig
+Only in new: sshconnect2.c.rej
+diff -pur old/sshd.0 new/sshd.0
+--- old/sshd.0 2014-01-29 17:52:47.000000000 -0800
++++ new/sshd.0 2015-04-10 02:43:51.185708016 -0700
+@@ -82,8 +82,7 @@ DESCRIPTION
+ be given if sshd is not run as root (as the normal host key files
+ are normally not readable by anyone but root). The default is
+ /etc/ssh/ssh_host_key for protocol version 1, and
+- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
+- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
++ /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
+ protocol version 2.
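Review bot: `WITHOUT_ED25519` is used in the ssh_kex2 hunk of sshconnect2.c to leave `kex->kex[KEX_C25519_SHA256]` unset, but Curve25519 key exchange is a different primitive from Ed25519 signatures, so the macro name understates what the switch removes; the keygrab_ssh2 hunk in ssh-keyscan.c does the same. With the handler slot empty, the client is only consistent if `curve25519-sha256@libssh.org` is also dropped from the KEX list it offers, which these hunks do not show and should be confirmed. I would add `/* WITHOUT_ED25519 also disables the curve25519-sha256 key exchange */` above each guard, or use a separate macro for the key exchange. ssh_kex2 starts and ends outside the hunk.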
It is possible to have multiple host key + files for the different protocol versions and host key + algorithms. +@@ -148,7 +147,7 @@ DESCRIPTION + AUTHENTICATION + The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to + use protocol 2 only, though this can be changed via the Protocol option +- in sshd_config(5). Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; ++ in sshd_config(5). Protocol 2 supports DSA and RSA keys; + protocol 1 only supports RSA keys. For both protocols, each host has a + host-specific key, normally 2048 bits, used to identify the host. + +@@ -278,15 +277,13 @@ AUTHORIZED_KEYS FILE FORMAT + starts with a number). The bits, exponent, modulus, and comment fields + give the RSA key for protocol version 1; the comment field is not used + for anything (but may be convenient for the user to identify the key). +- For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'', +- ``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', +- ``ssh-dss'' or ``ssh-rsa''. ++ For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''. + + Note that lines in this file are usually several hundred bytes long + (because of the size of the public key encoding) up to a limit of 8 + kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 + kilobits. You don't want to type them in; instead, copy the +- identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub ++ identity.pub, id_dsa.pub or the id_rsa.pub + file and edit it. + + sshd enforces a minimum RSA key modulus size for protocol 1 and protocol +@@ -513,7 +510,7 @@ FILES + for the user, and not accessible by others. + + ~/.ssh/authorized_keys +- Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used ++ Lists the public keys (DSA, RSA) that can be used + for logging in as this user. The format of this file is + described above. 
The content of the file is not highly + sensitive, but the recommended permissions are read/write for the +@@ -574,8 +571,6 @@ FILES + + /etc/ssh/ssh_host_key + /etc/ssh/ssh_host_dsa_key +- /etc/ssh/ssh_host_ecdsa_key +- /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys. These + files should only be owned by root, readable only by root, and +@@ -584,8 +579,6 @@ FILES + + /etc/ssh/ssh_host_key.pub + /etc/ssh/ssh_host_dsa_key.pub +- /etc/ssh/ssh_host_ecdsa_key.pub +- /etc/ssh/ssh_host_ed25519_key.pub + /etc/ssh/ssh_host_rsa_key.pub + These files contain the public parts of the host keys. These + files should be world-readable but writable only by root. Their +diff -pur old/sshd.8 new/sshd.8 +--- old/sshd.8 2015-04-10 02:43:51.068793178 -0700 ++++ new/sshd.8 2015-04-10 02:43:51.186397825 -0700 +@@ -175,8 +175,6 @@ The default is + .Pa /etc/ssh/ssh_host_key + for protocol version 1, and + .Pa /etc/ssh/ssh_host_dsa_key , +-.Pa /etc/ssh/ssh_host_ecdsa_key . +-.Pa /etc/ssh/ssh_host_ed25519_key + and + .Pa /etc/ssh/ssh_host_rsa_key + for protocol version 2. +@@ -281,7 +279,7 @@ though this can be changed via the + .Cm Protocol + option in + .Xr sshd_config 4 . +-Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; ++Protocol 2 supports DSA and RSA keys; + protocol 1 only supports RSA keys. + For both protocols, + each host has a host-specific key, +@@ -492,10 +490,6 @@ protocol version 1; the + comment field is not used for anything (but may be convenient for the + user to identify the key). + For protocol version 2 the keytype is +-.Dq ecdsa-sha2-nistp256 , +-.Dq ecdsa-sha2-nistp384 , +-.Dq ecdsa-sha2-nistp521 , +-.Dq ssh-ed25519 , + .Dq ssh-dss + or + .Dq ssh-rsa . +@@ -507,8 +501,6 @@ keys up to 16 kilobits. + You don't want to type them in; instead, copy the + .Pa identity.pub , + .Pa id_dsa.pub , +-.Pa id_ecdsa.pub , +-.Pa id_ed25519.pub , + or the + .Pa id_rsa.pub + file and edit it. 
+@@ -808,7 +800,7 @@ secret, but the recommended permissions + and not accessible by others. + .Pp + .It Pa ~/.ssh/authorized_keys +-Lists the public keys (DSA, ECDSA, ED25519, RSA) ++Lists the public keys (DSA, RSA) + that can be used for logging in as this user. + The format of this file is described above. + The content of the file is not highly sensitive, but the recommended +@@ -888,8 +880,6 @@ rlogin/rsh. + .Pp + .It Pa /etc/ssh/ssh_host_key + .It Pa /etc/ssh/ssh_host_dsa_key +-.It Pa /etc/ssh/ssh_host_ecdsa_key +-.It Pa /etc/ssh/ssh_host_ed25519_key + .It Pa /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys. + These files should only be owned by root, readable only by root, and not +@@ -900,8 +890,6 @@ does not start if these files are group/ + .Pp + .It Pa /etc/ssh/ssh_host_key.pub + .It Pa /etc/ssh/ssh_host_dsa_key.pub +-.It Pa /etc/ssh/ssh_host_ecdsa_key.pub +-.It Pa /etc/ssh/ssh_host_ed25519_key.pub + .It Pa /etc/ssh/ssh_host_rsa_key.pub + These files contain the public parts of the host keys. 
+ These files should be world-readable but writable only by +diff -pur old/sshd.c new/sshd.c +--- old/sshd.c 2015-04-10 02:43:51.101980137 -0700 ++++ new/sshd.c 2015-04-10 02:49:46.274593753 -0700 +@@ -797,7 +797,9 @@ list_hostkey_types(void) + case KEY_RSA: + case KEY_DSA: + case KEY_ECDSA: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: ++#endif /* WITHOUT_ED25519 */ + if (buffer_len(&b) > 0) + buffer_append(&b, ",", 1); + p = key_ssh_name(key); +@@ -814,7 +816,9 @@ list_hostkey_types(void) + case KEY_RSA_CERT: + case KEY_DSA_CERT: + case KEY_ECDSA_CERT: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: ++#endif /* WITHOUT_ED25519 */ + if (buffer_len(&b) > 0) + buffer_append(&b, ",", 1); + p = key_ssh_name(key); +@@ -842,7 +846,9 @@ get_hostkey_by_type(int type, int need_p + case KEY_RSA_CERT: + case KEY_DSA_CERT: + case KEY_ECDSA_CERT: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519_CERT: ++#endif /* WITHOUT_ED25519 */ + key = sensitive_data.host_certificates[i]; + break; + default: +@@ -1719,7 +1725,9 @@ main(int ac, char **av) + case KEY_RSA: + case KEY_DSA: + case KEY_ECDSA: ++#ifndef WITHOUT_ED25519 + case KEY_ED25519: ++#endif /* WITHOUT_ED25519 */ + sensitive_data.have_ssh2_key = 1; + break; + } +@@ -2501,7 +2509,9 @@ do_ssh2_kex(void) + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; + kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; + kex->kex[KEX_ECDH_SHA2] = kexecdh_server; ++#ifndef WITHOUT_ED25519 + kex->kex[KEX_C25519_SHA256] = kexc25519_server; ++#endif /* WITHOUT_ED25519 */ + kex->server = 1; + kex->client_version_string=client_version_string; + kex->server_version_string=server_version_string; +Only in new: sshd.c.orig +Only in new: sshd.c.rej +diff -pur old/sshd_config.0 new/sshd_config.0 +--- old/sshd_config.0 2014-01-29 17:52:48.000000000 -0800 ++++ new/sshd_config.0 2015-04-10 02:43:51.188313577 -0700 +@@ -332,12 +332,11 @@ DESCRIPTION + HostKey + Specifies a file containing a private host key used by SSH. 
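Review bot: `case KEY_ECDSA:` and `case KEY_ECDSA_CERT:` stay unguarded in both list_hostkey_types hunks, and `kex->kex[KEX_ECDH_SHA2]` stays in do_ssh2_kex, yet the sshd.0, sshd.8 and sshd_config hunks of this patch rewrite the text to `Protocol 2 supports DSA and RSA keys;` and drop the ecdsa host-key paths and the `ecdh-sha2-nistp*` KEX defaults. Either the manual pages remove more than the code disables, or ECDSA/ECDH is switched off by something not visible here. In the first case the doc line should read `Protocol 2 supports DSA, ECDSA and RSA keys;`. In the second, the patch description should name that switch so an administrator auditing accepted host-key and KEX algorithms can reconcile the manual with the binary. list_hostkey_types extends beyond the hunk.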
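Review bot: The `Only in new: sshd.c.rej` line after the do_ssh2_kex hunk (and `Only in new: sshconnect2.c.rej` after the ssh_kex2 hunk) suggests the inner patch was regenerated from a tree where an earlier hunk had been rejected and, presumably, fixed up by hand. The `Only in new:` lines are `diff -r` leftovers and would be better removed from 024-disable_ed25519.patch. It is worth checking that the hand-applied result guards every site the rejected hunk covered, since a missed `#ifndef WITHOUT_ED25519` would leave a code path to the algorithm the patch is meant to disable.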
The + default is /etc/ssh/ssh_host_key for protocol version 1, and +- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, +- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for ++ /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for + protocol version 2. Note that sshd(8) will refuse to use a file + if it is group/world-accessible. It is possible to have multiple + host key files. ``rsa1'' keys are used for version 1 and +- ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2 ++ ``dsa'' or ``rsa'' are used for version 2 + of the SSH protocol. It is also possible to specify public host + key files instead. In this case operations on the private key + will be delegated to an ssh-agent(1). +@@ -399,8 +398,6 @@ DESCRIPTION + Specifies the available KEX (Key Exchange) algorithms. Multiple + algorithms must be comma-separated. The default is + +- curve25519-sha256@libssh.org, +- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group-exchange-sha1, + diffie-hellman-group14-sha1, +diff -pur old/sshd_config.5 new/sshd_config.5 +--- old/sshd_config.5 2015-04-10 02:43:51.078482159 -0700 ++++ new/sshd_config.5 2015-04-10 02:43:51.189013912 -0700 +@@ -540,8 +540,6 @@ The default is + .Pa /etc/ssh/ssh_host_key + for protocol version 1, and + .Pa /etc/ssh/ssh_host_dsa_key , +-.Pa /etc/ssh/ssh_host_ecdsa_key , +-.Pa /etc/ssh/ssh_host_ed25519_key + and + .Pa /etc/ssh/ssh_host_rsa_key + for protocol version 2. +@@ -552,8 +550,6 @@ It is possible to have multiple host key + .Dq rsa1 + keys are used for version 1 and + .Dq dsa , +-.Dq ecdsa , +-.Dq ed25519 + or + .Dq rsa + are used for version 2 of the SSH protocol. +@@ -663,8 +659,6 @@ Specifies the available KEX (Key Exchang + Multiple algorithms must be comma-separated. 
+ The default is + .Bd -literal -offset indent +-curve25519-sha256@libssh.org, +-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group-exchange-sha1, + diffie-hellman-group14-sha1, +Only in new: sshd_config.5.orig +diff -pur old/verify.c new/verify.c +--- old/verify.c 2014-01-16 17:43:44.000000000 -0800 ++++ new/verify.c 2015-04-10 02:43:51.189372783 -0700 +@@ -9,6 +9,8 @@ + + #include "crypto_api.h" + ++#ifndef WITHOUT_ED25519 ++ + int crypto_verify_32(const unsigned char *x,const unsigned char *y) + { + unsigned int differentbits = 0; +@@ -47,3 +49,4 @@ int crypto_verify_32(const unsigned char + F(31) + return (1 & ((differentbits - 1) >> 8)) - 1; + } ++#endif /* WITHOUT_ED25519 */