# HG changeset patch # User Tomas Kuthan # Date 1461183237 25200 # Node ID c5f05bd2a9bc404f149b25bff2a71ab9ac1a5fd4 # Parent 5f0e7a0f17c263bde96284f410c23140a32e6b0f PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates 22931214 upgrade OpenSSH to 7.2p2 22931349 problem in UTILITY/OPENSSH 20955968 remove servconf.c portion of 003-last_login.patch when upgrading to OpenSSH 7.2 22489925 Re-enable Curve25519 in OpenSSH diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/Makefile --- a/components/openssh/Makefile Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/Makefile Wed Apr 20 13:13:57 2016 -0700 @@ -27,16 +27,16 @@ include ../../make-rules/shared-macros.mk COMPONENT_NAME= openssh -COMPONENT_VERSION= 7.1p2 +COMPONENT_VERSION= 7.2p2 HUMAN_VERSION= $(COMPONENT_VERSION) # Version for IPS. The encoding rules are: # OpenSSH .p => IPS ..0. # OpenSSH ..p => IPS ... -IPS_COMPONENT_VERSION= 7.1.0.2 +IPS_COMPONENT_VERSION= 7.2.0.2 COMPONENT_PROJECT_URL= http://www.openssh.org/ -COMPONENT_ARCHIVE_HASH= sha256:dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd +COMPONENT_ARCHIVE_HASH= sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c COMPONENT_ARCHIVE_URL= http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE) TPNO_OPENSSH= 26419 diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/network-ssh.p5m --- a/components/openssh/network-ssh.p5m Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/network-ssh.p5m Wed Apr 20 13:13:57 2016 -0700 
@@ -32,7 +32,7 @@ value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2012/335 +set name=org.opensolaris.arc-caseid value=PSARC/2012/335 value=PSARC/2016/216 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) file path=etc/ssh/ssh_config group=sys mode=0644 \ original_name=SUNWssh:etc/ssh/ssh_config overlay=allow preserve=renamenew diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/003-last_login.patch --- a/components/openssh/patches/003-last_login.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/003-last_login.patch Wed Apr 20 13:13:57 2016 -0700 @@ -4,6 +4,9 @@ # their consideration: # https://bugzilla.mindrot.org/show_bug.cgi?id=2278 # +# Update - accepted upstream: +# https://github.com/openssh/openssh-portable/commit/ac908c1eeacccfa +# # OpenSSH normally updates lastlog when users login and reads lastlog to # determine the last login time of the user however on Solaris the # pam_unix_session(5) module handles both of these tasks so we compile 
@@ -12,31 +15,6 @@ # can't be changed so we update sshd's configuration parsing to flag # this as unsupported and update the man page here. # -diff -pur old/servconf.c new/servconf.c ---- old/servconf.c -+++ new/servconf.c -@@ -504,7 +504,11 @@ static struct { - { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, - { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, - { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, -+#ifdef DISABLE_LASTLOG -+ { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, -+#else - { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, -+#endif - { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, - { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, - { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, -@@ -2268,7 +2272,9 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sChallengeResponseAuthentication, - o->challenge_response_authentication); - dump_cfg_fmtint(sPrintMotd, o->print_motd); -+#ifndef DISABLE_LASTLOG - dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); -+#endif /* !DISABLE_LASTLOG */ - dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); - dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); - dump_cfg_fmtint(sPermitTTY, o->permit_tty); diff -pur old/sshd_config.5 new/sshd_config.5 --- old/sshd_config.5 +++ new/sshd_config.5 diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/013-dtrace_sftp.patch --- a/components/openssh/patches/013-dtrace_sftp.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/013-dtrace_sftp.patch Wed Apr 20 13:13:57 2016 -0700 @@ -5,8 +5,8 @@ # contribute the changes to the upstream community. # diff -pur old/Makefile.in new/Makefile.in ---- old/Makefile.in 2015-03-28 14:10:39.426859283 +0100 -+++ new/Makefile.in 2015-03-28 14:16:12.472203388 +0100 +--- old/Makefile.in ++++ new/Makefile.in @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign 
@@ -23,18 +23,18 @@ ssh-pkcs11.o smult_curve25519_ref.o \ poly1305.o chacha.o cipher-chachapoly.o \ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ -@@ -110,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ +@@ -107,7 +109,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw + monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ +- sftp-server.o sftp-common.o \ ++ sftp-server.o sftp-common.o sftp_provider.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -- sandbox-seccomp-filter.o sandbox-capsicum.o -+ sandbox-seccomp-filter.o sandbox-capsicum.o sftp_provider.o - - MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out - MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 + sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ + sandbox-solaris.o @@ -187,8 +189,8 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
@@ -63,18 +63,18 @@ rm -f regress/unittests/test_helper/*.a rm -f regress/unittests/test_helper/*.o rm -f regress/unittests/sshbuf/*.o -@@ -340,6 +351,7 @@ install-files: - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 +@@ -336,6 +347,7 @@ install-files: + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/sftp64.d install-sysconf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ diff -pur old/sftp-server.c new/sftp-server.c ---- old/sftp-server.c 2015-03-17 06:49:20.000000000 +0100 -+++ new/sftp-server.c 2015-03-28 14:27:55.661510029 +0100 -@@ -55,6 +55,9 @@ +--- old/sftp-server.c ++++ new/sftp-server.c +@@ -54,6 +54,9 @@ #include "sftp.h" #include "sftp-common.h" @@ -84,7 +84,7 @@ /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -741,14 +744,17 @@ process_read(u_int32_t id) +@@ -740,14 +743,17 @@ process_read(u_int32_t id) u_int32_t len; int r, handle, fd, ret, status = SSH2_FX_FAILURE; u_int64_t off; @@ -104,7 +104,7 @@ if (len > sizeof buf) { len = sizeof buf; debug2("read change len %d", len); -@@ -759,7 +765,13 @@ process_read(u_int32_t id) +@@ -758,7 +764,13 @@ process_read(u_int32_t id) error("process_read: seek failed"); status = errno_to_portable(errno); } else { @@ -118,7 +118,7 @@ if (ret < 0) { status = errno_to_portable(errno); } else if (ret == 0) { -@@ -782,14 +794,16 @@ process_write(u_int32_t id) +@@ -781,14 +793,16 @@ process_write(u_int32_t id) size_t len; int r, handle, fd, ret, status; u_char *data; 
@@ -136,7 +136,7 @@ fd = handle_to_fd(handle); if (fd < 0) -@@ -801,7 +815,14 @@ process_write(u_int32_t id) +@@ -800,7 +814,14 @@ process_write(u_int32_t id) error("process_write: seek failed"); } else { /* XXX ATOMICIO ? */ diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/017-option_default_value.patch --- a/components/openssh/patches/017-option_default_value.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/017-option_default_value.patch Wed Apr 20 13:13:57 2016 -0700 @@ -10,9 +10,10 @@ # This is for Solaris only, we will not contribute back these changes to the # upstream. # ---- orig/readconf.c Thu Sep 4 17:27:04 2014 -+++ new/readconf.c Tue Sep 9 17:33:50 2014 -@@ -1575,7 +1575,11 @@ +diff -pur old/readconf.c new/readconf.c +--- old/readconf.c ++++ new/readconf.c +@@ -1803,7 +1803,11 @@ fill_default_options(Options * options) if (options->forward_x11 == -1) options->forward_x11 = 0; if (options->forward_x11_trusted == -1) @@ -24,7 +25,7 @@ if (options->forward_x11_timeout == -1) options->forward_x11_timeout = 1200; if (options->exit_on_forward_failure == -1) -@@ -1593,7 +1597,11 @@ +@@ -1825,7 +1829,11 @@ fill_default_options(Options * options) if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) @@ -36,9 +37,10 @@ if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; if (options->password_authentication == -1) ---- orig/servconf.c Thu Sep 4 17:17:58 2014 -+++ new/servconf.c Tue Sep 9 17:36:32 2014 -@@ -208,7 +208,11 @@ +diff -pur old/servconf.c new/servconf.c +--- old/servconf.c ++++ new/servconf.c +@@ -265,7 +265,11 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) 
@@ -50,7 +52,7 @@ if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -244,7 +248,11 @@ +@@ -303,7 +307,11 @@ fill_default_server_options(ServerOption if (options->kerberos_get_afs_token == -1) options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) @@ -61,10 +63,11 @@ +#endif if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; - if (options->password_authentication == -1) ---- orig/ssh_config.5 Thu Sep 4 17:58:05 2014 -+++ new/ssh_config.5 Tue Sep 9 17:48:39 2014 -@@ -643,8 +643,8 @@ + if (options->gss_strict_acceptor == -1) +diff -pur old/ssh_config.5 new/ssh_config.5 +--- old/ssh_config.5 ++++ new/ssh_config.5 +@@ -802,8 +802,8 @@ Furthermore, the token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time. .Pp @@ -75,7 +78,7 @@ .Pp See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. -@@ -673,8 +673,8 @@ +@@ -832,8 +832,8 @@ The default is .Pa /etc/ssh/ssh_known_hosts2 . .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. @@ -83,12 +86,13 @@ -.Dq no . +The default on Solaris is +.Dq yes . - Note that this option applies to protocol version 2 only. .It Cm GSSAPIDelegateCredentials Forward (delegate) credentials to the server. ---- orig/sshd_config.5 Thu Sep 4 17:58:07 2014 -+++ new/sshd_config.5 Tue Sep 9 17:49:58 2014 -@@ -490,8 +490,8 @@ + The default is +diff -pur old/sshd_config.5 new/sshd_config.5 +--- old/sshd_config.5 ++++ new/sshd_config.5 +@@ -621,8 +621,8 @@ The default is .Dq no . .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. 
@@ -96,10 +100,10 @@ -.Dq no . +The default on Solaris is +.Dq yes . - Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache -@@ -1239,8 +1239,8 @@ + on logout. +@@ -1637,8 +1637,8 @@ The argument must be .Dq yes or .Dq no . diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/019-no_uid_restoration_test.patch --- a/components/openssh/patches/019-no_uid_restoration_test.patch Wed Apr 20 13:13:57 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,70 +0,0 @@ -# -# OpenSSH verifies, that changing [ug]id back to 0 fails, after it -# was set to the values of the user logging in. -# On Solaris, if that user was given PRIV_PROC_SETUID privilege, -# set[gu]id(0) succeeds. But in this case this is not an error in -# dropping privilege, such user is supposed to be able to do that. -# -# This fix removes this check entirely. Skipping the check only in -# case PRIV_PROC_SETUID is asserted in the effective set was considered -# but decided against. The check is redundant, because inability to -# restore uid=0 can be inferred from successful run of setreuid(uid, uid). -# -# The fix is implemented by replacing an OS-related HAVE_CYGWIN guard -# with a functional NO_UID_RESTORATION_TEST and by defining the new -# symbol in the component Makefile. -# -# This patch was submitted upstream: -# -# https://bugzilla.mindrot.org/show_bug.cgi?id=2299 -# -# See the above URL for details on if/when it might be accepted. -# -diff -ur old/uidswap.c new/uidswap.c ---- old/uidswap.c 2014-01-18 01:43:50.000000000 -0800 -+++ new/uidswap.c 2014-09-04 06:26:32.965065384 -0700 -@@ -134,7 +134,7 @@ - void - permanently_drop_suid(uid_t uid) - { --#ifndef HAVE_CYGWIN -+#ifndef NO_UID_RESTORATION_TEST - uid_t old_uid = getuid(); - #endif - -@@ -142,7 +142,7 @@ - if (setresuid(uid, uid, uid) < 0) - fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); - --#ifndef HAVE_CYGWIN -+#ifndef NO_UID_RESTORATION_TEST - /* Try restoration of UID if changed (test clearing of saved uid) */ - if (old_uid != uid && - (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) -@@ -199,7 +199,7 @@ - void - permanently_set_uid(struct passwd *pw) - { --#ifndef HAVE_CYGWIN -+#ifndef NO_UID_RESTORATION_TEST - uid_t old_uid = getuid(); - gid_t old_gid = getgid(); - #endif -@@ -227,7 +227,7 @@ - if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) - fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); - --#ifndef HAVE_CYGWIN -+#ifndef 
NO_UID_RESTORATION_TEST - /* Try restoration of GID if changed (test clearing of saved gid) */ - if (old_gid != pw->pw_gid && pw->pw_uid != 0 && - (setgid(old_gid) != -1 || setegid(old_gid) != -1)) -@@ -241,7 +241,7 @@ - (u_int)pw->pw_gid); - } - --#ifndef HAVE_CYGWIN -+#ifndef NO_UID_RESTORATION_TEST - /* Try restoration of UID if changed (test clearing of saved uid) */ - if (old_uid != pw->pw_uid && - (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/023-gsskex.patch --- a/components/openssh/patches/023-gsskex.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/023-gsskex.patch Wed Apr 20 13:13:57 2016 -0700 @@ -26,8 +26,8 @@ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ + sftp-server.o sftp-common.o sftp_provider.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ diff -pur old/auth2-gss.c new/auth2-gss.c --- old/auth2-gss.c +++ new/auth2-gss.c @@ -420,7 +420,7 @@ diff -pur old/kex.c new/kex.c --- old/kex.c +++ new/kex.c -@@ -55,6 +55,10 @@ +@@ -54,6 +54,10 @@ #include "sshbuf.h" #include "digest.h" @@ -431,7 +431,7 @@ #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = { +@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = { #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ @@ -443,7 +443,7 @@ { NULL, -1, -1, -1}, }; -@@ -126,7 +135,7 @@ kex_alg_by_name(const char *name) +@@ -138,7 +147,7 @@ kex_alg_by_name(const char *name) const struct kexalg *k; for (k = kexalgs; k->name != NULL; k++) { 
@@ -455,7 +455,7 @@ diff -pur old/kex.h new/kex.h --- old/kex.h +++ new/kex.h -@@ -93,6 +93,9 @@ enum kex_exchange { +@@ -92,6 +92,9 @@ enum kex_exchange { KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, KEX_C25519_SHA256, @@ -465,7 +465,7 @@ KEX_MAX }; -@@ -139,6 +142,10 @@ struct kex { +@@ -140,6 +143,10 @@ struct kex { u_int flags; int hash_alg; int ec_nid; @@ -476,7 +476,7 @@ char *client_version_string; char *server_version_string; char *failed_choice; -@@ -186,6 +193,10 @@ int kexecdh_client(struct ssh *); +@@ -189,6 +196,10 @@ int kexecdh_client(struct ssh *); int kexecdh_server(struct ssh *); int kexc25519_client(struct ssh *); int kexc25519_server(struct ssh *); @@ -490,7 +490,7 @@ diff -pur old/monitor.c new/monitor.c --- old/monitor.c +++ new/monitor.c -@@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer +@@ -159,6 +159,7 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); @@ -498,7 +498,7 @@ #endif #ifdef SSH_AUDIT_EVENTS -@@ -244,11 +245,17 @@ struct mon_table mon_dispatch_proto20[] +@@ -243,11 +244,17 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -516,7 +516,7 @@ #ifdef WITH_OPENSSL {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, #endif -@@ -363,6 +370,10 @@ monitor_child_preauth(Authctxt *_authctx +@@ -362,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctx /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 
@@ -527,7 +527,7 @@ } else { mon_dispatch = mon_dispatch_proto15; -@@ -502,6 +513,10 @@ monitor_child_postauth(struct monitor *p +@@ -501,6 +512,10 @@ monitor_child_postauth(struct monitor *p monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -538,7 +538,7 @@ } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1927,6 +1942,13 @@ monitor_apply_keystate(struct monitor *p +@@ -1924,6 +1939,13 @@ monitor_apply_keystate(struct monitor *p # endif #endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kexc25519_server; @@ -552,7 +552,7 @@ kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; -@@ -2026,6 +2048,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -2023,6 +2045,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -562,7 +562,7 @@ goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -2053,6 +2078,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2050,6 +2075,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -572,7 +572,7 @@ in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -2070,6 +2098,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2067,6 +2095,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -580,7 +580,7 @@ } return (0); } -@@ -2081,6 +2110,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2078,6 +2107,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; 
@@ -590,7 +590,7 @@ gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2107,6 +2139,9 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2104,6 +2136,9 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -600,7 +600,7 @@ authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); buffer_clear(m); -@@ -2120,5 +2155,47 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2117,5 +2152,47 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -707,7 +707,7 @@ diff -pur old/readconf.c new/readconf.c --- old/readconf.c +++ new/readconf.c -@@ -147,6 +147,7 @@ typedef enum { +@@ -148,6 +148,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -715,7 +715,7 @@ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -198,11 +199,15 @@ static struct { +@@ -199,11 +200,15 @@ static struct { { "gssauthentication", oGssAuthentication }, /* alias */ { "gssapidelegatecredentials", oGssDelegateCreds }, { "gssdelegatecreds", oGssDelegateCreds }, /* alias */ @@ -731,7 +731,7 @@ #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -933,6 +938,10 @@ parse_time: +@@ -965,6 +970,10 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -742,7 +742,7 @@ case oGssDelegateCreds: intptr = &options->gss_deleg_creds; goto parse_flag; -@@ -1647,6 +1656,7 @@ initialize_options(Options * options) +@@ -1694,6 +1703,7 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; 
@@ -750,7 +750,7 @@ options->gss_deleg_creds = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; -@@ -1786,6 +1796,12 @@ fill_default_options(Options * options) +@@ -1834,6 +1844,12 @@ fill_default_options(Options * options) #else options->gss_authentication = 0; #endif @@ -785,7 +785,7 @@ options->gss_cleanup_creds = -1; options->gss_strict_acceptor = -1; options->password_authentication = -1; -@@ -300,6 +301,12 @@ fill_default_server_options(ServerOption +@@ -312,6 +313,12 @@ fill_default_server_options(ServerOption #else options->gss_authentication = 0; #endif @@ -798,7 +798,7 @@ if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->gss_strict_acceptor == -1) -@@ -442,6 +449,7 @@ typedef enum { +@@ -449,6 +456,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, @@ -806,7 +806,7 @@ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, -@@ -519,6 +527,8 @@ static struct { +@@ -526,6 +534,8 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */ @@ -815,7 +815,7 @@ #ifdef USE_GSS_STORE_CRED { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #else /* USE_GSS_STORE_CRED */ -@@ -528,6 +538,8 @@ static struct { +@@ -535,6 +545,8 @@ static struct { #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */ 
@@ -824,7 +824,7 @@ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, #endif -@@ -1311,6 +1323,10 @@ process_server_config_line(ServerOptions +@@ -1319,6 +1331,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -835,7 +835,7 @@ case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -2357,6 +2373,7 @@ dump_config(ServerOptions *o) +@@ -2373,6 +2389,7 @@ dump_config(ServerOptions *o) #endif #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); @@ -907,10 +907,10 @@ diff -pur old/ssh_config.5 new/ssh_config.5 --- old/ssh_config.5 +++ new/ssh_config.5 -@@ -757,6 +757,12 @@ Specifies whether user authentication ba +@@ -834,6 +834,12 @@ The default is + Specifies whether user authentication based on GSSAPI is allowed. The default on Solaris is .Dq yes . - Note that this option applies to protocol version 2 only. +.It Cm GSSAPIKeyExchange +Specifies whether key exchange based on GSSAPI may be used. When using +GSSAPI key exchange the server need not have a host key. @@ -923,19 +923,19 @@ diff -pur old/sshconnect2.c new/sshconnect2.c --- old/sshconnect2.c +++ new/sshconnect2.c -@@ -163,12 +163,37 @@ ssh_kex2(char *host, struct sockaddr *ho - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; +@@ -164,11 +164,35 @@ ssh_kex2(char *host, struct sockaddr *ho + char *s; struct kex *kex; int r; +#ifdef GSSAPI + char *orig = NULL, *gss = NULL; + char *gss_host = NULL; +#endif -+ xxx_host = host; xxx_hostaddr = hostaddr; +- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + 
@@ -956,13 +956,11 @@ + } +#endif + - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -- options.kex_algorithms); -+ myproposal[PROPOSAL_KEX_ALGS]); ++ if (!(s = kex_names_cat(myproposal[PROPOSAL_KEX_ALGS], "ext-info-c"))) + fatal("%s: kex_names_cat", __func__); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(options.ciphers); - myproposal[PROPOSAL_ENC_ALGS_STOC] = -@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -199,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho order_hostkeyalgs(host, hostaddr, port)); } @@ -980,7 +978,7 @@ if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); -@@ -215,9 +251,22 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -217,9 +252,22 @@ ssh_kex2(char *host, struct sockaddr *ho # endif #endif kex->kex[KEX_C25519_SHA256] = kexc25519_client; @@ -1003,7 +1001,7 @@ dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); -@@ -310,6 +359,7 @@ int input_gssapi_token(int type, u_int32 +@@ -315,6 +363,7 @@ int input_gssapi_token(int type, u_int32 int input_gssapi_hash(int type, u_int32_t, void *); int input_gssapi_error(int, u_int32_t, void *); int input_gssapi_errtok(int, u_int32_t, void *); @@ -1011,7 +1009,7 @@ #endif void userauth(Authctxt *, char *); -@@ -325,6 +375,11 @@ static char *authmethods_get(void); +@@ -330,6 +379,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -1023,7 +1021,7 @@ {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -649,7 +704,10 @@ userauth_gssapi(Authctxt *authctxt) +@@ -678,7 +732,10 @@ userauth_gssapi(Authctxt *authctxt) * once. */ if (gss_supported == NULL) 
@@ -1035,7 +1033,7 @@ /* Check to see if the mechanism is usable before we offer it */ while (mech < gss_supported->count && !ok) { -@@ -753,8 +811,8 @@ input_gssapi_response(int type, u_int32_ +@@ -782,8 +839,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -1046,7 +1044,7 @@ if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -867,6 +925,48 @@ input_gssapi_error(int type, u_int32_t p +@@ -896,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p free(lang); return 0; } @@ -1098,7 +1096,7 @@ diff -pur old/sshd.c new/sshd.c --- old/sshd.c +++ new/sshd.c -@@ -1827,10 +1827,13 @@ main(int ac, char **av) +@@ -1833,10 +1833,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -1112,7 +1110,7 @@ if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -2588,6 +2591,48 @@ do_ssh2_kex(void) +@@ -2596,6 +2599,48 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); @@ -1161,7 +1159,7 @@ /* start key exchange */ if ((r = kex_setup(active_state, myproposal)) != 0) fatal("kex_setup: %s", ssh_err(r)); -@@ -2602,6 +2647,13 @@ do_ssh2_kex(void) +@@ -2610,6 +2655,13 @@ do_ssh2_kex(void) # endif #endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; 
@@ -1178,28 +1176,27 @@ diff -pur old/sshd_config.5 new/sshd_config.5 --- old/sshd_config.5 +++ new/sshd_config.5 -@@ -621,6 +621,12 @@ Specifies whether user authentication ba +@@ -623,6 +623,11 @@ The default is + Specifies whether user authentication based on GSSAPI is allowed. The default on Solaris is .Dq yes . - Note that this option applies to protocol version 2 only. +.It Cm GSSAPIKeyExchange +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +doesn't rely on ssh keys to verify host identity. +The default on Solaris is +.Dq yes . -+Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache on logout. diff -pur old/sshkey.c new/sshkey.c --- old/sshkey.c +++ new/sshkey.c -@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = +@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = # endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ + { "null", "null", KEY_NULL, 0, 0 }, - { NULL, NULL, -1, -1, 0 } + { NULL, NULL, -1, -1, 0, 0 } }; diff -pur old/sshkey.h new/sshkey.h diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/024-disable_ed25519.patch --- a/components/openssh/patches/024-disable_ed25519.patch Wed Apr 20 13:13:57 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,2140 +0,0 @@ -# -# Per Solaris crypto team recommendation, we need to remove support for -# Curve25519 from OpenSSH. -# -# Patch offered upstream but rejected: -# https://bugzilla.mindrot.org/show_bug.cgi?id=2376 -# -diff -pur old/Makefile.in new/Makefile.in ---- old/Makefile.in -+++ new/Makefile.in -@@ -155,7 +155,7 @@ $(SSHDOBJS): Makefile.in config.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ - - LIBCOMPAT=openbsd-compat/libopenbsd-compat.a --$(LIBCOMPAT): always -+$(LIBCOMPAT): always libssh.a - (cd openbsd-compat && $(MAKE)) - always: - -diff -pur old/authfd.c new/authfd.c ---- old/authfd.c -+++ new/authfd.c -@@ -565,8 +565,10 @@ ssh_add_identity_constrained(int sock, s - case KEY_ECDSA: - case KEY_ECDSA_CERT: - #endif -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: -+#endif /* WITHOUT_ED25519 */ - type = constrained ? - SSH2_AGENTC_ADD_ID_CONSTRAINED : - SSH2_AGENTC_ADD_IDENTITY; -diff -pur old/authfile.c new/authfile.c ---- old/authfile.c -+++ new/authfile.c -@@ -449,7 +449,9 @@ sshkey_load_private_cert(int type, const - case KEY_DSA: - case KEY_ECDSA: - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - break; - default: -diff -pur old/dns.c new/dns.c ---- old/dns.c -+++ new/dns.c -@@ -100,11 +100,13 @@ dns_read_key(u_int8_t *algorithm, u_int8 - if (!*digest_type) - *digest_type = SSHFP_HASH_SHA256; - break; -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - *algorithm = SSHFP_KEY_ED25519; - if (!*digest_type) - *digest_type = SSHFP_HASH_SHA256; - break; -+#endif /* WITHOUT_ED25519 */ - default: - *algorithm = SSHFP_KEY_RESERVED; /* 0 */ - *digest_type = SSHFP_HASH_RESERVED; /* 0 */ -diff -pur old/dns.h new/dns.h ---- old/dns.h -+++ new/dns.h -@@ -33,7 +33,9 @@ enum sshfp_types { - SSHFP_KEY_RSA = 1, - SSHFP_KEY_DSA = 2, - SSHFP_KEY_ECDSA = 3, -- SSHFP_KEY_ED25519 = 4 -+#ifndef WITHOUT_ED25519 -+ SSHFP_KEY_ED25519 = 4 -+#endif /* WITHOUT_ED25519 */ - }; - - 
enum sshfp_hashes { -diff -pur old/ed25519.c new/ed25519.c ---- old/ed25519.c -+++ new/ed25519.c -@@ -7,6 +7,7 @@ - */ - - #include "includes.h" -+#ifndef WITHOUT_ED25519 - #include "crypto_api.h" - - #include "ge25519.h" -@@ -142,3 +143,4 @@ int crypto_sign_ed25519_open( - } - return ret; - } -+#endif /* WITHOUT_ED25519 */ -diff -pur old/fe25519.c new/fe25519.c ---- old/fe25519.c -+++ new/fe25519.c -@@ -8,6 +8,7 @@ - - #include "includes.h" - -+#ifndef WITHOUT_ED25519 - #define WINDOWSIZE 1 /* Should be 1,2, or 4 */ - #define WINDOWMASK ((1< - - #include -@@ -131,3 +132,4 @@ kex_c25519_hash( - #endif - return 0; - } -+#endif /* WITHOUT_ED25519 */ -diff -pur old/kexc25519c.c new/kexc25519c.c ---- old/kexc25519c.c -+++ new/kexc25519c.c -@@ -27,6 +27,7 @@ - - #include "includes.h" - -+#ifndef WITHOUT_ED25519 - #include - - #include -@@ -168,3 +169,4 @@ out: - sshbuf_free(shared_secret); - return r; - } -+#endif /* WITHOUT_ED25519 */ -diff -pur old/kexc25519s.c new/kexc25519s.c ---- old/kexc25519s.c -+++ new/kexc25519s.c -@@ -26,6 +26,8 @@ - - #include "includes.h" - -+#ifndef WITHOUT_ED25519 -+ - #include - #include - #include -@@ -157,3 +159,4 @@ out: - sshbuf_free(shared_secret); - return r; - } -+#endif /* WITHOUT_ED25519 */ -diff -pur old/monitor.c new/monitor.c ---- old/monitor.c -+++ new/monitor.c -@@ -1941,7 +1941,9 @@ monitor_apply_keystate(struct monitor *p - kex->kex[KEX_ECDH_SHA2] = kexecdh_server; - # endif - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - kex->kex[KEX_C25519_SHA256] = kexc25519_server; -+#endif /* WITHOUT_ED25519 */ - #ifdef GSSAPI - if (options.gss_keyex) { - kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; -diff -pur old/myproposal.h new/myproposal.h ---- old/myproposal.h -+++ new/myproposal.h -@@ -59,6 +59,20 @@ - # define HOSTKEY_ECDSA_METHODS - #endif - -+#ifndef WITHOUT_ED25519 -+# if defined(WITH_OPENSSL) && defined(HAVE_EVP_SHA256) -+# define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org," -+# else -+# define 
KEX_CURVE25519_METHODS -+# endif -+# define HOSTKEY_CURVE25519_CERT_METHODS "ssh-ed25519-cert-v01@openssh.com," -+# define HOSTKEY_CURVE25519_METHODS "ssh-ed25519," -+#else -+# define KEX_CURVE25519_METHODS -+# define HOSTKEY_CURVE25519_CERT_METHODS -+# define HOSTKEY_CURVE25519_METHODS -+#endif /* WITHOUT_ED25519 */ -+ - #ifdef OPENSSL_HAVE_EVPGCM - # define AESGCM_CIPHER_MODES \ - ",aes128-gcm@openssh.com,aes256-gcm@openssh.com" -@@ -78,11 +92,6 @@ - #endif - - #ifdef WITH_OPENSSL --# ifdef HAVE_EVP_SHA256 --# define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org," --# else --# define KEX_CURVE25519_METHODS "" --# endif - #define KEX_COMMON_KEX \ - KEX_CURVE25519_METHODS \ - KEX_ECDH_METHODS \ -@@ -97,10 +106,10 @@ - - #define KEX_DEFAULT_PK_ALG \ - HOSTKEY_ECDSA_CERT_METHODS \ -- "ssh-ed25519-cert-v01@openssh.com," \ -+ HOSTKEY_CURVE25519_CERT_METHODS \ - "ssh-rsa-cert-v01@openssh.com," \ - HOSTKEY_ECDSA_METHODS \ -- "ssh-ed25519," \ -+ HOSTKEY_CURVE25519_METHODS \ - "ssh-rsa" \ - - /* the actual algorithms */ -@@ -141,10 +150,10 @@ - #else - - #define KEX_SERVER_KEX \ -- "curve25519-sha256@libssh.org" -+ KEX_CURVE25519_METHODS - #define KEX_DEFAULT_PK_ALG \ -- "ssh-ed25519-cert-v01@openssh.com," \ -- "ssh-ed25519" -+ HOSTKEY_CURVE25519_CERT_METHODS \ -+ HOSTKEY_CURVE25519_METHODS - #define KEX_SERVER_ENCRYPT \ - "chacha20-poly1305@openssh.com," \ - "aes128-ctr,aes192-ctr,aes256-ctr" -diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in ---- old/openbsd-compat/Makefile.in -+++ new/openbsd-compat/Makefile.in -@@ -32,7 +32,7 @@ $(OPENBSD): ../config.h - $(PORTS): ../config.h - - libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS) -- $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) -+ $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o - $(RANLIB) $@ - - clean: -diff -pur old/pathnames.h new/pathnames.h ---- old/pathnames.h -+++ new/pathnames.h -@@ -39,7 +39,9 @@ - #define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" - #define 
_PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" - #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" -+#ifndef WITHOUT_ED25519 - #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" -+#endif /* WITHOUT_ED25519 */ - #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" - #define _PATH_DH_MODULI SSHDIR "/moduli" - /* Backwards compatibility */ -@@ -78,7 +80,9 @@ - #define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa" - #define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa" - #define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa" -+#ifndef WITHOUT_ED25519 - #define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519" -+#endif /* WITHOUT_ED25519 */ - - /* - * Configuration file in user's home directory. This file need not be -diff -pur old/readconf.c new/readconf.c ---- old/readconf.c -+++ new/readconf.c -@@ -1846,8 +1846,10 @@ fill_default_options(Options * options) - add_identity_file(options, "~/", - _PATH_SSH_CLIENT_ID_ECDSA, 0); - #endif -+#ifndef WITHOUT_ED25519 - add_identity_file(options, "~/", - _PATH_SSH_CLIENT_ID_ED25519, 0); -+#endif /* WITHOUT_ED25519 */ - } - } - if (options->escape_char == -1) -diff -pur old/servconf.c new/servconf.c ---- old/servconf.c -+++ new/servconf.c -@@ -222,8 +222,10 @@ fill_default_server_options(ServerOption - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_ECDSA_KEY_FILE; - #endif -+#ifndef WITHOUT_ED25519 - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_ED25519_KEY_FILE; -+#endif /* WITHOUT_ED25519 */ - } - } - /* No certificates by default */ -diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c ---- old/smult_curve25519_ref.c -+++ new/smult_curve25519_ref.c -@@ -6,6 +6,8 @@ Public domain. - Derived from public domain code by D. J. Bernstein. 
- */ - -+#ifndef WITHOUT_ED25519 -+ - int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *); - - static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32]) -@@ -263,3 +265,4 @@ int crypto_scalarmult_curve25519(unsigne - for (i = 0;i < 32;++i) q[i] = work[64 + i]; - return 0; - } -+#endif /* WITHOUT_ED25519 */ -diff -pur old/ssh-add.0 new/ssh-add.0 ---- old/ssh-add.0 -+++ new/ssh-add.0 -@@ -11,7 +11,7 @@ SYNOPSIS - DESCRIPTION - ssh-add adds private key identities to the authentication agent, - ssh-agent(1). When run without arguments, it adds the files -- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and -+ ~/.ssh/id_rsa, ~/.ssh/id_dsa, and - ~/.ssh/identity. After loading a private key, ssh-add will try to load - corresponding certificate information from the filename obtained by - appending -cert.pub to the name of the private key file. Alternative -@@ -97,14 +97,6 @@ FILES - Contains the protocol version 2 DSA authentication identity of - the user. - -- ~/.ssh/id_ecdsa -- Contains the protocol version 2 ECDSA authentication identity of -- the user. -- -- ~/.ssh/id_ed25519 -- Contains the protocol version 2 Ed25519 authentication identity -- of the user. -- - ~/.ssh/id_rsa - Contains the protocol version 2 RSA authentication identity of - the user. -diff -pur old/ssh-add.1 new/ssh-add.1 ---- old/ssh-add.1 -+++ new/ssh-add.1 -@@ -58,8 +58,6 @@ adds private key identities to the authe - When run without arguments, it adds the files - .Pa ~/.ssh/id_rsa , - .Pa ~/.ssh/id_dsa , --.Pa ~/.ssh/id_ecdsa , --.Pa ~/.ssh/id_ed25519 - and - .Pa ~/.ssh/identity . - After loading a private key, -@@ -178,10 +176,6 @@ socket used to communicate with the agen - Contains the protocol version 1 RSA authentication identity of the user. - .It Pa ~/.ssh/id_dsa - Contains the protocol version 2 DSA authentication identity of the user. 
--.It Pa ~/.ssh/id_ecdsa --Contains the protocol version 2 ECDSA authentication identity of the user. --.It Pa ~/.ssh/id_ed25519 --Contains the protocol version 2 Ed25519 authentication identity of the user. - .It Pa ~/.ssh/id_rsa - Contains the protocol version 2 RSA authentication identity of the user. - .El -diff -pur old/ssh-add.c new/ssh-add.c ---- old/ssh-add.c -+++ new/ssh-add.c -@@ -78,7 +78,9 @@ static char *default_files[] = { - _PATH_SSH_CLIENT_ID_ECDSA, - #endif - #endif /* WITH_OPENSSL */ -- _PATH_SSH_CLIENT_ID_ED25519, -+#ifndef WITHOUT_ED25519 -+ _PATH_SSH_CLIENT_ID_ED25519, -+#endif /* WITHOUT_ED25519 */ - #ifdef WITH_SSH1 - _PATH_SSH_CLIENT_IDENTITY, - #endif -diff -pur old/ssh-agent.0 new/ssh-agent.0 ---- old/ssh-agent.0 -+++ new/ssh-agent.0 -@@ -10,7 +10,7 @@ SYNOPSIS - - DESCRIPTION - ssh-agent is a program to hold private keys used for public key -- authentication (RSA, DSA, ECDSA, Ed25519). ssh-agent is usually started -+ authentication (RSA, DSA). ssh-agent is usually started - in the beginning of an X-session or a login session, and all other - windows or programs are started as clients to the ssh-agent program. - Through use of environment variables the agent can be located and -diff -pur old/ssh-agent.1 new/ssh-agent.1 ---- old/ssh-agent.1 -+++ new/ssh-agent.1 -@@ -54,7 +54,7 @@ - .Sh DESCRIPTION - .Nm - is a program to hold private keys used for public key authentication --(RSA, DSA, ECDSA, Ed25519). -+(RSA, DSA). 
- .Nm - is usually started in the beginning of an X-session or a login session, and - all other windows or programs are started as clients to the ssh-agent -diff -pur old/ssh-ed25519.c new/ssh-ed25519.c ---- old/ssh-ed25519.c -+++ new/ssh-ed25519.c -@@ -17,6 +17,8 @@ - - #include "includes.h" - -+#ifndef WITHOUT_ED25519 -+ - #include - #include - -@@ -164,3 +166,4 @@ ssh_ed25519_verify(const struct sshkey * - free(ktype); - return r; - } -+#endif /* WITHOUT_ED25519 */ -diff -pur old/ssh-keygen.0 new/ssh-keygen.0 ---- old/ssh-keygen.0 -+++ new/ssh-keygen.0 -@@ -4,7 +4,7 @@ NAME - ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion - - SYNOPSIS -- ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] -+ ssh-keygen [-q] [-b bits] [-t dsa | rsa | rsa1] - [-N new_passphrase] [-C comment] [-f output_keyfile] - ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] - ssh-keygen -i [-m key_format] [-f input_keyfile] -@@ -32,7 +32,7 @@ SYNOPSIS - DESCRIPTION - ssh-keygen generates, manages and converts authentication keys for - ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 -- and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2. -+ and DSA or RSA keys for use by SSH protocol version 2. - The type of key to be generated is specified with the -t option. If - invoked without any arguments, ssh-keygen will generate an RSA key for - use in SSH protocol 2 connections. -@@ -46,7 +46,7 @@ DESCRIPTION - - Normally each user wishing to use SSH with public key authentication runs - this once to create the authentication key in ~/.ssh/identity, -- ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. -+ ~/.ssh/id_dsa or ~/.ssh/id_rsa. - Additionally, the system administrator may use this to generate host - keys, as seen in /etc/rc. 
- -@@ -79,14 +79,14 @@ DESCRIPTION - - The options are as follows: - -- -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for -+ -A For each of the key types (rsa1, rsa and dsa) for - which host keys do not exist, generate the host keys with the - default key file path, an empty passphrase, default bits for the - key type, and default comment. This is used by /etc/rc to - generate new host keys. - - -a rounds -- When saving a new-format private key (i.e. an ed25519 key or any -+ When saving a new-format private key (i.e. - SSH protocol 2 key when the -o flag is set), this option - specifies the number of KDF (key derivation function) rounds - used. Higher numbers result in slower passphrase verification -@@ -103,12 +103,7 @@ DESCRIPTION - Specifies the number of bits in the key to create. For RSA keys, - the minimum size is 1024 bits and the default is 2048 bits. - Generally, 2048 bits is considered sufficient. DSA keys must be -- exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, -- the -b flag determines the key length by selecting from one of -- three elliptic curve sizes: 256, 384 or 521 bits. Attempting to -- use bit lengths other than these three values for ECDSA keys will -- fail. Ed25519 keys have a fixed length and the -b flag will be -- ignored. -+ exactly 1024 bits as specified by FIPS 186-2. - - -C comment - Provides a new comment. -@@ -279,7 +274,7 @@ DESCRIPTION - new OpenSSH format rather than the more compatible PEM format. - The new format has increased resistance to brute-force password - cracking but is not supported by versions of OpenSSH prior to -- 6.5. Ed25519 keys always use the new private key format. -+ 6.5. - - -P passphrase - Provides the (old) passphrase. -@@ -318,9 +313,9 @@ DESCRIPTION - Test DH group exchange candidate primes (generated using the -G - option) for safety. - -- -t dsa | ecdsa | ed25519 | rsa | rsa1 -+ -t dsa | rsa | rsa1 - Specifies the type of key to create. 
The possible values are -- M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or -+ M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or - M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2. - - -u Update a KRL. When specified with -k, keys listed via the -@@ -525,10 +520,8 @@ FILES - contents of this file secret. - - ~/.ssh/id_dsa -- ~/.ssh/id_ecdsa -- ~/.ssh/id_ed25519 - ~/.ssh/id_rsa -- Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA -+ Contains the protocol version 2 DSA or RSA - authentication identity of the user. This file should not be - readable by anyone but the user. It is possible to specify a - passphrase when generating the key; that passphrase will be used -@@ -538,10 +531,8 @@ FILES - read this file when a login attempt is made. - - ~/.ssh/id_dsa.pub -- ~/.ssh/id_ecdsa.pub -- ~/.ssh/id_ed25519.pub - ~/.ssh/id_rsa.pub -- Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public -+ Contains the protocol version 2 DSA or RSA public - key for authentication. The contents of this file should be - added to ~/.ssh/authorized_keys on all machines where the user - wishes to log in using public key authentication. There is no -diff -pur old/ssh-keygen.1 new/ssh-keygen.1 ---- old/ssh-keygen.1 -+++ new/ssh-keygen.1 -@@ -46,7 +46,7 @@ - .Nm ssh-keygen - .Op Fl q - .Op Fl b Ar bits --.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1 -+.Op Fl t Cm dsa | rsa | rsa1 - .Op Fl N Ar new_passphrase - .Op Fl C Ar comment - .Op Fl f Ar output_keyfile -@@ -142,7 +142,7 @@ generates, manages and converts authenti - .Xr ssh 1 . - .Nm - can create RSA keys for use by SSH protocol version 1 and --DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2. -+DSA or RSA keys for use by SSH protocol version 2. - The type of key to be generated is specified with the - .Fl t - option. 
-@@ -170,8 +170,6 @@ with public key authentication runs this - key in - .Pa ~/.ssh/identity , - .Pa ~/.ssh/id_dsa , --.Pa ~/.ssh/id_ecdsa , --.Pa ~/.ssh/id_ed25519 - or - .Pa ~/.ssh/id_rsa . - Additionally, the system administrator may use this to generate host keys, -@@ -219,7 +217,7 @@ should be placed to be activated. - The options are as follows: - .Bl -tag -width Ds - .It Fl A --For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) -+For each of the key types (rsa1, rsa and dsa) - for which host keys - do not exist, generate the host keys with the default key file path, - an empty passphrase, default bits for the key type, and default comment. -@@ -227,7 +225,7 @@ This is used by - .Pa /etc/rc - to generate new host keys. - .It Fl a Ar rounds --When saving a new-format private key (i.e. an ed25519 key or any SSH protocol -+When saving a new-format private key (i.e. SSH protocol - 2 key when the - .Fl o - flag is set), this option specifies the number of KDF (key derivation function) -@@ -247,15 +245,6 @@ Specifies the number of bits in the key - For RSA keys, the minimum size is 1024 bits and the default is 2048 bits. - Generally, 2048 bits is considered sufficient. - DSA keys must be exactly 1024 bits as specified by FIPS 186-2. --For ECDSA keys, the --.Fl b --flag determines the key length by selecting from one of three elliptic --curve sizes: 256, 384 or 521 bits. --Attempting to use bit lengths other than these three values for ECDSA keys --will fail. --Ed25519 keys have a fixed length and the --.Fl b --flag will be ignored. - .It Fl C Ar comment - Provides a new comment. - .It Fl c -@@ -478,7 +467,6 @@ to save SSH protocol 2 private keys usin - the more compatible PEM format. - The new format has increased resistance to brute-force password cracking - but is not supported by versions of OpenSSH prior to 6.5. --Ed25519 keys always use the new private key format. - .It Fl P Ar passphrase - Provides the (old) passphrase. 
- .It Fl p -@@ -524,14 +512,12 @@ section for details. - Test DH group exchange candidate primes (generated using the - .Fl G - option) for safety. --.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1 -+.It Fl t Cm dsa | rsa | rsa1 - Specifies the type of key to create. - The possible values are - .Dq rsa1 - for protocol version 1 and - .Dq dsa , --.Dq ecdsa , --.Dq ed25519 , - or - .Dq rsa - for protocol version 2. -@@ -810,10 +796,8 @@ where the user wishes to log in using RS - There is no need to keep the contents of this file secret. - .Pp - .It Pa ~/.ssh/id_dsa --.It Pa ~/.ssh/id_ecdsa --.It Pa ~/.ssh/id_ed25519 - .It Pa ~/.ssh/id_rsa --Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA -+Contains the protocol version 2 DSA or RSA - authentication identity of the user. - This file should not be readable by anyone but the user. - It is possible to -@@ -826,10 +810,8 @@ but it is offered as the default file fo - will read this file when a login attempt is made. - .Pp - .It Pa ~/.ssh/id_dsa.pub --.It Pa ~/.ssh/id_ecdsa.pub --.It Pa ~/.ssh/id_ed25519.pub - .It Pa ~/.ssh/id_rsa.pub --Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA -+Contains the protocol version 2 DSA or RSA - public key for authentication. 
- The contents of this file should be added to - .Pa ~/.ssh/authorized_keys -diff -pur old/ssh-keygen.c new/ssh-keygen.c ---- old/ssh-keygen.c -+++ new/ssh-keygen.c -@@ -217,7 +217,11 @@ type_bits_valid(int type, const char *na - fatal("key bits exceeds maximum %d", maxbits); - if (type == KEY_DSA && *bitsp != 1024) - fatal("DSA keys must be 1024 bits"); -- else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024) -+ else if (type != KEY_ECDSA && -+#ifndef WITHOUT_ED25519 -+ type != KEY_ED25519 && -+#endif /* WITHOUT_ED25519 */ -+ *bitsp < 1024) - fatal("Key must at least be 1024 bits"); - else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1) - fatal("Invalid ECDSA key length - valid lengths are " -@@ -252,10 +256,12 @@ ask_filename(struct passwd *pw, const ch - case KEY_RSA: - name = _PATH_SSH_CLIENT_ID_RSA; - break; -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - name = _PATH_SSH_CLIENT_ID_ED25519; - break; -+#endif /* WITHOUT_ED25519 */ - default: - fatal("bad key type"); - } -@@ -939,7 +945,9 @@ do_gen_all_hostkeys(struct passwd *pw) - { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, - #endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -- { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, -+#ifndef WITHOUT_ED25519 -+ { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, -+#endif /* WITHOUT_ED25519 */ - { NULL, NULL, NULL } - }; - -@@ -1605,7 +1613,10 @@ do_ca_sign(struct passwd *pw, int argc, - fatal("%s: unable to open \"%s\": %s", - __func__, tmp, ssh_err(r)); - if (public->type != KEY_RSA && public->type != KEY_DSA && -- public->type != KEY_ECDSA && public->type != KEY_ED25519) -+#ifndef WITHOUT_ED25519 -+ public->type != KEY_ED25519 && -+#endif /* WITHOUT_ED25519 */ -+ public->type != KEY_ECDSA) - fatal("%s: key \"%s\" type %s cannot be certified", - __func__, tmp, sshkey_type(public)); - -@@ -2502,8 +2513,10 @@ main(int argc, char **argv) - _PATH_HOST_DSA_KEY_FILE, rr_hostname); - n += 
do_print_resource_record(pw, - _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); -+#ifndef WITHOUT_ED25519 - n += do_print_resource_record(pw, - _PATH_HOST_ED25519_KEY_FILE, rr_hostname); -+#endif /* WITHOUT_ED25519 */ - if (n == 0) - fatal("no keys found."); - exit(0); -diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0 ---- old/ssh-keyscan.0 -+++ new/ssh-keyscan.0 -@@ -48,9 +48,9 @@ DESCRIPTION - -t type - Specifies the type of the key to fetch from the scanned hosts. - The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], -- M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2. Multiple -+ or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2. Multiple - values may be specified by separating them with commas. The -- default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys. -+ default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^] keys. - - -v Verbose mode. Causes ssh-keyscan to print debugging messages - about its progress. -@@ -72,12 +72,11 @@ FILES - - host-or-namelist bits exponent modulus - -- Output format for RSA, DSA, ECDSA, and Ed25519 keys: -+ Output format for RSA, and DSA keys: - - host-or-namelist keytype base64-encoded-key - -- Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], -- M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. -+ Where keytype is either M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. 
- - /etc/ssh/ssh_known_hosts - -@@ -89,7 +88,7 @@ EXAMPLES - Find all hosts from the file ssh_hosts which have new or different keys - from those in the sorted file ssh_known_hosts: - -- $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ -+ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ - sort -u - ssh_known_hosts | diff ssh_known_hosts - - - SEE ALSO -diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1 ---- old/ssh-keyscan.1 -+++ new/ssh-keyscan.1 -@@ -90,18 +90,13 @@ Specifies the type of the key to fetch f - The possible values are - .Dq rsa1 - for protocol version 1 and --.Dq dsa , --.Dq ecdsa , --.Dq ed25519 , -+.Dq dsa - or - .Dq rsa - for protocol version 2. - Multiple values may be specified by separating them with commas. - The default is to fetch --.Dq rsa , --.Dq ecdsa , --and --.Dq ed25519 -+.Dq rsa - keys. - .It Fl v - Verbose mode. -@@ -130,7 +125,7 @@ Output format for RSA1 keys: - host-or-namelist bits exponent modulus - .Ed - .Pp --Output format for RSA, DSA, ECDSA, and Ed25519 keys: -+Output format for RSA and DSA keys: - .Bd -literal - host-or-namelist keytype base64-encoded-key - .Ed -@@ -138,10 +133,6 @@ host-or-namelist keytype base64-encoded- - Where - .Ar keytype - is either --.Dq ecdsa-sha2-nistp256 , --.Dq ecdsa-sha2-nistp384 , --.Dq ecdsa-sha2-nistp521 , --.Dq ssh-ed25519 , - .Dq ssh-dss - or - .Dq ssh-rsa . 
-@@ -159,7 +150,7 @@ Find all hosts from the file - which have new or different keys from those in the sorted file - .Pa ssh_known_hosts : - .Bd -literal --$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e -+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e - sort -u - ssh_known_hosts | diff ssh_known_hosts - - .Ed - .Sh SEE ALSO -diff -pur old/ssh-keyscan.c new/ssh-keyscan.c ---- old/ssh-keyscan.c -+++ new/ssh-keyscan.c -@@ -286,7 +286,9 @@ keygrab_ssh2(con *c) - c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client; - # endif - #endif -+#ifndef WITHOUT_ED25519 - c->c_ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client; -+#endif /* WITHOUT_ED25519 */ - ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper); - /* - * do the key-exchange until an error occurs or until -@@ -612,10 +614,15 @@ do_host(char *host) - { - char *name = strnnsep(&host, " \t\n"); - int j; -+#ifndef WITHOUT_ED25519 -+ int max_kt = KT_ED25519; -+#else -+ int max_kt = KT_ECDSA; -+#endif /* WITHOUT_ED25519 */ - - if (name == NULL) - return; -- for (j = KT_RSA1; j <= KT_ED25519; j *= 2) { -+ for (j = KT_RSA1; j <= max_kt; j *= 2) { - if (get_keytypes & j) { - while (ncon >= MAXCON) - conloop(); -@@ -719,9 +726,11 @@ main(int argc, char **argv) - case KEY_RSA: - get_keytypes |= KT_RSA; - break; -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - get_keytypes |= KT_ED25519; - break; -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - fatal("unknown key type %s", tname); - } -diff -pur old/ssh-keysign.0 new/ssh-keysign.0 ---- old/ssh-keysign.0 -+++ new/ssh-keysign.0 -@@ -24,8 +24,6 @@ FILES - Controls whether ssh-keysign is enabled. - - /etc/ssh/ssh_host_dsa_key -- /etc/ssh/ssh_host_ecdsa_key -- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key - These files contain the private parts of the host keys used to - generate the digital signature. They should be owned by root, -@@ -34,8 +32,6 @@ FILES - host-based authentication is used. 
- - /etc/ssh/ssh_host_dsa_key-cert.pub -- /etc/ssh/ssh_host_ecdsa_key-cert.pub -- /etc/ssh/ssh_host_ed25519_key-cert.pub - /etc/ssh/ssh_host_rsa_key-cert.pub - If these files exist they are assumed to contain public - certificate information corresponding with the private keys -diff -pur old/ssh-keysign.8 new/ssh-keysign.8 ---- old/ssh-keysign.8 -+++ new/ssh-keysign.8 -@@ -62,8 +62,6 @@ Controls whether - is enabled. - .Pp - .It Pa /etc/ssh/ssh_host_dsa_key --.It Pa /etc/ssh/ssh_host_ecdsa_key --.It Pa /etc/ssh/ssh_host_ed25519_key - .It Pa /etc/ssh/ssh_host_rsa_key - These files contain the private parts of the host keys used to - generate the digital signature. -@@ -74,8 +72,6 @@ Since they are readable only by root, - must be set-uid root if host-based authentication is used. - .Pp - .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub --.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub --.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub - .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub - If these files exist they are assumed to contain public certificate - information corresponding with the private keys above. 
-diff -pur old/ssh-keysign.c new/ssh-keysign.c ---- old/ssh-keysign.c -+++ new/ssh-keysign.c -@@ -168,7 +168,7 @@ main(int argc, char **argv) - { - struct sshbuf *b; - Options options; --#define NUM_KEYTYPES 4 -+#define NUM_KEYTYPES 3 - struct sshkey *keys[NUM_KEYTYPES], *key = NULL; - struct passwd *pw; - int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd; -@@ -190,7 +190,9 @@ main(int argc, char **argv) - /* XXX This really needs to read sshd_config for the paths */ - key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); - key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); -+#ifndef WITHOUT_ED25519 - key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY); -+#endif /* WITHOUT_ED25519 */ - key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); - - original_real_uid = getuid(); /* XXX readconf.c needs this */ -diff -pur old/ssh.0 new/ssh.0 ---- old/ssh.0 -+++ new/ssh.0 -@@ -140,8 +140,8 @@ DESCRIPTION - -i identity_file - Selects a file from which the identity (private key) for public - key authentication is read. The default is ~/.ssh/identity for -- protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, -- ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. -+ protocol version 1, and ~/.ssh/id_dsa -+ and ~/.ssh/id_rsa for protocol version 2. - Identity files may also be specified on a per-host basis in the - configuration file. It is possible to have multiple -i options - (and multiple identities specified in configuration files). ssh -@@ -463,7 +463,7 @@ AUTHENTICATION - creates a public/private key pair for authentication purposes. The - server knows the public key, and only the user knows the private key. - ssh implements public key authentication protocol automatically, using -- one of the DSA, ECDSA, Ed25519 or RSA algorithms. Protocol 1 is -+ one of the DSA or RSA algorithms. Protocol 1 is - restricted to using only RSA keys, but protocol 2 may use any. 
The - HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA - algorithms. -@@ -476,11 +476,9 @@ AUTHENTICATION - - The user creates his/her key pair by running ssh-keygen(1). This stores - the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol -- 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2 -- Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in -- ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), -- ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2 -- Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home -+ 2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in -+ ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA) -+ or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home - directory. The user should then copy the public key to - ~/.ssh/authorized_keys in his/her home directory on the remote machine. - The authorized_keys file corresponds to the conventional ~/.rhosts file, -@@ -825,7 +823,7 @@ FILES - for the user, and not accessible by others. - - ~/.ssh/authorized_keys -- Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used -+ Lists the public keys (DSA, RSA) that can be used - for logging in as this user. The format of this file is - described in the sshd(8) manual page. This file is not highly - sensitive, but the recommended permissions are read/write for the -@@ -843,8 +841,6 @@ FILES - - ~/.ssh/identity - ~/.ssh/id_dsa -- ~/.ssh/id_ecdsa -- ~/.ssh/id_ed25519 - ~/.ssh/id_rsa - Contains the private key for authentication. These files contain - sensitive data and should be readable by the user but not -@@ -856,8 +852,6 @@ FILES - - ~/.ssh/identity.pub - ~/.ssh/id_dsa.pub -- ~/.ssh/id_ecdsa.pub -- ~/.ssh/id_ed25519.pub - ~/.ssh/id_rsa.pub - Contains the public key for authentication. These files are not - sensitive and can (but need not) be readable by anyone. 
-@@ -888,8 +882,6 @@ FILES - - /etc/ssh/ssh_host_key - /etc/ssh/ssh_host_dsa_key -- /etc/ssh/ssh_host_ecdsa_key -- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key - These files contain the private parts of the host keys and are - used for host-based authentication. If protocol version 1 is -diff -pur old/ssh.1 new/ssh.1 ---- old/ssh.1 -+++ new/ssh.1 -@@ -292,9 +292,7 @@ public key authentication is read. - The default is - .Pa ~/.ssh/identity - for protocol version 1, and --.Pa ~/.ssh/id_dsa , --.Pa ~/.ssh/id_ecdsa , --.Pa ~/.ssh/id_ed25519 -+.Pa ~/.ssh/id_dsa - and - .Pa ~/.ssh/id_rsa - for protocol version 2. -@@ -848,7 +846,7 @@ key pair for authentication purposes. - The server knows the public key, and only the user knows the private key. - .Nm - implements public key authentication protocol automatically, --using one of the DSA, ECDSA, Ed25519 or RSA algorithms. -+using one of the DSA or RSA algorithms. - Protocol 1 is restricted to using only RSA keys, - but protocol 2 may use any. - The HISTORY section of -@@ -873,10 +871,6 @@ This stores the private key in - (protocol 1), - .Pa ~/.ssh/id_dsa - (protocol 2 DSA), --.Pa ~/.ssh/id_ecdsa --(protocol 2 ECDSA), --.Pa ~/.ssh/id_ed25519 --(protocol 2 Ed25519), - or - .Pa ~/.ssh/id_rsa - (protocol 2 RSA) -@@ -885,10 +879,6 @@ and stores the public key in - (protocol 1), - .Pa ~/.ssh/id_dsa.pub - (protocol 2 DSA), --.Pa ~/.ssh/id_ecdsa.pub --(protocol 2 ECDSA), --.Pa ~/.ssh/id_ed25519.pub --(protocol 2 Ed25519), - or - .Pa ~/.ssh/id_rsa.pub - (protocol 2 RSA) -@@ -1444,7 +1434,7 @@ secret, but the recommended permissions - and not accessible by others. - .Pp - .It Pa ~/.ssh/authorized_keys --Lists the public keys (DSA, ECDSA, Ed25519, RSA) -+Lists the public keys (DSA, RSA) - that can be used for logging in as this user. - The format of this file is described in the - .Xr sshd 8 -@@ -1466,8 +1456,6 @@ above. 
- .Pp - .It Pa ~/.ssh/identity - .It Pa ~/.ssh/id_dsa --.It Pa ~/.ssh/id_ecdsa --.It Pa ~/.ssh/id_ed25519 - .It Pa ~/.ssh/id_rsa - Contains the private key for authentication. - These files -@@ -1481,8 +1469,6 @@ sensitive part of this file using 3DES. - .Pp - .It Pa ~/.ssh/identity.pub - .It Pa ~/.ssh/id_dsa.pub --.It Pa ~/.ssh/id_ecdsa.pub --.It Pa ~/.ssh/id_ed25519.pub - .It Pa ~/.ssh/id_rsa.pub - Contains the public key for authentication. - These files are not -@@ -1521,8 +1507,6 @@ The file format and configuration option - .Pp - .It Pa /etc/ssh/ssh_host_key - .It Pa /etc/ssh/ssh_host_dsa_key --.It Pa /etc/ssh/ssh_host_ecdsa_key --.It Pa /etc/ssh/ssh_host_ed25519_key - .It Pa /etc/ssh/ssh_host_rsa_key - These files contain the private parts of the host keys - and are used for host-based authentication. -diff -pur old/ssh.c new/ssh.c ---- old/ssh.c -+++ new/ssh.c -@@ -1233,8 +1233,10 @@ main(int ac, char **av) - sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA, - _PATH_HOST_ECDSA_KEY_FILE, "", NULL); - #endif -+#ifndef WITHOUT_ED25519 - sensitive_data.keys[2] = key_load_private_cert(KEY_ED25519, - _PATH_HOST_ED25519_KEY_FILE, "", NULL); -+#endif /* WITHOUT_ED25519 */ - sensitive_data.keys[3] = key_load_private_cert(KEY_RSA, - _PATH_HOST_RSA_KEY_FILE, "", NULL); - sensitive_data.keys[4] = key_load_private_cert(KEY_DSA, -@@ -1243,8 +1245,10 @@ main(int ac, char **av) - sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA, - _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL); - #endif -+#ifndef WITHOUT_ED25519 - sensitive_data.keys[6] = key_load_private_type(KEY_ED25519, - _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL); -+#endif /* WITHOUT_ED25519 */ - sensitive_data.keys[7] = key_load_private_type(KEY_RSA, - _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); - sensitive_data.keys[8] = key_load_private_type(KEY_DSA, -@@ -1261,8 +1265,10 @@ main(int ac, char **av) - sensitive_data.keys[1] = key_load_cert( - _PATH_HOST_ECDSA_KEY_FILE); - #endif -+#ifndef WITHOUT_ED25519 - 
sensitive_data.keys[2] = key_load_cert( - _PATH_HOST_ED25519_KEY_FILE); -+#endif /* WITHOUT_ED25519 */ - sensitive_data.keys[3] = key_load_cert( - _PATH_HOST_RSA_KEY_FILE); - sensitive_data.keys[4] = key_load_cert( -@@ -1271,8 +1277,10 @@ main(int ac, char **av) - sensitive_data.keys[5] = key_load_public( - _PATH_HOST_ECDSA_KEY_FILE, NULL); - #endif -+#ifndef WITHOUT_ED25519 - sensitive_data.keys[6] = key_load_public( - _PATH_HOST_ED25519_KEY_FILE, NULL); -+#endif /* WITHOUT_ED25519 */ - sensitive_data.keys[7] = key_load_public( - _PATH_HOST_RSA_KEY_FILE, NULL); - sensitive_data.keys[8] = key_load_public( -diff -pur old/ssh_api.c new/ssh_api.c ---- old/ssh_api.c -+++ new/ssh_api.c -@@ -109,7 +109,9 @@ ssh_init(struct ssh **sshp, int is_serve - ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server; - # endif - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_server; -+#endif /* WITHOUT_ED25519 */ - ssh->kex->load_host_public_key=&_ssh_host_public_key; - ssh->kex->load_host_private_key=&_ssh_host_private_key; - ssh->kex->sign=&_ssh_host_key_sign; -@@ -123,7 +125,9 @@ ssh_init(struct ssh **sshp, int is_serve - ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client; - # endif - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client; -+#endif /* WITHOUT_ED25519 */ - ssh->kex->verify_host_key =&_ssh_verify_host_key; - } - *sshp = ssh; -diff -pur old/ssh_config.0 new/ssh_config.0 ---- old/ssh_config.0 -+++ new/ssh_config.0 -@@ -444,13 +444,8 @@ DESCRIPTION - specified key types will be appended to the default set instead - of replacing them. 
The default for this option is: - -- ecdsa-sha2-nistp256-cert-v01@openssh.com, -- ecdsa-sha2-nistp384-cert-v01@openssh.com, -- ecdsa-sha2-nistp521-cert-v01@openssh.com, -- ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, -- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -- ssh-ed25519,ssh-rsa -+ ssh-rsa - - The -Q option of ssh(1) may be used to list supported key types. - -@@ -461,13 +456,8 @@ DESCRIPTION - key types will be appended to the default set instead of - replacing them. The default for this option is: - -- ecdsa-sha2-nistp256-cert-v01@openssh.com, -- ecdsa-sha2-nistp384-cert-v01@openssh.com, -- ecdsa-sha2-nistp521-cert-v01@openssh.com, -- ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, -- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -- ssh-ed25519,ssh-rsa -+ ssh-rsa - - If hostkeys are known for the destination host then this default - is modified to prefer their algorithms. -@@ -503,10 +493,10 @@ DESCRIPTION - default is M-bM-^@M-^\noM-bM-^@M-^]. - - IdentityFile -- Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA -+ Specifies a file from which the user's DSA or RSA - authentication identity is read. The default is ~/.ssh/identity -- for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, -- ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. -+ for protocol version 1, and ~/.ssh/id_dsa -+ and ~/.ssh/id_rsa for protocol version 2. - Additionally, any identities represented by the authentication - agent will be used for authentication unless IdentitiesOnly is - set. ssh(1) will try to load certificate information from the -@@ -569,7 +559,6 @@ DESCRIPTION - will be appended to the default set instead of replacing them. 
- The default is: - -- curve25519-sha256@libssh.org, - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, - diffie-hellman-group-exchange-sha256, - diffie-hellman-group-exchange-sha1, -@@ -727,13 +716,8 @@ DESCRIPTION - types after it will be appended to the default instead of - replacing it. The default for this option is: - -- ecdsa-sha2-nistp256-cert-v01@openssh.com, -- ecdsa-sha2-nistp384-cert-v01@openssh.com, -- ecdsa-sha2-nistp521-cert-v01@openssh.com, -- ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, -- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -- ssh-ed25519,ssh-rsa -+ ssh-rsa - - The -Q option of ssh(1) may be used to list supported key types. - -diff -pur old/ssh_config.5 new/ssh_config.5 ---- old/ssh_config.5 -+++ new/ssh_config.5 -@@ -806,13 +806,8 @@ character, then the specified key types - instead of replacing them. - The default for this option is: - .Bd -literal -offset 3n --ecdsa-sha2-nistp256-cert-v01@openssh.com, --ecdsa-sha2-nistp384-cert-v01@openssh.com, --ecdsa-sha2-nistp521-cert-v01@openssh.com, --ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,ssh-rsa -+ssh-rsa - .Ed - .Pp - The -@@ -829,13 +824,8 @@ character, then the specified key types - instead of replacing them. - The default for this option is: - .Bd -literal -offset 3n --ecdsa-sha2-nistp256-cert-v01@openssh.com, --ecdsa-sha2-nistp384-cert-v01@openssh.com, --ecdsa-sha2-nistp521-cert-v01@openssh.com, --ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,ssh-rsa -+ssh-rsa - .Ed - .Pp - If hostkeys are known for the destination host then this default is modified -@@ -890,14 +880,12 @@ offers many different identities. - The default is - .Dq no . 
- .It Cm IdentityFile --Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication -+Specifies a file from which the user's DSA or RSA authentication - identity is read. - The default is - .Pa ~/.ssh/identity - for protocol version 1, and - .Pa ~/.ssh/id_dsa , --.Pa ~/.ssh/id_ecdsa , --.Pa ~/.ssh/id_ed25519 - and - .Pa ~/.ssh/id_rsa - for protocol version 2. -@@ -1014,7 +1002,6 @@ character, then the specified methods wi - instead of replacing them. - The default is: - .Bd -literal -offset indent --curve25519-sha256@libssh.org, - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, - diffie-hellman-group-exchange-sha256, - diffie-hellman-group-exchange-sha1, -@@ -1259,13 +1246,8 @@ character, then the key types after it w - instead of replacing it. - The default for this option is: - .Bd -literal -offset 3n --ecdsa-sha2-nistp256-cert-v01@openssh.com, --ecdsa-sha2-nistp384-cert-v01@openssh.com, --ecdsa-sha2-nistp521-cert-v01@openssh.com, --ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,ssh-rsa -+ssh-rsa - .Ed - .Pp - The -diff -pur old/sshconnect.c new/sshconnect.c ---- old/sshconnect.c -+++ new/sshconnect.c -@@ -1392,7 +1392,9 @@ show_other_keys(struct hostkeys *hostkey - KEY_RSA, - KEY_DSA, - KEY_ECDSA, -+#ifndef WITHOUT_ED25519 - KEY_ED25519, -+#endif /* WITHOUT_ED25519 */ - -1 - }; - int i, ret = 0; -diff -pur old/sshconnect2.c new/sshconnect2.c ---- old/sshconnect2.c -+++ new/sshconnect2.c -@@ -247,7 +247,9 @@ ssh_kex2(char *host, struct sockaddr *ho - kex->kex[KEX_ECDH_SHA2] = kexecdh_client; - # endif - #endif -+#ifndef WITHOUT_ED25519 - kex->kex[KEX_C25519_SHA256] = kexc25519_client; -+#endif /* WITHOUT_ED25519 */ - #ifdef GSSAPI - if (options.gss_keyex) { - kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; -diff -pur old/sshd.0 new/sshd.0 ---- old/sshd.0 -+++ new/sshd.0 -@@ -81,8 +81,7 @@ DESCRIPTION - be given if sshd is not run as root (as 
the normal host key files - are normally not readable by anyone but root). The default is - /etc/ssh/ssh_host_key for protocol version 1, and -- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key. -- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for -+ /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for - protocol version 2. It is possible to have multiple host key - files for the different protocol versions and host key - algorithms. -@@ -146,7 +145,7 @@ DESCRIPTION - AUTHENTICATION - The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to - use protocol 2 only, though this can be changed via the Protocol option -- in sshd_config(5). Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; -+ in sshd_config(5). Protocol 2 supports DSA and RSA keys; - protocol 1 only supports RSA keys. For both protocols, each host has a - host-specific key, normally 2048 bits, used to identify the host. - -@@ -279,15 +278,13 @@ AUTHORIZED_KEYS FILE FORMAT - starts with a number). The bits, exponent, modulus, and comment fields - give the RSA key for protocol version 1; the comment field is not used - for anything (but may be convenient for the user to identify the key). -- For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], -- M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or -- M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. -+ For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. - - Note that lines in this file are usually several hundred bytes long - (because of the size of the public key encoding) up to a limit of 8 - kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 - kilobits. 
You don't want to type them in; instead, copy the -- identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub -+ identity.pub, id_dsa.pub or the id_rsa.pub - file and edit it. - - sshd enforces a minimum RSA key modulus size for protocol 1 and protocol -@@ -514,7 +511,7 @@ FILES - for the user, and not accessible by others. - - ~/.ssh/authorized_keys -- Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used -+ Lists the public keys (DSA, RSA) that can be used - for logging in as this user. The format of this file is - described above. The content of the file is not highly - sensitive, but the recommended permissions are read/write for the -@@ -570,8 +567,6 @@ FILES - - /etc/ssh/ssh_host_key - /etc/ssh/ssh_host_dsa_key -- /etc/ssh/ssh_host_ecdsa_key -- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key - These files contain the private parts of the host keys. These - files should only be owned by root, readable only by root, and -@@ -580,8 +575,6 @@ FILES - - /etc/ssh/ssh_host_key.pub - /etc/ssh/ssh_host_dsa_key.pub -- /etc/ssh/ssh_host_ecdsa_key.pub -- /etc/ssh/ssh_host_ed25519_key.pub - /etc/ssh/ssh_host_rsa_key.pub - These files contain the public parts of the host keys. These - files should be world-readable but writable only by root. Their -diff -pur old/sshd.8 new/sshd.8 ---- old/sshd.8 -+++ new/sshd.8 -@@ -172,8 +172,6 @@ The default is - .Pa /etc/ssh/ssh_host_key - for protocol version 1, and - .Pa /etc/ssh/ssh_host_dsa_key , --.Pa /etc/ssh/ssh_host_ecdsa_key . --.Pa /etc/ssh/ssh_host_ed25519_key - and - .Pa /etc/ssh/ssh_host_rsa_key - for protocol version 2. -@@ -275,7 +273,7 @@ though this can be changed via the - .Cm Protocol - option in - .Xr sshd_config 5 . --Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; -+Protocol 2 supports DSA and RSA keys; - protocol 1 only supports RSA keys. 
- For both protocols, - each host has a host-specific key, -@@ -491,10 +489,6 @@ protocol version 1; the - comment field is not used for anything (but may be convenient for the - user to identify the key). - For protocol version 2 the keytype is --.Dq ecdsa-sha2-nistp256 , --.Dq ecdsa-sha2-nistp384 , --.Dq ecdsa-sha2-nistp521 , --.Dq ssh-ed25519 , - .Dq ssh-dss - or - .Dq ssh-rsa . -@@ -506,8 +500,6 @@ keys up to 16 kilobits. - You don't want to type them in; instead, copy the - .Pa identity.pub , - .Pa id_dsa.pub , --.Pa id_ecdsa.pub , --.Pa id_ed25519.pub , - or the - .Pa id_rsa.pub - file and edit it. -@@ -807,7 +799,7 @@ secret, but the recommended permissions - and not accessible by others. - .Pp - .It Pa ~/.ssh/authorized_keys --Lists the public keys (DSA, ECDSA, Ed25519, RSA) -+Lists the public keys (DSA, RSA) - that can be used for logging in as this user. - The format of this file is described above. - The content of the file is not highly sensitive, but the recommended -@@ -881,8 +873,6 @@ rlogin/rsh. - .Pp - .It Pa /etc/ssh/ssh_host_key - .It Pa /etc/ssh/ssh_host_dsa_key --.It Pa /etc/ssh/ssh_host_ecdsa_key --.It Pa /etc/ssh/ssh_host_ed25519_key - .It Pa /etc/ssh/ssh_host_rsa_key - These files contain the private parts of the host keys. - These files should only be owned by root, readable only by root, and not -@@ -893,8 +883,6 @@ does not start if these files are group/ - .Pp - .It Pa /etc/ssh/ssh_host_key.pub - .It Pa /etc/ssh/ssh_host_dsa_key.pub --.It Pa /etc/ssh/ssh_host_ecdsa_key.pub --.It Pa /etc/ssh/ssh_host_ed25519_key.pub - .It Pa /etc/ssh/ssh_host_rsa_key.pub - These files contain the public parts of the host keys. 
- These files should be world-readable but writable only by -diff -pur old/sshd.c new/sshd.c ---- old/sshd.c -+++ new/sshd.c -@@ -811,7 +811,9 @@ list_hostkey_types(void) - case KEY_RSA: - case KEY_DSA: - case KEY_ECDSA: -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: -+#endif /* WITHOUT_ED25519 */ - if (buffer_len(&b) > 0) - buffer_append(&b, ",", 1); - p = key_ssh_name(key); -@@ -826,7 +828,9 @@ list_hostkey_types(void) - case KEY_RSA_CERT: - case KEY_DSA_CERT: - case KEY_ECDSA_CERT: -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: -+#endif /* WITHOUT_ED25519 */ - if (buffer_len(&b) > 0) - buffer_append(&b, ",", 1); - p = key_ssh_name(key); -@@ -852,7 +856,9 @@ get_hostkey_by_type(int type, int nid, i - case KEY_RSA_CERT: - case KEY_DSA_CERT: - case KEY_ECDSA_CERT: -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: -+#endif /* WITHOUT_ED25519 */ - key = sensitive_data.host_certificates[i]; - break; - default: -@@ -1810,7 +1816,9 @@ main(int ac, char **av) - case KEY_RSA: - case KEY_DSA: - case KEY_ECDSA: -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: -+#endif /* WITHOUT_ED25519 */ - if (have_agent || key != NULL) - sensitive_data.have_ssh2_key = 1; - break; -@@ -2646,7 +2654,9 @@ do_ssh2_kex(void) - kex->kex[KEX_ECDH_SHA2] = kexecdh_server; - # endif - #endif -+#ifndef WITHOUT_ED25519 - kex->kex[KEX_C25519_SHA256] = kexc25519_server; -+#endif /* WITHOUT_ED25519 */ - #ifdef GSSAPI - if (options.gss_keyex) { - kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; -diff -pur old/sshd_config.0 new/sshd_config.0 ---- old/sshd_config.0 -+++ new/sshd_config.0 -@@ -403,13 +403,8 @@ DESCRIPTION - specified key types will be appended to the default set instead - of replacing them. 
The default for this option is: - -- ecdsa-sha2-nistp256-cert-v01@openssh.com, -- ecdsa-sha2-nistp384-cert-v01@openssh.com, -- ecdsa-sha2-nistp521-cert-v01@openssh.com, -- ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, -- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -- ssh-ed25519,ssh-rsa -+ ssh-rsa - - The -Q option of ssh(1) may be used to list supported key types. - -@@ -438,8 +433,7 @@ DESCRIPTION - HostKey - Specifies a file containing a private host key used by SSH. The - default is /etc/ssh/ssh_host_key for protocol version 1, and -- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, -- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for -+ /etc/ssh/ssh_host_dsa_key, and /etc/ssh/ssh_host_rsa_key for - protocol version 2. - - Note that sshd(8) will refuse to use a file if it is group/world- -@@ -447,7 +441,7 @@ DESCRIPTION - of the keys are actually used by sshd(8). - - It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are -- used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are -+ used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] are - used for version 2 of the SSH protocol. It is also possible to - specify public host key files instead. In this case operations - on the private key will be delegated to an ssh-agent(1). -@@ -462,13 +456,8 @@ DESCRIPTION - Specifies the protocol version 2 host key algorithms that the - server offers. 
The default for this option is: - -- ecdsa-sha2-nistp256-cert-v01@openssh.com, -- ecdsa-sha2-nistp384-cert-v01@openssh.com, -- ecdsa-sha2-nistp521-cert-v01@openssh.com, -- ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, -- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -- ssh-ed25519,ssh-rsa -+ ssh-rsa - - The list of available key types may also be obtained using the -Q - option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. -@@ -532,7 +521,6 @@ DESCRIPTION - will be appended to the default set instead of replacing them. - The supported algorithms are: - -- curve25519-sha256@libssh.org - diffie-hellman-group1-sha1 - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 -@@ -543,7 +531,6 @@ DESCRIPTION - - The default is: - -- curve25519-sha256@libssh.org, - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, - diffie-hellman-group-exchange-sha256, - diffie-hellman-group14-sha1 -@@ -787,13 +774,8 @@ DESCRIPTION - specified key types will be appended to the default set instead - of replacing them. The default for this option is: - -- ecdsa-sha2-nistp256-cert-v01@openssh.com, -- ecdsa-sha2-nistp384-cert-v01@openssh.com, -- ecdsa-sha2-nistp521-cert-v01@openssh.com, -- ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, -- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -- ssh-ed25519,ssh-rsa -+ ssh-rsa - - The -Q option of ssh(1) may be used to list supported key types. - -diff -pur old/sshd_config.5 new/sshd_config.5 ---- old/sshd_config.5 -+++ new/sshd_config.5 -@@ -712,8 +712,6 @@ The default is - .Pa /etc/ssh/ssh_host_key - for protocol version 1, and - .Pa /etc/ssh/ssh_host_dsa_key , --.Pa /etc/ssh/ssh_host_ecdsa_key , --.Pa /etc/ssh/ssh_host_ed25519_key - and - .Pa /etc/ssh/ssh_host_rsa_key - for protocol version 2. 
-@@ -730,8 +728,6 @@ It is possible to have multiple host key - .Dq rsa1 - keys are used for version 1 and - .Dq dsa , --.Dq ecdsa , --.Dq ed25519 - or - .Dq rsa - are used for version 2 of the SSH protocol. -@@ -878,8 +874,6 @@ The supported algorithms are: - .Pp - .Bl -item -compact -offset indent - .It --curve25519-sha256@libssh.org --.It - diffie-hellman-group1-sha1 - .It - diffie-hellman-group14-sha1 -@@ -897,7 +891,6 @@ ecdh-sha2-nistp521 - .Pp - The default is: - .Bd -literal -offset indent --curve25519-sha256@libssh.org, - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, - diffie-hellman-group-exchange-sha256, - diffie-hellman-group14-sha1 -diff -pur old/sshkey.c new/sshkey.c ---- old/sshkey.c -+++ new/sshkey.c -@@ -85,9 +85,11 @@ struct keytype { - int cert; - }; - static const struct keytype keytypes[] = { -+#ifndef WITHOUT_ED25519 - { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, - { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", - KEY_ED25519_CERT, 0, 1 }, -+#endif /* WITHOUT_ED25519 */ - #ifdef WITH_OPENSSL - { NULL, "RSA1", KEY_RSA1, 0, 0 }, - { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, -@@ -278,8 +280,10 @@ sshkey_size(const struct sshkey *k) - case KEY_ECDSA_CERT: - return sshkey_curve_nid_to_bits(k->ecdsa_nid); - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: -+#endif /* WITHOUT_ED25519 */ - return 256; /* XXX */ - } - return 0; -@@ -292,7 +296,9 @@ sshkey_type_is_valid_ca(int type) - case KEY_RSA: - case KEY_DSA: - case KEY_ECDSA: -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: -+#endif /* WITHOUT_ED25519 */ - return 1; - default: - return 0; -@@ -318,8 +324,10 @@ sshkey_type_plain(int type) - return KEY_DSA; - case KEY_ECDSA_CERT: - return KEY_ECDSA; -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: - return KEY_ED25519; -+#endif /* WITHOUT_ED25519 */ - default: - return type; - } -@@ -472,8 +480,10 @@ sshkey_new(int type) - k->dsa = NULL; - k->rsa = NULL; - k->cert = NULL; -+#ifndef 
WITHOUT_ED25519 - k->ed25519_sk = NULL; - k->ed25519_pk = NULL; -+#endif /* WITHOUT_ED25519 */ - switch (k->type) { - #ifdef WITH_OPENSSL - case KEY_RSA1: -@@ -508,10 +518,12 @@ sshkey_new(int type) - /* Cannot do anything until we know the group */ - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - /* no need to prealloc */ - break; -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - break; - default: -@@ -558,10 +570,12 @@ sshkey_add_private(struct sshkey *k) - /* Cannot do anything until we know the group */ - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - /* no need to prealloc */ - break; -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - break; - default: -@@ -613,6 +627,7 @@ sshkey_free(struct sshkey *k) - break; - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - if (k->ed25519_pk) { -@@ -626,6 +641,7 @@ sshkey_free(struct sshkey *k) - k->ed25519_sk = NULL; - } - break; -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - break; - default: -@@ -703,10 +719,12 @@ sshkey_equal_public(const struct sshkey - return 1; - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - return a->ed25519_pk != NULL && b->ed25519_pk != NULL && - memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; -+#endif /* WITHOUT_ED25519 */ - default: - return 0; - } -@@ -749,7 +767,9 @@ to_blob_buf(const struct sshkey *key, st - case KEY_ECDSA_CERT: - case KEY_RSA_CERT: - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: -+#endif /* WITHOUT_ED25519 */ - /* Use the existing blob */ - /* XXX modified flag? 
*/ - if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) -@@ -786,6 +806,7 @@ to_blob_buf(const struct sshkey *key, st - return ret; - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - if (key->ed25519_pk == NULL) - return SSH_ERR_INVALID_ARGUMENT; -@@ -794,6 +815,7 @@ to_blob_buf(const struct sshkey *key, st - key->ed25519_pk, ED25519_PK_SZ)) != 0) - return ret; - break; -+#endif /* WITHOUT_ED25519 */ - default: - return SSH_ERR_KEY_TYPE_UNKNOWN; - } -@@ -1267,11 +1289,13 @@ sshkey_read(struct sshkey *ret, char **c - case KEY_RSA: - case KEY_DSA: - case KEY_ECDSA: -- case KEY_ED25519: -+#ifndef WITHOUT_ED25519 -+ case KEY_ED25519: -+ case KEY_ED25519_CERT: -+#endif /* WITHOUT_ED25519 */ - case KEY_DSA_CERT: - case KEY_ECDSA_CERT: - case KEY_RSA_CERT: -- case KEY_ED25519_CERT: - space = strchr(cp, ' '); - if (space == NULL) - return SSH_ERR_INVALID_FORMAT; -@@ -1363,6 +1387,7 @@ sshkey_read(struct sshkey *ret, char **c - } - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - if (sshkey_type_plain(ret->type) == KEY_ED25519) { - free(ret->ed25519_pk); - ret->ed25519_pk = k->ed25519_pk; -@@ -1371,6 +1396,7 @@ sshkey_read(struct sshkey *ret, char **c - /* XXX */ - #endif - } -+#endif /* WITHOUT_ED25519 */ - retval = 0; - /*XXXX*/ - sshkey_free(k); -@@ -1662,7 +1688,8 @@ sshkey_generate(int type, u_int bits, st - if ((k = sshkey_new(KEY_UNSPEC)) == NULL) - return SSH_ERR_ALLOC_FAIL; - switch (type) { -- case KEY_ED25519: -+#ifndef WITHOUT_ED25519 -+ case KEY_ED25519: - if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || - (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { - ret = SSH_ERR_ALLOC_FAIL; -@@ -1671,6 +1698,7 @@ sshkey_generate(int type, u_int bits, st - crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); - ret = 0; - break; -+#endif /* WITHOUT_ED25519 */ - #ifdef WITH_OPENSSL - case KEY_DSA: - ret = dsa_generate_private_key(bits, &k->dsa); -@@ -1806,6 +1834,7 @@ 
sshkey_from_private(const struct sshkey - } - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - if ((n = sshkey_new(k->type)) == NULL) -@@ -1818,6 +1847,7 @@ sshkey_from_private(const struct sshkey - memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); - } - break; -+#endif /* WITHOUT_ED25519 */ - default: - return SSH_ERR_KEY_TYPE_UNKNOWN; - } -@@ -2084,6 +2114,7 @@ sshkey_from_blob_internal(struct sshbuf - break; - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: - /* Skip nonce */ - if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { -@@ -2105,6 +2136,7 @@ sshkey_from_blob_internal(struct sshbuf - key->ed25519_pk = pk; - pk = NULL; - break; -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - if ((key = sshkey_new(type)) == NULL) { - ret = SSH_ERR_ALLOC_FAIL; -@@ -2197,9 +2229,11 @@ sshkey_sign(const struct sshkey *key, - case KEY_RSA: - return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); -+#endif /* WITHOUT_ED25519 */ - default: - return SSH_ERR_KEY_TYPE_UNKNOWN; - } -@@ -2229,9 +2263,11 @@ sshkey_verify(const struct sshkey *key, - case KEY_RSA: - return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - case KEY_ED25519_CERT: - return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); -+#endif /* WITHOUT_ED25519 */ - default: - return SSH_ERR_KEY_TYPE_UNKNOWN; - } -@@ -2255,8 +2291,10 @@ sshkey_demote(const struct sshkey *k, st - pk->dsa = NULL; - pk->ecdsa = NULL; - pk->rsa = NULL; -+#ifndef WITHOUT_ED25519 - pk->ed25519_pk = NULL; - pk->ed25519_sk = NULL; -+#endif /* WITHOUT_ED25519 */ - - switch (k->type) { - #ifdef WITH_OPENSSL -@@ -2306,6 +2344,7 @@ sshkey_demote(const struct sshkey 
*k, st - break; - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: - if ((ret = sshkey_cert_copy(k, pk)) != 0) - goto fail; -@@ -2319,6 +2358,7 @@ sshkey_demote(const struct sshkey *k, st - memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); - } - break; -+#endif /* WITHOUT_ED25519 */ - default: - ret = SSH_ERR_KEY_TYPE_UNKNOWN; - fail: -@@ -2347,9 +2387,11 @@ sshkey_to_certified(struct sshkey *k) - newtype = KEY_ECDSA_CERT; - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - newtype = KEY_ED25519_CERT; - break; -+#endif /* WITHOUT_ED25519 */ - default: - return SSH_ERR_INVALID_ARGUMENT; - } -@@ -2428,11 +2470,13 @@ sshkey_certify(struct sshkey *k, struct - goto out; - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519_CERT: - if ((ret = sshbuf_put_string(cert, - k->ed25519_pk, ED25519_PK_SZ)) != 0) - goto out; - break; -+#endif /* WITHOUT_ED25519 */ - default: - ret = SSH_ERR_INVALID_ARGUMENT; - goto out; -@@ -2607,6 +2651,7 @@ sshkey_private_serialize(const struct ss - break; - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - if ((r = sshbuf_put_string(b, key->ed25519_pk, - ED25519_PK_SZ)) != 0 || -@@ -2626,6 +2671,7 @@ sshkey_private_serialize(const struct ss - ED25519_SK_SZ)) != 0) - goto out; - break; -+#endif /* WITHOUT_ED25519 */ - default: - r = SSH_ERR_INVALID_ARGUMENT; - goto out; -@@ -2750,6 +2796,7 @@ sshkey_private_deserialize(struct sshbuf - goto out; - break; - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - if ((k = sshkey_new_private(type)) == NULL) { - r = SSH_ERR_ALLOC_FAIL; -@@ -2780,6 +2827,7 @@ sshkey_private_deserialize(struct sshbuf - k->ed25519_sk = ed25519_sk; - ed25519_pk = ed25519_sk = NULL; - break; -+#endif /* WITHOUT_ED25519 */ - default: - r = SSH_ERR_KEY_TYPE_UNKNOWN; - goto out; -@@ -3545,9 +3593,11 @@ 
sshkey_private_to_fileblob(struct sshkey - return sshkey_private_pem_to_blob(key, blob, - passphrase, comment); - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - return sshkey_private_to_blob2(key, blob, passphrase, - comment, new_format_cipher, new_format_rounds); -+#endif /* WITHOUT_ED25519 */ - default: - return SSH_ERR_KEY_TYPE_UNKNOWN; - } -@@ -3853,9 +3903,11 @@ sshkey_parse_private_fileblob_type(struc - return sshkey_parse_private_pem_fileblob(blob, type, - passphrase, keyp); - #endif /* WITH_OPENSSL */ -+#ifndef WITHOUT_ED25519 - case KEY_ED25519: - return sshkey_parse_private2(blob, type, passphrase, - keyp, commentp); -+#endif /* WITHOUT_ED25519 */ - case KEY_UNSPEC: - if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, - commentp)) == 0) -diff -pur old/sshkey.h new/sshkey.h ---- old/sshkey.h -+++ new/sshkey.h -@@ -57,11 +57,15 @@ enum sshkey_types { - KEY_RSA, - KEY_DSA, - KEY_ECDSA, -- KEY_ED25519, -+#ifndef WITHOUT_ED25519 -+ KEY_ED25519, -+#endif /* WITHOUT_ED25519 */ - KEY_RSA_CERT, - KEY_DSA_CERT, - KEY_ECDSA_CERT, -+#ifndef WITHOUT_ED25519 - KEY_ED25519_CERT, -+#endif /* WITHOUT_ED25519 */ - KEY_NULL, - KEY_UNSPEC - }; -@@ -104,13 +108,17 @@ struct sshkey { - DSA *dsa; - int ecdsa_nid; /* NID of curve */ - EC_KEY *ecdsa; -+#ifndef WITHOUT_ED25519 - u_char *ed25519_sk; - u_char *ed25519_pk; -+#endif /* WITHOUT_ED25519 */ - struct sshkey_cert *cert; - }; - -+#ifndef WITHOUT_ED25519 - #define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES - #define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES -+#endif /* WITHOUT_ED25519 */ - - struct sshkey *sshkey_new(int); - int sshkey_add_private(struct sshkey *); -@@ -208,11 +216,13 @@ int ssh_ecdsa_sign(const struct sshkey * - int ssh_ecdsa_verify(const struct sshkey *key, - const u_char *signature, size_t signaturelen, - const u_char *data, size_t datalen, u_int compat); -+#ifndef WITHOUT_ED25519 - int ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t 
*lenp, - const u_char *data, size_t datalen, u_int compat); - int ssh_ed25519_verify(const struct sshkey *key, - const u_char *signature, size_t signaturelen, - const u_char *data, size_t datalen, u_int compat); -+#endif /* WITHOUT_ED25519 */ - #endif - - #if !defined(WITH_OPENSSL) diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/032-hang_on_closed_output.patch --- a/components/openssh/patches/032-hang_on_closed_output.patch Wed Apr 20 13:13:57 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,25 +0,0 @@ -# -# Fix possible hang on closed output. -# -# When there is a connectivity problem between the server and the client -# (network outage, server crash or reboot), the client indefinitely hangs. -# -# This patch fixes the issue by checking ssh_packet_write_poll return value -# in ssh_packet_write_wait and passing it through. -# -# The (updated) patch has been accepted upstream and will be part of 7.2 -# https://github.com/openssh/openssh-portable/commit/8408218 -# -diff -pur old/packet.c new/packet.c ---- old/packet.c -+++ new/packet.c -@@ -2040,7 +2040,8 @@ ssh_packet_write_wait(struct ssh *ssh) - NFDBITS), sizeof(fd_mask)); - if (setp == NULL) - return SSH_ERR_ALLOC_FAIL; -- ssh_packet_write_poll(ssh); -+ if ((r = ssh_packet_write_poll(ssh)) != 0) -+ return r; - while (ssh_packet_have_data_to_write(ssh)) { - memset(setp, 0, howmany(state->connection_out + 1, - NFDBITS) * sizeof(fd_mask)); diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/033-without_cast128.patch --- a/components/openssh/patches/033-without_cast128.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/033-without_cast128.patch Wed Apr 20 13:13:57 2016 -0700 
@@ -28,43 +28,10 @@ { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 }, { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 }, { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 }, -diff -pur old/myproposal.h new/myproposal.h ---- old/myproposal.h -+++ new/myproposal.h -@@ -119,9 +119,16 @@ - "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES - -+#ifdef WITHOUT_CAST128 -+# define CAST128 -+#else -+# define CAST128 "cast128-cbc" -+#endif -+ - #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "arcfour256,arcfour128," \ -- "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ -+ "aes128-cbc,3des-cbc,blowfish-cbc," \ -+ CAST128 \ - "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" - - #define KEX_SERVER_MAC \ -diff -pur old/ssh.1 new/ssh.1 ---- old/ssh.1 -+++ new/ssh.1 -@@ -788,7 +788,7 @@ options (see above). - Both protocols support similar authentication methods, - but protocol 2 is the default since - it provides additional mechanisms for confidentiality --(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) -+(the traffic is encrypted using AES, 3DES, Blowfish, or Arcfour) - and integrity (hmac-md5, hmac-sha1, - hmac-sha2-256, hmac-sha2-512, - umac-64, umac-128, hmac-ripemd160). diff -pur old/ssh_config.5 new/ssh_config.5 --- old/ssh_config.5 +++ new/ssh_config.5 -@@ -408,8 +408,6 @@ arcfour256 +@@ -478,8 +478,6 @@ arcfour256 .It blowfish-cbc .It @@ -73,15 +40,6 @@ chacha20-poly1305@openssh.com .El .Pp -@@ -419,7 +417,7 @@ chacha20-poly1305@openssh.com, - aes128-ctr,aes192-ctr,aes256-ctr, - aes128-gcm@openssh.com,aes256-gcm@openssh.com, - arcfour256,arcfour128, --aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, -+aes128-cbc,3des-cbc,blowfish-cbc, - aes192-cbc,aes256-cbc,arcfour - .Ed - .Pp diff -pur old/sshd.8 new/sshd.8 --- old/sshd.8 +++ new/sshd.8 
@@ -97,7 +55,7 @@ diff -pur old/sshd_config.5 new/sshd_config.5 --- old/sshd_config.5 +++ new/sshd_config.5 -@@ -469,8 +469,6 @@ arcfour256 +@@ -472,8 +472,6 @@ arcfour256 .It blowfish-cbc .It diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/035-fips.patch --- a/components/openssh/patches/035-fips.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/035-fips.patch Wed Apr 20 13:13:57 2016 -0700 
@@ -135,6 +135,50 @@ gss_enc2oid[oidpos].oid = NULL; gss_enc2oid[oidpos].encoded = NULL; +diff -pur old/kex.c new/kex.c +--- old/kex.c ++++ new/kex.c +@@ -89,7 +89,40 @@ struct kexalg { + int ec_nid; + int hash_alg; + }; ++ ++#ifdef ENABLE_OPENSSL_FIPS ++/* in FIPS mode limit kexalgs to FIPS compliant only */ ++#define kexalgs (ssh_FIPS_mode() ? kexalgs_fips : kexalgs_dflt) ++static const struct kexalg kexalgs_fips[] = { ++#ifdef WITH_OPENSSL ++ { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, ++#ifdef HAVE_EVP_SHA256 ++ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, ++#endif /* HAVE_EVP_SHA256 */ ++#ifdef OPENSSL_HAS_ECC ++ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, ++ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, ++ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, ++ SSH_DIGEST_SHA384 }, ++# ifdef OPENSSL_HAS_NISTP521 ++ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, ++ SSH_DIGEST_SHA512 }, ++# endif /* OPENSSL_HAS_NISTP521 */ ++#endif /* OPENSSL_HAS_ECC */ ++#endif /* WITH_OPENSSL */ ++#ifdef GSSAPI ++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, ++#endif ++ { NULL, -1, -1, -1}, ++}; ++static const struct kexalg kexalgs_dflt[] = { ++#else + static const struct kexalg kexalgs[] = { ++#endif + #ifdef WITH_OPENSSL + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, diff -pur old/mac.c new/mac.c --- old/mac.c +++ new/mac.c @@ -175,7 +219,7 @@ diff -pur old/misc.c new/misc.c --- old/misc.c +++ new/misc.c -@@ -38,12 +38,15 @@ +@@ -39,12 +39,15 @@ #include #include #include @@ -191,7 +235,7 @@ #include #include #include -@@ -77,6 +80,60 @@ chop(char *s) +@@ -78,6 +81,60 @@ chop(char *s) } 
@@ -270,28 +314,86 @@ diff -pur old/myproposal.h new/myproposal.h --- old/myproposal.h +++ new/myproposal.h -@@ -131,6 +131,15 @@ - CAST128 \ - "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" +@@ -83,19 +83,31 @@ + # else + # define KEX_CURVE25519_METHODS "" + # endif +-#define KEX_COMMON_KEX \ ++ ++#define KEX_COMMON_KEX_DFLT \ + KEX_CURVE25519_METHODS \ + KEX_ECDH_METHODS \ + KEX_SHA256_METHODS + +-#define KEX_SERVER_KEX KEX_COMMON_KEX \ ++#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \ + "diffie-hellman-group14-sha1" \ + +-#define KEX_CLIENT_KEX KEX_COMMON_KEX \ ++#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \ + "diffie-hellman-group-exchange-sha1," \ + "diffie-hellman-group14-sha1" -+#ifdef ENABLE_OPENSSL_FIPS -+#define KEX_FIPS_SERVER_ENCRYPT \ +-#define KEX_DEFAULT_PK_ALG \ ++#define KEX_COMMON_KEX_FIPS \ ++ KEX_ECDH_METHODS \ ++ KEX_SHA256_METHODS ++ ++#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \ ++ "diffie-hellman-group14-sha1" \ ++ ++#define KEX_CLIENT_KEX_FIPS KEX_COMMON_KEX_FIPS \ ++ "diffie-hellman-group-exchange-sha1," \ ++ "diffie-hellman-group14-sha1" ++ ++#define KEX_DEFAULT_PK_ALG_DFLT \ + HOSTKEY_ECDSA_CERT_METHODS \ + "ssh-ed25519-cert-v01@openssh.com," \ + "ssh-rsa-cert-v01@openssh.com," \ +@@ -105,17 +117,32 @@ + "rsa-sha2-256," \ + "ssh-rsa" + ++#define KEX_DEFAULT_PK_ALG_FIPS \ ++ HOSTKEY_ECDSA_CERT_METHODS \ ++ "ssh-rsa-cert-v01@openssh.com," \ ++ HOSTKEY_ECDSA_METHODS \ ++ "rsa-sha2-512," \ ++ "rsa-sha2-256," \ ++ "ssh-rsa" ++ + /* the actual algorithms */ + +-#define KEX_SERVER_ENCRYPT \ ++#define KEX_SERVER_ENCRYPT_DFLT \ + "chacha20-poly1305@openssh.com," \ + "aes128-ctr,aes192-ctr,aes256-ctr" \ + AESGCM_CIPHER_MODES + +-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ ++#define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \ ++ "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" ++ ++#define KEX_SERVER_ENCRYPT_FIPS \ + "aes128-ctr,aes192-ctr,aes256-ctr" \ + AESGCM_CIPHER_MODES + -+#define KEX_FIPS_CLIENT_ENCRYPT 
KEX_FIPS_SERVER_ENCRYPT "," \ -+ "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" -+#endif /* ENABLE_OPENSSL_FIPS */ -+ - #define KEX_SERVER_MAC \ ++#define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \ + "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" + +-#define KEX_SERVER_MAC \ ++#define KEX_SERVER_MAC_DFLT \ "umac-64-etm@openssh.com," \ "umac-128-etm@openssh.com," \ -@@ -154,6 +163,20 @@ - "hmac-sha1-96," \ - "hmac-md5-96" + "hmac-sha2-256-etm@openssh.com," \ +@@ -127,7 +154,42 @@ + "hmac-sha2-512," \ + "hmac-sha1" -+#ifdef ENABLE_OPENSSL_FIPS -+#define KEX_FIPS_SERVER_MAC \ +-#define KEX_CLIENT_MAC KEX_SERVER_MAC ++#define KEX_CLIENT_MAC_DFLT KEX_SERVER_MAC_DFLT ++ ++#define KEX_SERVER_MAC_FIPS \ + "hmac-sha2-256-etm@openssh.com," \ + "hmac-sha2-512-etm@openssh.com," \ + "hmac-sha1-etm@openssh.com," \ 
@@ -299,79 +401,39 @@ + "hmac-sha2-512," \ + "hmac-sha1" + -+#define KEX_FIPS_CLIENT_MAC KEX_FIPS_SERVER_MAC "," \ -+ "hmac-sha1-96-etm@openssh.com," \ -+ "hmac-sha1-96" -+#endif /* ENABLE_OPENSSL_FIPS */ -+ - #else - - #define KEX_SERVER_KEX \ -diff -pur old/readconf.c new/readconf.c ---- old/readconf.c -+++ new/readconf.c -@@ -1760,6 +1760,11 @@ fill_default_options_for_canonicalizatio - void - fill_default_options(Options * options) - { -+#ifdef ENABLE_OPENSSL_FIPS -+ char *encs; -+ char *macs; -+#endif /* ENABLE_OPENSSL_FIPS */ ++#define KEX_CLIENT_MAC_FIPS KEX_SERVER_MAC_FIPS + - if (options->forward_agent == -1) - options->forward_agent = 0; - if (options->forward_x11 == -1) -@@ -1934,8 +1939,15 @@ fill_default_options(Options * options) - options->fingerprint_hash = SSH_FP_HASH_DEFAULT; - if (options->update_hostkeys == -1) - options->update_hostkeys = 0; -+#ifndef ENABLE_OPENSSL_FIPS - if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || -+#else -+ encs = ssh_FIPS_mode() ? KEX_FIPS_CLIENT_ENCRYPT : KEX_CLIENT_ENCRYPT; -+ macs = ssh_FIPS_mode() ? KEX_FIPS_CLIENT_MAC : KEX_CLIENT_MAC; -+ if (kex_assemble_names(encs, &options->ciphers) != 0 || -+ kex_assemble_names(macs, &options->macs) != 0 || -+#endif /* ENABLE_OPENSSL_FIPS */ - kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->hostbased_key_types) != 0 || -diff -pur old/servconf.c new/servconf.c ---- old/servconf.c -+++ new/servconf.c -@@ -195,6 +195,10 @@ void - fill_default_server_options(ServerOptions *options) - { - int i; +#ifdef ENABLE_OPENSSL_FIPS -+ char *encs; -+ char *macs; ++ #define KEX_SERVER_KEX \ ++ (ssh_FIPS_mode() ? (KEX_SERVER_KEX_FIPS) : (KEX_SERVER_KEX_DFLT) ) ++ #define KEX_CLIENT_KEX \ ++ (ssh_FIPS_mode() ? (KEX_CLIENT_KEX_FIPS) : (KEX_CLIENT_KEX_DFLT) ) ++ #define KEX_DEFAULT_PK_ALG \ ++ (ssh_FIPS_mode() ? 
(KEX_DEFAULT_PK_ALG_FIPS) : (KEX_DEFAULT_PK_ALG_DFLT) ) ++ #define KEX_SERVER_ENCRYPT \ ++ (ssh_FIPS_mode() ? (KEX_SERVER_ENCRYPT_FIPS) : (KEX_SERVER_ENCRYPT_DFLT)) ++ #define KEX_CLIENT_ENCRYPT \ ++ (ssh_FIPS_mode() ? (KEX_CLIENT_ENCRYPT_FIPS) : (KEX_CLIENT_ENCRYPT_DFLT)) ++ #define KEX_SERVER_MAC \ ++ (ssh_FIPS_mode() ? (KEX_SERVER_MAC_FIPS) : (KEX_SERVER_MAC_DFLT) ) ++ #define KEX_CLIENT_MAC \ ++ (ssh_FIPS_mode() ? (KEX_CLIENT_MAC_FIPS) : (KEX_CLIENT_MAC_DFLT) ) ++#else /* ENABLE_OPENSSL_FIPS */ ++ #define KEX_SERVER_KEX KEX_SERVER_KEX_DFLT ++ #define KEX_CLIENT_KEX KEX_CLIENT_KEX_DFLT ++ #define KEX_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG_DFLT ++ #define KEX_SERVER_ENCRYPT KEX_SERVER_ENCRYPT_DFLT ++ #define KEX_CLIENT_ENCRYPT KEX_CLIENT_ENCRYPT_DFLT ++ #define KEX_SERVER_MAC KEX_SERVER_MAC_DFLT ++ #define KEX_CLIENT_MAC KEX_CLIENT_MAC_DFLT +#endif /* ENABLE_OPENSSL_FIPS */ - /* Portable-specific options */ - if (options->use_pam == -1) -@@ -382,8 +386,15 @@ fill_default_server_options(ServerOption - if (options->fingerprint_hash == -1) - options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + #else /* WITH_OPENSSL */ -+#ifndef ENABLE_OPENSSL_FIPS - if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || -+#else -+ encs = ssh_FIPS_mode() ? KEX_FIPS_SERVER_ENCRYPT : KEX_SERVER_ENCRYPT; -+ macs = ssh_FIPS_mode() ? KEX_FIPS_SERVER_MAC : KEX_SERVER_MAC; -+ if (kex_assemble_names(encs, &options->ciphers) != 0 || -+ kex_assemble_names(macs, &options->macs) != 0 || -+#endif /* ENABLE_OPENSSL_FIPS */ - kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->hostbased_key_types) != 0 || diff -pur old/ssh-add.1 new/ssh-add.1 --- old/ssh-add.1 +++ new/ssh-add.1 -@@ -114,6 +114,8 @@ and +@@ -116,6 +116,8 @@ and .Dq sha256 . The default is .Dq sha256 . 
@@ -383,7 +445,7 @@ diff -pur old/ssh-add.c new/ssh-add.c --- old/ssh-add.c +++ new/ssh-add.c -@@ -493,6 +493,12 @@ main(int argc, char **argv) +@@ -488,6 +488,12 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); seed_rng(); @@ -399,7 +461,7 @@ diff -pur old/ssh-agent.1 new/ssh-agent.1 --- old/ssh-agent.1 +++ new/ssh-agent.1 -@@ -110,6 +110,8 @@ and +@@ -117,6 +117,8 @@ and .Dq sha256 . The default is .Dq sha256 . @@ -411,15 +473,15 @@ diff -pur old/ssh-agent.c new/ssh-agent.c --- old/ssh-agent.c +++ new/ssh-agent.c -@@ -1187,6 +1187,7 @@ main(int ac, char **av) +@@ -1199,6 +1199,7 @@ main(int ac, char **av) struct timeval *tvp = NULL; size_t len; mode_t prev_mask; + int fips_err; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ - sanitise_stdfd(); -@@ -1200,6 +1201,9 @@ main(int ac, char **av) +@@ -1213,6 +1214,9 @@ main(int ac, char **av) prctl(PR_SET_DUMPABLE, 0); #endif @@ -429,13 +491,14 @@ #ifdef WITH_OPENSSL OpenSSL_add_all_algorithms(); #endif -@@ -1330,7 +1334,18 @@ main(int ac, char **av) +@@ -1343,8 +1347,19 @@ main(int ac, char **av) printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, SSH_AUTHSOCKET_ENV_NAME); printf("echo Agent pid %ld;\n", (long)parent_pid); +#ifdef ENABLE_OPENSSL_FIPS + ssh_FIPS_check_status(); +#endif + fflush(stdout); goto skip; +#ifdef ENABLE_OPENSSL_FIPS + } else { @@ -451,7 +514,7 @@ diff -pur old/ssh-keygen.1 new/ssh-keygen.1 --- old/ssh-keygen.1 +++ new/ssh-keygen.1 -@@ -268,6 +268,8 @@ and +@@ -283,6 +283,8 @@ and .Dq sha256 . The default is .Dq sha256 . @@ -463,7 +526,7 @@ diff -pur old/ssh-keygen.c new/ssh-keygen.c --- old/ssh-keygen.c +++ new/ssh-keygen.c -@@ -2224,11 +2224,18 @@ main(int argc, char **argv) +@@ -2267,11 +2267,18 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); 
@@ -485,7 +548,7 @@ diff -pur old/ssh-keysign.c new/ssh-keysign.c --- old/ssh-keysign.c +++ new/ssh-keysign.c -@@ -175,6 +175,7 @@ main(int argc, char **argv) +@@ -178,6 +178,7 @@ main(int argc, char **argv) u_char *signature, *data, rver; char *host, *fp; size_t slen, dlen; @@ -493,7 +556,7 @@ #ifdef WITH_OPENSSL u_int32_t rnd[256]; #endif -@@ -223,6 +224,16 @@ main(int argc, char **argv) +@@ -228,6 +229,16 @@ main(int argc, char **argv) if (found == 0) fatal("could not open any host key"); @@ -513,7 +576,7 @@ diff -pur old/ssh.1 new/ssh.1 --- old/ssh.1 +++ new/ssh.1 -@@ -92,6 +92,9 @@ If +@@ -91,6 +91,9 @@ If is specified, it is executed on the remote host instead of a login shell. .Pp @@ -526,7 +589,7 @@ diff -pur old/ssh.c new/ssh.c --- old/ssh.c +++ new/ssh.c -@@ -588,6 +588,11 @@ main(int ac, char **av) +@@ -606,6 +606,11 @@ main(int ac, char **av) */ initialize_options(&options); @@ -538,7 +601,7 @@ /* Parse command-line arguments. */ host = NULL; use_syslog = 0; -@@ -997,6 +1002,10 @@ main(int ac, char **av) +@@ -1016,6 +1021,10 @@ main(int ac, char **av) #endif ); @@ -566,8 +629,8 @@ diff -pur old/ssh_config.5 new/ssh_config.5 --- old/ssh_config.5 +++ new/ssh_config.5 -@@ -423,6 +423,13 @@ aes128-cbc,3des-cbc,blowfish-cbc,cast128 - aes192-cbc,aes256-cbc,arcfour +@@ -489,6 +489,13 @@ aes128-gcm@openssh.com,aes256-gcm@openss + aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc .Ed .Pp +The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode: @@ -580,7 +643,7 @@ The list of available ciphers may also be obtained using the .Fl Q option of -@@ -662,6 +669,8 @@ and +@@ -738,6 +745,8 @@ and .Dq sha256 . The default is .Dq sha256 . 
@@ -589,8 +652,8 @@ .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -@@ -1110,6 +1119,16 @@ hmac-md5,hmac-sha1,hmac-ripemd160, - hmac-sha1-96,hmac-md5-96 +@@ -1200,6 +1209,16 @@ umac-64@openssh.com,umac-128@openssh.com + hmac-sha2-256,hmac-sha2-512,hmac-sha1 .Ed .Pp +The following MACs are FIPS-140 approved and are supported in FIPS-140 mode: @@ -609,7 +672,7 @@ diff -pur old/sshconnect.c new/sshconnect.c --- old/sshconnect.c +++ new/sshconnect.c -@@ -523,8 +523,14 @@ send_client_banner(int connection_out, i +@@ -530,8 +530,14 @@ send_client_banner(int connection_out, i { /* Send our own protocol version identification. */ if (compat20) { @@ -640,7 +703,7 @@ diff -pur old/sshd.c new/sshd.c --- old/sshd.c +++ new/sshd.c -@@ -431,10 +431,18 @@ sshd_exchange_identification(int sock_in +@@ -430,10 +430,18 @@ sshd_exchange_identification(int sock_in minor = PROTOCOL_MINOR_1; } @@ -658,8 +721,8 @@ +#endif /* Send our protocol version identification. */ - if (roaming_atomicio(vwrite, sock_out, server_version_string, -@@ -1501,6 +1509,10 @@ main(int ac, char **av) + if (atomicio(vwrite, sock_out, server_version_string, +@@ -1503,6 +1511,10 @@ main(int ac, char **av) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -684,7 +747,7 @@ diff -pur old/sshd_config.5 new/sshd_config.5 --- old/sshd_config.5 +++ new/sshd_config.5 -@@ -481,6 +481,13 @@ aes128-ctr,aes192-ctr,aes256-ctr, +@@ -482,6 +482,13 @@ aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com .Ed .Pp @@ -698,7 +761,7 @@ The list of available ciphers may also be obtained using the .Fl Q option of -@@ -577,6 +584,8 @@ and +@@ -576,6 +583,8 @@ and .Dq sha256 . The default is .Dq sha256 . 
@@ -707,8 +770,8 @@ .It Cm ForceCommand Forces the execution of the command specified by .Cm ForceCommand , -@@ -1023,6 +1032,16 @@ umac-64@openssh.com,umac-128@openssh.com - hmac-sha2-256,hmac-sha2-512 +@@ -1025,6 +1034,16 @@ umac-64@openssh.com,umac-128@openssh.com + hmac-sha2-256,hmac-sha2-512,hmac-sha1 .Ed .Pp +The following MACs are FIPS-140 approved and are supported in FIPS-140 mode: 
@@ -724,3 +787,53 @@ The list of available MAC algorithms may also be obtained using the .Fl Q option of +diff -pur old/sshkey.c new/sshkey.c +--- old/sshkey.c ++++ new/sshkey.c +@@ -85,7 +85,46 @@ struct keytype { + int cert; + int sigonly; + }; ++ ++#ifdef ENABLE_OPENSSL_FIPS ++/* in FIPS mode limit keytypes to FIPS compliant only */ ++#define keytypes (ssh_FIPS_mode() ? keytypes_fips : keytypes_dflt) ++ ++static const struct keytype keytypes_fips[] = { ++#ifdef WITH_OPENSSL ++ { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, ++ { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, ++ { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, ++ { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, ++ { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, ++# ifdef OPENSSL_HAS_ECC ++ { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, ++ { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, ++# ifdef OPENSSL_HAS_NISTP521 ++ { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, ++# endif /* OPENSSL_HAS_NISTP521 */ ++# endif /* OPENSSL_HAS_ECC */ ++ { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, ++ { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, ++# ifdef OPENSSL_HAS_ECC ++ { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", ++ KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, ++ { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", ++ KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, ++# ifdef OPENSSL_HAS_NISTP521 ++ { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", ++ KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, ++# endif /* OPENSSL_HAS_NISTP521 */ ++# endif /* OPENSSL_HAS_ECC */ ++#endif /* WITH_OPENSSL */ ++ { "null", "null", KEY_NULL, 0, 0 }, ++ { NULL, NULL, -1, -1, 0, 0 } ++}; ++ ++static const struct keytype keytypes_dflt[] = { ++#else /* ENABLE_OPENSSL_FIPS */ + static const struct keytype keytypes[] = { ++#endif /* ENABLE_OPENSSL_FIPS */ + { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, + { 
"ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", + KEY_ED25519_CERT, 0, 1, 0 }, diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/037-missing_or_misleading_error_messages.patch --- a/components/openssh/patches/037-missing_or_misleading_error_messages.patch Wed Apr 20 13:13:57 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,51 +0,0 @@ -# -# Add missing error() upon identity_sign() failure, fix typos in ssherr() calls. -# -# After OpenSSH code was refactored recently, DSA_do_sign() and RSA_sign() -# failures no longer result in error messages printed out. This is particularly -# inconvenient for FIPS mode, were these calls can fail due to non-compliant -# crypto algorithm options. -# -# Investigating other missing error messages spotted two calls to ssherr() -# with wrong error codes. -# -# Patch has been submitted upstream: -# https://bugzilla.mindrot.org/show_bug.cgi?id=2507 -# -# Update: patch has been accepted upstream, will be part of 7.2: -# https://github.com/openssh/openssh-portable/commit/39736be -# -# On uprev to 7.2+ we will drop this patch. -# -diff -pur old/ssh-agent.c new/ssh-agent.c ---- old/ssh-agent.c -+++ new/ssh-agent.c -@@ -389,7 +389,7 @@ process_sign_request2(SocketEntry *e) - if (flags & SSH_AGENT_OLD_SIGNATURE) - compat = SSH_BUG_SIGBLOB; - if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { -- error("%s: cannot parse key blob: %s", __func__, ssh_err(ok)); -+ error("%s: cannot parse key blob: %s", __func__, ssh_err(r)); - goto send; - } - if ((id = lookup_identity(key, 2)) == NULL) { -@@ -402,7 +402,7 @@ process_sign_request2(SocketEntry *e) - } - if ((r = sshkey_sign(id->key, &signature, &slen, - data, dlen, compat)) != 0) { -- error("%s: sshkey_sign: %s", __func__, ssh_err(ok)); -+ error("%s: sshkey_sign: %s", __func__, ssh_err(r)); - goto send; - } - /* Success */ -diff -pur old/sshconnect2.c new/sshconnect2.c ---- old/sshconnect2.c -+++ new/sshconnect2.c -@@ -1167,6 +1167,7 @@ sign_and_send_pubkey(Authctxt *authctxt, - ret = identity_sign(id, &signature, &slen, - buffer_ptr(&b), buffer_len(&b), datafellows); - if (ret != 0) { -+ error("%s: signing failed: %s", __func__, ssh_err(ret)); - free(blob); - buffer_free(&b); - return 0; diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/039-sshd_config_5_defaults.patch 
--- a/components/openssh/patches/039-sshd_config_5_defaults.patch Wed Apr 20 13:13:57 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,20 +0,0 @@ -# -# hmac-sha1 is heavily used in the world, and customers updating openssh should -# have up-to-date man pages -# -# Upstream has been notified of this typo and is correcting it, this patch -# will be removed when Solaris updates to an update including the fix. -# - -diff -rupN old/sshd_config.5 new/sshd_config.5 ---- old/sshd_config.5 2016-01-28 13:47:34.630632408 -0800 -+++ new/sshd_config.5 2016-01-28 13:48:34.129479936 -0800 -@@ -1018,7 +1018,7 @@ The default is: - umac-64-etm@openssh.com,umac-128-etm@openssh.com, - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, - umac-64@openssh.com,umac-128@openssh.com, --hmac-sha2-256,hmac-sha2-512 -+hmac-sha2-256,hmac-sha2-512,hmac-sha1 - .Ed - .Pp - The list of available MAC algorithms may also be obtained using the diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/patches/040-default_config_files.patch --- a/components/openssh/patches/040-default_config_files.patch Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/patches/040-default_config_files.patch Wed Apr 20 13:13:57 2016 -0700 @@ -2,11 +2,12 @@ # This patch contains changes to the default SSH system configurations for # /etc/ssh/sshd_config and /etc/ssh/ssh_config on Solaris. # -# This is a Solaris specific patch and will not be contributed back to tge +# This is a Solaris specific patch and will not be contributed back to the # upstream community. # ---- orig/ssh_config Wed Feb 10 16:52:14 2016 -+++ new/ssh_config Wed Feb 10 18:32:20 2016 +diff -pur old/ssh_config new/ssh_config +--- old/ssh_config ++++ new/ssh_config @@ -24,8 +24,9 @@ # RSAAuthentication yes # PasswordAuthentication yes @@ -18,7 +19,7 @@ # BatchMode no # CheckHostIP yes # AddressFamily any -@@ -46,3 +47,7 @@ +@@ -48,3 +49,7 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h 
@@ -26,9 +27,12 @@ +# Send the LANG and LC_* environment variables to server. +SendEnv LANG +SendEnv LC_* ---- orig/sshd_config Wed Feb 10 16:52:20 2016 -+++ new/sshd_config Tue Feb 23 16:40:15 2016 -@@ -2,132 +2,95 @@ +diff -pur old/sshd_config new/sshd_config +--- old/sshd_config ++++ new/sshd_config +@@ -1,133 +1,96 @@ +-# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ ++# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
@@ -66,71 +70,74 @@ -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key +- +-# Lifetime and size of ephemeral version 1 server key +-#KeyRegenerationInterval 1h +-#ServerKeyBits 1024 +- +-# Ciphers and keying +-#RekeyLimit default none +- +-# Logging +-# obsoletes QuietMode and FascistLogging +-#SyslogFacility AUTH +-#LogLevel INFO +# X11 tunneling options +#X11DisplayOffset 10 +#X11UseLocalhost yes +X11Forwarding yes --# Lifetime and size of ephemeral version 1 server key --#KeyRegenerationInterval 1h --#ServerKeyBits 1024 +-# Authentication: +# The maximum number of concurrent unauthenticated connections to sshd. +# start:rate:full see sshd(1) for more information. +#MaxStartups 10:30:100 --# Ciphers and keying --#RekeyLimit default none -+# Banner to be printed before authentication starts. -+Banner /etc/issue - --# Logging --# obsoletes QuietMode and FascistLogging --#SyslogFacility AUTH --#LogLevel INFO -+# Should sshd print the /etc/motd file and check for mail. -+# On Solaris it is assumed that the login shell will do these (eg /etc/profile). -+PrintMotd no - --# Authentication: -+# KeepAlive specifies whether keep alive messages are sent to the client. -+# See sshd(1) for detailed description of what this means. -+# Note that the client may also be sending keep alive messages to the server. -+#KeepAlive yes - -#LoginGraceTime 2m -#PermitRootLogin prohibit-password -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 -+# Syslog facility and level -+#SyslogFacility auth -+#LogLevel info ++# Banner to be printed before authentication starts. ++Banner /etc/issue -#RSAAuthentication yes -#PubkeyAuthentication yes ++# Should sshd print the /etc/motd file and check for mail. ++# On Solaris it is assumed that the login shell will do these (eg /etc/profile). ++PrintMotd no ++ ++# KeepAlive specifies whether keep alive messages are sent to the client. 
++# See sshd(1) for detailed description of what this means. ++# Note that the client may also be sending keep alive messages to the server. ++#KeepAlive yes ++ ++# Syslog facility and level ++#SyslogFacility auth ++#LogLevel info ++ +# +# Authentication configuration +# - --# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 --# but this is overridden so installations will only check .ssh/authorized_keys --AuthorizedKeysFile .ssh/authorized_keys ++ +# Host private key files +# Must be on a local disk and readable only by the root user (root:sys 600). +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key - --#AuthorizedPrincipalsFile none ++ +# sshd regenerates the key every KeyRegenerationInterval seconds. +# The key is never stored anywhere except the memory of sshd. +# The default is 1 hour (3600 seconds). +#KeyRegenerationInterval 3600 +-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys +- +-#AuthorizedPrincipalsFile none +- -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody -+# Ensure secure permissions on users .ssh directory. -+#StrictModes yes - +- -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 
@@ -140,13 +147,16 @@ -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes ++# Ensure secure permissions on users .ssh directory. ++#StrictModes yes + +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes +# Length of time in seconds before a client that hasn't completed +# authentication is disconnected. +# Default is 120 seconds. 0 means no time limit. +#LoginGraceTime 120 - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes ++ +# Maximum number of retries for authentication +# Default is 6. +#MaxAuthTries 6 @@ -158,26 +168,17 @@ -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes -+# To disable tunneled clear text passwords, change PasswordAuthentication to no. -+#PasswordAuthentication yes - +- -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no -+# Are root logins permitted using sshd. -+# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user -+# maybe denied access by a PAM module regardless of this setting. -+# Valid options are yes, without-password, no. -+PermitRootLogin no - +- -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes -+# sftp subsystem -+Subsystem sftp internal-sftp - +- -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and 
@@ -188,8 +189,8 @@ -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -#UsePAM no -+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. -+#IgnoreUserKnownHosts yes ++# To disable tunneled clear text passwords, change PasswordAuthentication to no. ++#PasswordAuthentication yes -#AllowAgentForwarding yes -#AllowTcpForwarding yes @@ -202,7 +203,7 @@ -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no --UsePrivilegeSeparation sandbox # Default for new installations. +-#UsePrivilegeSeparation sandbox -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 @@ -226,6 +227,18 @@ -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server ++# Are root logins permitted using sshd. ++# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user ++# maybe denied access by a PAM module regardless of this setting. ++# Valid options are yes, without-password, no. ++PermitRootLogin no ++ ++# sftp subsystem ++Subsystem sftp internal-sftp ++ ++# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. ++#IgnoreUserKnownHosts yes ++ +# Accept the LANG and LC_* environment variables sent by the client. +AcceptEnv LANG +AcceptEnv LC_* diff -r 5f0e7a0f17c2 -r c5f05bd2a9bc components/openssh/service-network-ssh.p5m --- a/components/openssh/service-network-ssh.p5m Wed Apr 20 13:13:57 2016 -0700 +++ b/components/openssh/service-network-ssh.p5m Wed Apr 20 13:13:57 2016 -0700 
@@ -32,7 +32,7 @@ value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2015/227 +set name=org.opensolaris.arc-caseid value=PSARC/2015/227 value=PSARC/2016/216 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) file path=etc/ssh/moduli group=sys mode=0644 overlay=allow preserve=renamenew file path=etc/ssh/sshd_config group=sys mode=0644 \
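Review bot: in the kex.c hunk of 035-fips.patch, kexalgs_fips still carries KEX_DH1 and KEX_GSS_GRP1_SHA1_ID, while the FIPS proposal strings added to myproposal.h in the same patch (KEX_SERVER_KEX_FIPS, KEX_CLIENT_KEX_FIPS) offer only the ECDH, SHA256, group-exchange-sha1 and group14-sha1 methods. The lookup table therefore accepts more in FIPS mode than the defaults advertise, so a KexAlgorithms setting naming a group1 method would still resolve. Either drop the group1 rows from kexalgs_fips or add a comment saying why they stay. Separately, "#define kexalgs (ssh_FIPS_mode() ? kexalgs_fips : kexalgs_dflt)" turns an array name into a pointer-valued expression; a one-line comment warning that sizeof(kexalgs) no longer gives the table size would protect later rebases.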
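Review bot: in the myproposal.h hunk at -127,7 +154,42 of 035-fips.patch, KEX_SERVER_KEX, KEX_CLIENT_KEX, KEX_DEFAULT_PK_ALG, KEX_SERVER_ENCRYPT, KEX_CLIENT_ENCRYPT, KEX_SERVER_MAC and KEX_CLIENT_MAC stop being string literals under ENABLE_OPENSSL_FIPS and become "(ssh_FIPS_mode() ? (..._FIPS) : (..._DFLT))" expressions. They can then no longer be concatenated with an adjacent literal or used in a static initializer, and nothing in the header says so. The patch itself avoids the problem by building the client lists from the _DFLT and _FIPS names, but the next upstream rebase can easily reintroduce a literal concatenation. Please add a comment above the #ifdef ENABLE_OPENSSL_FIPS block stating that these seven names are runtime expressions in FIPS builds and must only be passed as arguments, as the removed readconf.c and servconf.c code did with kex_assemble_names(). The indented "#define" lines in that block also differ from the "# define" style used a few lines earlier in the same header.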
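Review bot: the myproposal.h hunk at -105,17 +117,32 of 035-fips.patch changes what a FIPS-mode client offers without documenting it. The old KEX_FIPS_CLIENT_ENCRYPT ended with rijndael-cbc@lysator.liu.se and the new KEX_CLIENT_ENCRYPT_FIPS does not; likewise the old KEX_FIPS_CLIENT_MAC appended "hmac-sha1-96-etm@openssh.com" and "hmac-sha1-96" to the server list, while the new KEX_CLIENT_MAC_FIPS is simply KEX_SERVER_MAC_FIPS. If this is intended to follow the 7.2 default lists, say so in the patch header comment so the behaviour change is on record, and check that the FIPS cipher and MAC lists documented in the ssh_config.5 and sshd_config.5 hunks of the same patch match the new macros.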
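Review bot: in the sshkey.c hunk of 035-fips.patch, keytypes_fips keeps the RSA1, ssh-dss and ssh-dss-cert-v01@openssh.com rows, although KEX_DEFAULT_PK_ALG_FIPS in the myproposal.h part of the same patch lists only the ECDSA and RSA names. If these rows are kept on purpose (for example so existing key files still parse), add a comment to that effect next to "/* in FIPS mode limit keytypes to FIPS compliant only */"; otherwise remove them so the table matches what the comment promises. The row { "null", "null", KEY_NULL, 0, 0 } also has five initializers where every other row, including the terminator, has six; it compiles, but please spell out the sixth field for consistency.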
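Review bot: in the ssh-agent.c hunks of 035-fips.patch, "int fips_err;" is added to main() with no ENABLE_OPENSSL_FIPS guard, while the other FIPS additions visible in the same file are wrapped in #ifdef ENABLE_OPENSSL_FIPS. If every use of fips_err sits inside a guarded block, a non-FIPS build gets an unused-variable warning; guard the declaration the same way. The hunk at -1343,8 +1347,19 also opens "} else {" inside an #ifdef, which makes the brace structure of main() depend on the preprocessor. A short comment at the matching close, or restructuring so the braces balance in both configurations, would make the next context refresh less error-prone.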
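Review bot: in the sshd_config hunk of 040-default_config_files.patch, the revision header goes backwards: the patch removes "# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $" and adds "# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $". The delivered Solaris sshd_config will then claim an older upstream revision than the 7.2p2 file it was derived from. Unless that is deliberate, leave the $OpenBSD line as an unchanged context line so the installed file records the upstream revision it was actually based on.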