date: Thu Apr 09 12:53:33 2015 -0700 s11-update
authorTomas Kuthan <tomas.kuthan@oracle.com>
Wed, 15 Apr 2015 09:41:00 -0700
branchs11-update
changeset 4129 1b849fbbd264
parent 4128 5b637a305812
child 4132 bab2f80f1992
date: Thu Apr 09 12:53:33 2015 -0700 20820589 Disable Curve25519 in OpenSSH
components/openssh/Makefile
components/openssh/patches/024-disable_ed25519.patch
--- a/components/openssh/Makefile	Wed Apr 15 09:30:56 2015 -0700
+++ b/components/openssh/Makefile	Wed Apr 15 09:41:00 2015 -0700
@@ -57,6 +57,7 @@
 CFLAGS += -DPAM_ENHANCEMENT
 CFLAGS += -DPAM_BUGFIX
 CFLAGS += -DOPTION_DEFAULT_VALUE
+CFLAGS += -DWITHOUT_ED25519
 
 CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)" 
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/024-disable_ed25519.patch	Wed Apr 15 09:41:00 2015 -0700
@@ -0,0 +1,2080 @@
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in	2015-04-10 02:43:51.101312444 -0700
++++ new/Makefile.in	2015-04-10 02:43:51.156820521 -0700
[email protected]@ -138,7 +138,7 @@ $(SSHDOBJS): Makefile.in config.h
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+ 
+ LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
+-$(LIBCOMPAT): always
++$(LIBCOMPAT): always libssh.a
+ 	(cd openbsd-compat && $(MAKE))
+ always:
+ 
+Only in new: Makefile.in.orig
+diff -pur old/authfd.c new/authfd.c
+--- old/authfd.c	2013-12-28 22:49:56.000000000 -0800
++++ new/authfd.c	2015-04-10 02:43:51.157515880 -0700
[email protected]@ -508,8 +508,10 @@ ssh_add_identity_constrained(Authenticat
+ 	case KEY_DSA_CERT_V00:
+ 	case KEY_ECDSA:
+ 	case KEY_ECDSA_CERT:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 		type = constrained ?
+ 		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
+ 		    SSH2_AGENTC_ADD_IDENTITY;
+diff -pur old/authfile.c new/authfile.c
+--- old/authfile.c	2013-12-28 22:50:15.000000000 -0800
++++ new/authfile.c	2015-04-10 02:43:51.158405633 -0700
[email protected]@ -597,9 +597,11 @@ key_private_to_blob(Key *key, Buffer *bl
+ 			    comment, new_format_cipher, new_format_rounds);
+ 		}
+ 		return key_private_pem_to_blob(key, blob, passphrase, comment);
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		return key_private_to_blob2(key, blob, passphrase,
+ 		    comment, new_format_cipher, new_format_rounds);
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		error("%s: cannot save key type %d", __func__, key->type);
+ 		return 0;
[email protected]@ -1005,8 +1007,10 @@ key_parse_private_type(Buffer *blob, int
+ 	case KEY_ECDSA:
+ 	case KEY_RSA:
+ 		return key_parse_private_pem(blob, type, passphrase, commentp);
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		return key_parse_private2(blob, type, passphrase, commentp);
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		if ((k = key_parse_private2(blob, type, passphrase, commentp)))
+ 			return k;
[email protected]@ -1213,7 +1217,9 @@ key_load_private_cert(int type, const ch
+ 	case KEY_RSA:
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 		break;
+ 	default:
+ 		error("%s: unsupported key type", __func__);
+diff -pur old/crypto_api.h new/crypto_api.h
+--- old/crypto_api.h	2014-01-16 17:31:34.000000000 -0800
++++ new/crypto_api.h	2015-04-10 02:43:51.158673341 -0700
[email protected]@ -26,7 +26,7 @@ int	crypto_hashblocks_sha512(unsigned ch
+ 
+ #define crypto_hash_sha512_BYTES 64U
+ 
+-int	crypto_hash_sha512(unsigned char *, const unsigned char *,
++extern int	crypto_hash_sha512(unsigned char *, const unsigned char *,
+     unsigned long long);
+ 
+ int	crypto_verify_32(const unsigned char *, const unsigned char *);
+diff -pur old/ed25519.c new/ed25519.c
+--- old/ed25519.c	2013-12-17 22:48:11.000000000 -0800
++++ new/ed25519.c	2015-04-10 02:43:51.158974499 -0700
[email protected]@ -6,6 +6,8 @@
+  * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ #include "crypto_api.h"
+ 
[email protected]@ -142,3 +144,4 @@ int crypto_sign_ed25519_open(
+   }
+   return ret;
+ }
++#endif /* WITHOUT_ED25519 */
+diff -pur old/fe25519.c new/fe25519.c
+--- old/fe25519.c	2014-01-16 17:43:44.000000000 -0800
++++ new/fe25519.c	2015-04-10 02:43:51.159348136 -0700
[email protected]@ -6,6 +6,8 @@
+  * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #define WINDOWSIZE 1 /* Should be 1,2, or 4 */
[email protected]@ -335,3 +337,5 @@ void fe25519_pow2523(fe25519 *r, const f
+ 	/* 2^252 - 2^2 */ fe25519_square(&t,&t);
+ 	/* 2^252 - 3 */ fe25519_mul(r,&t,x);
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/fe25519.h new/fe25519.h
+--- old/fe25519.h	2013-12-17 22:48:11.000000000 -0800
++++ new/fe25519.h	2015-04-10 02:43:51.159633614 -0700
[email protected]@ -9,6 +9,8 @@
+ #ifndef FE25519_H
+ #define FE25519_H
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "crypto_api.h"
+ 
+ #define fe25519              crypto_sign_ed25519_ref_fe25519
[email protected]@ -67,4 +69,5 @@ void fe25519_invert(fe25519 *r, const fe
+ 
+ void fe25519_pow2523(fe25519 *r, const fe25519 *x);
+ 
++#endif /* WITHOUT_ED25519 */
+ #endif
+diff -pur old/ge25519.c new/ge25519.c
+--- old/ge25519.c	2014-01-16 17:43:44.000000000 -0800
++++ new/ge25519.c	2015-04-10 02:43:51.160002884 -0700
[email protected]@ -6,6 +6,8 @@
+  * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #include "fe25519.h"
[email protected]@ -319,3 +321,5 @@ void ge25519_scalarmult_base(ge25519_p3 
+     ge25519_mixadd2(r, &t);
+   }
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/ge25519.h new/ge25519.h
+--- old/ge25519.h	2013-12-17 22:48:11.000000000 -0800
++++ new/ge25519.h	2015-04-10 02:43:51.160283095 -0700
[email protected]@ -8,6 +8,7 @@
+ 
+ #ifndef GE25519_H
+ #define GE25519_H
++#ifndef WITHOUT_ED25519
+ 
+ #include "fe25519.h"
+ #include "sc25519.h"
[email protected]@ -40,4 +41,5 @@ void ge25519_double_scalarmult_vartime(g
+ 
+ void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
+ 
++#endif /* WITHOUT_ED25519 */
+ #endif
+diff -pur old/kex.c new/kex.c
+--- old/kex.c	2014-01-25 14:38:04.000000000 -0800
++++ new/kex.c	2015-04-10 02:43:51.160754653 -0700
[email protected]@ -87,7 +87,7 @@ static const struct kexalg kexalgs[] = {
+ # endif
+ #endif
+ 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+-#ifdef HAVE_EVP_SHA256
++#if defined(HAVE_EVP_SHA256) && !defined(WITHOUT_ED25519)
+ 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+ #endif
+ 	{ NULL, -1, -1, -1},
+Only in new: kex.c.orig
+diff -pur old/kex.h new/kex.h
+--- old/kex.h	2014-01-25 14:37:26.000000000 -0800
++++ new/kex.h	2015-04-10 02:47:29.726358404 -0700
[email protected]@ -43,7 +43,9 @@
+ #define	KEX_ECDH_SHA2_NISTP256	"ecdh-sha2-nistp256"
+ #define	KEX_ECDH_SHA2_NISTP384	"ecdh-sha2-nistp384"
+ #define	KEX_ECDH_SHA2_NISTP521	"ecdh-sha2-nistp521"
++#ifndef WITHOUT_ED25519
+ #define	KEX_CURVE25519_SHA256	"[email protected]"
++#endif /* WITHOUT_ED25519 */
+ 
+ #define COMP_NONE	0
+ #define COMP_ZLIB	1
[email protected]@ -75,7 +77,9 @@ enum kex_exchange {
+ 	KEX_DH_GEX_SHA1,
+ 	KEX_DH_GEX_SHA256,
+ 	KEX_ECDH_SHA2,
++#ifndef WITHOUT_ED25519
+ 	KEX_C25519_SHA256,
++#endif /* WITHOUT_ED25519 */
+ 	KEX_MAX
+ };
+ 
[email protected]@ -165,8 +169,10 @@ void	 kexgex_client(Kex *);
+ void	 kexgex_server(Kex *);
+ void	 kexecdh_client(Kex *);
+ void	 kexecdh_server(Kex *);
++#ifndef WITHOUT_ED25519
+ void	 kexc25519_client(Kex *);
+ void	 kexc25519_server(Kex *);
++#endif /* WITHOUT_ED25519 */
+ 
+ void
+ kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
[email protected]@ -181,6 +187,7 @@ kex_ecdh_hash(int, const EC_GROUP *, cha
+     char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
+     const BIGNUM *, u_char **, u_int *);
+ #endif
++#ifndef WITHOUT_ED25519
+ void
+ kex_c25519_hash(int, char *, char *, char *, int,
+     char *, int, u_char *, int, const u_char *, const u_char *,
[email protected]@ -194,6 +201,7 @@ void kexc25519_shared_key(const u_char k
+     const u_char pub[CURVE25519_SIZE], Buffer *out)
+ 	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+ 	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
++#endif /* WITHOUT_ED25519 */
+ 
+ void
+ derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
+Only in new: kex.h.orig
+Only in new: kex.h.rej
+diff -pur old/kexc25519.c new/kexc25519.c
+--- old/kexc25519.c	2014-01-12 00:21:23.000000000 -0800
++++ new/kexc25519.c	2015-04-10 02:43:51.161993727 -0700
[email protected]@ -25,6 +25,8 @@
+  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #include <sys/types.h>
[email protected]@ -120,3 +122,5 @@ kex_c25519_hash(
+ 	*hash = digest;
+ 	*hashlen = ssh_digest_bytes(hash_alg);
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/kexc25519c.c new/kexc25519c.c
+--- old/kexc25519c.c	2014-01-12 00:21:23.000000000 -0800
++++ new/kexc25519c.c	2015-04-10 02:43:51.162319004 -0700
[email protected]@ -25,6 +25,8 @@
+  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #include <sys/types.h>
[email protected]@ -127,3 +129,5 @@ kexc25519_client(Kex *kex)
+ 	buffer_free(&shared_secret);
+ 	kex_finish(kex);
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/kexc25519s.c new/kexc25519s.c
+--- old/kexc25519s.c	2014-01-12 00:21:23.000000000 -0800
++++ new/kexc25519s.c	2015-04-10 02:43:51.162628310 -0700
[email protected]@ -24,6 +24,8 @@
+  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #include <sys/types.h>
[email protected]@ -124,3 +126,5 @@ kexc25519_server(Kex *kex)
+ 	buffer_free(&shared_secret);
+ 	kex_finish(kex);
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/key.c new/key.c
+--- old/key.c	2014-01-09 15:58:53.000000000 -0800
++++ new/key.c	2015-04-10 02:48:40.602200617 -0700
[email protected]@ -89,8 +89,10 @@ key_new(int type)
+ 	k->dsa = NULL;
+ 	k->rsa = NULL;
+ 	k->cert = NULL;
++#ifndef WITHOUT_ED25519
+ 	k->ed25519_sk = NULL;
+ 	k->ed25519_pk = NULL;
++#endif /* WITHOUT_ED25519 */
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
[email protected]@ -125,10 +127,12 @@ key_new(int type)
+ 		/* Cannot do anything until we know the group */
+ 		break;
+ #endif
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		/* no need to prealloc */
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		break;
+ 	default:
[email protected]@ -173,10 +177,12 @@ key_add_private(Key *k)
+ 	case KEY_ECDSA_CERT:
+ 		/* Cannot do anything until we know the group */
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		/* no need to prealloc */
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		break;
+ 	default:
[email protected]@ -239,6 +245,7 @@ key_free(Key *k)
+ 		k->ecdsa = NULL;
+ 		break;
+ #endif
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		if (k->ed25519_pk) {
[email protected]@ -252,6 +259,7 @@ key_free(Key *k)
+ 			k->ed25519_sk = NULL;
+ 		}
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		break;
+ 	default:
[email protected]@ -333,10 +341,12 @@ key_equal_public(const Key *a, const Key
+ 		BN_CTX_free(bnctx);
+ 		return 1;
+ #endif /* OPENSSL_HAS_ECC */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
+ 		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		fatal("key_equal: bad key type %d", a->type);
+ 	}
[email protected]@ -392,7 +402,9 @@ key_fingerprint_raw(const Key *k, enum f
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
+ 	case KEY_RSA:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 		key_to_blob(k, &blob, &len);
+ 		break;
+ 	case KEY_DSA_CERT_V00:
[email protected]@ -400,7 +412,9 @@ key_fingerprint_raw(const Key *k, enum f
+ 	case KEY_DSA_CERT:
+ 	case KEY_ECDSA_CERT:
+ 	case KEY_RSA_CERT:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 		/* We want a fingerprint of the _key_ not of the cert */
+ 		to_blob(k, &blob, &len, 1);
+ 		break;
[email protected]@ -728,13 +742,17 @@ key_read(Key *ret, char **cpp)
+ 	case KEY_RSA:
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_DSA_CERT_V00:
+ 	case KEY_RSA_CERT_V00:
+ 	case KEY_DSA_CERT:
+ 	case KEY_ECDSA_CERT:
+ 	case KEY_RSA_CERT:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 		space = strchr(cp, ' ');
+ 		if (space == NULL) {
+ 			debug3("key_read: missing whitespace");
[email protected]@ -836,6 +854,7 @@ key_read(Key *ret, char **cpp)
+ #endif
+ 		}
+ #endif
++#ifndef WITHOUT_ED25519
+ 		if (key_type_plain(ret->type) == KEY_ED25519) {
+ 			free(ret->ed25519_pk);
+ 			ret->ed25519_pk = k->ed25519_pk;
[email protected]@ -844,6 +863,7 @@ key_read(Key *ret, char **cpp)
+ 			/* XXX */
+ #endif
+ 		}
++#endif /* WITHOUT_ED25519 */
+ 		success = 1;
+ /*XXXX*/
+ 		key_free(k);
[email protected]@ -907,11 +927,13 @@ key_write(const Key *key, FILE *f)
+ 			return 0;
+ 		break;
+ #endif
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		if (key->ed25519_pk == NULL)
+ 			return 0;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_RSA:
+ 	case KEY_RSA_CERT_V00:
+ 	case KEY_RSA_CERT:
[email protected]@ -959,7 +981,9 @@ static const struct keytype keytypes[] =
+ 	{ NULL, "RSA1", KEY_RSA1, 0, 0 },
+ 	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
+ 	{ "ssh-dss", "DSA", KEY_DSA, 0, 0 },
++#ifndef WITHOUT_ED25519
+ 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
++#endif /* WITHOUT_ED25519 */
+ #ifdef OPENSSL_HAS_ECC
+ 	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
+ 	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
[email protected]@ -983,8 +1007,10 @@ static const struct keytype keytypes[] =
+ 	    KEY_RSA_CERT_V00, 0, 1 },
+ 	{ "[email protected]", "DSA-CERT-V00",
+ 	    KEY_DSA_CERT_V00, 0, 1 },
++#ifndef WITHOUT_ED25519
+ 	{ "[email protected]", "ED25519-CERT",
+ 	    KEY_ED25519_CERT, 0, 1 },
++#endif /* WITHOUT_ED25519 */
+ 	{ NULL, NULL, -1, -1, 0 }
+ };
+ 
[email protected]@ -1096,7 +1122,9 @@ key_type_is_valid_ca(int type)
+ 	case KEY_RSA:
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 		return 1;
+ 	default:
+ 		return 0;
[email protected]@ -1116,8 +1144,10 @@ key_size(const Key *k)
+ 	case KEY_DSA_CERT_V00:
+ 	case KEY_DSA_CERT:
+ 		return BN_num_bits(k->dsa->p);
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		return 256;	/* XXX */
++#endif /* WITHOUT_ED25519 */
+ #ifdef OPENSSL_HAS_ECC
+ 	case KEY_ECDSA:
+ 	case KEY_ECDSA_CERT:
[email protected]@ -1261,11 +1291,13 @@ key_generate(int type, u_int bits)
+ 	case KEY_RSA1:
+ 		k->rsa = rsa_generate_private_key(bits);
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		k->ed25519_pk = xmalloc(ED25519_PK_SZ);
+ 		k->ed25519_sk = xmalloc(ED25519_SK_SZ);
+ 		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_RSA_CERT_V00:
+ 	case KEY_DSA_CERT_V00:
+ 	case KEY_RSA_CERT:
[email protected]@ -1359,6 +1391,7 @@ key_from_private(const Key *k)
+ 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
+ 			fatal("key_from_private: BN_copy failed");
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		n = key_new(k->type);
[email protected]@ -1367,6 +1400,7 @@ key_from_private(const Key *k)
+ 			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+ 		}
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		fatal("key_from_private: unknown type %d", k->type);
+ 		break;
[email protected]@ -1628,6 +1662,7 @@ key_from_blob2(const u_char *blob, u_int
+ #endif
+ 		break;
+ #endif /* OPENSSL_HAS_ECC */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		(void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
+ 		/* FALLTHROUGH */
[email protected]@ -1645,6 +1680,7 @@ key_from_blob2(const u_char *blob, u_int
+ 		key->ed25519_pk = pk;
+ 		pk = NULL;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		key = key_new(type);
+ 		break;
[email protected]@ -1699,7 +1735,9 @@ to_blob(const Key *key, u_char **blobp, 
+ 	case KEY_DSA_CERT:
+ 	case KEY_ECDSA_CERT:
+ 	case KEY_RSA_CERT:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 		/* Use the existing blob */
+ 		buffer_append(&b, buffer_ptr(&key->cert->certblob),
+ 		    buffer_len(&key->cert->certblob));
[email protected]@ -1727,11 +1765,13 @@ to_blob(const Key *key, u_char **blobp, 
+ 		buffer_put_bignum2(&b, key->rsa->e);
+ 		buffer_put_bignum2(&b, key->rsa->n);
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		buffer_put_cstring(&b,
+ 		    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
+ 		buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		error("key_to_blob: unsupported key type %d", key->type);
+ 		buffer_free(&b);
[email protected]@ -1775,9 +1815,11 @@ key_sign(
+ 	case KEY_RSA_CERT:
+ 	case KEY_RSA:
+ 		return ssh_rsa_sign(key, sigp, lenp, data, datalen);
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		error("key_sign: invalid key type %d", key->type);
+ 		return -1;
[email protected]@ -1811,9 +1853,11 @@ key_verify(
+ 	case KEY_RSA_CERT:
+ 	case KEY_RSA:
+ 		return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		error("key_verify: invalid key type %d", key->type);
+ 		return -1;
[email protected]@ -1833,8 +1877,10 @@ key_demote(const Key *k)
+ 	pk->dsa = NULL;
+ 	pk->ecdsa = NULL;
+ 	pk->rsa = NULL;
++#ifndef WITHOUT_ED25519
+ 	pk->ed25519_pk = NULL;
+ 	pk->ed25519_sk = NULL;
++#endif /* WITHOUT_ED25519 */
+ 
+ 	switch (k->type) {
+ 	case KEY_RSA_CERT_V00:
[email protected]@ -1878,6 +1924,7 @@ key_demote(const Key *k)
+ 			fatal("key_demote: EC_KEY_set_public_key failed");
+ 		break;
+ #endif
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		key_cert_copy(k, pk);
+ 		/* FALLTHROUGH */
[email protected]@ -1887,6 +1934,7 @@ key_demote(const Key *k)
+ 			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+ 		}
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		fatal("key_demote: bad key type %d", k->type);
+ 		break;
[email protected]@ -1916,8 +1964,10 @@ key_type_plain(int type)
+ 		return KEY_DSA;
+ 	case KEY_ECDSA_CERT:
+ 		return KEY_ECDSA;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		return KEY_ED25519;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return type;
+ 	}
[email protected]@ -1943,6 +1993,7 @@ key_to_certified(Key *k, int legacy)
+ 		k->cert = cert_new();
+ 		k->type = KEY_ECDSA_CERT;
+ 		return 0;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		if (legacy)
+ 			fatal("%s: legacy ED25519 certificates are not "
[email protected]@ -1950,6 +2001,7 @@ key_to_certified(Key *k, int legacy)
+ 		k->cert = cert_new();
+ 		k->type = KEY_ED25519_CERT;
+ 		return 0;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		error("%s: key has incorrect type %s", __func__, key_type(k));
+ 		return -1;
[email protected]@ -2028,10 +2080,12 @@ key_certify(Key *k, Key *ca)
+ 		buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
+ 		buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		buffer_put_string(&k->cert->certblob,
+ 		    k->ed25519_pk, ED25519_PK_SZ);
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		error("%s: key has incorrect type %s", __func__, key_type(k));
+ 		buffer_clear(&k->cert->certblob);
[email protected]@ -2449,6 +2503,7 @@ key_private_serialize(const Key *key, Bu
+ 		buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
+ 		break;
+ #endif /* OPENSSL_HAS_ECC */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
+ 		buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
[email protected]@ -2461,6 +2516,7 @@ key_private_serialize(const Key *key, Bu
+ 		buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
+ 		buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	}
+ }
+ 
[email protected]@ -2575,6 +2631,7 @@ key_private_deserialize(Buffer *blob)
+ 		buffer_get_bignum2(blob, k->rsa->p);
+ 		buffer_get_bignum2(blob, k->rsa->q);
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		k = key_new_private(type);
+ 		k->ed25519_pk = buffer_get_string(blob, &pklen);
[email protected]@ -2601,6 +2658,7 @@ key_private_deserialize(Buffer *blob)
+ 			fatal("%s: ed25519 sklen %d != %d",
+ 			    __func__, sklen, ED25519_SK_SZ);
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		free(type_name);
+ 		buffer_clear(blob);
+Only in new: key.c.orig
+Only in new: key.c.rej
+diff -pur old/key.h new/key.h
+--- old/key.h	2014-01-09 15:58:53.000000000 -0800
++++ new/key.h	2015-04-10 02:43:51.166553603 -0700
[email protected]@ -39,11 +39,15 @@ enum types {
+ 	KEY_RSA,
+ 	KEY_DSA,
+ 	KEY_ECDSA,
++#ifndef WITHOUT_ED25519
+ 	KEY_ED25519,
++#endif /* WITHOUT_ED25519 */
+ 	KEY_RSA_CERT,
+ 	KEY_DSA_CERT,
+ 	KEY_ECDSA_CERT,
++#ifndef WITHOUT_ED25519
+ 	KEY_ED25519_CERT,
++#endif /* WITHOUT_ED25519 */
+ 	KEY_RSA_CERT_V00,
+ 	KEY_DSA_CERT_V00,
+ 	KEY_UNSPEC
[email protected]@ -88,12 +92,16 @@ struct Key {
+ 	void	*ecdsa;
+ #endif
+ 	struct KeyCert *cert;
++#ifndef WITHOUT_ED25519
+ 	u_char	*ed25519_sk;
+ 	u_char	*ed25519_pk;
++#endif /* WITHOUT_ED25519 */
+ };
+ 
++#ifndef WITHOUT_ED25519
+ #define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
+ #define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
++#endif /* WITHOUT_ED25519 */
+ 
+ Key		*key_new(int);
+ void		 key_add_private(Key *);
[email protected]@ -152,8 +160,10 @@ int	 ssh_ecdsa_sign(const Key *, u_char 
+ int	 ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
+ int	 ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
+ int	 ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
++#ifndef WITHOUT_ED25519
+ int	 ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
+ int	 ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
++#endif /* WITHOUT_ED25519 */
+ 
+ #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
+ void	key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
+Only in new: key.h.orig
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c	2015-04-10 02:43:51.067342317 -0700
++++ new/monitor.c	2015-04-10 02:49:10.399820034 -0700
[email protected]@ -1887,7 +1887,9 @@ mm_get_kex(Buffer *m)
+ 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+ 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+ 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
++#ifndef WITHOUT_ED25519
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#endif /* WITHOUT_ED25519 */
+ 	kex->server = 1;
+ 	kex->hostkey_type = buffer_get_int(m);
+ 	kex->kex_type = buffer_get_int(m);
+Only in new: monitor.c.orig
+Only in new: monitor.c.rej
+diff -pur old/myproposal.h new/myproposal.h
+--- old/myproposal.h	2013-12-06 16:24:02.000000000 -0800
++++ new/myproposal.h	2015-04-10 02:43:51.168744484 -0700
[email protected]@ -80,6 +80,24 @@
+ # define SHA2_HMAC_MODES
+ #endif
+ 
++#ifdef WITHOUT_ED25519
++# define KEX_DEFAULT_KEX \
++	KEX_ECDH_METHODS \
++	KEX_SHA256_METHODS \
++	"diffie-hellman-group-exchange-sha1," \
++	"diffie-hellman-group14-sha1," \
++	"diffie-hellman-group1-sha1"
++
++#define	KEX_DEFAULT_PK_ALG	\
++	HOSTKEY_ECDSA_CERT_METHODS \
++	"[email protected]," \
++	"[email protected]," \
++	"[email protected]," \
++	"[email protected]," \
++	HOSTKEY_ECDSA_METHODS \
++	"ssh-rsa," \
++	"ssh-dss"
++#else /* WITHOUT_ED25519 */
+ # define KEX_DEFAULT_KEX \
+ 	KEX_CURVE25519_METHODS \
+ 	KEX_ECDH_METHODS \
[email protected]@ -99,6 +117,7 @@
+ 	"ssh-ed25519," \
+ 	"ssh-rsa," \
+ 	"ssh-dss"
++#endif /* WITHOUT_ED25519 */
+ 
+ /* the actual algorithms */
+ 
+diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
+--- old/openbsd-compat/Makefile.in	2013-12-06 17:37:54.000000000 -0800
++++ new/openbsd-compat/Makefile.in	2015-04-10 02:43:51.169041778 -0700
[email protected]@ -18,7 +18,7 @@ LDFLAGS=-L. @[email protected]
+ 
+ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
+ 
+-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
++COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 
+ 
+ PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+ 
[email protected]@ -32,7 +32,7 @@ $(OPENBSD): ../config.h
+ $(PORTS): ../config.h
+ 
+ libopenbsd-compat.a:  $(COMPAT) $(OPENBSD) $(PORTS)
+-	$(AR) rv [email protected] $(COMPAT) $(OPENBSD) $(PORTS)
++	$(AR) rv [email protected] $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o
+ 	$(RANLIB) [email protected]
+ 
+ clean:
+diff -pur old/pathnames.h new/pathnames.h
+--- old/pathnames.h	2013-12-06 16:24:02.000000000 -0800
++++ new/pathnames.h	2015-04-10 02:43:51.169362243 -0700
[email protected]@ -39,7 +39,9 @@
+ #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
+ #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
+ #define _PATH_HOST_ECDSA_KEY_FILE	SSHDIR "/ssh_host_ecdsa_key"
++#ifndef WITHOUT_ED25519
+ #define _PATH_HOST_ED25519_KEY_FILE	SSHDIR "/ssh_host_ed25519_key"
++#endif /* WITHOUT_ED25519 */
+ #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI			SSHDIR "/moduli"
+ /* Backwards compatibility */
[email protected]@ -78,7 +80,9 @@
+ #define _PATH_SSH_CLIENT_ID_DSA		_PATH_SSH_USER_DIR "/id_dsa"
+ #define _PATH_SSH_CLIENT_ID_ECDSA	_PATH_SSH_USER_DIR "/id_ecdsa"
+ #define _PATH_SSH_CLIENT_ID_RSA		_PATH_SSH_USER_DIR "/id_rsa"
++#ifndef WITHOUT_ED25519
+ #define _PATH_SSH_CLIENT_ID_ED25519	_PATH_SSH_USER_DIR "/id_ed25519"
++#endif /* WITHOUT_ED25519 */
+ 
+ /*
+  * Configuration file in user's home directory.  This file need not be
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c	2015-04-10 02:43:51.075573457 -0700
++++ new/readconf.c	2015-04-10 02:43:51.170150446 -0700
[email protected]@ -1702,8 +1702,10 @@ fill_default_options(Options * options)
+ 			add_identity_file(options, "~/",
+ 			    _PATH_SSH_CLIENT_ID_ECDSA, 0);
+ #endif
++#ifndef WITHOUT_ED25519
+ 			add_identity_file(options, "~/",
+ 			    _PATH_SSH_CLIENT_ID_ED25519, 0);
++#endif /* WITHOUT_ED25519 */
+ 		}
+ 	}
+ 	if (options->escape_char == -1)
+Only in new: readconf.c.orig
+diff -pur old/sc25519.c new/sc25519.c
+--- old/sc25519.c	2014-01-16 17:43:44.000000000 -0800
++++ new/sc25519.c	2015-04-10 02:43:51.170631841 -0700
[email protected]@ -6,6 +6,8 @@
+  * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #include "sc25519.h"
[email protected]@ -306,3 +308,5 @@ void sc25519_2interleave2(unsigned char 
+   r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
+   r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/sc25519.h new/sc25519.h
+--- old/sc25519.h	2013-12-17 22:48:11.000000000 -0800
++++ new/sc25519.h	2015-04-10 02:43:51.170901036 -0700
[email protected]@ -8,6 +8,7 @@
+ 
+ #ifndef SC25519_H
+ #define SC25519_H
++#ifndef WITHOUT_ED25519
+ 
+ #include "crypto_api.h"
+ 
[email protected]@ -77,4 +78,5 @@ void sc25519_window5(signed char r[51], 
+ 
+ void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
+ 
++#endif /* WITHOUT_ED25519 */
+ #endif
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c	2015-04-10 02:43:51.086374994 -0700
++++ new/servconf.c	2015-04-10 02:43:51.171761969 -0700
[email protected]@ -189,8 +189,10 @@ fill_default_server_options(ServerOption
+ 			options->host_key_files[options->num_host_key_files++] =
+ 			    _PATH_HOST_ECDSA_KEY_FILE;
+ #endif
++#ifndef WITHOUT_ED25519
+ 			options->host_key_files[options->num_host_key_files++] =
+ 			    _PATH_HOST_ED25519_KEY_FILE;
++#endif /* WITHOUT_ED25519 */
+ 		}
+ 	}
+ 	/* No certificates by default */
+Only in new: servconf.c.orig
+diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c
+--- old/smult_curve25519_ref.c	2013-11-03 13:26:53.000000000 -0800
++++ new/smult_curve25519_ref.c	2015-04-10 02:43:51.172253244 -0700
[email protected]@ -6,6 +6,8 @@ Public domain.
+ Derived from public domain code by D. J. Bernstein.
+ */
+ 
++#ifndef WITHOUT_ED25519
++
+ int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
+ 
+ static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
[email protected]@ -263,3 +265,5 @@ int crypto_scalarmult_curve25519(unsigne
+   for (i = 0;i < 32;++i) q[i] = work[64 + i];
+   return 0;
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/ssh-add.0 new/ssh-add.0
+--- old/ssh-add.0	2014-01-29 17:52:47.000000000 -0800
++++ new/ssh-add.0	2015-04-10 02:43:51.172577448 -0700
[email protected]@ -11,7 +11,7 @@ SYNOPSIS
+ DESCRIPTION
+      ssh-add adds private key identities to the authentication agent,
+      ssh-agent(1).  When run without arguments, it adds the files
+-     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
++     ~/.ssh/id_rsa, ~/.ssh/id_dsa and
+      ~/.ssh/identity.  After loading a private key, ssh-add will try to load
+      corresponding certificate information from the filename obtained by
+      appending -cert.pub to the name of the private key file.  Alternative
[email protected]@ -91,14 +91,6 @@ FILES
+              Contains the protocol version 2 DSA authentication identity of
+              the user.
+ 
+-     ~/.ssh/id_ecdsa
+-             Contains the protocol version 2 ECDSA authentication identity of
+-             the user.
+-
+-     ~/.ssh/id_ed25519
+-             Contains the protocol version 2 ED25519 authentication identity
+-             of the user.
+-
+      ~/.ssh/id_rsa
+              Contains the protocol version 2 RSA authentication identity of
+              the user.
+diff -pur old/ssh-add.1 new/ssh-add.1
+--- old/ssh-add.1	2013-12-17 22:46:28.000000000 -0800
++++ new/ssh-add.1	2015-04-10 02:43:51.172897417 -0700
[email protected]@ -57,8 +57,6 @@ adds private key identities to the authe
+ When run without arguments, it adds the files
+ .Pa ~/.ssh/id_rsa ,
+ .Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_ecdsa ,
+-.Pa ~/.ssh/id_ed25519
+ and
+ .Pa ~/.ssh/identity .
+ After loading a private key,
[email protected]@ -168,10 +166,6 @@ socket used to communicate with the agen
+ Contains the protocol version 1 RSA authentication identity of the user.
+ .It Pa ~/.ssh/id_dsa
+ Contains the protocol version 2 DSA authentication identity of the user.
+-.It Pa ~/.ssh/id_ecdsa
+-Contains the protocol version 2 ECDSA authentication identity of the user.
+-.It Pa ~/.ssh/id_ed25519
+-Contains the protocol version 2 ED25519 authentication identity of the user.
+ .It Pa ~/.ssh/id_rsa
+ Contains the protocol version 2 RSA authentication identity of the user.
+ .El
+diff -pur old/ssh-add.c new/ssh-add.c
+--- old/ssh-add.c	2013-12-28 22:44:07.000000000 -0800
++++ new/ssh-add.c	2015-04-10 02:43:51.173249822 -0700
[email protected]@ -73,7 +73,9 @@ static char *default_files[] = {
+ #ifdef OPENSSL_HAS_ECC
+ 	_PATH_SSH_CLIENT_ID_ECDSA,
+ #endif
++#ifndef WITHOUT_ED25519
+ 	_PATH_SSH_CLIENT_ID_ED25519,
++#endif /* WITHOUT_ED25519 */
+ 	_PATH_SSH_CLIENT_IDENTITY,
+ 	NULL
+ };
+diff -pur old/ssh-agent.0 new/ssh-agent.0
+--- old/ssh-agent.0	2014-01-29 17:52:47.000000000 -0800
++++ new/ssh-agent.0	2015-04-10 02:43:51.173618938 -0700
[email protected]@ -9,7 +9,7 @@ SYNOPSIS
+ 
+ DESCRIPTION
+      ssh-agent is a program to hold private keys used for public key
+-     authentication (RSA, DSA, ECDSA, ED25519).  The idea is that ssh-agent is
++     authentication (RSA, DSA).  The idea is that ssh-agent is
+      started in the beginning of an X-session or a login session, and all
+      other windows or programs are started as clients to the ssh-agent
+      program.  Through use of environment variables the agent can be located
[email protected]@ -46,8 +46,8 @@ DESCRIPTION
+ 
+      The agent initially does not have any private keys.  Keys are added using
+      ssh-add(1).  When executed without arguments, ssh-add(1) adds the files
+-     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
+-     ~/.ssh/identity.  If the identity has a passphrase, ssh-add(1) asks for
++     ~/.ssh/id_rsa, ~/.ssh/id_dsa ~/.ssh/identity.  
++     If the identity has a passphrase, ssh-add(1) asks for
+      the passphrase on the terminal if it has one or from a small X11 program
+      if running under X11.  If neither of these is the case then the
+      authentication will fail.  It then sends the identity to the agent.
[email protected]@ -97,14 +97,6 @@ FILES
+              Contains the protocol version 2 DSA authentication identity of
+              the user.
+ 
+-     ~/.ssh/id_ecdsa
+-             Contains the protocol version 2 ECDSA authentication identity of
+-             the user.
+-
+-     ~/.ssh/id_ed25519
+-             Contains the protocol version 2 ED25519 authentication identity
+-             of the user.
+-
+      ~/.ssh/id_rsa
+              Contains the protocol version 2 RSA authentication identity of
+              the user.
+diff -pur old/ssh-agent.1 new/ssh-agent.1
+--- old/ssh-agent.1	2013-12-17 22:46:28.000000000 -0800
++++ new/ssh-agent.1	2015-04-10 02:43:51.173976932 -0700
[email protected]@ -53,7 +53,7 @@
+ .Sh DESCRIPTION
+ .Nm
+ is a program to hold private keys used for public key authentication
+-(RSA, DSA, ECDSA, ED25519).
++(RSA, DSA).
+ The idea is that
+ .Nm
+ is started in the beginning of an X-session or a login session, and
[email protected]@ -114,9 +114,7 @@ When executed without arguments,
+ .Xr ssh-add 1
+ adds the files
+ .Pa ~/.ssh/id_rsa ,
+-.Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_ecdsa ,
+-.Pa ~/.ssh/id_ed25519
++.Pa ~/.ssh/id_dsa 
+ and
+ .Pa ~/.ssh/identity .
+ If the identity has a passphrase,
[email protected]@ -189,10 +187,6 @@ line terminates.
+ Contains the protocol version 1 RSA authentication identity of the user.
+ .It Pa ~/.ssh/id_dsa
+ Contains the protocol version 2 DSA authentication identity of the user.
+-.It Pa ~/.ssh/id_ecdsa
+-Contains the protocol version 2 ECDSA authentication identity of the user.
+-.It Pa ~/.ssh/id_ed25519
+-Contains the protocol version 2 ED25519 authentication identity of the user.
+ .It Pa ~/.ssh/id_rsa
+ Contains the protocol version 2 RSA authentication identity of the user.
+ .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
+diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
+--- old/ssh-ed25519.c	2013-12-06 17:37:54.000000000 -0800
++++ new/ssh-ed25519.c	2015-04-10 02:43:51.174245635 -0700
[email protected]@ -15,6 +15,8 @@
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
++#ifndef WITHOUT_ED25519
++
+ #include "includes.h"
+ 
+ #include <sys/types.h>
[email protected]@ -141,3 +143,5 @@ ssh_ed25519_verify(const Key *key, const
+ 	/* translate return code carefully */
+ 	return (ret == 0) ? 1 : -1;
+ }
++
++#endif /* WITHOUT_ED25519 */
+diff -pur old/ssh-keygen.0 new/ssh-keygen.0
+--- old/ssh-keygen.0	2014-01-29 17:52:47.000000000 -0800
++++ new/ssh-keygen.0	2015-04-10 02:43:51.175019524 -0700
[email protected]@ -32,7 +32,7 @@ SYNOPSIS
+ DESCRIPTION
+      ssh-keygen generates, manages and converts authentication keys for
+      ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
+-     and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
++     and DSA or RSA keys for use by SSH protocol version 2.
+      The type of key to be generated is specified with the -t option.  If
+      invoked without any arguments, ssh-keygen will generate an RSA key for
+      use in SSH protocol 2 connections.
[email protected]@ -46,7 +46,7 @@ DESCRIPTION
+ 
+      Normally each user wishing to use SSH with public key authentication runs
+      this once to create the authentication key in ~/.ssh/identity,
+-     ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa.
++     ~/.ssh/id_dsa or ~/.ssh/id_rsa.
+      Additionally, the system administrator may use this to generate host
+      keys, as seen in /etc/rc.
+ 
[email protected]@ -79,14 +79,14 @@ DESCRIPTION
+ 
+      The options are as follows:
+ 
+-     -A      For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for
++     -A      For each of the key types (rsa1, rsa, and dsa) for
+              which host keys do not exist, generate the host keys with the
+              default key file path, an empty passphrase, default bits for the
+              key type, and default comment.  This is used by /etc/rc to
+              generate new host keys.
+ 
+      -a rounds
+-             When saving a new-format private key (i.e. an ed25519 key or any
++             When saving a new-format private key (i.e. any
+              SSH protocol 2 key when the -o flag is set), this option
+              specifies the number of KDF (key derivation function) rounds
+              used.  Higher numbers result in slower passphrase verification
[email protected]@ -103,12 +103,7 @@ DESCRIPTION
+              Specifies the number of bits in the key to create.  For RSA keys,
+              the minimum size is 768 bits and the default is 2048 bits.
+              Generally, 2048 bits is considered sufficient.  DSA keys must be
+-             exactly 1024 bits as specified by FIPS 186-2.  For ECDSA keys,
+-             the -b flag determines the key length by selecting from one of
+-             three elliptic curve sizes: 256, 384 or 521 bits.  Attempting to
+-             use bit lengths other than these three values for ECDSA keys will
+-             fail.  ED25519 keys have a fixed length and the -b flag will be
+-             ignored.
++             exactly 1024 bits as specified by FIPS 186-2.
+ 
+      -C comment
+              Provides a new comment.
[email protected]@ -274,7 +269,7 @@ DESCRIPTION
+              new OpenSSH format rather than the more compatible PEM format.
+              The new format has increased resistance to brute-force password
+              cracking but is not supported by versions of OpenSSH prior to
+-             6.5.  Ed25519 keys always use the new private key format.
++             6.5.
+ 
+      -P passphrase
+              Provides the (old) passphrase.
[email protected]@ -315,8 +310,8 @@ DESCRIPTION
+ 
+      -t type
+              Specifies the type of key to create.  The possible values are
+-             ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'',
+-             ``ed25519'', or ``rsa'' for protocol version 2.
++             ``rsa1'' for protocol version 1 and ``dsa'' or ``rsa'' for 
++             protocol version 2.
+ 
+      -u      Update a KRL.  When specified with -k, keys listed via the
+              command line are added to the existing KRL rather than a new KRL
[email protected]@ -521,10 +516,8 @@ FILES
+              contents of this file secret.
+ 
+      ~/.ssh/id_dsa
+-     ~/.ssh/id_ecdsa
+-     ~/.ssh/id_ed25519
+      ~/.ssh/id_rsa
+-             Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
++             Contains the protocol version 2 DSA or RSA
+              authentication identity of the user.  This file should not be
+              readable by anyone but the user.  It is possible to specify a
+              passphrase when generating the key; that passphrase will be used
[email protected]@ -534,10 +527,8 @@ FILES
+              read this file when a login attempt is made.
+ 
+      ~/.ssh/id_dsa.pub
+-     ~/.ssh/id_ecdsa.pub
+-     ~/.ssh/id_ed25519.pub
+      ~/.ssh/id_rsa.pub
+-             Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public
++             Contains the protocol version 2 DSA or RSA public
+              key for authentication.  The contents of this file should be
+              added to ~/.ssh/authorized_keys on all machines where the user
+              wishes to log in using public key authentication.  There is no
+diff -pur old/ssh-keygen.1 new/ssh-keygen.1
+--- old/ssh-keygen.1	2013-12-28 22:47:14.000000000 -0800
++++ new/ssh-keygen.1	2015-04-10 02:43:51.175831546 -0700
[email protected]@ -140,7 +140,7 @@ generates, manages and converts authenti
+ .Xr ssh 1 .
+ .Nm
+ can create RSA keys for use by SSH protocol version 1 and
+-DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
++DSA or RSA keys for use by SSH protocol version 2.
+ The type of key to be generated is specified with the
+ .Fl t
+ option.
[email protected]@ -168,8 +168,6 @@ with public key authentication runs this
+ key in
+ .Pa ~/.ssh/identity ,
+ .Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_ecdsa ,
+-.Pa ~/.ssh/id_ed25519
+ or
+ .Pa ~/.ssh/id_rsa .
+ Additionally, the system administrator may use this to generate host keys,
[email protected]@ -217,7 +215,7 @@ should be placed to be activated.
+ The options are as follows:
+ .Bl -tag -width Ds
+ .It Fl A
+-For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
++For each of the key types (rsa1, rsa, dsa)
+ for which host keys
+ do not exist, generate the host keys with the default key file path,
+ an empty passphrase, default bits for the key type, and default comment.
[email protected]@ -225,8 +223,7 @@ This is used by
+ .Pa /etc/rc
+ to generate new host keys.
+ .It Fl a Ar rounds
+-When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
+-2 key when the
++When saving a new-format private key (i.e. any SSH protocol 2 key when the
+ .Fl o
+ flag is set), this option specifies the number of KDF (key derivation function)
+ rounds used.
[email protected]@ -245,15 +242,6 @@ Specifies the number of bits in the key 
+ For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
+ Generally, 2048 bits is considered sufficient.
+ DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
+-For ECDSA keys, the
+-.Fl b
+-flag determines the key length by selecting from one of three elliptic
+-curve sizes: 256, 384 or 521 bits.
+-Attempting to use bit lengths other than these three values for ECDSA keys
+-will fail.
+-ED25519 keys have a fixed length and the
+-.Fl b
+-flag will be ignored.
+ .It Fl C Ar comment
+ Provides a new comment.
+ .It Fl c
[email protected]@ -468,7 +456,6 @@ to save SSH protocol 2 private keys usin
+ the more compatible PEM format.
+ The new format has increased resistance to brute-force password cracking
+ but is not supported by versions of OpenSSH prior to 6.5.
+-Ed25519 keys always use the new private key format.
+ .It Fl P Ar passphrase
+ Provides the (old) passphrase.
+ .It Fl p
[email protected]@ -520,8 +507,6 @@ The possible values are
+ .Dq rsa1
+ for protocol version 1 and
+ .Dq dsa ,
+-.Dq ecdsa ,
+-.Dq ed25519 ,
+ or
+ .Dq rsa
+ for protocol version 2.
[email protected]@ -800,10 +785,8 @@ where the user wishes to log in using RS
+ There is no need to keep the contents of this file secret.
+ .Pp
+ .It Pa ~/.ssh/id_dsa
+-.It Pa ~/.ssh/id_ecdsa
+-.It Pa ~/.ssh/id_ed25519
+ .It Pa ~/.ssh/id_rsa
+-Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
++Contains the protocol version 2 DSA or RSA
+ authentication identity of the user.
+ This file should not be readable by anyone but the user.
+ It is possible to
[email protected]@ -816,10 +799,8 @@ but it is offered as the default file fo
+ will read this file when a login attempt is made.
+ .Pp
+ .It Pa ~/.ssh/id_dsa.pub
+-.It Pa ~/.ssh/id_ecdsa.pub
+-.It Pa ~/.ssh/id_ed25519.pub
+ .It Pa ~/.ssh/id_rsa.pub
+-Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
++Contains the protocol version 2 DSA or RSA
+ public key for authentication.
+ The contents of this file should be added to
+ .Pa ~/.ssh/authorized_keys
+diff -pur old/ssh-keygen.c new/ssh-keygen.c
+--- old/ssh-keygen.c	2013-12-06 16:24:02.000000000 -0800
++++ new/ssh-keygen.c	2015-04-10 02:43:51.176894394 -0700
[email protected]@ -197,7 +197,11 @@ type_bits_valid(int type, u_int32_t *bit
+ 	}
+ 	if (type == KEY_DSA && *bitsp != 1024)
+ 		fatal("DSA keys must be 1024 bits");
++#ifdef WITHOUT_ED25519
++	else if (type != KEY_ECDSA && *bitsp < 768)
++#else /* WITHOUT_ED25519 */
+ 	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
++#endif /* WITHOUT_ED25519 */
+ 		fatal("Key must at least be 768 bits");
+ 	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
+ 		fatal("Invalid ECDSA key length - valid lengths are "
[email protected]@ -233,10 +237,12 @@ ask_filename(struct passwd *pw, const ch
+ 		case KEY_RSA:
+ 			name = _PATH_SSH_CLIENT_ID_RSA;
+ 			break;
++#ifndef WITHOUT_ED25519
+ 		case KEY_ED25519:
+ 		case KEY_ED25519_CERT:
+ 			name = _PATH_SSH_CLIENT_ID_ED25519;
+ 			break;
++#endif /* WITHOUT_ED25519 */
+ 		default:
+ 			fprintf(stderr, "bad key type\n");
+ 			exit(1);
[email protected]@ -900,7 +906,9 @@ do_gen_all_hostkeys(struct passwd *pw)
+ #ifdef OPENSSL_HAS_ECC
+ 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
+ #endif
++#ifndef WITHOUT_ED25519
+ 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
++#endif /* WITHOUT_ED25519 */
+ 		{ NULL, NULL, NULL }
+ 	};
+ 
[email protected]@ -1616,7 +1624,10 @@ do_ca_sign(struct passwd *pw, int argc, 
+ 		if ((public = key_load_public(tmp, &comment)) == NULL)
+ 			fatal("%s: unable to open \"%s\"", __func__, tmp);
+ 		if (public->type != KEY_RSA && public->type != KEY_DSA &&
+-		    public->type != KEY_ECDSA && public->type != KEY_ED25519)
++#ifndef WITHOUT_ED25519
++		    public->type != KEY_ED25519 &&
++#endif /* WITHOUT_ED25519 */
++		    public->type != KEY_ECDSA)
+ 			fatal("%s: key \"%s\" type %s cannot be certified",
+ 			    __func__, tmp, key_type(public));
+ 
+diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0
+--- old/ssh-keyscan.0	2014-01-29 17:52:47.000000000 -0800
++++ new/ssh-keyscan.0	2015-04-10 02:43:51.177179968 -0700
[email protected]@ -48,9 +48,9 @@ DESCRIPTION
+      -t type
+              Specifies the type of the key to fetch from the scanned hosts.
+              The possible values are ``rsa1'' for protocol version 1 and
+-             ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
++             ``dsa'' or ``rsa'' for protocol version
+              2.  Multiple values may be specified by separating them with
+-             commas.  The default is to fetch ``rsa'' and ``ecdsa'' keys.
++             commas.  The default is to fetch ``rsa'' keys.
+ 
+      -v      Verbose mode.  Causes ssh-keyscan to print debugging messages
+              about its progress.
[email protected]@ -72,12 +72,11 @@ FILES
+ 
+      host-or-namelist bits exponent modulus
+ 
+-     Output format for rsa, dsa and ecdsa keys:
++     Output format for rsa and dsa keys:
+ 
+      host-or-namelist keytype base64-encoded-key
+ 
+-     Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
+-     ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''.
++     Where keytype is either ``ssh-dss'' or ``ssh-rsa''.
+ 
+      /etc/ssh/ssh_known_hosts
+ 
[email protected]@ -89,7 +88,7 @@ EXAMPLES
+      Find all hosts from the file ssh_hosts which have new or different keys
+      from those in the sorted file ssh_known_hosts:
+ 
+-     $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \
++     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
+              sort -u - ssh_known_hosts | diff ssh_known_hosts -
+ 
+ SEE ALSO
+diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1
+--- old/ssh-keyscan.1	2013-12-17 22:46:28.000000000 -0800
++++ new/ssh-keyscan.1	2015-04-10 02:43:51.177539875 -0700
[email protected]@ -89,16 +89,12 @@ The possible values are
+ .Dq rsa1
+ for protocol version 1 and
+ .Dq dsa ,
+-.Dq ecdsa ,
+-.Dq ed25519 ,
+ or
+ .Dq rsa
+ for protocol version 2.
+ Multiple values may be specified by separating them with commas.
+ The default is to fetch
+ .Dq rsa
+-and
+-.Dq ecdsa
+ keys.
+ .It Fl v
+ Verbose mode.
[email protected]@ -127,7 +123,7 @@ attacks which have begun after the ssh_k
+ host-or-namelist bits exponent modulus
+ .Ed
+ .Pp
+-.Pa Output format for rsa, dsa and ecdsa keys:
++.Pa Output format for rsa and dsa keys:
+ .Bd -literal
+ host-or-namelist keytype base64-encoded-key
+ .Ed
[email protected]@ -135,10 +131,6 @@ host-or-namelist keytype base64-encoded-
+ Where
+ .Pa keytype
+ is either
+-.Dq ecdsa-sha2-nistp256 ,
+-.Dq ecdsa-sha2-nistp384 ,
+-.Dq ecdsa-sha2-nistp521 ,
+-.Dq ssh-ed25519 ,
+ .Dq ssh-dss
+ or
+ .Dq ssh-rsa .
[email protected]@ -158,7 +150,7 @@ Find all hosts from the file
+ which have new or different keys from those in the sorted file
+ .Pa ssh_known_hosts :
+ .Bd -literal
+-$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
++$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
+ 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
+ .Ed
+ .Sh SEE ALSO
+diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
+--- old/ssh-keyscan.c	2013-12-06 16:24:02.000000000 -0800
++++ new/ssh-keyscan.c	2015-04-10 02:43:51.178102053 -0700
[email protected]@ -56,7 +56,9 @@ int ssh_port = SSH_DEFAULT_PORT;
+ #define KT_DSA		2
+ #define KT_RSA		4
+ #define KT_ECDSA	8
++#ifndef WITHOUT_ED25519
+ #define KT_ED25519	16
++#endif /* WITHOUT_ED25519 */
+ 
+ int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
+ 
[email protected]@ -247,9 +249,11 @@ keygrab_ssh2(con *c)
+ 	packet_set_connection(c->c_fd, c->c_fd);
+ 	enable_compat20();
+ 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+-	    c->c_keytype == KT_DSA ?  "ssh-dss" :
++#ifndef WITHOUT_ED25519
++	    c->c_keytype == KT_ED25519 ?  "ssh-ed25519" :
++#endif /* WITHOUT_ED25519 */
+ 	    (c->c_keytype == KT_RSA ? "ssh-rsa" :
+-	    (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
++	    (c->c_keytype == KT_DSA ? "ssh-dss" :
+ 	    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
+ 	c->c_kex = kex_setup(myproposal);
+ 	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
[email protected]@ -257,7 +261,9 @@ keygrab_ssh2(con *c)
+ 	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+ 	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+ 	c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
++#ifndef WITHOUT_ED25519
+ 	c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#endif /* WITHOUT_ED25519 */
+ 	c->c_kex->verify_host_key = hostjump;
+ 
+ 	if (!(j = setjmp(kexjmp))) {
[email protected]@ -575,10 +581,15 @@ do_host(char *host)
+ {
+ 	char *name = strnnsep(&host, " \t\n");
+ 	int j;
++#ifdef WITHOUT_ED25519
++	int max_kt = KT_ECDSA;
++#else
++	int max_kt = KT_ED25519;
++#endif
+ 
+ 	if (name == NULL)
+ 		return;
+-	for (j = KT_RSA1; j <= KT_ED25519; j *= 2) {
++	for (j = KT_RSA1; j <= max_kt; j *= 2) {
+ 		if (get_keytypes & j) {
+ 			while (ncon >= MAXCON)
+ 				conloop();
[email protected]@ -685,9 +696,11 @@ main(int argc, char **argv)
+ 				case KEY_RSA:
+ 					get_keytypes |= KT_RSA;
+ 					break;
++#ifndef WITHOUT_ED25519
+ 				case KEY_ED25519:
+ 					get_keytypes |= KT_ED25519;
+ 					break;
++#endif /* WITHOUT_ED25519 */
+ 				case KEY_UNSPEC:
+ 					fatal("unknown key type %s", tname);
+ 				}
+diff -pur old/ssh-keysign.0 new/ssh-keysign.0
+--- old/ssh-keysign.0	2014-01-29 17:52:48.000000000 -0800
++++ new/ssh-keysign.0	2015-04-10 02:43:51.178360839 -0700
[email protected]@ -24,8 +24,6 @@ FILES
+              Controls whether ssh-keysign is enabled.
+ 
+      /etc/ssh/ssh_host_dsa_key
+-     /etc/ssh/ssh_host_ecdsa_key
+-     /etc/ssh/ssh_host_ed25519_key
+      /etc/ssh/ssh_host_rsa_key
+              These files contain the private parts of the host keys used to
+              generate the digital signature.  They should be owned by root,
[email protected]@ -34,8 +32,6 @@ FILES
+              host-based authentication is used.
+ 
+      /etc/ssh/ssh_host_dsa_key-cert.pub
+-     /etc/ssh/ssh_host_ecdsa_key-cert.pub
+-     /etc/ssh/ssh_host_ed25519_key-cert.pub
+      /etc/ssh/ssh_host_rsa_key-cert.pub
+              If these files exist they are assumed to contain public
+              certificate information corresponding with the private keys
+diff -pur old/ssh-keysign.8 new/ssh-keysign.8
+--- old/ssh-keysign.8	2015-04-10 02:43:51.009217654 -0700
++++ new/ssh-keysign.8	2015-04-10 02:43:51.178615438 -0700
[email protected]@ -62,8 +62,6 @@ Controls whether
+ is enabled.
+ .Pp
+ .It Pa /etc/ssh/ssh_host_dsa_key
+-.It Pa /etc/ssh/ssh_host_ecdsa_key
+-.It Pa /etc/ssh/ssh_host_ed25519_key
+ .It Pa /etc/ssh/ssh_host_rsa_key
+ These files contain the private parts of the host keys used to
+ generate the digital signature.
[email protected]@ -74,8 +72,6 @@ Since they are readable only by root,
+ must be set-uid root if host-based authentication is used.
+ .Pp
+ .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
+-.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
+-.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
+ .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
+ If these files exist they are assumed to contain public certificate
+ information corresponding with the private keys above.
+diff -pur old/ssh-keysign.c new/ssh-keysign.c
+--- old/ssh-keysign.c	2013-12-06 16:24:02.000000000 -0800
++++ new/ssh-keysign.c	2015-04-10 02:43:51.178924008 -0700
[email protected]@ -150,7 +150,11 @@ main(int argc, char **argv)
+ {
+ 	Buffer b;
+ 	Options options;
++#ifdef WITHOUT_ED25519
++#define NUM_KEYTYPES 3
++#else
+ #define NUM_KEYTYPES 4
++#endif
+ 	Key *keys[NUM_KEYTYPES], *key = NULL;
+ 	struct passwd *pw;
+ 	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
[email protected]@ -169,7 +173,9 @@ main(int argc, char **argv)
+ 	i = 0;
+ 	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+ 	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
++#ifndef WITHOUT_ED25519
+ 	key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
++#endif /* WITHOUT_ED25519 */
+ 	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+ 
+ 	original_real_uid = getuid();	/* XXX readconf.c needs this */
+diff -pur old/ssh.0 new/ssh.0
+--- old/ssh.0	2014-01-29 17:52:47.000000000 -0800
++++ new/ssh.0	2015-04-10 02:43:51.179753862 -0700
[email protected]@ -142,8 +142,8 @@ DESCRIPTION
+      -i identity_file
+              Selects a file from which the identity (private key) for public
+              key authentication is read.  The default is ~/.ssh/identity for
+-             protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
+-             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
++             protocol version 1, and ~/.ssh/id_dsa, and ~/.ssh/id_rsa for
++             protocol version 2.
+              Identity files may also be specified on a per-host basis in the
+              configuration file.  It is possible to have multiple -i options
+              (and multiple identities specified in configuration files).  ssh
[email protected]@ -446,7 +446,7 @@ AUTHENTICATION
+      creates a public/private key pair for authentication purposes.  The
+      server knows the public key, and only the user knows the private key.
+      ssh implements public key authentication protocol automatically, using
+-     one of the DSA, ECDSA, ED25519 or RSA algorithms.  Protocol 1 is
++     one of the DSA or RSA algorithms.  Protocol 1 is
+      restricted to using only RSA keys, but protocol 2 may use any.  The
+      HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
+      algorithms.
[email protected]@ -459,11 +459,9 @@ AUTHENTICATION
+ 
+      The user creates his/her key pair by running ssh-keygen(1).  This stores
+      the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
+-     2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2
+-     ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
+-     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA),
+-     ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2
+-     ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
++     2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
++     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA)
++     or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
+      directory.  The user should then copy the public key to
+      ~/.ssh/authorized_keys in his/her home directory on the remote machine.
+      The authorized_keys file corresponds to the conventional ~/.rhosts file,
[email protected]@ -799,7 +797,7 @@ FILES
+              for the user, and not accessible by others.
+ 
+      ~/.ssh/authorized_keys
+-             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
++             Lists the public keys (DSA, RSA) that can be used
+              for logging in as this user.  The format of this file is
+              described in the sshd(8) manual page.  This file is not highly
+              sensitive, but the recommended permissions are read/write for the
[email protected]@ -817,8 +815,6 @@ FILES
+ 
+      ~/.ssh/identity
+      ~/.ssh/id_dsa
+-     ~/.ssh/id_ecdsa
+-     ~/.ssh/id_ed25519
+      ~/.ssh/id_rsa
+              Contains the private key for authentication.  These files contain
+              sensitive data and should be readable by the user but not
[email protected]@ -830,8 +826,6 @@ FILES
+ 
+      ~/.ssh/identity.pub
+      ~/.ssh/id_dsa.pub
+-     ~/.ssh/id_ecdsa.pub
+-     ~/.ssh/id_ed25519.pub
+      ~/.ssh/id_rsa.pub
+              Contains the public key for authentication.  These files are not
+              sensitive and can (but need not) be readable by anyone.
[email protected]@ -862,8 +856,6 @@ FILES
+ 
+      /etc/ssh/ssh_host_key
+      /etc/ssh/ssh_host_dsa_key
+-     /etc/ssh/ssh_host_ecdsa_key
+-     /etc/ssh/ssh_host_ed25519_key
+      /etc/ssh/ssh_host_rsa_key
+              These files contain the private parts of the host keys and are
+              used for host-based authentication.  If protocol version 1 is
+diff -pur old/ssh.1 new/ssh.1
+--- old/ssh.1	2013-12-17 22:46:28.000000000 -0800
++++ new/ssh.1	2015-04-10 02:43:51.180632097 -0700
[email protected]@ -279,8 +279,6 @@ The default is
+ .Pa ~/.ssh/identity
+ for protocol version 1, and
+ .Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_ecdsa ,
+-.Pa ~/.ssh/id_ed25519
+ and
+ .Pa ~/.ssh/id_rsa
+ for protocol version 2.
[email protected]@ -758,7 +756,7 @@ key pair for authentication purposes.
+ The server knows the public key, and only the user knows the private key.
+ .Nm
+ implements public key authentication protocol automatically,
+-using one of the DSA, ECDSA, ED25519 or RSA algorithms.
++using one of the DSA or RSA algorithms.
+ Protocol 1 is restricted to using only RSA keys,
+ but protocol 2 may use any.
+ The HISTORY section of
[email protected]@ -783,10 +781,6 @@ This stores the private key in
+ (protocol 1),
+ .Pa ~/.ssh/id_dsa
+ (protocol 2 DSA),
+-.Pa ~/.ssh/id_ecdsa
+-(protocol 2 ECDSA),
+-.Pa ~/.ssh/id_ed25519
+-(protocol 2 ED25519),
+ or
+ .Pa ~/.ssh/id_rsa
+ (protocol 2 RSA)
[email protected]@ -795,10 +789,6 @@ and stores the public key in
+ (protocol 1),
+ .Pa ~/.ssh/id_dsa.pub
+ (protocol 2 DSA),
+-.Pa ~/.ssh/id_ecdsa.pub
+-(protocol 2 ECDSA),
+-.Pa ~/.ssh/id_ed25519.pub
+-(protocol 2 ED25519),
+ or
+ .Pa ~/.ssh/id_rsa.pub
+ (protocol 2 RSA)
[email protected]@ -1338,7 +1328,7 @@ secret, but the recommended permissions 
+ and not accessible by others.
+ .Pp
+ .It Pa ~/.ssh/authorized_keys
+-Lists the public keys (DSA, ECDSA, ED25519, RSA)
++Lists the public keys (DSA, RSA)
+ that can be used for logging in as this user.
+ The format of this file is described in the
+ .Xr sshd 8
[email protected]@ -1360,8 +1350,6 @@ above.
+ .Pp
+ .It Pa ~/.ssh/identity
+ .It Pa ~/.ssh/id_dsa
+-.It Pa ~/.ssh/id_ecdsa
+-.It Pa ~/.ssh/id_ed25519
+ .It Pa ~/.ssh/id_rsa
+ Contains the private key for authentication.
+ These files
[email protected]@ -1375,8 +1363,6 @@ sensitive part of this file using 3DES.
+ .Pp
+ .It Pa ~/.ssh/identity.pub
+ .It Pa ~/.ssh/id_dsa.pub
+-.It Pa ~/.ssh/id_ecdsa.pub
+-.It Pa ~/.ssh/id_ed25519.pub
+ .It Pa ~/.ssh/id_rsa.pub
+ Contains the public key for authentication.
+ These files are not
[email protected]@ -1415,8 +1401,6 @@ The file format and configuration option
+ .Pp
+ .It Pa /etc/ssh/ssh_host_key
+ .It Pa /etc/ssh/ssh_host_dsa_key
+-.It Pa /etc/ssh/ssh_host_ecdsa_key
+-.It Pa /etc/ssh/ssh_host_ed25519_key
+ .It Pa /etc/ssh/ssh_host_rsa_key
+ These files contain the private parts of the host keys
+ and are used for host-based authentication.
+diff -pur old/ssh.c new/ssh.c
+--- old/ssh.c	2013-12-28 22:53:40.000000000 -0800
++++ new/ssh.c	2015-04-10 02:43:51.181446718 -0700
[email protected]@ -1010,8 +1010,10 @@ main(int ac, char **av)
+ #endif
+ 		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
+ 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
++#ifndef WITHOUT_ED25519
+ 		sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519,
+ 		    _PATH_HOST_ED25519_KEY_FILE, "", NULL);
++#endif /* WITHOUT_ED25519 */
+ 		sensitive_data.keys[5] = key_load_private_type(KEY_DSA,
+ 		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
+ #ifdef OPENSSL_HAS_ECC
[email protected]@ -1020,8 +1022,10 @@ main(int ac, char **av)
+ #endif
+ 		sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
+ 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
++#ifndef WITHOUT_ED25519
+ 		sensitive_data.keys[8] = key_load_private_type(KEY_ED25519,
+ 		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
++#endif /* WITHOUT_ED25519 */
+ 		PRIV_END;
+ 
+ 		if (options.hostbased_authentication == 1 &&
[email protected]@ -1038,8 +1042,10 @@ main(int ac, char **av)
+ #endif
+ 			sensitive_data.keys[3] = key_load_cert(
+ 			    _PATH_HOST_RSA_KEY_FILE);
++#ifndef WITHOUT_ED25519
+ 			sensitive_data.keys[4] = key_load_cert(
+ 			    _PATH_HOST_ED25519_KEY_FILE);
++#endif /* WITHOUT_ED25519 */
+ 			sensitive_data.keys[5] = key_load_public(
+ 			    _PATH_HOST_DSA_KEY_FILE, NULL);
+ #ifdef OPENSSL_HAS_ECC
[email protected]@ -1048,8 +1054,10 @@ main(int ac, char **av)
+ #endif
+ 			sensitive_data.keys[7] = key_load_public(
+ 			    _PATH_HOST_RSA_KEY_FILE, NULL);
++#ifndef WITHOUT_ED25519
+ 			sensitive_data.keys[8] = key_load_public(
+ 			    _PATH_HOST_ED25519_KEY_FILE, NULL);
++#endif /* WITHOUT_ED25519 */
+ 			sensitive_data.external_keysign = 1;
+ 		}
+ 	}
+diff -pur old/ssh_config.0 new/ssh_config.0
+--- old/ssh_config.0	2014-01-29 17:52:48.000000000 -0800
++++ new/ssh_config.0	2015-04-10 02:43:51.182117645 -0700
[email protected]@ -409,14 +409,9 @@ DESCRIPTION
+              client wants to use in order of preference.  The default for this
+              option is:
+ 
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+                 [email protected],[email protected],
+                 [email protected],[email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa,ssh-dss
++                ssh-rsa,ssh-dss
+ 
+              If hostkeys are known for the destination host then this default
+              is modified to prefer their algorithms.
[email protected]@ -446,10 +441,10 @@ DESCRIPTION
+              default is ``no''.
+ 
+      IdentityFile
+-             Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA
++             Specifies a file from which the user's DSA or RSA
+              authentication identity is read.  The default is ~/.ssh/identity
+-             for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
+-             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
++             for protocol version 1, and ~/.ssh/id_dsa and ~/.ssh/id_rsa for
++             protocol version 2.
+              Additionally, any identities represented by the authentication
+              agent will be used for authentication unless IdentitiesOnly is
+              set.  ssh(1) will try to load certificate information from the
[email protected]@ -509,8 +504,6 @@ DESCRIPTION
+              Specifies the available KEX (Key Exchange) algorithms.  Multiple
+              algorithms must be comma-separated.  The default is:
+ 
+-                   [email protected],
+-                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+                    diffie-hellman-group-exchange-sha256,
+                    diffie-hellman-group-exchange-sha1,
+                    diffie-hellman-group14-sha1,
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5	2015-04-10 02:43:51.077725535 -0700
++++ new/ssh_config.5	2015-04-10 02:43:51.182862658 -0700
[email protected]@ -723,14 +723,9 @@ Specifies the protocol version 2 host ke
+ that the client wants to use in order of preference.
+ The default for this option is:
+ .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
+ [email protected],[email protected],
+ [email protected],[email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa,ssh-dss
++ssh-rsa,ssh-dss
+ .Ed
+ .Pp
+ If hostkeys are known for the destination host then this default is modified
[email protected]@ -772,14 +767,12 @@ offers many different identities.
+ The default is
+ .Dq no .
+ .It Cm IdentityFile
+-Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
++Specifies a file from which the user's DSA or RSA authentication
+ identity is read.
+ The default is
+ .Pa ~/.ssh/identity
+ for protocol version 1, and
+ .Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_ecdsa ,
+-.Pa ~/.ssh/id_ed25519
+ and
+ .Pa ~/.ssh/id_rsa
+ for protocol version 2.
[email protected]@ -892,8 +885,6 @@ Specifies the available KEX (Key Exchang
+ Multiple algorithms must be comma-separated.
+ The default is:
+ .Bd -literal -offset indent
[email protected],
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+ diffie-hellman-group-exchange-sha1,
+ diffie-hellman-group14-sha1,
+Only in new: ssh_config.5.orig
+diff -pur old/sshconnect.c new/sshconnect.c
+--- old/sshconnect.c	2015-04-10 02:43:51.092987117 -0700
++++ new/sshconnect.c	2015-04-10 02:43:51.183586425 -0700
[email protected]@ -1325,7 +1325,9 @@ show_other_keys(struct hostkeys *hostkey
+ 		KEY_RSA,
+ 		KEY_DSA,
+ 		KEY_ECDSA,
++#ifndef WITHOUT_ED25519
+ 		KEY_ED25519,
++#endif /* WITHOUT_ED25519 */
+ 		-1
+ 	};
+ 	int i, ret = 0;
+Only in new: sshconnect.c.orig
+diff -pur old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c	2015-04-10 02:43:51.055621784 -0700
++++ new/sshconnect2.c	2015-04-10 02:49:31.451117756 -0700
[email protected]@ -213,7 +213,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+ 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+ 	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
++#ifndef WITHOUT_ED25519
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#endif /* WITHOUT_ED25519 */
+ 	kex->client_version_string=client_version_string;
+ 	kex->server_version_string=server_version_string;
+ 	kex->verify_host_key=&verify_host_key_callback;
+Only in new: sshconnect2.c.orig
+Only in new: sshconnect2.c.rej
+diff -pur old/sshd.0 new/sshd.0
+--- old/sshd.0	2014-01-29 17:52:47.000000000 -0800
++++ new/sshd.0	2015-04-10 02:43:51.185708016 -0700
[email protected]@ -82,8 +82,7 @@ DESCRIPTION
+              be given if sshd is not run as root (as the normal host key files
+              are normally not readable by anyone but root).  The default is
+              /etc/ssh/ssh_host_key for protocol version 1, and
+-             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
+-             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
++             /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
+              protocol version 2.  It is possible to have multiple host key
+              files for the different protocol versions and host key
+              algorithms.
[email protected]@ -148,7 +147,7 @@ DESCRIPTION
+ AUTHENTICATION
+      The OpenSSH SSH daemon supports SSH protocols 1 and 2.  The default is to
+      use protocol 2 only, though this can be changed via the Protocol option
+-     in sshd_config(5).  Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
++     in sshd_config(5).  Protocol 2 supports DSA and RSA keys;
+      protocol 1 only supports RSA keys.  For both protocols, each host has a
+      host-specific key, normally 2048 bits, used to identify the host.
+ 
[email protected]@ -278,15 +277,13 @@ AUTHORIZED_KEYS FILE FORMAT
+      starts with a number).  The bits, exponent, modulus, and comment fields
+      give the RSA key for protocol version 1; the comment field is not used
+      for anything (but may be convenient for the user to identify the key).
+-     For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'',
+-     ``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'',
+-     ``ssh-dss'' or ``ssh-rsa''.
++     For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''.
+ 
+      Note that lines in this file are usually several hundred bytes long
+      (because of the size of the public key encoding) up to a limit of 8
+      kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
+      kilobits.  You don't want to type them in; instead, copy the
+-     identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub
++     identity.pub, id_dsa.pub or the id_rsa.pub
+      file and edit it.
+ 
+      sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
[email protected]@ -513,7 +510,7 @@ FILES
+              for the user, and not accessible by others.
+ 
+      ~/.ssh/authorized_keys
+-             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
++             Lists the public keys (DSA, RSA) that can be used
+              for logging in as this user.  The format of this file is
+              described above.  The content of the file is not highly
+              sensitive, but the recommended permissions are read/write for the
[email protected]@ -574,8 +571,6 @@ FILES
+ 
+      /etc/ssh/ssh_host_key
+      /etc/ssh/ssh_host_dsa_key
+-     /etc/ssh/ssh_host_ecdsa_key
+-     /etc/ssh/ssh_host_ed25519_key
+      /etc/ssh/ssh_host_rsa_key
+              These files contain the private parts of the host keys.  These
+              files should only be owned by root, readable only by root, and
[email protected]@ -584,8 +579,6 @@ FILES
+ 
+      /etc/ssh/ssh_host_key.pub
+      /etc/ssh/ssh_host_dsa_key.pub
+-     /etc/ssh/ssh_host_ecdsa_key.pub
+-     /etc/ssh/ssh_host_ed25519_key.pub
+      /etc/ssh/ssh_host_rsa_key.pub
+              These files contain the public parts of the host keys.  These
+              files should be world-readable but writable only by root.  Their
+diff -pur old/sshd.8 new/sshd.8
+--- old/sshd.8	2015-04-10 02:43:51.068793178 -0700
++++ new/sshd.8	2015-04-10 02:43:51.186397825 -0700
[email protected]@ -175,8 +175,6 @@ The default is
+ .Pa /etc/ssh/ssh_host_key
+ for protocol version 1, and
+ .Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key .
+-.Pa /etc/ssh/ssh_host_ed25519_key
+ and
+ .Pa /etc/ssh/ssh_host_rsa_key
+ for protocol version 2.
[email protected]@ -281,7 +279,7 @@ though this can be changed via the
+ .Cm Protocol
+ option in
+ .Xr sshd_config 4 .
+-Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
++Protocol 2 supports DSA and RSA keys;
+ protocol 1 only supports RSA keys.
+ For both protocols,
+ each host has a host-specific key,
[email protected]@ -492,10 +490,6 @@ protocol version 1; the
+ comment field is not used for anything (but may be convenient for the
+ user to identify the key).
+ For protocol version 2 the keytype is
+-.Dq ecdsa-sha2-nistp256 ,
+-.Dq ecdsa-sha2-nistp384 ,
+-.Dq ecdsa-sha2-nistp521 ,
+-.Dq ssh-ed25519 ,
+ .Dq ssh-dss
+ or
+ .Dq ssh-rsa .
[email protected]@ -507,8 +501,6 @@ keys up to 16 kilobits.
+ You don't want to type them in; instead, copy the
+ .Pa identity.pub ,
+ .Pa id_dsa.pub ,
+-.Pa id_ecdsa.pub ,
+-.Pa id_ed25519.pub ,
+ or the
+ .Pa id_rsa.pub
+ file and edit it.
[email protected]@ -808,7 +800,7 @@ secret, but the recommended permissions 
+ and not accessible by others.
+ .Pp
+ .It Pa ~/.ssh/authorized_keys
+-Lists the public keys (DSA, ECDSA, ED25519, RSA)
++Lists the public keys (DSA, RSA)
+ that can be used for logging in as this user.
+ The format of this file is described above.
+ The content of the file is not highly sensitive, but the recommended
[email protected]@ -888,8 +880,6 @@ rlogin/rsh.
+ .Pp
+ .It Pa /etc/ssh/ssh_host_key
+ .It Pa /etc/ssh/ssh_host_dsa_key
+-.It Pa /etc/ssh/ssh_host_ecdsa_key
+-.It Pa /etc/ssh/ssh_host_ed25519_key
+ .It Pa /etc/ssh/ssh_host_rsa_key
+ These files contain the private parts of the host keys.
+ These files should only be owned by root, readable only by root, and not
[email protected]@ -900,8 +890,6 @@ does not start if these files are group/
+ .Pp
+ .It Pa /etc/ssh/ssh_host_key.pub
+ .It Pa /etc/ssh/ssh_host_dsa_key.pub
+-.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
+-.It Pa /etc/ssh/ssh_host_ed25519_key.pub
+ .It Pa /etc/ssh/ssh_host_rsa_key.pub
+ These files contain the public parts of the host keys.
+ These files should be world-readable but writable only by
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c	2015-04-10 02:43:51.101980137 -0700
++++ new/sshd.c	2015-04-10 02:49:46.274593753 -0700
[email protected]@ -797,7 +797,9 @@ list_hostkey_types(void)
+ 		case KEY_RSA:
+ 		case KEY_DSA:
+ 		case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+ 		case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 			if (buffer_len(&b) > 0)
+ 				buffer_append(&b, ",", 1);
+ 			p = key_ssh_name(key);
[email protected]@ -814,7 +816,9 @@ list_hostkey_types(void)
+ 		case KEY_RSA_CERT:
+ 		case KEY_DSA_CERT:
+ 		case KEY_ECDSA_CERT:
++#ifndef WITHOUT_ED25519
+ 		case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 			if (buffer_len(&b) > 0)
+ 				buffer_append(&b, ",", 1);
+ 			p = key_ssh_name(key);
[email protected]@ -842,7 +846,9 @@ get_hostkey_by_type(int type, int need_p
+ 		case KEY_RSA_CERT:
+ 		case KEY_DSA_CERT:
+ 		case KEY_ECDSA_CERT:
++#ifndef WITHOUT_ED25519
+ 		case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 			key = sensitive_data.host_certificates[i];
+ 			break;
+ 		default:
[email protected]@ -1719,7 +1725,9 @@ main(int ac, char **av)
+ 		case KEY_RSA:
+ 		case KEY_DSA:
+ 		case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+ 		case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 			sensitive_data.have_ssh2_key = 1;
+ 			break;
+ 		}
[email protected]@ -2501,7 +2509,9 @@ do_ssh2_kex(void)
+ 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+ 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+ 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
++#ifndef WITHOUT_ED25519
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#endif /* WITHOUT_ED25519 */
+ 	kex->server = 1;
+ 	kex->client_version_string=client_version_string;
+ 	kex->server_version_string=server_version_string;
+Only in new: sshd.c.orig
+Only in new: sshd.c.rej
+diff -pur old/sshd_config.0 new/sshd_config.0
+--- old/sshd_config.0	2014-01-29 17:52:48.000000000 -0800
++++ new/sshd_config.0	2015-04-10 02:43:51.188313577 -0700
[email protected]@ -332,12 +332,11 @@ DESCRIPTION
+      HostKey
+              Specifies a file containing a private host key used by SSH.  The
+              default is /etc/ssh/ssh_host_key for protocol version 1, and
+-             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
+-             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
++             /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
+              protocol version 2.  Note that sshd(8) will refuse to use a file
+              if it is group/world-accessible.  It is possible to have multiple
+              host key files.  ``rsa1'' keys are used for version 1 and
+-             ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2
++             ``dsa'' or ``rsa'' are used for version 2
+              of the SSH protocol.  It is also possible to specify public host
+              key files instead.  In this case operations on the private key
+              will be delegated to an ssh-agent(1).
[email protected]@ -399,8 +398,6 @@ DESCRIPTION
+              Specifies the available KEX (Key Exchange) algorithms.  Multiple
+              algorithms must be comma-separated.  The default is
+ 
+-                   [email protected],
+-                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+                    diffie-hellman-group-exchange-sha256,
+                    diffie-hellman-group-exchange-sha1,
+                    diffie-hellman-group14-sha1,
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5	2015-04-10 02:43:51.078482159 -0700
++++ new/sshd_config.5	2015-04-10 02:43:51.189013912 -0700
[email protected]@ -540,8 +540,6 @@ The default is
+ .Pa /etc/ssh/ssh_host_key
+ for protocol version 1, and
+ .Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
+ and
+ .Pa /etc/ssh/ssh_host_rsa_key
+ for protocol version 2.
[email protected]@ -552,8 +550,6 @@ It is possible to have multiple host key
+ .Dq rsa1
+ keys are used for version 1 and
+ .Dq dsa ,
+-.Dq ecdsa ,
+-.Dq ed25519
+ or
+ .Dq rsa
+ are used for version 2 of the SSH protocol.
[email protected]@ -663,8 +659,6 @@ Specifies the available KEX (Key Exchang
+ Multiple algorithms must be comma-separated.
+ The default is
+ .Bd -literal -offset indent
[email protected],
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+ diffie-hellman-group-exchange-sha1,
+ diffie-hellman-group14-sha1,
+Only in new: sshd_config.5.orig
+diff -pur old/verify.c new/verify.c
+--- old/verify.c	2014-01-16 17:43:44.000000000 -0800
++++ new/verify.c	2015-04-10 02:43:51.189372783 -0700
[email protected]@ -9,6 +9,8 @@
+ 
+ #include "crypto_api.h"
+ 
++#ifndef WITHOUT_ED25519
++
+ int crypto_verify_32(const unsigned char *x,const unsigned char *y)
+ {
+   unsigned int differentbits = 0;
[email protected]@ -47,3 +49,4 @@ int crypto_verify_32(const unsigned char
+   F(31)
+   return (1 & ((differentbits - 1) >> 8)) - 1;
+ }
++#endif /* WITHOUT_ED25519 */