PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates
authorTomas Kuthan <tomas.kuthan@oracle.com>
Wed, 20 Apr 2016 13:13:57 -0700
changeset 5819 c5f05bd2a9bc
parent 5818 5f0e7a0f17c2
child 5820 cef0da89f9ee
PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates 22931214 upgrade OpenSSH to 7.2p2 22931349 problem in UTILITY/OPENSSH 20955968 remove servconf.c portion of 003-last_login.patch when upgrading to OpenSSH 7.2 22489925 Re-enable Curve25519 in OpenSSH
components/openssh/Makefile
components/openssh/network-ssh.p5m
components/openssh/patches/003-last_login.patch
components/openssh/patches/013-dtrace_sftp.patch
components/openssh/patches/017-option_default_value.patch
components/openssh/patches/019-no_uid_restoration_test.patch
components/openssh/patches/023-gsskex.patch
components/openssh/patches/024-disable_ed25519.patch
components/openssh/patches/032-hang_on_closed_output.patch
components/openssh/patches/033-without_cast128.patch
components/openssh/patches/035-fips.patch
components/openssh/patches/037-missing_or_misleading_error_messages.patch
components/openssh/patches/039-sshd_config_5_defaults.patch
components/openssh/patches/040-default_config_files.patch
components/openssh/service-network-ssh.p5m
--- a/components/openssh/Makefile	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/Makefile	Wed Apr 20 13:13:57 2016 -0700
@@ -27,16 +27,16 @@
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		openssh
-COMPONENT_VERSION=	7.1p2
+COMPONENT_VERSION=	7.2p2
 HUMAN_VERSION=		$(COMPONENT_VERSION)
 
 # Version for IPS.  The encoding rules are:
 #   OpenSSH <x>.<y>p<n>     => IPS <x>.<y>.0.<n>
 #   OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION=	7.1.0.2
+IPS_COMPONENT_VERSION=	7.2.0.2
 
 COMPONENT_PROJECT_URL=	http://www.openssh.org/
-COMPONENT_ARCHIVE_HASH=	sha256:dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd
+COMPONENT_ARCHIVE_HASH=	sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
 COMPONENT_ARCHIVE_URL=	http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
 
 TPNO_OPENSSH=		26419
--- a/components/openssh/network-ssh.p5m	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/network-ssh.p5m	Wed Apr 20 13:13:57 2016 -0700
@@ -32,7 +32,7 @@
     value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2012/335
+set name=org.opensolaris.arc-caseid value=PSARC/2012/335 value=PSARC/2016/216
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 file path=etc/ssh/ssh_config group=sys mode=0644 \
     original_name=SUNWssh:etc/ssh/ssh_config overlay=allow preserve=renamenew
--- a/components/openssh/patches/003-last_login.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/003-last_login.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -4,6 +4,9 @@
 # their consideration:
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2278
 #
+# Update - accepted upstream:
+# https://github.com/openssh/openssh-portable/commit/ac908c1eeacccfa
+#
 # OpenSSH normally updates lastlog when users login and reads lastlog to
 # determine the last login time of the user however on Solaris the
 # pam_unix_session(5) module handles both of these tasks so we compile
@@ -12,31 +15,6 @@
 # can't be changed so we update sshd's configuration parsing to flag
 # this as unsupported and update the man page here.
 #
-diff -pur old/servconf.c new/servconf.c
---- old/servconf.c
-+++ new/servconf.c
[email protected]@ -504,7 +504,11 @@ static struct {
- 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
- 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
- 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
-+#ifdef DISABLE_LASTLOG
-+	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
-+#else
- 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
-+#endif
- 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
- 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
- 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
[email protected]@ -2268,7 +2272,9 @@ dump_config(ServerOptions *o)
- 	dump_cfg_fmtint(sChallengeResponseAuthentication,
- 	    o->challenge_response_authentication);
- 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
-+#ifndef DISABLE_LASTLOG
- 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
-+#endif /* !DISABLE_LASTLOG */
- 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
- 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
- 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
--- a/components/openssh/patches/013-dtrace_sftp.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/013-dtrace_sftp.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -5,8 +5,8 @@
 # contribute the changes to the upstream community.
 #
 diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in	2015-03-28 14:10:39.426859283 +0100
-+++ new/Makefile.in	2015-03-28 14:16:12.472203388 +0100
+--- old/Makefile.in
++++ new/Makefile.in
 @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@@ -23,18 +23,18 @@
  	ssh-pkcs11.o smult_curve25519_ref.o \
  	poly1305.o chacha.o cipher-chachapoly.o \
  	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
[email protected]@ -110,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
- 	sftp-server.o sftp-common.o \
- 	roaming_common.o roaming_serv.o \
[email protected]@ -107,7 +109,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+ 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+-	sftp-server.o sftp-common.o \
++	sftp-server.o sftp-common.o sftp_provider.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
--	sandbox-seccomp-filter.o sandbox-capsicum.o
-+	sandbox-seccomp-filter.o sandbox-capsicum.o sftp_provider.o
- 
- MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
- MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+ 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+ 	sandbox-solaris.o
 @@ -187,8 +189,8 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- 	$(LD) -o [email protected] ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ 	$(LD) -o [email protected] ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
 -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 -	$(LD) -o [email protected] sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -63,18 +63,18 @@
  	rm -f regress/unittests/test_helper/*.a
  	rm -f regress/unittests/test_helper/*.o
  	rm -f regress/unittests/sshbuf/*.o
[email protected]@ -340,6 +351,7 @@ install-files:
- 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
- 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
- 	ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
[email protected]@ -336,6 +347,7 @@ install-files:
+ 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+ 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 +	mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/sftp64.d
  
  install-sysconf:
  	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
 diff -pur old/sftp-server.c new/sftp-server.c
---- old/sftp-server.c	2015-03-17 06:49:20.000000000 +0100
-+++ new/sftp-server.c	2015-03-28 14:27:55.661510029 +0100
[email protected]@ -55,6 +55,9 @@
+--- old/sftp-server.c
++++ new/sftp-server.c
[email protected]@ -54,6 +54,9 @@
  
  #include "sftp.h"
  #include "sftp-common.h"
@@ -84,7 +84,7 @@
  
  /* Our verbosity */
  static LogLevel log_level = SYSLOG_LEVEL_ERROR;
[email protected]@ -741,14 +744,17 @@ process_read(u_int32_t id)
[email protected]@ -740,14 +743,17 @@ process_read(u_int32_t id)
  	u_int32_t len;
  	int r, handle, fd, ret, status = SSH2_FX_FAILURE;
  	u_int64_t off;
@@ -104,7 +104,7 @@
  	if (len > sizeof buf) {
  		len = sizeof buf;
  		debug2("read change len %d", len);
[email protected]@ -759,7 +765,13 @@ process_read(u_int32_t id)
[email protected]@ -758,7 +764,13 @@ process_read(u_int32_t id)
  			error("process_read: seek failed");
  			status = errno_to_portable(errno);
  		} else {
@@ -118,7 +118,7 @@
  			if (ret < 0) {
  				status = errno_to_portable(errno);
  			} else if (ret == 0) {
[email protected]@ -782,14 +794,16 @@ process_write(u_int32_t id)
[email protected]@ -781,14 +793,16 @@ process_write(u_int32_t id)
  	size_t len;
  	int r, handle, fd, ret, status;
  	u_char *data;
@@ -136,7 +136,7 @@
  	fd = handle_to_fd(handle);
  
  	if (fd < 0)
[email protected]@ -801,7 +815,14 @@ process_write(u_int32_t id)
[email protected]@ -800,7 +814,14 @@ process_write(u_int32_t id)
  			error("process_write: seek failed");
  		} else {
  /* XXX ATOMICIO ? */
--- a/components/openssh/patches/017-option_default_value.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/017-option_default_value.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -10,9 +10,10 @@
 # This is for Solaris only, we will not contribute back these changes to the
 # upstream.
 #
---- orig/readconf.c	Thu Sep  4 17:27:04 2014
-+++ new/readconf.c	Tue Sep  9 17:33:50 2014
[email protected]@ -1575,7 +1575,11 @@
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c
++++ new/readconf.c
[email protected]@ -1803,7 +1803,11 @@ fill_default_options(Options * options)
  	if (options->forward_x11 == -1)
  		options->forward_x11 = 0;
  	if (options->forward_x11_trusted == -1)
@@ -24,7 +25,7 @@
  	if (options->forward_x11_timeout == -1)
  		options->forward_x11_timeout = 1200;
  	if (options->exit_on_forward_failure == -1)
[email protected]@ -1593,7 +1597,11 @@
[email protected]@ -1825,7 +1829,11 @@ fill_default_options(Options * options)
  	if (options->challenge_response_authentication == -1)
  		options->challenge_response_authentication = 1;
  	if (options->gss_authentication == -1)
@@ -36,9 +37,10 @@
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
  	if (options->password_authentication == -1)
---- orig/servconf.c	Thu Sep  4 17:17:58 2014
-+++ new/servconf.c	Tue Sep  9 17:36:32 2014
[email protected]@ -208,7 +208,11 @@
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -265,7 +265,11 @@ fill_default_server_options(ServerOption
  	if (options->print_lastlog == -1)
  		options->print_lastlog = 1;
  	if (options->x11_forwarding == -1)
@@ -50,7 +52,7 @@
  	if (options->x11_display_offset == -1)
  		options->x11_display_offset = 10;
  	if (options->x11_use_localhost == -1)
[email protected]@ -244,7 +248,11 @@
[email protected]@ -303,7 +307,11 @@ fill_default_server_options(ServerOption
  	if (options->kerberos_get_afs_token == -1)
  		options->kerberos_get_afs_token = 0;
  	if (options->gss_authentication == -1)
@@ -61,10 +63,11 @@
 +#endif
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
- 	if (options->password_authentication == -1)
---- orig/ssh_config.5	Thu Sep  4 17:58:05 2014
-+++ new/ssh_config.5	Tue Sep  9 17:48:39 2014
[email protected]@ -643,8 +643,8 @@
+ 	if (options->gss_strict_acceptor == -1)
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5
++++ new/ssh_config.5
[email protected]@ -802,8 +802,8 @@ Furthermore, the
  token used for the session will be set to expire after 20 minutes.
  Remote clients will be refused access after this time.
  .Pp
@@ -75,7 +78,7 @@
  .Pp
  See the X11 SECURITY extension specification for full details on
  the restrictions imposed on untrusted clients.
[email protected]@ -673,8 +673,8 @@
[email protected]@ -832,8 +832,8 @@ The default is
  .Pa /etc/ssh/ssh_known_hosts2 .
  .It Cm GSSAPIAuthentication
  Specifies whether user authentication based on GSSAPI is allowed.
@@ -83,12 +86,13 @@
 -.Dq no .
 +The default on Solaris is
 +.Dq yes .
- Note that this option applies to protocol version 2 only.
  .It Cm GSSAPIDelegateCredentials
  Forward (delegate) credentials to the server.
---- orig/sshd_config.5	Thu Sep  4 17:58:07 2014
-+++ new/sshd_config.5	Tue Sep  9 17:49:58 2014
[email protected]@ -490,8 +490,8 @@
+ The default is
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
[email protected]@ -621,8 +621,8 @@ The default is
  .Dq no .
  .It Cm GSSAPIAuthentication
  Specifies whether user authentication based on GSSAPI is allowed.
@@ -96,10 +100,10 @@
 -.Dq no .
 +The default on Solaris is
 +.Dq yes .
- Note that this option applies to protocol version 2 only.
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
[email protected]@ -1239,8 +1239,8 @@
+ on logout.
[email protected]@ -1637,8 +1637,8 @@ The argument must be
  .Dq yes
  or
  .Dq no .
--- a/components/openssh/patches/019-no_uid_restoration_test.patch	Wed Apr 20 13:13:57 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,70 +0,0 @@
-#
-# OpenSSH verifies, that changing [ug]id back to 0 fails, after it
-# was set to the values of the user logging in.
-# On Solaris, if that user was given PRIV_PROC_SETUID privilege,
-# set[gu]id(0) succeeds. But in this case this is not an error in
-# dropping privilege, such user is supposed to be able to do that.
-#
-# This fix removes this check entirely. Skipping the check only in
-# case PRIV_PROC_SETUID is asserted in the effective set was considered
-# but decided against. The check is redundant, because inability to
-# restore uid=0 can be inferred from successful run of setreuid(uid, uid).
-#
-# The fix is implemented by replacing an OS-related HAVE_CYGWIN guard
-# with a functional NO_UID_RESTORATION_TEST and by defining the new
-# symbol in the component Makefile.
-#
-# This patch was submitted upstream:
-#
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2299
-#
-# See the above URL for details on if/when it might be accepted.
-#
-diff -ur old/uidswap.c new/uidswap.c
---- old/uidswap.c	2014-01-18 01:43:50.000000000 -0800
-+++ new/uidswap.c	2014-09-04 06:26:32.965065384 -0700
[email protected]@ -134,7 +134,7 @@
- void
- permanently_drop_suid(uid_t uid)
- {
--#ifndef HAVE_CYGWIN
-+#ifndef NO_UID_RESTORATION_TEST
- 	uid_t old_uid = getuid();
- #endif
- 
[email protected]@ -142,7 +142,7 @@
- 	if (setresuid(uid, uid, uid) < 0)
- 		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
- 
--#ifndef HAVE_CYGWIN
-+#ifndef NO_UID_RESTORATION_TEST
- 	/* Try restoration of UID if changed (test clearing of saved uid) */
- 	if (old_uid != uid &&
- 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
[email protected]@ -199,7 +199,7 @@
- void
- permanently_set_uid(struct passwd *pw)
- {
--#ifndef HAVE_CYGWIN
-+#ifndef NO_UID_RESTORATION_TEST
- 	uid_t old_uid = getuid();
- 	gid_t old_gid = getgid();
- #endif
[email protected]@ -227,7 +227,7 @@
- 	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
- 		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
- 
--#ifndef HAVE_CYGWIN
-+#ifndef NO_UID_RESTORATION_TEST
- 	/* Try restoration of GID if changed (test clearing of saved gid) */
- 	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
- 	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
[email protected]@ -241,7 +241,7 @@
- 		    (u_int)pw->pw_gid);
- 	}
- 
--#ifndef HAVE_CYGWIN
-+#ifndef NO_UID_RESTORATION_TEST
- 	/* Try restoration of UID if changed (test clearing of saved uid) */
- 	if (old_uid != pw->pw_uid &&
- 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
--- a/components/openssh/patches/023-gsskex.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/023-gsskex.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -26,8 +26,8 @@
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
  	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- 	sftp-server.o sftp-common.o \
- 	roaming_common.o roaming_serv.o \
+ 	sftp-server.o sftp-common.o sftp_provider.o \
+ 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 diff -pur old/auth2-gss.c new/auth2-gss.c
 --- old/auth2-gss.c
 +++ new/auth2-gss.c
@@ -420,7 +420,7 @@
 diff -pur old/kex.c new/kex.c
 --- old/kex.c
 +++ new/kex.c
[email protected]@ -55,6 +55,10 @@
[email protected]@ -54,6 +54,10 @@
  #include "sshbuf.h"
  #include "digest.h"
  
@@ -431,7 +431,7 @@
  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
  # if defined(HAVE_EVP_SHA256)
  # define evp_ssh_sha256 EVP_sha256
[email protected]@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = {
[email protected]@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
  #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
  	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@@ -443,7 +443,7 @@
  	{ NULL, -1, -1, -1},
  };
  
[email protected]@ -126,7 +135,7 @@ kex_alg_by_name(const char *name)
[email protected]@ -138,7 +147,7 @@ kex_alg_by_name(const char *name)
  	const struct kexalg *k;
  
  	for (k = kexalgs; k->name != NULL; k++) {
@@ -455,7 +455,7 @@
 diff -pur old/kex.h new/kex.h
 --- old/kex.h
 +++ new/kex.h
[email protected]@ -93,6 +93,9 @@ enum kex_exchange {
[email protected]@ -92,6 +92,9 @@ enum kex_exchange {
  	KEX_DH_GEX_SHA256,
  	KEX_ECDH_SHA2,
  	KEX_C25519_SHA256,
@@ -465,7 +465,7 @@
  	KEX_MAX
  };
  
[email protected]@ -139,6 +142,10 @@ struct kex {
[email protected]@ -140,6 +143,10 @@ struct kex {
  	u_int	flags;
  	int	hash_alg;
  	int	ec_nid;
@@ -476,7 +476,7 @@
  	char	*client_version_string;
  	char	*server_version_string;
  	char	*failed_choice;
[email protected]@ -186,6 +193,10 @@ int	 kexecdh_client(struct ssh *);
[email protected]@ -189,6 +196,10 @@ int	 kexecdh_client(struct ssh *);
  int	 kexecdh_server(struct ssh *);
  int	 kexc25519_client(struct ssh *);
  int	 kexc25519_server(struct ssh *);
@@ -490,7 +490,7 @@
 diff -pur old/monitor.c new/monitor.c
 --- old/monitor.c
 +++ new/monitor.c
[email protected]@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
[email protected]@ -159,6 +159,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -498,7 +498,7 @@
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
[email protected]@ -244,11 +245,17 @@ struct mon_table mon_dispatch_proto20[]
[email protected]@ -243,11 +244,17 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -516,7 +516,7 @@
  #ifdef WITH_OPENSSL
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  #endif
[email protected]@ -363,6 +370,10 @@ monitor_child_preauth(Authctxt *_authctx
[email protected]@ -362,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctx
  		/* Permit requests for moduli and signatures */
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -527,7 +527,7 @@
  	} else {
  		mon_dispatch = mon_dispatch_proto15;
  
[email protected]@ -502,6 +513,10 @@ monitor_child_postauth(struct monitor *p
[email protected]@ -501,6 +512,10 @@ monitor_child_postauth(struct monitor *p
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -538,7 +538,7 @@
  	} else {
  		mon_dispatch = mon_dispatch_postauth15;
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
[email protected]@ -1927,6 +1942,13 @@ monitor_apply_keystate(struct monitor *p
[email protected]@ -1924,6 +1939,13 @@ monitor_apply_keystate(struct monitor *p
  # endif
  #endif /* WITH_OPENSSL */
  		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -552,7 +552,7 @@
  		kex->load_host_public_key=&get_hostkey_public_by_type;
  		kex->load_host_private_key=&get_hostkey_private_by_type;
  		kex->host_key_index=&get_hostkey_index;
[email protected]@ -2026,6 +2048,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
[email protected]@ -2023,6 +2045,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
  	OM_uint32 major;
  	u_int len;
  
@@ -562,7 +562,7 @@
  	goid.elements = buffer_get_string(m, &len);
  	goid.length = len;
  
[email protected]@ -2053,6 +2078,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
[email protected]@ -2050,6 +2075,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  	OM_uint32 flags = 0; /* GSI needs this */
  	u_int len;
  
@@ -572,7 +572,7 @@
  	in.value = buffer_get_string(m, &len);
  	in.length = len;
  	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
[email protected]@ -2070,6 +2098,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
[email protected]@ -2067,6 +2095,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -580,7 +580,7 @@
  	}
  	return (0);
  }
[email protected]@ -2081,6 +2110,9 @@ mm_answer_gss_checkmic(int sock, Buffer
[email protected]@ -2078,6 +2107,9 @@ mm_answer_gss_checkmic(int sock, Buffer
  	OM_uint32 ret;
  	u_int len;
  
@@ -590,7 +590,7 @@
  	gssbuf.value = buffer_get_string(m, &len);
  	gssbuf.length = len;
  	mic.value = buffer_get_string(m, &len);
[email protected]@ -2107,6 +2139,9 @@ mm_answer_gss_userok(int sock, Buffer *m
[email protected]@ -2104,6 +2136,9 @@ mm_answer_gss_userok(int sock, Buffer *m
  {
  	int authenticated;
  
@@ -600,7 +600,7 @@
  	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
  
  	buffer_clear(m);
[email protected]@ -2120,5 +2155,47 @@ mm_answer_gss_userok(int sock, Buffer *m
[email protected]@ -2117,5 +2152,47 @@ mm_answer_gss_userok(int sock, Buffer *m
  	/* Monitor loop will terminate if authenticated */
  	return (authenticated);
  }
@@ -707,7 +707,7 @@
 diff -pur old/readconf.c new/readconf.c
 --- old/readconf.c
 +++ new/readconf.c
[email protected]@ -147,6 +147,7 @@ typedef enum {
[email protected]@ -148,6 +148,7 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -715,7 +715,7 @@
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
[email protected]@ -198,11 +199,15 @@ static struct {
[email protected]@ -199,11 +200,15 @@ static struct {
  	{ "gssauthentication", oGssAuthentication },                /* alias */
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
  	{ "gssdelegatecreds", oGssDelegateCreds },                  /* alias */
@@ -731,7 +731,7 @@
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
[email protected]@ -933,6 +938,10 @@ parse_time:
[email protected]@ -965,6 +970,10 @@ parse_time:
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -742,7 +742,7 @@
  	case oGssDelegateCreds:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
[email protected]@ -1647,6 +1656,7 @@ initialize_options(Options * options)
[email protected]@ -1694,6 +1703,7 @@ initialize_options(Options * options)
  	options->pubkey_authentication = -1;
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
@@ -750,7 +750,7 @@
  	options->gss_deleg_creds = -1;
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
[email protected]@ -1786,6 +1796,12 @@ fill_default_options(Options * options)
[email protected]@ -1834,6 +1844,12 @@ fill_default_options(Options * options)
  #else
  		options->gss_authentication = 0;
  #endif
@@ -785,7 +785,7 @@
  	options->gss_cleanup_creds = -1;
  	options->gss_strict_acceptor = -1;
  	options->password_authentication = -1;
[email protected]@ -300,6 +301,12 @@ fill_default_server_options(ServerOption
[email protected]@ -312,6 +313,12 @@ fill_default_server_options(ServerOption
  #else
  		options->gss_authentication = 0;
  #endif
@@ -798,7 +798,7 @@
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
  	if (options->gss_strict_acceptor == -1)
[email protected]@ -442,6 +449,7 @@ typedef enum {
[email protected]@ -449,6 +456,7 @@ typedef enum {
  	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
  	sHostKeyAlgorithms,
  	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -806,7 +806,7 @@
  	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
  	sAcceptEnv, sPermitTunnel,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
[email protected]@ -519,6 +527,8 @@ static struct {
[email protected]@ -526,6 +534,8 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */
@@ -815,7 +815,7 @@
  #ifdef USE_GSS_STORE_CRED
  	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
  #else /* USE_GSS_STORE_CRED */
[email protected]@ -528,6 +538,8 @@ static struct {
[email protected]@ -535,6 +545,8 @@ static struct {
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  	{ "gssauthentication", sUnsupported, SSHCFG_ALL },          /* alias */
@@ -824,7 +824,7 @@
  	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
  #endif
[email protected]@ -1311,6 +1323,10 @@ process_server_config_line(ServerOptions
[email protected]@ -1319,6 +1331,10 @@ process_server_config_line(ServerOptions
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -835,7 +835,7 @@
  	case sGssCleanupCreds:
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
[email protected]@ -2357,6 +2373,7 @@ dump_config(ServerOptions *o)
[email protected]@ -2373,6 +2389,7 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
  	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -907,10 +907,10 @@
 diff -pur old/ssh_config.5 new/ssh_config.5
 --- old/ssh_config.5
 +++ new/ssh_config.5
[email protected]@ -757,6 +757,12 @@ Specifies whether user authentication ba
[email protected]@ -834,6 +834,12 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
  .Dq yes .
- Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI may be used. When using
 +GSSAPI key exchange the server need not have a host key.
@@ -923,19 +923,19 @@
 diff -pur old/sshconnect2.c new/sshconnect2.c
 --- old/sshconnect2.c
 +++ new/sshconnect2.c
[email protected]@ -163,12 +163,37 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
[email protected]@ -164,11 +164,35 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	char *s;
  	struct kex *kex;
  	int r;
 +#ifdef GSSAPI
 +	char *orig = NULL, *gss = NULL;
 +	char *gss_host = NULL;
 +#endif
-+
  
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
+-	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
 +	if (options.kex_algorithms != NULL)
 +		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +
@@ -956,13 +956,11 @@
 +	}
 +#endif
 +
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
--	    options.kex_algorithms);
-+	    myproposal[PROPOSAL_KEX_ALGS]);
++	if (!(s = kex_names_cat(myproposal[PROPOSAL_KEX_ALGS], "ext-info-c")))
+ 		fatal("%s: kex_names_cat", __func__);
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- 	    compat_cipher_proposal(options.ciphers);
- 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
[email protected]@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *ho
[email protected]@ -199,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
  		    order_hostkeyalgs(host, hostaddr, port));
  	}
  
@@ -980,7 +978,7 @@
  	if (options.rekey_limit || options.rekey_interval)
  		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
  		    (time_t)options.rekey_interval);
[email protected]@ -215,9 +251,22 @@ ssh_kex2(char *host, struct sockaddr *ho
[email protected]@ -217,9 +252,22 @@ ssh_kex2(char *host, struct sockaddr *ho
  # endif
  #endif
  	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -1003,7 +1001,7 @@
  
  	dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
  
[email protected]@ -310,6 +359,7 @@ int	input_gssapi_token(int type, u_int32
[email protected]@ -315,6 +363,7 @@ int	input_gssapi_token(int type, u_int32
  int	input_gssapi_hash(int type, u_int32_t, void *);
  int	input_gssapi_error(int, u_int32_t, void *);
  int	input_gssapi_errtok(int, u_int32_t, void *);
@@ -1011,7 +1009,7 @@
  #endif
  
  void	userauth(Authctxt *, char *);
[email protected]@ -325,6 +375,11 @@ static char *authmethods_get(void);
[email protected]@ -330,6 +379,11 @@ static char *authmethods_get(void);
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -1023,7 +1021,7 @@
  	{"gssapi-with-mic",
  		userauth_gssapi,
  		NULL,
[email protected]@ -649,7 +704,10 @@ userauth_gssapi(Authctxt *authctxt)
[email protected]@ -678,7 +732,10 @@ userauth_gssapi(Authctxt *authctxt)
  	 * once. */
  
  	if (gss_supported == NULL)
@@ -1035,7 +1033,7 @@
  
  	/* Check to see if the mechanism is usable before we offer it */
  	while (mech < gss_supported->count && !ok) {
[email protected]@ -753,8 +811,8 @@ input_gssapi_response(int type, u_int32_
[email protected]@ -782,8 +839,8 @@ input_gssapi_response(int type, u_int32_
  {
  	Authctxt *authctxt = ctxt;
  	Gssctxt *gssctxt;
@@ -1046,7 +1044,7 @@
  
  	if (authctxt == NULL)
  		fatal("input_gssapi_response: no authentication context");
[email protected]@ -867,6 +925,48 @@ input_gssapi_error(int type, u_int32_t p
[email protected]@ -896,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
  	free(lang);
  	return 0;
  }
@@ -1098,7 +1096,7 @@
 diff -pur old/sshd.c new/sshd.c
 --- old/sshd.c
 +++ new/sshd.c
[email protected]@ -1827,10 +1827,13 @@ main(int ac, char **av)
[email protected]@ -1833,10 +1833,13 @@ main(int ac, char **av)
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
  	}
@@ -1112,7 +1110,7 @@
  	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  		logit("sshd: no hostkeys available -- exiting.");
  		exit(1);
[email protected]@ -2588,6 +2591,48 @@ do_ssh2_kex(void)
[email protected]@ -2596,6 +2599,48 @@ do_ssh2_kex(void)
  	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
  	    list_hostkey_types());
  
@@ -1161,7 +1159,7 @@
  	/* start key exchange */
  	if ((r = kex_setup(active_state, myproposal)) != 0)
  		fatal("kex_setup: %s", ssh_err(r));
[email protected]@ -2602,6 +2647,13 @@ do_ssh2_kex(void)
[email protected]@ -2610,6 +2655,13 @@ do_ssh2_kex(void)
  # endif
  #endif
  	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1178,28 +1176,27 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
[email protected]@ -621,6 +621,12 @@ Specifies whether user authentication ba
[email protected]@ -623,6 +623,11 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
  .Dq yes .
- Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 +doesn't rely on ssh keys to verify host identity.
 +The default on Solaris is
 +.Dq yes .
-+Note that this option applies to protocol version 2 only.
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
 diff -pur old/sshkey.c new/sshkey.c
 --- old/sshkey.c
 +++ new/sshkey.c
[email protected]@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
[email protected]@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
  #  endif /* OPENSSL_HAS_NISTP521 */
  # endif /* OPENSSL_HAS_ECC */
  #endif /* WITH_OPENSSL */
 +	{ "null", "null", KEY_NULL, 0, 0 },
- 	{ NULL, NULL, -1, -1, 0 }
+ 	{ NULL, NULL, -1, -1, 0, 0 }
  };
  
 diff -pur old/sshkey.h new/sshkey.h
--- a/components/openssh/patches/024-disable_ed25519.patch	Wed Apr 20 13:13:57 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,2140 +0,0 @@
-#
-# Per Solaris crypto team recommendation, we need to remove support for
-# Curve25519 from OpenSSH.
-#
-# Patch offered upstream but rejected:
-#     https://bugzilla.mindrot.org/show_bug.cgi?id=2376
-#
-diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in
-+++ new/Makefile.in
[email protected]@ -155,7 +155,7 @@ $(SSHDOBJS): Makefile.in config.h
- 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o [email protected]
- 
- LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
--$(LIBCOMPAT): always
-+$(LIBCOMPAT): always libssh.a
- 	(cd openbsd-compat && $(MAKE))
- always:
- 
-diff -pur old/authfd.c new/authfd.c
---- old/authfd.c
-+++ new/authfd.c
[email protected]@ -565,8 +565,10 @@ ssh_add_identity_constrained(int sock, s
- 	case KEY_ECDSA:
- 	case KEY_ECDSA_CERT:
- #endif
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 		type = constrained ?
- 		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
- 		    SSH2_AGENTC_ADD_IDENTITY;
-diff -pur old/authfile.c new/authfile.c
---- old/authfile.c
-+++ new/authfile.c
[email protected]@ -449,7 +449,9 @@ sshkey_load_private_cert(int type, const
- 	case KEY_DSA:
- 	case KEY_ECDSA:
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
-diff -pur old/dns.c new/dns.c
---- old/dns.c
-+++ new/dns.c
[email protected]@ -100,11 +100,13 @@ dns_read_key(u_int8_t *algorithm, u_int8
- 		if (!*digest_type)
- 			*digest_type = SSHFP_HASH_SHA256;
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		*algorithm = SSHFP_KEY_ED25519;
- 		if (!*digest_type)
- 			*digest_type = SSHFP_HASH_SHA256;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
- 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
-diff -pur old/dns.h new/dns.h
---- old/dns.h
-+++ new/dns.h
[email protected]@ -33,7 +33,9 @@ enum sshfp_types {
- 	SSHFP_KEY_RSA = 1,
- 	SSHFP_KEY_DSA = 2,
- 	SSHFP_KEY_ECDSA = 3,
--	SSHFP_KEY_ED25519 = 4
-+#ifndef WITHOUT_ED25519
-+ 	SSHFP_KEY_ED25519 = 4 
-+#endif /* WITHOUT_ED25519 */
- };
- 
- enum sshfp_hashes {
-diff -pur old/ed25519.c new/ed25519.c
---- old/ed25519.c
-+++ new/ed25519.c
[email protected]@ -7,6 +7,7 @@
-  */
- 
- #include "includes.h"
-+#ifndef WITHOUT_ED25519
- #include "crypto_api.h"
- 
- #include "ge25519.h"
[email protected]@ -142,3 +143,4 @@ int crypto_sign_ed25519_open(
-   }
-   return ret;
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/fe25519.c new/fe25519.c
---- old/fe25519.c
-+++ new/fe25519.c
[email protected]@ -8,6 +8,7 @@
- 
- #include "includes.h"
- 
-+#ifndef WITHOUT_ED25519
- #define WINDOWSIZE 1 /* Should be 1,2, or 4 */
- #define WINDOWMASK ((1<<WINDOWSIZE)-1)
- 
[email protected]@ -335,3 +336,4 @@ void fe25519_pow2523(fe25519 *r, const f
- 	/* 2^252 - 2^2 */ fe25519_square(&t,&t);
- 	/* 2^252 - 3 */ fe25519_mul(r,&t,x);
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/fe25519.h new/fe25519.h
---- old/fe25519.h
-+++ new/fe25519.h
[email protected]@ -8,6 +8,7 @@
- 
- #ifndef FE25519_H
- #define FE25519_H
-+#ifndef WITHOUT_ED25519
- 
- #include "crypto_api.h"
- 
[email protected]@ -67,4 +68,5 @@ void fe25519_invert(fe25519 *r, const fe
- 
- void fe25519_pow2523(fe25519 *r, const fe25519 *x);
- 
-+#endif /* WITHOUT_ED25519 */
- #endif
-diff -pur old/ge25519.c new/ge25519.c
---- old/ge25519.c
-+++ new/ge25519.c
[email protected]@ -7,6 +7,7 @@
-  */
- 
- #include "includes.h"
-+#ifndef WITHOUT_ED25519
- 
- #include "fe25519.h"
- #include "sc25519.h"
[email protected]@ -319,3 +320,4 @@ void ge25519_scalarmult_base(ge25519_p3
-     ge25519_mixadd2(r, &t);
-   }
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/ge25519.h new/ge25519.h
---- old/ge25519.h
-+++ new/ge25519.h
[email protected]@ -8,6 +8,7 @@
- 
- #ifndef GE25519_H
- #define GE25519_H
-+#ifndef WITHOUT_ED25519
- 
- #include "fe25519.h"
- #include "sc25519.h"
[email protected]@ -40,4 +41,5 @@ void ge25519_double_scalarmult_vartime(g
- 
- void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
- 
-+#endif /* WITHOUT_ED25519 */
- #endif
-diff -pur old/kex.c new/kex.c
---- old/kex.c
-+++ new/kex.c
[email protected]@ -96,9 +96,11 @@ static const struct kexalg kexalgs[] = {
- # endif /* OPENSSL_HAS_NISTP521 */
- #endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
- 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
- #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
-+#endif /* WITHOUT_ED25519 */
- #ifdef GSSAPI
- 	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
- 	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-diff -pur old/kex.h new/kex.h
---- old/kex.h
-+++ new/kex.h
[email protected]@ -58,13 +58,17 @@
- #define	KEX_ECDH_SHA2_NISTP256	"ecdh-sha2-nistp256"
- #define	KEX_ECDH_SHA2_NISTP384	"ecdh-sha2-nistp384"
- #define	KEX_ECDH_SHA2_NISTP521	"ecdh-sha2-nistp521"
-+#ifndef WITHOUT_ED25519
- #define	KEX_CURVE25519_SHA256	"[email protected]"
-+#endif /* WITHOUT_ED25519 */
- 
- #define COMP_NONE	0
- #define COMP_ZLIB	1
- #define COMP_DELAYED	2
- 
-+#ifndef WITHOUT_ED25519
- #define CURVE25519_SIZE 32
-+#endif /* WITHOUT_ED25519 */
- 
- enum kex_init_proposals {
- 	PROPOSAL_KEX_ALGS,
[email protected]@ -92,7 +96,9 @@ enum kex_exchange {
- 	KEX_DH_GEX_SHA1,
- 	KEX_DH_GEX_SHA256,
- 	KEX_ECDH_SHA2,
-+#ifndef WITHOUT_ED25519
- 	KEX_C25519_SHA256,
-+#endif /* WITHOUT_ED25519 */
- 	KEX_GSS_GRP1_SHA1,
- 	KEX_GSS_GRP14_SHA1,
- 	KEX_GSS_GEX_SHA1,
[email protected]@ -161,8 +167,10 @@ struct kex {
- 	u_int	min, max, nbits;	/* GEX */
- 	EC_KEY	*ec_client_key;		/* ECDH */
- 	const EC_GROUP *ec_group;	/* ECDH */
-+#ifndef WITHOUT_ED25519
- 	u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */
- 	u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
-+#endif /* WITHOUT_ED25519 */
- };
- 
- int	 kex_names_valid(const char *);
[email protected]@ -191,8 +199,10 @@ int	 kexgex_client(struct ssh *);
- int	 kexgex_server(struct ssh *);
- int	 kexecdh_client(struct ssh *);
- int	 kexecdh_server(struct ssh *);
-+#ifndef WITHOUT_ED25519
- int	 kexc25519_client(struct ssh *);
- int	 kexc25519_server(struct ssh *);
-+#endif /* WITHOUT_ED25519 */
- #ifdef GSSAPI
- int	 kexgss_client(struct ssh *);
- int	 kexgss_server(struct ssh *);
[email protected]@ -213,6 +223,7 @@ int kex_ecdh_hash(int, const EC_GROUP *,
-     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-     const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
- 
-+#ifndef WITHOUT_ED25519
- int	 kex_c25519_hash(int, const char *, const char *, const char *, size_t,
-     const char *, size_t, const u_char *, size_t, const u_char *, const u_char *,
-     const u_char *, size_t, u_char *, size_t *);
[email protected]@ -224,6 +235,7 @@ int	kexc25519_shared_key(const u_char ke
-     const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
- 	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
- 	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
-+#endif /* WITHOUT_ED25519 */
- 
- int
- derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
-diff -pur old/kexc25519.c new/kexc25519.c
---- old/kexc25519.c
-+++ new/kexc25519.c
[email protected]@ -27,6 +27,7 @@
- 
- #include "includes.h"
- 
-+#ifndef WITHOUT_ED25519
- #include <sys/types.h>
- 
- #include <signal.h>
[email protected]@ -131,3 +132,4 @@ kex_c25519_hash(
- #endif
- 	return 0;
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/kexc25519c.c new/kexc25519c.c
---- old/kexc25519c.c
-+++ new/kexc25519c.c
[email protected]@ -27,6 +27,7 @@
- 
- #include "includes.h"
- 
-+#ifndef WITHOUT_ED25519
- #include <sys/types.h>
- 
- #include <stdio.h>
[email protected]@ -168,3 +169,4 @@ out:
- 	sshbuf_free(shared_secret);
- 	return r;
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/kexc25519s.c new/kexc25519s.c
---- old/kexc25519s.c
-+++ new/kexc25519s.c
[email protected]@ -26,6 +26,8 @@
- 
- #include "includes.h"
- 
-+#ifndef WITHOUT_ED25519
-+
- #include <sys/types.h>
- #include <stdio.h>
- #include <string.h>
[email protected]@ -157,3 +159,4 @@ out:
- 	sshbuf_free(shared_secret);
- 	return r;
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/monitor.c new/monitor.c
---- old/monitor.c
-+++ new/monitor.c
[email protected]@ -1941,7 +1941,9 @@ monitor_apply_keystate(struct monitor *p
- 		kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
- # endif
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
-+#endif /* WITHOUT_ED25519 */
- #ifdef GSSAPI
- 		if (options.gss_keyex) {
- 			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
-diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h
-+++ new/myproposal.h
[email protected]@ -59,6 +59,20 @@
- # define HOSTKEY_ECDSA_METHODS
- #endif
- 
-+#ifndef WITHOUT_ED25519
-+# if defined(WITH_OPENSSL) && defined(HAVE_EVP_SHA256)
-+#  define KEX_CURVE25519_METHODS "[email protected],"
-+# else
-+#  define KEX_CURVE25519_METHODS
-+# endif
-+# define HOSTKEY_CURVE25519_CERT_METHODS "[email protected],"
-+# define HOSTKEY_CURVE25519_METHODS "ssh-ed25519,"
-+#else
-+# define KEX_CURVE25519_METHODS
-+# define HOSTKEY_CURVE25519_CERT_METHODS
-+# define HOSTKEY_CURVE25519_METHODS
-+#endif /* WITHOUT_ED25519 */
-+
- #ifdef OPENSSL_HAVE_EVPGCM
- # define AESGCM_CIPHER_MODES \
- 	",[email protected],[email protected]"
[email protected]@ -78,11 +92,6 @@
- #endif
- 
- #ifdef WITH_OPENSSL
--# ifdef HAVE_EVP_SHA256
--#  define KEX_CURVE25519_METHODS "[email protected],"
--# else
--#  define KEX_CURVE25519_METHODS ""
--# endif
- #define KEX_COMMON_KEX \
- 	KEX_CURVE25519_METHODS \
- 	KEX_ECDH_METHODS \
[email protected]@ -97,10 +106,10 @@
- 
- #define	KEX_DEFAULT_PK_ALG	\
- 	HOSTKEY_ECDSA_CERT_METHODS \
--	"[email protected]," \
-+	HOSTKEY_CURVE25519_CERT_METHODS \
- 	"[email protected]," \
- 	HOSTKEY_ECDSA_METHODS \
--	"ssh-ed25519," \
-+	HOSTKEY_CURVE25519_METHODS \
- 	"ssh-rsa" \
- 
- /* the actual algorithms */
[email protected]@ -141,10 +150,10 @@
- #else
- 
- #define KEX_SERVER_KEX		\
--	"[email protected]"
-+	KEX_CURVE25519_METHODS
- #define	KEX_DEFAULT_PK_ALG	\
--	"[email protected]," \
--	"ssh-ed25519"
-+	HOSTKEY_CURVE25519_CERT_METHODS \
-+	HOSTKEY_CURVE25519_METHODS
- #define	KEX_SERVER_ENCRYPT \
- 	"[email protected]," \
- 	"aes128-ctr,aes192-ctr,aes256-ctr"
-diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
---- old/openbsd-compat/Makefile.in
-+++ new/openbsd-compat/Makefile.in
[email protected]@ -32,7 +32,7 @@ $(OPENBSD): ../config.h
- $(PORTS): ../config.h
- 
- libopenbsd-compat.a:  $(COMPAT) $(OPENBSD) $(PORTS)
--	$(AR) rv [email protected] $(COMPAT) $(OPENBSD) $(PORTS)
-+	$(AR) rv [email protected] $(COMPAT) $(OPENBSD) $(PORTS) ../hash.o ../blocks.o
- 	$(RANLIB) [email protected]
- 
- clean:
-diff -pur old/pathnames.h new/pathnames.h
---- old/pathnames.h
-+++ new/pathnames.h
[email protected]@ -39,7 +39,9 @@
- #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
- #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
- #define _PATH_HOST_ECDSA_KEY_FILE	SSHDIR "/ssh_host_ecdsa_key"
-+#ifndef WITHOUT_ED25519
- #define _PATH_HOST_ED25519_KEY_FILE	SSHDIR "/ssh_host_ed25519_key"
-+#endif /* WITHOUT_ED25519 */
- #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
- #define _PATH_DH_MODULI			SSHDIR "/moduli"
- /* Backwards compatibility */
[email protected]@ -78,7 +80,9 @@
- #define _PATH_SSH_CLIENT_ID_DSA		_PATH_SSH_USER_DIR "/id_dsa"
- #define _PATH_SSH_CLIENT_ID_ECDSA	_PATH_SSH_USER_DIR "/id_ecdsa"
- #define _PATH_SSH_CLIENT_ID_RSA		_PATH_SSH_USER_DIR "/id_rsa"
-+#ifndef WITHOUT_ED25519
- #define _PATH_SSH_CLIENT_ID_ED25519	_PATH_SSH_USER_DIR "/id_ed25519"
-+#endif /* WITHOUT_ED25519 */
- 
- /*
-  * Configuration file in user's home directory.  This file need not be
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c
-+++ new/readconf.c
[email protected]@ -1846,8 +1846,10 @@ fill_default_options(Options * options)
- 			add_identity_file(options, "~/",
- 			    _PATH_SSH_CLIENT_ID_ECDSA, 0);
- #endif
-+#ifndef WITHOUT_ED25519
- 			add_identity_file(options, "~/",
- 			    _PATH_SSH_CLIENT_ID_ED25519, 0);
-+#endif /* WITHOUT_ED25519 */
- 		}
- 	}
- 	if (options->escape_char == -1)
-diff -pur old/servconf.c new/servconf.c
---- old/servconf.c
-+++ new/servconf.c
[email protected]@ -222,8 +222,10 @@ fill_default_server_options(ServerOption
- 			options->host_key_files[options->num_host_key_files++] =
- 			    _PATH_HOST_ECDSA_KEY_FILE;
- #endif
-+#ifndef WITHOUT_ED25519
- 			options->host_key_files[options->num_host_key_files++] =
- 			    _PATH_HOST_ED25519_KEY_FILE;
-+#endif /* WITHOUT_ED25519 */
- 		}
- 	}
- 	/* No certificates by default */
-diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c
---- old/smult_curve25519_ref.c
-+++ new/smult_curve25519_ref.c
[email protected]@ -6,6 +6,8 @@ Public domain.
- Derived from public domain code by D. J. Bernstein.
- */
- 
-+#ifndef WITHOUT_ED25519
-+
- int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
- 
- static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
[email protected]@ -263,3 +265,4 @@ int crypto_scalarmult_curve25519(unsigne
-   for (i = 0;i < 32;++i) q[i] = work[64 + i];
-   return 0;
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/ssh-add.0 new/ssh-add.0
---- old/ssh-add.0
-+++ new/ssh-add.0
[email protected]@ -11,7 +11,7 @@ SYNOPSIS
- DESCRIPTION
-      ssh-add adds private key identities to the authentication agent,
-      ssh-agent(1).  When run without arguments, it adds the files
--     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
-+     ~/.ssh/id_rsa, ~/.ssh/id_dsa, and
-      ~/.ssh/identity.  After loading a private key, ssh-add will try to load
-      corresponding certificate information from the filename obtained by
-      appending -cert.pub to the name of the private key file.  Alternative
[email protected]@ -97,14 +97,6 @@ FILES
-              Contains the protocol version 2 DSA authentication identity of
-              the user.
- 
--     ~/.ssh/id_ecdsa
--             Contains the protocol version 2 ECDSA authentication identity of
--             the user.
--
--     ~/.ssh/id_ed25519
--             Contains the protocol version 2 Ed25519 authentication identity
--             of the user.
--
-      ~/.ssh/id_rsa
-              Contains the protocol version 2 RSA authentication identity of
-              the user.
-diff -pur old/ssh-add.1 new/ssh-add.1
---- old/ssh-add.1
-+++ new/ssh-add.1
[email protected]@ -58,8 +58,6 @@ adds private key identities to the authe
- When run without arguments, it adds the files
- .Pa ~/.ssh/id_rsa ,
- .Pa ~/.ssh/id_dsa ,
--.Pa ~/.ssh/id_ecdsa ,
--.Pa ~/.ssh/id_ed25519
- and
- .Pa ~/.ssh/identity .
- After loading a private key,
[email protected]@ -178,10 +176,6 @@ socket used to communicate with the agen
- Contains the protocol version 1 RSA authentication identity of the user.
- .It Pa ~/.ssh/id_dsa
- Contains the protocol version 2 DSA authentication identity of the user.
--.It Pa ~/.ssh/id_ecdsa
--Contains the protocol version 2 ECDSA authentication identity of the user.
--.It Pa ~/.ssh/id_ed25519
--Contains the protocol version 2 Ed25519 authentication identity of the user.
- .It Pa ~/.ssh/id_rsa
- Contains the protocol version 2 RSA authentication identity of the user.
- .El
-diff -pur old/ssh-add.c new/ssh-add.c
---- old/ssh-add.c
-+++ new/ssh-add.c
[email protected]@ -78,7 +78,9 @@ static char *default_files[] = {
- 	_PATH_SSH_CLIENT_ID_ECDSA,
- #endif
- #endif /* WITH_OPENSSL */
--	_PATH_SSH_CLIENT_ID_ED25519,
-+#ifndef WITHOUT_ED25519
-+ 	_PATH_SSH_CLIENT_ID_ED25519,
-+#endif /* WITHOUT_ED25519 */
- #ifdef WITH_SSH1
- 	_PATH_SSH_CLIENT_IDENTITY,
- #endif
-diff -pur old/ssh-agent.0 new/ssh-agent.0
---- old/ssh-agent.0
-+++ new/ssh-agent.0
[email protected]@ -10,7 +10,7 @@ SYNOPSIS
- 
- DESCRIPTION
-      ssh-agent is a program to hold private keys used for public key
--     authentication (RSA, DSA, ECDSA, Ed25519).  ssh-agent is usually started
-+     authentication (RSA, DSA).  ssh-agent is usually started
-      in the beginning of an X-session or a login session, and all other
-      windows or programs are started as clients to the ssh-agent program.
-      Through use of environment variables the agent can be located and
-diff -pur old/ssh-agent.1 new/ssh-agent.1
---- old/ssh-agent.1
-+++ new/ssh-agent.1
[email protected]@ -54,7 +54,7 @@
- .Sh DESCRIPTION
- .Nm
- is a program to hold private keys used for public key authentication
--(RSA, DSA, ECDSA, Ed25519).
-+(RSA, DSA).
- .Nm
- is usually started in the beginning of an X-session or a login session, and
- all other windows or programs are started as clients to the ssh-agent
-diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
---- old/ssh-ed25519.c
-+++ new/ssh-ed25519.c
[email protected]@ -17,6 +17,8 @@
- 
- #include "includes.h"
- 
-+#ifndef WITHOUT_ED25519
-+
- #include <sys/types.h>
- #include <limits.h>
- 
[email protected]@ -164,3 +166,4 @@ ssh_ed25519_verify(const struct sshkey *
- 	free(ktype);
- 	return r;
- }
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/ssh-keygen.0 new/ssh-keygen.0
---- old/ssh-keygen.0
-+++ new/ssh-keygen.0
[email protected]@ -4,7 +4,7 @@ NAME
-      ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion
- 
- SYNOPSIS
--     ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
-+     ssh-keygen [-q] [-b bits] [-t dsa | rsa | rsa1]
-                 [-N new_passphrase] [-C comment] [-f output_keyfile]
-      ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
-      ssh-keygen -i [-m key_format] [-f input_keyfile]
[email protected]@ -32,7 +32,7 @@ SYNOPSIS
- DESCRIPTION
-      ssh-keygen generates, manages and converts authentication keys for
-      ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
--     and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
-+     and DSA or RSA keys for use by SSH protocol version 2.
-      The type of key to be generated is specified with the -t option.  If
-      invoked without any arguments, ssh-keygen will generate an RSA key for
-      use in SSH protocol 2 connections.
[email protected]@ -46,7 +46,7 @@ DESCRIPTION
- 
-      Normally each user wishing to use SSH with public key authentication runs
-      this once to create the authentication key in ~/.ssh/identity,
--     ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa.
-+     ~/.ssh/id_dsa or ~/.ssh/id_rsa.
-      Additionally, the system administrator may use this to generate host
-      keys, as seen in /etc/rc.
- 
[email protected]@ -79,14 +79,14 @@ DESCRIPTION
- 
-      The options are as follows:
- 
--     -A      For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for
-+     -A      For each of the key types (rsa1, rsa and dsa) for
-              which host keys do not exist, generate the host keys with the
-              default key file path, an empty passphrase, default bits for the
-              key type, and default comment.  This is used by /etc/rc to
-              generate new host keys.
- 
-      -a rounds
--             When saving a new-format private key (i.e. an ed25519 key or any
-+             When saving a new-format private key (i.e. 
-              SSH protocol 2 key when the -o flag is set), this option
-              specifies the number of KDF (key derivation function) rounds
-              used.  Higher numbers result in slower passphrase verification
[email protected]@ -103,12 +103,7 @@ DESCRIPTION
-              Specifies the number of bits in the key to create.  For RSA keys,
-              the minimum size is 1024 bits and the default is 2048 bits.
-              Generally, 2048 bits is considered sufficient.  DSA keys must be
--             exactly 1024 bits as specified by FIPS 186-2.  For ECDSA keys,
--             the -b flag determines the key length by selecting from one of
--             three elliptic curve sizes: 256, 384 or 521 bits.  Attempting to
--             use bit lengths other than these three values for ECDSA keys will
--             fail.  Ed25519 keys have a fixed length and the -b flag will be
--             ignored.
-+             exactly 1024 bits as specified by FIPS 186-2.
- 
-      -C comment
-              Provides a new comment.
[email protected]@ -279,7 +274,7 @@ DESCRIPTION
-              new OpenSSH format rather than the more compatible PEM format.
-              The new format has increased resistance to brute-force password
-              cracking but is not supported by versions of OpenSSH prior to
--             6.5.  Ed25519 keys always use the new private key format.
-+             6.5.
- 
-      -P passphrase
-              Provides the (old) passphrase.
[email protected]@ -318,9 +313,9 @@ DESCRIPTION
-              Test DH group exchange candidate primes (generated using the -G
-              option) for safety.
- 
--     -t dsa | ecdsa | ed25519 | rsa | rsa1
-+     -t dsa |  rsa | rsa1
-              Specifies the type of key to create.  The possible values are
--             M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or
-+             M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or
-              M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.
- 
-      -u      Update a KRL.  When specified with -k, keys listed via the
[email protected]@ -525,10 +520,8 @@ FILES
-              contents of this file secret.
- 
-      ~/.ssh/id_dsa
--     ~/.ssh/id_ecdsa
--     ~/.ssh/id_ed25519
-      ~/.ssh/id_rsa
--             Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
-+             Contains the protocol version 2 DSA or RSA
-              authentication identity of the user.  This file should not be
-              readable by anyone but the user.  It is possible to specify a
-              passphrase when generating the key; that passphrase will be used
[email protected]@ -538,10 +531,8 @@ FILES
-              read this file when a login attempt is made.
- 
-      ~/.ssh/id_dsa.pub
--     ~/.ssh/id_ecdsa.pub
--     ~/.ssh/id_ed25519.pub
-      ~/.ssh/id_rsa.pub
--             Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public
-+             Contains the protocol version 2 DSA or RSA public
-              key for authentication.  The contents of this file should be
-              added to ~/.ssh/authorized_keys on all machines where the user
-              wishes to log in using public key authentication.  There is no
-diff -pur old/ssh-keygen.1 new/ssh-keygen.1
---- old/ssh-keygen.1
-+++ new/ssh-keygen.1
[email protected]@ -46,7 +46,7 @@
- .Nm ssh-keygen
- .Op Fl q
- .Op Fl b Ar bits
--.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
-+.Op Fl t Cm dsa | rsa | rsa1
- .Op Fl N Ar new_passphrase
- .Op Fl C Ar comment
- .Op Fl f Ar output_keyfile
[email protected]@ -142,7 +142,7 @@ generates, manages and converts authenti
- .Xr ssh 1 .
- .Nm
- can create RSA keys for use by SSH protocol version 1 and
--DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
-+DSA or RSA keys for use by SSH protocol version 2.
- The type of key to be generated is specified with the
- .Fl t
- option.
[email protected]@ -170,8 +170,6 @@ with public key authentication runs this
- key in
- .Pa ~/.ssh/identity ,
- .Pa ~/.ssh/id_dsa ,
--.Pa ~/.ssh/id_ecdsa ,
--.Pa ~/.ssh/id_ed25519
- or
- .Pa ~/.ssh/id_rsa .
- Additionally, the system administrator may use this to generate host keys,
[email protected]@ -219,7 +217,7 @@ should be placed to be activated.
- The options are as follows:
- .Bl -tag -width Ds
- .It Fl A
--For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
-+For each of the key types (rsa1, rsa and dsa)
- for which host keys
- do not exist, generate the host keys with the default key file path,
- an empty passphrase, default bits for the key type, and default comment.
[email protected]@ -227,7 +225,7 @@ This is used by
- .Pa /etc/rc
- to generate new host keys.
- .It Fl a Ar rounds
--When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
-+When saving a new-format private key (i.e. SSH protocol
- 2 key when the
- .Fl o
- flag is set), this option specifies the number of KDF (key derivation function)
[email protected]@ -247,15 +245,6 @@ Specifies the number of bits in the key
- For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
- Generally, 2048 bits is considered sufficient.
- DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
--For ECDSA keys, the
--.Fl b
--flag determines the key length by selecting from one of three elliptic
--curve sizes: 256, 384 or 521 bits.
--Attempting to use bit lengths other than these three values for ECDSA keys
--will fail.
--Ed25519 keys have a fixed length and the
--.Fl b
--flag will be ignored.
- .It Fl C Ar comment
- Provides a new comment.
- .It Fl c
[email protected]@ -478,7 +467,6 @@ to save SSH protocol 2 private keys usin
- the more compatible PEM format.
- The new format has increased resistance to brute-force password cracking
- but is not supported by versions of OpenSSH prior to 6.5.
--Ed25519 keys always use the new private key format.
- .It Fl P Ar passphrase
- Provides the (old) passphrase.
- .It Fl p
[email protected]@ -524,14 +512,12 @@ section for details.
- Test DH group exchange candidate primes (generated using the
- .Fl G
- option) for safety.
--.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
-+.It Fl t Cm dsa | rsa | rsa1
- Specifies the type of key to create.
- The possible values are
- .Dq rsa1
- for protocol version 1 and
- .Dq dsa ,
--.Dq ecdsa ,
--.Dq ed25519 ,
- or
- .Dq rsa
- for protocol version 2.
[email protected]@ -810,10 +796,8 @@ where the user wishes to log in using RS
- There is no need to keep the contents of this file secret.
- .Pp
- .It Pa ~/.ssh/id_dsa
--.It Pa ~/.ssh/id_ecdsa
--.It Pa ~/.ssh/id_ed25519
- .It Pa ~/.ssh/id_rsa
--Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
-+Contains the protocol version 2 DSA or RSA
- authentication identity of the user.
- This file should not be readable by anyone but the user.
- It is possible to
[email protected]@ -826,10 +810,8 @@ but it is offered as the default file fo
- will read this file when a login attempt is made.
- .Pp
- .It Pa ~/.ssh/id_dsa.pub
--.It Pa ~/.ssh/id_ecdsa.pub
--.It Pa ~/.ssh/id_ed25519.pub
- .It Pa ~/.ssh/id_rsa.pub
--Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
-+Contains the protocol version 2 DSA or RSA
- public key for authentication.
- The contents of this file should be added to
- .Pa ~/.ssh/authorized_keys
-diff -pur old/ssh-keygen.c new/ssh-keygen.c
---- old/ssh-keygen.c
-+++ new/ssh-keygen.c
[email protected]@ -217,7 +217,11 @@ type_bits_valid(int type, const char *na
- 		fatal("key bits exceeds maximum %d", maxbits);
- 	if (type == KEY_DSA && *bitsp != 1024)
- 		fatal("DSA keys must be 1024 bits");
--	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
-+	else if (type != KEY_ECDSA &&
-+#ifndef WITHOUT_ED25519
-+		 type != KEY_ED25519 &&
-+#endif /* WITHOUT_ED25519 */
-+		 *bitsp < 1024)
- 		fatal("Key must at least be 1024 bits");
- 	else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
- 		fatal("Invalid ECDSA key length - valid lengths are "
[email protected]@ -252,10 +256,12 @@ ask_filename(struct passwd *pw, const ch
- 		case KEY_RSA:
- 			name = _PATH_SSH_CLIENT_ID_RSA;
- 			break;
-+#ifndef WITHOUT_ED25519
- 		case KEY_ED25519:
- 		case KEY_ED25519_CERT:
- 			name = _PATH_SSH_CLIENT_ID_ED25519;
- 			break;
-+#endif /* WITHOUT_ED25519 */
- 		default:
- 			fatal("bad key type");
- 		}
[email protected]@ -939,7 +945,9 @@ do_gen_all_hostkeys(struct passwd *pw)
- 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
- #endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
--		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
-+#ifndef WITHOUT_ED25519
-+ 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
-+#endif /* WITHOUT_ED25519 */
- 		{ NULL, NULL, NULL }
- 	};
- 
[email protected]@ -1605,7 +1613,10 @@ do_ca_sign(struct passwd *pw, int argc,
- 			fatal("%s: unable to open \"%s\": %s",
- 			    __func__, tmp, ssh_err(r));
- 		if (public->type != KEY_RSA && public->type != KEY_DSA &&
--		    public->type != KEY_ECDSA && public->type != KEY_ED25519)
-+#ifndef WITHOUT_ED25519
-+		    public->type != KEY_ED25519 && 
-+#endif /* WITHOUT_ED25519 */
-+		    public->type != KEY_ECDSA)
- 			fatal("%s: key \"%s\" type %s cannot be certified",
- 			    __func__, tmp, sshkey_type(public));
- 
[email protected]@ -2502,8 +2513,10 @@ main(int argc, char **argv)
- 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname);
- 			n += do_print_resource_record(pw,
- 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
-+#ifndef WITHOUT_ED25519
- 			n += do_print_resource_record(pw,
- 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
-+#endif /* WITHOUT_ED25519 */
- 			if (n == 0)
- 				fatal("no keys found.");
- 			exit(0);
-diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0
---- old/ssh-keyscan.0
-+++ new/ssh-keyscan.0
[email protected]@ -48,9 +48,9 @@ DESCRIPTION
-      -t type
-              Specifies the type of the key to fetch from the scanned hosts.
-              The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],
--             M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.  Multiple
-+             or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.  Multiple
-              values may be specified by separating them with commas.  The
--             default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys.
-+             default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^] keys.
- 
-      -v      Verbose mode.  Causes ssh-keyscan to print debugging messages
-              about its progress.
[email protected]@ -72,12 +72,11 @@ FILES
- 
-      host-or-namelist bits exponent modulus
- 
--     Output format for RSA, DSA, ECDSA, and Ed25519 keys:
-+     Output format for RSA, and DSA keys:
- 
-      host-or-namelist keytype base64-encoded-key
- 
--     Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^],
--     M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
-+     Where keytype is either M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
- 
-      /etc/ssh/ssh_known_hosts
- 
[email protected]@ -89,7 +88,7 @@ EXAMPLES
-      Find all hosts from the file ssh_hosts which have new or different keys
-      from those in the sorted file ssh_known_hosts:
- 
--     $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
-+     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
-              sort -u - ssh_known_hosts | diff ssh_known_hosts -
- 
- SEE ALSO
-diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1
---- old/ssh-keyscan.1
-+++ new/ssh-keyscan.1
[email protected]@ -90,18 +90,13 @@ Specifies the type of the key to fetch f
- The possible values are
- .Dq rsa1
- for protocol version 1 and
--.Dq dsa ,
--.Dq ecdsa ,
--.Dq ed25519 ,
-+.Dq dsa 
- or
- .Dq rsa
- for protocol version 2.
- Multiple values may be specified by separating them with commas.
- The default is to fetch
--.Dq rsa ,
--.Dq ecdsa ,
--and
--.Dq ed25519
-+.Dq rsa 
- keys.
- .It Fl v
- Verbose mode.
[email protected]@ -130,7 +125,7 @@ Output format for RSA1 keys:
- host-or-namelist bits exponent modulus
- .Ed
- .Pp
--Output format for RSA, DSA, ECDSA, and Ed25519 keys:
-+Output format for RSA and DSA keys:
- .Bd -literal
- host-or-namelist keytype base64-encoded-key
- .Ed
[email protected]@ -138,10 +133,6 @@ host-or-namelist keytype base64-encoded-
- Where
- .Ar keytype
- is either
--.Dq ecdsa-sha2-nistp256 ,
--.Dq ecdsa-sha2-nistp384 ,
--.Dq ecdsa-sha2-nistp521 ,
--.Dq ssh-ed25519 ,
- .Dq ssh-dss
- or
- .Dq ssh-rsa .
[email protected]@ -159,7 +150,7 @@ Find all hosts from the file
- which have new or different keys from those in the sorted file
- .Pa ssh_known_hosts :
- .Bd -literal
--$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
-+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
- 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
- .Ed
- .Sh SEE ALSO
-diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
---- old/ssh-keyscan.c
-+++ new/ssh-keyscan.c
[email protected]@ -286,7 +286,9 @@ keygrab_ssh2(con *c)
- 	c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
- # endif
- #endif
-+#ifndef WITHOUT_ED25519
- 	c->c_ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
-+#endif /* WITHOUT_ED25519 */
- 	ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
- 	/*
- 	 * do the key-exchange until an error occurs or until
[email protected]@ -612,10 +614,15 @@ do_host(char *host)
- {
- 	char *name = strnnsep(&host, " \t\n");
- 	int j;
-+#ifndef WITHOUT_ED25519
-+	int max_kt = KT_ED25519;
-+#else
-+	int max_kt = KT_ECDSA;
-+#endif /* WITHOUT_ED25519 */
- 
- 	if (name == NULL)
- 		return;
--	for (j = KT_RSA1; j <= KT_ED25519; j *= 2) {
-+	for (j = KT_RSA1; j <= max_kt; j *= 2) {
- 		if (get_keytypes & j) {
- 			while (ncon >= MAXCON)
- 				conloop();
[email protected]@ -719,9 +726,11 @@ main(int argc, char **argv)
- 				case KEY_RSA:
- 					get_keytypes |= KT_RSA;
- 					break;
-+#ifndef WITHOUT_ED25519
- 				case KEY_ED25519:
- 					get_keytypes |= KT_ED25519;
- 					break;
-+#endif /* WITHOUT_ED25519 */
- 				case KEY_UNSPEC:
- 					fatal("unknown key type %s", tname);
- 				}
-diff -pur old/ssh-keysign.0 new/ssh-keysign.0
---- old/ssh-keysign.0
-+++ new/ssh-keysign.0
[email protected]@ -24,8 +24,6 @@ FILES
-              Controls whether ssh-keysign is enabled.
- 
-      /etc/ssh/ssh_host_dsa_key
--     /etc/ssh/ssh_host_ecdsa_key
--     /etc/ssh/ssh_host_ed25519_key
-      /etc/ssh/ssh_host_rsa_key
-              These files contain the private parts of the host keys used to
-              generate the digital signature.  They should be owned by root,
[email protected]@ -34,8 +32,6 @@ FILES
-              host-based authentication is used.
- 
-      /etc/ssh/ssh_host_dsa_key-cert.pub
--     /etc/ssh/ssh_host_ecdsa_key-cert.pub
--     /etc/ssh/ssh_host_ed25519_key-cert.pub
-      /etc/ssh/ssh_host_rsa_key-cert.pub
-              If these files exist they are assumed to contain public
-              certificate information corresponding with the private keys
-diff -pur old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8
-+++ new/ssh-keysign.8
[email protected]@ -62,8 +62,6 @@ Controls whether
- is enabled.
- .Pp
- .It Pa /etc/ssh/ssh_host_dsa_key
--.It Pa /etc/ssh/ssh_host_ecdsa_key
--.It Pa /etc/ssh/ssh_host_ed25519_key
- .It Pa /etc/ssh/ssh_host_rsa_key
- These files contain the private parts of the host keys used to
- generate the digital signature.
[email protected]@ -74,8 +72,6 @@ Since they are readable only by root,
- must be set-uid root if host-based authentication is used.
- .Pp
- .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
--.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
--.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
- .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
- If these files exist they are assumed to contain public certificate
- information corresponding with the private keys above.
-diff -pur old/ssh-keysign.c new/ssh-keysign.c
---- old/ssh-keysign.c
-+++ new/ssh-keysign.c
[email protected]@ -168,7 +168,7 @@ main(int argc, char **argv)
- {
- 	struct sshbuf *b;
- 	Options options;
--#define NUM_KEYTYPES 4
-+#define NUM_KEYTYPES 3
- 	struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
- 	struct passwd *pw;
- 	int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
[email protected]@ -190,7 +190,9 @@ main(int argc, char **argv)
- 	/* XXX This really needs to read sshd_config for the paths */
- 	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
- 	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
-+#ifndef WITHOUT_ED25519
- 	key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
-+#endif /* WITHOUT_ED25519 */
- 	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
- 
- 	original_real_uid = getuid();	/* XXX readconf.c needs this */
-diff -pur old/ssh.0 new/ssh.0
---- old/ssh.0
-+++ new/ssh.0
[email protected]@ -140,8 +140,8 @@ DESCRIPTION
-      -i identity_file
-              Selects a file from which the identity (private key) for public
-              key authentication is read.  The default is ~/.ssh/identity for
--             protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
--             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
-+             protocol version 1, and ~/.ssh/id_dsa
-+             and ~/.ssh/id_rsa for protocol version 2.
-              Identity files may also be specified on a per-host basis in the
-              configuration file.  It is possible to have multiple -i options
-              (and multiple identities specified in configuration files).  ssh
[email protected]@ -463,7 +463,7 @@ AUTHENTICATION
-      creates a public/private key pair for authentication purposes.  The
-      server knows the public key, and only the user knows the private key.
-      ssh implements public key authentication protocol automatically, using
--     one of the DSA, ECDSA, Ed25519 or RSA algorithms.  Protocol 1 is
-+     one of the DSA or RSA algorithms.  Protocol 1 is
-      restricted to using only RSA keys, but protocol 2 may use any.  The
-      HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
-      algorithms.
[email protected]@ -476,11 +476,9 @@ AUTHENTICATION
- 
-      The user creates his/her key pair by running ssh-keygen(1).  This stores
-      the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
--     2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2
--     Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
--     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA),
--     ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2
--     Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
-+     2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
-+     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA)
-+     or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
-      directory.  The user should then copy the public key to
-      ~/.ssh/authorized_keys in his/her home directory on the remote machine.
-      The authorized_keys file corresponds to the conventional ~/.rhosts file,
[email protected]@ -825,7 +823,7 @@ FILES
-              for the user, and not accessible by others.
- 
-      ~/.ssh/authorized_keys
--             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
-+             Lists the public keys (DSA, RSA) that can be used
-              for logging in as this user.  The format of this file is
-              described in the sshd(8) manual page.  This file is not highly
-              sensitive, but the recommended permissions are read/write for the
[email protected]@ -843,8 +841,6 @@ FILES
- 
-      ~/.ssh/identity
-      ~/.ssh/id_dsa
--     ~/.ssh/id_ecdsa
--     ~/.ssh/id_ed25519
-      ~/.ssh/id_rsa
-              Contains the private key for authentication.  These files contain
-              sensitive data and should be readable by the user but not
[email protected]@ -856,8 +852,6 @@ FILES
- 
-      ~/.ssh/identity.pub
-      ~/.ssh/id_dsa.pub
--     ~/.ssh/id_ecdsa.pub
--     ~/.ssh/id_ed25519.pub
-      ~/.ssh/id_rsa.pub
-              Contains the public key for authentication.  These files are not
-              sensitive and can (but need not) be readable by anyone.
[email protected]@ -888,8 +882,6 @@ FILES
- 
-      /etc/ssh/ssh_host_key
-      /etc/ssh/ssh_host_dsa_key
--     /etc/ssh/ssh_host_ecdsa_key
--     /etc/ssh/ssh_host_ed25519_key
-      /etc/ssh/ssh_host_rsa_key
-              These files contain the private parts of the host keys and are
-              used for host-based authentication.  If protocol version 1 is
-diff -pur old/ssh.1 new/ssh.1
---- old/ssh.1
-+++ new/ssh.1
[email protected]@ -292,9 +292,7 @@ public key authentication is read.
- The default is
- .Pa ~/.ssh/identity
- for protocol version 1, and
--.Pa ~/.ssh/id_dsa ,
--.Pa ~/.ssh/id_ecdsa ,
--.Pa ~/.ssh/id_ed25519
-+.Pa ~/.ssh/id_dsa
- and
- .Pa ~/.ssh/id_rsa
- for protocol version 2.
[email protected]@ -848,7 +846,7 @@ key pair for authentication purposes.
- The server knows the public key, and only the user knows the private key.
- .Nm
- implements public key authentication protocol automatically,
--using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
-+using one of the DSA or RSA algorithms.
- Protocol 1 is restricted to using only RSA keys,
- but protocol 2 may use any.
- The HISTORY section of
[email protected]@ -873,10 +871,6 @@ This stores the private key in
- (protocol 1),
- .Pa ~/.ssh/id_dsa
- (protocol 2 DSA),
--.Pa ~/.ssh/id_ecdsa
--(protocol 2 ECDSA),
--.Pa ~/.ssh/id_ed25519
--(protocol 2 Ed25519),
- or
- .Pa ~/.ssh/id_rsa
- (protocol 2 RSA)
[email protected]@ -885,10 +879,6 @@ and stores the public key in
- (protocol 1),
- .Pa ~/.ssh/id_dsa.pub
- (protocol 2 DSA),
--.Pa ~/.ssh/id_ecdsa.pub
--(protocol 2 ECDSA),
--.Pa ~/.ssh/id_ed25519.pub
--(protocol 2 Ed25519),
- or
- .Pa ~/.ssh/id_rsa.pub
- (protocol 2 RSA)
[email protected]@ -1444,7 +1434,7 @@ secret, but the recommended permissions
- and not accessible by others.
- .Pp
- .It Pa ~/.ssh/authorized_keys
--Lists the public keys (DSA, ECDSA, Ed25519, RSA)
-+Lists the public keys (DSA, RSA)
- that can be used for logging in as this user.
- The format of this file is described in the
- .Xr sshd 8
[email protected]@ -1466,8 +1456,6 @@ above.
- .Pp
- .It Pa ~/.ssh/identity
- .It Pa ~/.ssh/id_dsa
--.It Pa ~/.ssh/id_ecdsa
--.It Pa ~/.ssh/id_ed25519
- .It Pa ~/.ssh/id_rsa
- Contains the private key for authentication.
- These files
[email protected]@ -1481,8 +1469,6 @@ sensitive part of this file using 3DES.
- .Pp
- .It Pa ~/.ssh/identity.pub
- .It Pa ~/.ssh/id_dsa.pub
--.It Pa ~/.ssh/id_ecdsa.pub
--.It Pa ~/.ssh/id_ed25519.pub
- .It Pa ~/.ssh/id_rsa.pub
- Contains the public key for authentication.
- These files are not
[email protected]@ -1521,8 +1507,6 @@ The file format and configuration option
- .Pp
- .It Pa /etc/ssh/ssh_host_key
- .It Pa /etc/ssh/ssh_host_dsa_key
--.It Pa /etc/ssh/ssh_host_ecdsa_key
--.It Pa /etc/ssh/ssh_host_ed25519_key
- .It Pa /etc/ssh/ssh_host_rsa_key
- These files contain the private parts of the host keys
- and are used for host-based authentication.
-diff -pur old/ssh.c new/ssh.c
---- old/ssh.c
-+++ new/ssh.c
[email protected]@ -1233,8 +1233,10 @@ main(int ac, char **av)
- 		sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA,
- 		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL);
- #endif
-+#ifndef WITHOUT_ED25519
- 		sensitive_data.keys[2] = key_load_private_cert(KEY_ED25519,
- 		    _PATH_HOST_ED25519_KEY_FILE, "", NULL);
-+#endif /* WITHOUT_ED25519 */
- 		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
- 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
- 		sensitive_data.keys[4] = key_load_private_cert(KEY_DSA,
[email protected]@ -1243,8 +1245,10 @@ main(int ac, char **av)
- 		sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
- 		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
- #endif
-+#ifndef WITHOUT_ED25519
- 		sensitive_data.keys[6] = key_load_private_type(KEY_ED25519,
- 		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
-+#endif /* WITHOUT_ED25519 */
- 		sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
- 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
- 		sensitive_data.keys[8] = key_load_private_type(KEY_DSA,
[email protected]@ -1261,8 +1265,10 @@ main(int ac, char **av)
- 			sensitive_data.keys[1] = key_load_cert(
- 			    _PATH_HOST_ECDSA_KEY_FILE);
- #endif
-+#ifndef WITHOUT_ED25519
- 			sensitive_data.keys[2] = key_load_cert(
- 			    _PATH_HOST_ED25519_KEY_FILE);
-+#endif /* WITHOUT_ED25519 */
- 			sensitive_data.keys[3] = key_load_cert(
- 			    _PATH_HOST_RSA_KEY_FILE);
- 			sensitive_data.keys[4] = key_load_cert(
[email protected]@ -1271,8 +1277,10 @@ main(int ac, char **av)
- 			sensitive_data.keys[5] = key_load_public(
- 			    _PATH_HOST_ECDSA_KEY_FILE, NULL);
- #endif
-+#ifndef WITHOUT_ED25519
- 			sensitive_data.keys[6] = key_load_public(
- 			    _PATH_HOST_ED25519_KEY_FILE, NULL);
-+#endif /* WITHOUT_ED25519 */
- 			sensitive_data.keys[7] = key_load_public(
- 			    _PATH_HOST_RSA_KEY_FILE, NULL);
- 			sensitive_data.keys[8] = key_load_public(
-diff -pur old/ssh_api.c new/ssh_api.c
---- old/ssh_api.c
-+++ new/ssh_api.c
[email protected]@ -109,7 +109,9 @@ ssh_init(struct ssh **sshp, int is_serve
- 		ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
- # endif
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 		ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_server;
-+#endif /* WITHOUT_ED25519 */
- 		ssh->kex->load_host_public_key=&_ssh_host_public_key;
- 		ssh->kex->load_host_private_key=&_ssh_host_private_key;
- 		ssh->kex->sign=&_ssh_host_key_sign;
[email protected]@ -123,7 +125,9 @@ ssh_init(struct ssh **sshp, int is_serve
- 		ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
- # endif
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 		ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
-+#endif /* WITHOUT_ED25519 */
- 		ssh->kex->verify_host_key =&_ssh_verify_host_key;
- 	}
- 	*sshp = ssh;
-diff -pur old/ssh_config.0 new/ssh_config.0
---- old/ssh_config.0
-+++ new/ssh_config.0
[email protected]@ -444,13 +444,8 @@ DESCRIPTION
-              specified key types will be appended to the default set instead
-              of replacing them.  The default for this option is:
- 
--                [email protected],
--                [email protected],
--                [email protected],
--                [email protected],
-                 [email protected],
--                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa
-+                ssh-rsa
- 
-              The -Q option of ssh(1) may be used to list supported key types.
- 
[email protected]@ -461,13 +456,8 @@ DESCRIPTION
-              key types will be appended to the default set instead of
-              replacing them.  The default for this option is:
- 
--                [email protected],
--                [email protected],
--                [email protected],
--                [email protected],
-                 [email protected],
--                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa
-+                ssh-rsa
- 
-              If hostkeys are known for the destination host then this default
-              is modified to prefer their algorithms.
[email protected]@ -503,10 +493,10 @@ DESCRIPTION
-              default is M-bM-^@M-^\noM-bM-^@M-^].
- 
-      IdentityFile
--             Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
-+             Specifies a file from which the user's DSA or RSA
-              authentication identity is read.  The default is ~/.ssh/identity
--             for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
--             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
-+             for protocol version 1, and ~/.ssh/id_dsa
-+             and ~/.ssh/id_rsa for protocol version 2.
-              Additionally, any identities represented by the authentication
-              agent will be used for authentication unless IdentitiesOnly is
-              set.  ssh(1) will try to load certificate information from the
[email protected]@ -569,7 +559,6 @@ DESCRIPTION
-              will be appended to the default set instead of replacing them.
-              The default is:
- 
--                   [email protected],
-                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-                    diffie-hellman-group-exchange-sha256,
-                    diffie-hellman-group-exchange-sha1,
[email protected]@ -727,13 +716,8 @@ DESCRIPTION
-              types after it will be appended to the default instead of
-              replacing it.  The default for this option is:
- 
--                [email protected],
--                [email protected],
--                [email protected],
--                [email protected],
-                 [email protected],
--                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa
-+                ssh-rsa
- 
-              The -Q option of ssh(1) may be used to list supported key types.
- 
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5
-+++ new/ssh_config.5
[email protected]@ -806,13 +806,8 @@ character, then the specified key types
- instead of replacing them.
- The default for this option is:
- .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
- [email protected],
--ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-rsa
- .Ed
- .Pp
- The
[email protected]@ -829,13 +824,8 @@ character, then the specified key types
- instead of replacing them.
- The default for this option is:
- .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
- [email protected],
--ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-rsa
- .Ed
- .Pp
- If hostkeys are known for the destination host then this default is modified
[email protected]@ -890,14 +880,12 @@ offers many different identities.
- The default is
- .Dq no .
- .It Cm IdentityFile
--Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
-+Specifies a file from which the user's DSA or RSA authentication
- identity is read.
- The default is
- .Pa ~/.ssh/identity
- for protocol version 1, and
- .Pa ~/.ssh/id_dsa ,
--.Pa ~/.ssh/id_ecdsa ,
--.Pa ~/.ssh/id_ed25519
- and
- .Pa ~/.ssh/id_rsa
- for protocol version 2.
[email protected]@ -1014,7 +1002,6 @@ character, then the specified methods wi
- instead of replacing them.
- The default is:
- .Bd -literal -offset indent
[email protected],
- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
- diffie-hellman-group-exchange-sha256,
- diffie-hellman-group-exchange-sha1,
[email protected]@ -1259,13 +1246,8 @@ character, then the key types after it w
- instead of replacing it.
- The default for this option is:
- .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
- [email protected],
--ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-rsa
- .Ed
- .Pp
- The
-diff -pur old/sshconnect.c new/sshconnect.c
---- old/sshconnect.c
-+++ new/sshconnect.c
[email protected]@ -1392,7 +1392,9 @@ show_other_keys(struct hostkeys *hostkey
- 		KEY_RSA,
- 		KEY_DSA,
- 		KEY_ECDSA,
-+#ifndef WITHOUT_ED25519
- 		KEY_ED25519,
-+#endif /* WITHOUT_ED25519 */
- 		-1
- 	};
- 	int i, ret = 0;
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c
-+++ new/sshconnect2.c
[email protected]@ -247,7 +247,9 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
- # endif
- #endif
-+#ifndef WITHOUT_ED25519
- 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
-+#endif /* WITHOUT_ED25519 */
- #ifdef GSSAPI
- 	if (options.gss_keyex) {
- 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
-diff -pur old/sshd.0 new/sshd.0
---- old/sshd.0
-+++ new/sshd.0
[email protected]@ -81,8 +81,7 @@ DESCRIPTION
-              be given if sshd is not run as root (as the normal host key files
-              are normally not readable by anyone but root).  The default is
-              /etc/ssh/ssh_host_key for protocol version 1, and
--             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
--             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
-+             /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
-              protocol version 2.  It is possible to have multiple host key
-              files for the different protocol versions and host key
-              algorithms.
[email protected]@ -146,7 +145,7 @@ DESCRIPTION
- AUTHENTICATION
-      The OpenSSH SSH daemon supports SSH protocols 1 and 2.  The default is to
-      use protocol 2 only, though this can be changed via the Protocol option
--     in sshd_config(5).  Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
-+     in sshd_config(5).  Protocol 2 supports DSA and RSA keys;
-      protocol 1 only supports RSA keys.  For both protocols, each host has a
-      host-specific key, normally 2048 bits, used to identify the host.
- 
[email protected]@ -279,15 +278,13 @@ AUTHORIZED_KEYS FILE FORMAT
-      starts with a number).  The bits, exponent, modulus, and comment fields
-      give the RSA key for protocol version 1; the comment field is not used
-      for anything (but may be convenient for the user to identify the key).
--     For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
--     M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
--     M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
-+     For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
- 
-      Note that lines in this file are usually several hundred bytes long
-      (because of the size of the public key encoding) up to a limit of 8
-      kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
-      kilobits.  You don't want to type them in; instead, copy the
--     identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub
-+     identity.pub, id_dsa.pub or the id_rsa.pub
-      file and edit it.
- 
-      sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
[email protected]@ -514,7 +511,7 @@ FILES
-              for the user, and not accessible by others.
- 
-      ~/.ssh/authorized_keys
--             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
-+             Lists the public keys (DSA, RSA) that can be used
-              for logging in as this user.  The format of this file is
-              described above.  The content of the file is not highly
-              sensitive, but the recommended permissions are read/write for the
[email protected]@ -570,8 +567,6 @@ FILES
- 
-      /etc/ssh/ssh_host_key
-      /etc/ssh/ssh_host_dsa_key
--     /etc/ssh/ssh_host_ecdsa_key
--     /etc/ssh/ssh_host_ed25519_key
-      /etc/ssh/ssh_host_rsa_key
-              These files contain the private parts of the host keys.  These
-              files should only be owned by root, readable only by root, and
[email protected]@ -580,8 +575,6 @@ FILES
- 
-      /etc/ssh/ssh_host_key.pub
-      /etc/ssh/ssh_host_dsa_key.pub
--     /etc/ssh/ssh_host_ecdsa_key.pub
--     /etc/ssh/ssh_host_ed25519_key.pub
-      /etc/ssh/ssh_host_rsa_key.pub
-              These files contain the public parts of the host keys.  These
-              files should be world-readable but writable only by root.  Their
-diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8
-+++ new/sshd.8
[email protected]@ -172,8 +172,6 @@ The default is
- .Pa /etc/ssh/ssh_host_key
- for protocol version 1, and
- .Pa /etc/ssh/ssh_host_dsa_key ,
--.Pa /etc/ssh/ssh_host_ecdsa_key .
--.Pa /etc/ssh/ssh_host_ed25519_key
- and
- .Pa /etc/ssh/ssh_host_rsa_key
- for protocol version 2.
[email protected]@ -275,7 +273,7 @@ though this can be changed via the
- .Cm Protocol
- option in
- .Xr sshd_config 5 .
--Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
-+Protocol 2 supports DSA and RSA keys;
- protocol 1 only supports RSA keys.
- For both protocols,
- each host has a host-specific key,
[email protected]@ -491,10 +489,6 @@ protocol version 1; the
- comment field is not used for anything (but may be convenient for the
- user to identify the key).
- For protocol version 2 the keytype is
--.Dq ecdsa-sha2-nistp256 ,
--.Dq ecdsa-sha2-nistp384 ,
--.Dq ecdsa-sha2-nistp521 ,
--.Dq ssh-ed25519 ,
- .Dq ssh-dss
- or
- .Dq ssh-rsa .
[email protected]@ -506,8 +500,6 @@ keys up to 16 kilobits.
- You don't want to type them in; instead, copy the
- .Pa identity.pub ,
- .Pa id_dsa.pub ,
--.Pa id_ecdsa.pub ,
--.Pa id_ed25519.pub ,
- or the
- .Pa id_rsa.pub
- file and edit it.
[email protected]@ -807,7 +799,7 @@ secret, but the recommended permissions
- and not accessible by others.
- .Pp
- .It Pa ~/.ssh/authorized_keys
--Lists the public keys (DSA, ECDSA, Ed25519, RSA)
-+Lists the public keys (DSA, RSA)
- that can be used for logging in as this user.
- The format of this file is described above.
- The content of the file is not highly sensitive, but the recommended
[email protected]@ -881,8 +873,6 @@ rlogin/rsh.
- .Pp
- .It Pa /etc/ssh/ssh_host_key
- .It Pa /etc/ssh/ssh_host_dsa_key
--.It Pa /etc/ssh/ssh_host_ecdsa_key
--.It Pa /etc/ssh/ssh_host_ed25519_key
- .It Pa /etc/ssh/ssh_host_rsa_key
- These files contain the private parts of the host keys.
- These files should only be owned by root, readable only by root, and not
[email protected]@ -893,8 +883,6 @@ does not start if these files are group/
- .Pp
- .It Pa /etc/ssh/ssh_host_key.pub
- .It Pa /etc/ssh/ssh_host_dsa_key.pub
--.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
--.It Pa /etc/ssh/ssh_host_ed25519_key.pub
- .It Pa /etc/ssh/ssh_host_rsa_key.pub
- These files contain the public parts of the host keys.
- These files should be world-readable but writable only by
-diff -pur old/sshd.c new/sshd.c
---- old/sshd.c
-+++ new/sshd.c
[email protected]@ -811,7 +811,9 @@ list_hostkey_types(void)
- 		case KEY_RSA:
- 		case KEY_DSA:
- 		case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
- 		case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 			if (buffer_len(&b) > 0)
- 				buffer_append(&b, ",", 1);
- 			p = key_ssh_name(key);
[email protected]@ -826,7 +828,9 @@ list_hostkey_types(void)
- 		case KEY_RSA_CERT:
- 		case KEY_DSA_CERT:
- 		case KEY_ECDSA_CERT:
-+#ifndef WITHOUT_ED25519
- 		case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 			if (buffer_len(&b) > 0)
- 				buffer_append(&b, ",", 1);
- 			p = key_ssh_name(key);
[email protected]@ -852,7 +856,9 @@ get_hostkey_by_type(int type, int nid, i
- 		case KEY_RSA_CERT:
- 		case KEY_DSA_CERT:
- 		case KEY_ECDSA_CERT:
-+#ifndef WITHOUT_ED25519
- 		case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 			key = sensitive_data.host_certificates[i];
- 			break;
- 		default:
[email protected]@ -1810,7 +1816,9 @@ main(int ac, char **av)
- 		case KEY_RSA:
- 		case KEY_DSA:
- 		case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
- 		case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 			if (have_agent || key != NULL)
- 				sensitive_data.have_ssh2_key = 1;
- 			break;
[email protected]@ -2646,7 +2654,9 @@ do_ssh2_kex(void)
- 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
- # endif
- #endif
-+#ifndef WITHOUT_ED25519
- 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
-+#endif /* WITHOUT_ED25519 */
- #ifdef GSSAPI
- 	if (options.gss_keyex) {
- 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
-diff -pur old/sshd_config.0 new/sshd_config.0
---- old/sshd_config.0
-+++ new/sshd_config.0
[email protected]@ -403,13 +403,8 @@ DESCRIPTION
-              specified key types will be appended to the default set instead
-              of replacing them.  The default for this option is:
- 
--                [email protected],
--                [email protected],
--                [email protected],
--                [email protected],
-                 [email protected],
--                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa
-+                ssh-rsa
- 
-              The -Q option of ssh(1) may be used to list supported key types.
- 
[email protected]@ -438,8 +433,7 @@ DESCRIPTION
-      HostKey
-              Specifies a file containing a private host key used by SSH.  The
-              default is /etc/ssh/ssh_host_key for protocol version 1, and
--             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
--             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
-+             /etc/ssh/ssh_host_dsa_key, and /etc/ssh/ssh_host_rsa_key for
-              protocol version 2.
- 
-              Note that sshd(8) will refuse to use a file if it is group/world-
[email protected]@ -447,7 +441,7 @@ DESCRIPTION
-              of the keys are actually used by sshd(8).
- 
-              It is possible to have multiple host key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
--             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
-+             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] are
-              used for version 2 of the SSH protocol.  It is also possible to
-              specify public host key files instead.  In this case operations
-              on the private key will be delegated to an ssh-agent(1).
[email protected]@ -462,13 +456,8 @@ DESCRIPTION
-              Specifies the protocol version 2 host key algorithms that the
-              server offers.  The default for this option is:
- 
--                [email protected],
--                [email protected],
--                [email protected],
--                [email protected],
-                 [email protected],
--                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa
-+                ssh-rsa
- 
-              The list of available key types may also be obtained using the -Q
-              option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
[email protected]@ -532,7 +521,6 @@ DESCRIPTION
-              will be appended to the default set instead of replacing them.
-              The supported algorithms are:
- 
--                   [email protected]
-                    diffie-hellman-group1-sha1
-                    diffie-hellman-group14-sha1
-                    diffie-hellman-group-exchange-sha1
[email protected]@ -543,7 +531,6 @@ DESCRIPTION
- 
-              The default is:
- 
--                   [email protected],
-                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-                    diffie-hellman-group-exchange-sha256,
-                    diffie-hellman-group14-sha1
[email protected]@ -787,13 +774,8 @@ DESCRIPTION
-              specified key types will be appended to the default set instead
-              of replacing them.  The default for this option is:
- 
--                [email protected],
--                [email protected],
--                [email protected],
--                [email protected],
-                 [email protected],
--                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa
-+                ssh-rsa
- 
-              The -Q option of ssh(1) may be used to list supported key types.
- 
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
[email protected]@ -712,8 +712,6 @@ The default is
- .Pa /etc/ssh/ssh_host_key
- for protocol version 1, and
- .Pa /etc/ssh/ssh_host_dsa_key ,
--.Pa /etc/ssh/ssh_host_ecdsa_key ,
--.Pa /etc/ssh/ssh_host_ed25519_key
- and
- .Pa /etc/ssh/ssh_host_rsa_key
- for protocol version 2.
[email protected]@ -730,8 +728,6 @@ It is possible to have multiple host key
- .Dq rsa1
- keys are used for version 1 and
- .Dq dsa ,
--.Dq ecdsa ,
--.Dq ed25519
- or
- .Dq rsa
- are used for version 2 of the SSH protocol.
[email protected]@ -878,8 +874,6 @@ The supported algorithms are:
- .Pp
- .Bl -item -compact -offset indent
- .It
[email protected]
--.It
- diffie-hellman-group1-sha1
- .It
- diffie-hellman-group14-sha1
[email protected]@ -897,7 +891,6 @@ ecdh-sha2-nistp521
- .Pp
- The default is:
- .Bd -literal -offset indent
[email protected],
- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
- diffie-hellman-group-exchange-sha256,
- diffie-hellman-group14-sha1
-diff -pur old/sshkey.c new/sshkey.c
---- old/sshkey.c
-+++ new/sshkey.c
[email protected]@ -85,9 +85,11 @@ struct keytype {
- 	int cert;
- };
- static const struct keytype keytypes[] = {
-+#ifndef WITHOUT_ED25519
- 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
- 	{ "[email protected]", "ED25519-CERT",
- 	    KEY_ED25519_CERT, 0, 1 },
-+#endif /* WITHOUT_ED25519 */
- #ifdef WITH_OPENSSL
- 	{ NULL, "RSA1", KEY_RSA1, 0, 0 },
- 	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
[email protected]@ -278,8 +280,10 @@ sshkey_size(const struct sshkey *k)
- 	case KEY_ECDSA_CERT:
- 		return sshkey_curve_nid_to_bits(k->ecdsa_nid);
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 		return 256;	/* XXX */
- 	}
- 	return 0;
[email protected]@ -292,7 +296,9 @@ sshkey_type_is_valid_ca(int type)
- 	case KEY_RSA:
- 	case KEY_DSA:
- 	case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 		return 1;
- 	default:
- 		return 0;
[email protected]@ -318,8 +324,10 @@ sshkey_type_plain(int type)
- 		return KEY_DSA;
- 	case KEY_ECDSA_CERT:
- 		return KEY_ECDSA;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		return KEY_ED25519;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return type;
- 	}
[email protected]@ -472,8 +480,10 @@ sshkey_new(int type)
- 	k->dsa = NULL;
- 	k->rsa = NULL;
- 	k->cert = NULL;
-+#ifndef WITHOUT_ED25519
- 	k->ed25519_sk = NULL;
- 	k->ed25519_pk = NULL;
-+#endif /* WITHOUT_ED25519 */
- 	switch (k->type) {
- #ifdef WITH_OPENSSL
- 	case KEY_RSA1:
[email protected]@ -508,10 +518,12 @@ sshkey_new(int type)
- 		/* Cannot do anything until we know the group */
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		/* no need to prealloc */
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
[email protected]@ -558,10 +570,12 @@ sshkey_add_private(struct sshkey *k)
- 		/* Cannot do anything until we know the group */
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		/* no need to prealloc */
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
[email protected]@ -613,6 +627,7 @@ sshkey_free(struct sshkey *k)
- 		break;
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		if (k->ed25519_pk) {
[email protected]@ -626,6 +641,7 @@ sshkey_free(struct sshkey *k)
- 			k->ed25519_sk = NULL;
- 		}
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
[email protected]@ -703,10 +719,12 @@ sshkey_equal_public(const struct sshkey
- 		return 1;
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
- 		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return 0;
- 	}
[email protected]@ -749,7 +767,9 @@ to_blob_buf(const struct sshkey *key, st
- 	case KEY_ECDSA_CERT:
- 	case KEY_RSA_CERT:
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 		/* Use the existing blob */
- 		/* XXX modified flag? */
- 		if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
[email protected]@ -786,6 +806,7 @@ to_blob_buf(const struct sshkey *key, st
- 			return ret;
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		if (key->ed25519_pk == NULL)
- 			return SSH_ERR_INVALID_ARGUMENT;
[email protected]@ -794,6 +815,7 @@ to_blob_buf(const struct sshkey *key, st
- 		    key->ed25519_pk, ED25519_PK_SZ)) != 0)
- 			return ret;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return SSH_ERR_KEY_TYPE_UNKNOWN;
- 	}
[email protected]@ -1267,11 +1289,13 @@ sshkey_read(struct sshkey *ret, char **c
- 	case KEY_RSA:
- 	case KEY_DSA:
- 	case KEY_ECDSA:
--	case KEY_ED25519:
-+#ifndef WITHOUT_ED25519
-+ 	case KEY_ED25519:
-+	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_DSA_CERT:
- 	case KEY_ECDSA_CERT:
- 	case KEY_RSA_CERT:
--	case KEY_ED25519_CERT:
- 		space = strchr(cp, ' ');
- 		if (space == NULL)
- 			return SSH_ERR_INVALID_FORMAT;
[email protected]@ -1363,6 +1387,7 @@ sshkey_read(struct sshkey *ret, char **c
- 		}
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 		if (sshkey_type_plain(ret->type) == KEY_ED25519) {
- 			free(ret->ed25519_pk);
- 			ret->ed25519_pk = k->ed25519_pk;
[email protected]@ -1371,6 +1396,7 @@ sshkey_read(struct sshkey *ret, char **c
- 			/* XXX */
- #endif
- 		}
-+#endif /* WITHOUT_ED25519 */
- 		retval = 0;
- /*XXXX*/
- 		sshkey_free(k);
[email protected]@ -1662,7 +1688,8 @@ sshkey_generate(int type, u_int bits, st
- 	if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
- 		return SSH_ERR_ALLOC_FAIL;
- 	switch (type) {
--	case KEY_ED25519:
-+#ifndef WITHOUT_ED25519
-+		case KEY_ED25519:
- 		if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
- 		    (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
- 			ret = SSH_ERR_ALLOC_FAIL;
[email protected]@ -1671,6 +1698,7 @@ sshkey_generate(int type, u_int bits, st
- 		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
- 		ret = 0;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- #ifdef WITH_OPENSSL
- 	case KEY_DSA:
- 		ret = dsa_generate_private_key(bits, &k->dsa);
[email protected]@ -1806,6 +1834,7 @@ sshkey_from_private(const struct sshkey
- 		}
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		if ((n = sshkey_new(k->type)) == NULL)
[email protected]@ -1818,6 +1847,7 @@ sshkey_from_private(const struct sshkey
- 			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
- 		}
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return SSH_ERR_KEY_TYPE_UNKNOWN;
- 	}
[email protected]@ -2084,6 +2114,7 @@ sshkey_from_blob_internal(struct sshbuf
- 		break;
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		/* Skip nonce */
- 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
[email protected]@ -2105,6 +2136,7 @@ sshkey_from_blob_internal(struct sshbuf
- 		key->ed25519_pk = pk;
- 		pk = NULL;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		if ((key = sshkey_new(type)) == NULL) {
- 			ret = SSH_ERR_ALLOC_FAIL;
[email protected]@ -2197,9 +2229,11 @@ sshkey_sign(const struct sshkey *key,
- 	case KEY_RSA:
- 		return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return SSH_ERR_KEY_TYPE_UNKNOWN;
- 	}
[email protected]@ -2229,9 +2263,11 @@ sshkey_verify(const struct sshkey *key,
- 	case KEY_RSA:
- 		return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return SSH_ERR_KEY_TYPE_UNKNOWN;
- 	}
[email protected]@ -2255,8 +2291,10 @@ sshkey_demote(const struct sshkey *k, st
- 	pk->dsa = NULL;
- 	pk->ecdsa = NULL;
- 	pk->rsa = NULL;
-+#ifndef WITHOUT_ED25519
- 	pk->ed25519_pk = NULL;
- 	pk->ed25519_sk = NULL;
-+#endif /* WITHOUT_ED25519 */
- 
- 	switch (k->type) {
- #ifdef WITH_OPENSSL
[email protected]@ -2306,6 +2344,7 @@ sshkey_demote(const struct sshkey *k, st
- 		break;
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
- 			goto fail;
[email protected]@ -2319,6 +2358,7 @@ sshkey_demote(const struct sshkey *k, st
- 			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
- 		}
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		ret = SSH_ERR_KEY_TYPE_UNKNOWN;
-  fail:
[email protected]@ -2347,9 +2387,11 @@ sshkey_to_certified(struct sshkey *k)
- 		newtype = KEY_ECDSA_CERT;
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		newtype = KEY_ED25519_CERT;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return SSH_ERR_INVALID_ARGUMENT;
- 	}
[email protected]@ -2428,11 +2470,13 @@ sshkey_certify(struct sshkey *k, struct
- 			goto out;
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		if ((ret = sshbuf_put_string(cert,
- 		    k->ed25519_pk, ED25519_PK_SZ)) != 0)
- 			goto out;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		ret = SSH_ERR_INVALID_ARGUMENT;
- 		goto out;
[email protected]@ -2607,6 +2651,7 @@ sshkey_private_serialize(const struct ss
- 		break;
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		if ((r = sshbuf_put_string(b, key->ed25519_pk,
- 		    ED25519_PK_SZ)) != 0 ||
[email protected]@ -2626,6 +2671,7 @@ sshkey_private_serialize(const struct ss
- 		    ED25519_SK_SZ)) != 0)
- 			goto out;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		r = SSH_ERR_INVALID_ARGUMENT;
- 		goto out;
[email protected]@ -2750,6 +2796,7 @@ sshkey_private_deserialize(struct sshbuf
- 			goto out;
- 		break;
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		if ((k = sshkey_new_private(type)) == NULL) {
- 			r = SSH_ERR_ALLOC_FAIL;
[email protected]@ -2780,6 +2827,7 @@ sshkey_private_deserialize(struct sshbuf
- 		k->ed25519_sk = ed25519_sk;
- 		ed25519_pk = ed25519_sk = NULL;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		r = SSH_ERR_KEY_TYPE_UNKNOWN;
- 		goto out;
[email protected]@ -3545,9 +3593,11 @@ sshkey_private_to_fileblob(struct sshkey
- 		return sshkey_private_pem_to_blob(key, blob,
- 		    passphrase, comment);
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		return sshkey_private_to_blob2(key, blob, passphrase,
- 		    comment, new_format_cipher, new_format_rounds);
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return SSH_ERR_KEY_TYPE_UNKNOWN;
- 	}
[email protected]@ -3853,9 +3903,11 @@ sshkey_parse_private_fileblob_type(struc
- 		return sshkey_parse_private_pem_fileblob(blob, type,
- 		    passphrase, keyp);
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		return sshkey_parse_private2(blob, type, passphrase,
- 		    keyp, commentp);
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
- 		    commentp)) == 0)
-diff -pur old/sshkey.h new/sshkey.h
---- old/sshkey.h
-+++ new/sshkey.h
[email protected]@ -57,11 +57,15 @@ enum sshkey_types {
- 	KEY_RSA,
- 	KEY_DSA,
- 	KEY_ECDSA,
--	KEY_ED25519,
-+#ifndef WITHOUT_ED25519
-+ 	KEY_ED25519,
-+#endif /* WITHOUT_ED25519 */
- 	KEY_RSA_CERT,
- 	KEY_DSA_CERT,
- 	KEY_ECDSA_CERT,
-+#ifndef WITHOUT_ED25519
- 	KEY_ED25519_CERT,
-+#endif /* WITHOUT_ED25519 */
- 	KEY_NULL,
- 	KEY_UNSPEC
- };
[email protected]@ -104,13 +108,17 @@ struct sshkey {
- 	DSA	*dsa;
- 	int	 ecdsa_nid;	/* NID of curve */
- 	EC_KEY	*ecdsa;
-+#ifndef WITHOUT_ED25519
- 	u_char	*ed25519_sk;
- 	u_char	*ed25519_pk;
-+#endif /* WITHOUT_ED25519 */
- 	struct sshkey_cert *cert;
- };
- 
-+#ifndef WITHOUT_ED25519
- #define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
- #define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
-+#endif /* WITHOUT_ED25519 */
- 
- struct sshkey	*sshkey_new(int);
- int		 sshkey_add_private(struct sshkey *);
[email protected]@ -208,11 +216,13 @@ int ssh_ecdsa_sign(const struct sshkey *
- int ssh_ecdsa_verify(const struct sshkey *key,
-     const u_char *signature, size_t signaturelen,
-     const u_char *data, size_t datalen, u_int compat);
-+#ifndef WITHOUT_ED25519
- int ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-     const u_char *data, size_t datalen, u_int compat);
- int ssh_ed25519_verify(const struct sshkey *key,
-     const u_char *signature, size_t signaturelen,
-     const u_char *data, size_t datalen, u_int compat);
-+#endif /* WITHOUT_ED25519 */
- #endif
- 
- #if !defined(WITH_OPENSSL)
--- a/components/openssh/patches/032-hang_on_closed_output.patch	Wed Apr 20 13:13:57 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-#
-# Fix possible hang on closed output.
-#
-# When there is a connectivity problem between the server and the client
-# (network outage, server crash or reboot), the client indefinitely hangs.
-#
-# This patch fixes the issue by checking ssh_packet_write_poll return value
-# in ssh_packet_write_wait and passing it through.
-#
-# The (updated) patch has been accepted upstream and will be part of 7.2
-# https://github.com/openssh/openssh-portable/commit/8408218
-#
-diff -pur old/packet.c new/packet.c
---- old/packet.c
-+++ new/packet.c
[email protected]@ -2040,7 +2040,8 @@ ssh_packet_write_wait(struct ssh *ssh)
- 	    NFDBITS), sizeof(fd_mask));
- 	if (setp == NULL)
- 		return SSH_ERR_ALLOC_FAIL;
--	ssh_packet_write_poll(ssh);
-+	if ((r = ssh_packet_write_poll(ssh)) != 0)
-+		return r;
- 	while (ssh_packet_have_data_to_write(ssh)) {
- 		memset(setp, 0, howmany(state->connection_out + 1,
- 		    NFDBITS) * sizeof(fd_mask));
--- a/components/openssh/patches/033-without_cast128.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/033-without_cast128.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -28,43 +28,10 @@
  	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
  	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
  	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
-diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h
-+++ new/myproposal.h
[email protected]@ -119,9 +119,16 @@
- 	"aes128-ctr,aes192-ctr,aes256-ctr" \
- 	AESGCM_CIPHER_MODES
- 
-+#ifdef WITHOUT_CAST128
-+# define CAST128
-+#else
-+# define CAST128 "cast128-cbc"
-+#endif
-+
- #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
- 	"arcfour256,arcfour128," \
--	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
-+	"aes128-cbc,3des-cbc,blowfish-cbc," \
-+	CAST128 \
- 	"aes192-cbc,aes256-cbc,arcfour,[email protected]"
- 
- #define KEX_SERVER_MAC \
-diff -pur old/ssh.1 new/ssh.1
---- old/ssh.1
-+++ new/ssh.1
[email protected]@ -788,7 +788,7 @@ options (see above).
- Both protocols support similar authentication methods,
- but protocol 2 is the default since
- it provides additional mechanisms for confidentiality
--(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-+(the traffic is encrypted using AES, 3DES, Blowfish, or Arcfour)
- and integrity (hmac-md5, hmac-sha1,
- hmac-sha2-256, hmac-sha2-512,
- umac-64, umac-128, hmac-ripemd160).
 diff -pur old/ssh_config.5 new/ssh_config.5
 --- old/ssh_config.5
 +++ new/ssh_config.5
[email protected]@ -408,8 +408,6 @@ arcfour256
[email protected]@ -478,8 +478,6 @@ arcfour256
  .It
  blowfish-cbc
  .It
@@ -73,15 +40,6 @@
  [email protected]
  .El
  .Pp
[email protected]@ -419,7 +417,7 @@ [email protected],
- aes128-ctr,aes192-ctr,aes256-ctr,
- [email protected],[email protected],
- arcfour256,arcfour128,
--aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
-+aes128-cbc,3des-cbc,blowfish-cbc,
- aes192-cbc,aes256-cbc,arcfour
- .Ed
- .Pp
 diff -pur old/sshd.8 new/sshd.8
 --- old/sshd.8
 +++ new/sshd.8
@@ -97,7 +55,7 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
[email protected]@ -469,8 +469,6 @@ arcfour256
[email protected]@ -472,8 +472,6 @@ arcfour256
  .It
  blowfish-cbc
  .It
--- a/components/openssh/patches/035-fips.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/035-fips.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -135,6 +135,50 @@
  	gss_enc2oid[oidpos].oid = NULL;
  	gss_enc2oid[oidpos].encoded = NULL;
  
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
[email protected]@ -89,7 +89,40 @@ struct kexalg {
+ 	int ec_nid;
+ 	int hash_alg;
+ };
++
++#ifdef ENABLE_OPENSSL_FIPS
++/* in FIPS mode limit kexalgs to FIPS compliant only */
++#define        kexalgs (ssh_FIPS_mode() ? kexalgs_fips : kexalgs_dflt)
++static const struct kexalg kexalgs_fips[] = {
++#ifdef WITH_OPENSSL
++	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++#ifdef HAVE_EVP_SHA256
++	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
++#endif /* HAVE_EVP_SHA256 */
++#ifdef OPENSSL_HAS_ECC
++	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
++	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
++	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
++	    SSH_DIGEST_SHA384 },
++# ifdef OPENSSL_HAS_NISTP521
++	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
++	    SSH_DIGEST_SHA512 },
++# endif /* OPENSSL_HAS_NISTP521 */
++#endif /* OPENSSL_HAS_ECC */
++#endif /* WITH_OPENSSL */
++#ifdef GSSAPI
++	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++#endif
++	{ NULL, -1, -1, -1},
++};
++static const struct kexalg kexalgs_dflt[] = {
++#else
+ static const struct kexalg kexalgs[] = {
++#endif 
+ #ifdef WITH_OPENSSL
+ 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+ 	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 diff -pur old/mac.c new/mac.c
 --- old/mac.c
 +++ new/mac.c
@@ -175,7 +219,7 @@
 diff -pur old/misc.c new/misc.c
 --- old/misc.c
 +++ new/misc.c
[email protected]@ -38,12 +38,15 @@
[email protected]@ -39,12 +39,15 @@
  #include <string.h>
  #include <time.h>
  #include <unistd.h>
@@ -191,7 +235,7 @@
  #include <ctype.h>
  #include <errno.h>
  #include <fcntl.h>
[email protected]@ -77,6 +80,60 @@ chop(char *s)
[email protected]@ -78,6 +81,60 @@ chop(char *s)
  
  }
  
@@ -270,28 +314,86 @@
 diff -pur old/myproposal.h new/myproposal.h
 --- old/myproposal.h
 +++ new/myproposal.h
[email protected]@ -131,6 +131,15 @@
- 	CAST128 \
- 	"aes192-cbc,aes256-cbc,arcfour,[email protected]"
[email protected]@ -83,19 +83,31 @@
+ # else
+ #  define KEX_CURVE25519_METHODS ""
+ # endif
+-#define KEX_COMMON_KEX \
++
++#define KEX_COMMON_KEX_DFLT \
+ 	KEX_CURVE25519_METHODS \
+ 	KEX_ECDH_METHODS \
+ 	KEX_SHA256_METHODS
+ 
+-#define KEX_SERVER_KEX KEX_COMMON_KEX \
++#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \
+ 	"diffie-hellman-group14-sha1" \
+ 
+-#define KEX_CLIENT_KEX KEX_COMMON_KEX \
++#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \
+ 	"diffie-hellman-group-exchange-sha1," \
+ 	"diffie-hellman-group14-sha1"
  
-+#ifdef ENABLE_OPENSSL_FIPS
-+#define KEX_FIPS_SERVER_ENCRYPT \
+-#define	KEX_DEFAULT_PK_ALG	\
++#define KEX_COMMON_KEX_FIPS \
++	KEX_ECDH_METHODS \
++	KEX_SHA256_METHODS
++
++#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \
++	"diffie-hellman-group14-sha1" \
++
++#define KEX_CLIENT_KEX_FIPS KEX_COMMON_KEX_FIPS \
++	"diffie-hellman-group-exchange-sha1," \
++	"diffie-hellman-group14-sha1"
++
++#define	KEX_DEFAULT_PK_ALG_DFLT	\
+ 	HOSTKEY_ECDSA_CERT_METHODS \
+ 	"[email protected]," \
+ 	"[email protected]," \
[email protected]@ -105,17 +117,32 @@
+ 	"rsa-sha2-256," \
+ 	"ssh-rsa"
+ 
++#define	KEX_DEFAULT_PK_ALG_FIPS	\
++	HOSTKEY_ECDSA_CERT_METHODS \
++	"[email protected]," \
++	HOSTKEY_ECDSA_METHODS \
++	"rsa-sha2-512," \
++	"rsa-sha2-256," \
++	"ssh-rsa"
++
+ /* the actual algorithms */
+ 
+-#define KEX_SERVER_ENCRYPT \
++#define KEX_SERVER_ENCRYPT_DFLT \
+ 	"[email protected]," \
+ 	"aes128-ctr,aes192-ctr,aes256-ctr" \
+ 	AESGCM_CIPHER_MODES
+ 
+-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
++#define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
++	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
++
++#define KEX_SERVER_ENCRYPT_FIPS \
 +	"aes128-ctr,aes192-ctr,aes256-ctr" \
 +	AESGCM_CIPHER_MODES
 +
-+#define KEX_FIPS_CLIENT_ENCRYPT KEX_FIPS_SERVER_ENCRYPT "," \
-+	"aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,[email protected]"
-+#endif /* ENABLE_OPENSSL_FIPS */
-+
- #define KEX_SERVER_MAC \
++#define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
+ 	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+ 
+-#define KEX_SERVER_MAC \
++#define KEX_SERVER_MAC_DFLT \
  	"[email protected]," \
  	"[email protected]," \
[email protected]@ -154,6 +163,20 @@
- 	"hmac-sha1-96," \
- 	"hmac-md5-96"
+ 	"[email protected]," \
[email protected]@ -127,7 +154,42 @@
+ 	"hmac-sha2-512," \
+ 	"hmac-sha1"
  
-+#ifdef ENABLE_OPENSSL_FIPS
-+#define KEX_FIPS_SERVER_MAC \
+-#define KEX_CLIENT_MAC KEX_SERVER_MAC
++#define KEX_CLIENT_MAC_DFLT KEX_SERVER_MAC_DFLT
++
++#define KEX_SERVER_MAC_FIPS \
 +	"[email protected]," \
 +	"[email protected]," \
 +	"[email protected]," \
@@ -299,79 +401,39 @@
 +	"hmac-sha2-512," \
 +	"hmac-sha1"
 +
-+#define KEX_FIPS_CLIENT_MAC KEX_FIPS_SERVER_MAC "," \
-+	"[email protected]," \
-+	"hmac-sha1-96"
-+#endif /* ENABLE_OPENSSL_FIPS */
-+
- #else
- 
- #define KEX_SERVER_KEX		\
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c
-+++ new/readconf.c
[email protected]@ -1760,6 +1760,11 @@ fill_default_options_for_canonicalizatio
- void
- fill_default_options(Options * options)
- {
-+#ifdef ENABLE_OPENSSL_FIPS
-+	char *encs;
-+	char *macs;
-+#endif /* ENABLE_OPENSSL_FIPS */
++#define KEX_CLIENT_MAC_FIPS KEX_SERVER_MAC_FIPS
 +
- 	if (options->forward_agent == -1)
- 		options->forward_agent = 0;
- 	if (options->forward_x11 == -1)
[email protected]@ -1934,8 +1939,15 @@ fill_default_options(Options * options)
- 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- 	if (options->update_hostkeys == -1)
- 		options->update_hostkeys = 0;
-+#ifndef ENABLE_OPENSSL_FIPS
- 	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
- 	    kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
-+#else
-+	encs = ssh_FIPS_mode() ? KEX_FIPS_CLIENT_ENCRYPT : KEX_CLIENT_ENCRYPT;
-+	macs = ssh_FIPS_mode() ? KEX_FIPS_CLIENT_MAC : KEX_CLIENT_MAC;
-+	if (kex_assemble_names(encs, &options->ciphers) != 0 ||
-+	    kex_assemble_names(macs, &options->macs) != 0 ||
-+#endif /* ENABLE_OPENSSL_FIPS */
- 	    kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
- 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
- 	    &options->hostbased_key_types) != 0 ||
-diff -pur old/servconf.c new/servconf.c
---- old/servconf.c
-+++ new/servconf.c
[email protected]@ -195,6 +195,10 @@ void
- fill_default_server_options(ServerOptions *options)
- {
- 	int i;
 +#ifdef ENABLE_OPENSSL_FIPS
-+	char *encs;
-+	char *macs;
++ #define KEX_SERVER_KEX \
++     (ssh_FIPS_mode() ? (KEX_SERVER_KEX_FIPS) : (KEX_SERVER_KEX_DFLT) )
++ #define KEX_CLIENT_KEX \
++     (ssh_FIPS_mode() ? (KEX_CLIENT_KEX_FIPS) : (KEX_CLIENT_KEX_DFLT) )
++ #define KEX_DEFAULT_PK_ALG \
++     (ssh_FIPS_mode() ? (KEX_DEFAULT_PK_ALG_FIPS) : (KEX_DEFAULT_PK_ALG_DFLT) )
++ #define KEX_SERVER_ENCRYPT \
++    (ssh_FIPS_mode() ? (KEX_SERVER_ENCRYPT_FIPS) : (KEX_SERVER_ENCRYPT_DFLT))
++ #define KEX_CLIENT_ENCRYPT \
++    (ssh_FIPS_mode() ? (KEX_CLIENT_ENCRYPT_FIPS) : (KEX_CLIENT_ENCRYPT_DFLT))
++ #define KEX_SERVER_MAC \
++    (ssh_FIPS_mode() ? (KEX_SERVER_MAC_FIPS) : (KEX_SERVER_MAC_DFLT) )
++ #define KEX_CLIENT_MAC \
++    (ssh_FIPS_mode() ? (KEX_CLIENT_MAC_FIPS) : (KEX_CLIENT_MAC_DFLT) )
++#else /* ENABLE_OPENSSL_FIPS */
++ #define KEX_SERVER_KEX KEX_SERVER_KEX_DFLT
++ #define KEX_CLIENT_KEX KEX_CLIENT_KEX_DFLT
++ #define KEX_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG_DFLT
++ #define KEX_SERVER_ENCRYPT KEX_SERVER_ENCRYPT_DFLT
++ #define KEX_CLIENT_ENCRYPT KEX_CLIENT_ENCRYPT_DFLT
++ #define KEX_SERVER_MAC KEX_SERVER_MAC_DFLT
++ #define KEX_CLIENT_MAC KEX_CLIENT_MAC_DFLT
 +#endif /* ENABLE_OPENSSL_FIPS */
  
- 	/* Portable-specific options */
- 	if (options->use_pam == -1)
[email protected]@ -382,8 +386,15 @@ fill_default_server_options(ServerOption
- 	if (options->fingerprint_hash == -1)
- 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ #else /* WITH_OPENSSL */
  
-+#ifndef ENABLE_OPENSSL_FIPS
- 	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
- 	    kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
-+#else
-+	encs = ssh_FIPS_mode() ? KEX_FIPS_SERVER_ENCRYPT : KEX_SERVER_ENCRYPT;
-+	macs = ssh_FIPS_mode() ? KEX_FIPS_SERVER_MAC : KEX_SERVER_MAC;
-+	if (kex_assemble_names(encs, &options->ciphers) != 0 ||
-+	    kex_assemble_names(macs, &options->macs) != 0 ||
-+#endif /* ENABLE_OPENSSL_FIPS */
- 	    kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
- 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
- 	    &options->hostbased_key_types) != 0 ||
 diff -pur old/ssh-add.1 new/ssh-add.1
 --- old/ssh-add.1
 +++ new/ssh-add.1
[email protected]@ -114,6 +114,8 @@ and
[email protected]@ -116,6 +116,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -383,7 +445,7 @@
 diff -pur old/ssh-add.c new/ssh-add.c
 --- old/ssh-add.c
 +++ new/ssh-add.c
[email protected]@ -493,6 +493,12 @@ main(int argc, char **argv)
[email protected]@ -488,6 +488,12 @@ main(int argc, char **argv)
  	__progname = ssh_get_progname(argv[0]);
  	seed_rng();
  
@@ -399,7 +461,7 @@
 diff -pur old/ssh-agent.1 new/ssh-agent.1
 --- old/ssh-agent.1
 +++ new/ssh-agent.1
[email protected]@ -110,6 +110,8 @@ and
[email protected]@ -117,6 +117,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -411,15 +473,15 @@
 diff -pur old/ssh-agent.c new/ssh-agent.c
 --- old/ssh-agent.c
 +++ new/ssh-agent.c
[email protected]@ -1187,6 +1187,7 @@ main(int ac, char **av)
[email protected]@ -1199,6 +1199,7 @@ main(int ac, char **av)
  	struct timeval *tvp = NULL;
  	size_t len;
  	mode_t prev_mask;
 +	int fips_err;
  
+ 	ssh_malloc_init();	/* must be called before any mallocs */
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
- 	sanitise_stdfd();
[email protected]@ -1200,6 +1201,9 @@ main(int ac, char **av)
[email protected]@ -1213,6 +1214,9 @@ main(int ac, char **av)
  	prctl(PR_SET_DUMPABLE, 0);
  #endif
  
@@ -429,13 +491,14 @@
  #ifdef WITH_OPENSSL
  	OpenSSL_add_all_algorithms();
  #endif
[email protected]@ -1330,7 +1334,18 @@ main(int ac, char **av)
[email protected]@ -1343,8 +1347,19 @@ main(int ac, char **av)
  		printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
  		    SSH_AUTHSOCKET_ENV_NAME);
  		printf("echo Agent pid %ld;\n", (long)parent_pid);
 +#ifdef ENABLE_OPENSSL_FIPS
 +		ssh_FIPS_check_status();
 +#endif
+ 		fflush(stdout);
  		goto skip;
 +#ifdef ENABLE_OPENSSL_FIPS
 +	} else {
@@ -451,7 +514,7 @@
 diff -pur old/ssh-keygen.1 new/ssh-keygen.1
 --- old/ssh-keygen.1
 +++ new/ssh-keygen.1
[email protected]@ -268,6 +268,8 @@ and
[email protected]@ -283,6 +283,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -463,7 +526,7 @@
 diff -pur old/ssh-keygen.c new/ssh-keygen.c
 --- old/ssh-keygen.c
 +++ new/ssh-keygen.c
[email protected]@ -2224,11 +2224,18 @@ main(int argc, char **argv)
[email protected]@ -2267,11 +2267,18 @@ main(int argc, char **argv)
  
  	__progname = ssh_get_progname(argv[0]);
  
@@ -485,7 +548,7 @@
 diff -pur old/ssh-keysign.c new/ssh-keysign.c
 --- old/ssh-keysign.c
 +++ new/ssh-keysign.c
[email protected]@ -175,6 +175,7 @@ main(int argc, char **argv)
[email protected]@ -178,6 +178,7 @@ main(int argc, char **argv)
  	u_char *signature, *data, rver;
  	char *host, *fp;
  	size_t slen, dlen;
@@ -493,7 +556,7 @@
  #ifdef WITH_OPENSSL
  	u_int32_t rnd[256];
  #endif
[email protected]@ -223,6 +224,16 @@ main(int argc, char **argv)
[email protected]@ -228,6 +229,16 @@ main(int argc, char **argv)
  	if (found == 0)
  		fatal("could not open any host key");
  
@@ -513,7 +576,7 @@
 diff -pur old/ssh.1 new/ssh.1
 --- old/ssh.1
 +++ new/ssh.1
[email protected]@ -92,6 +92,9 @@ If
[email protected]@ -91,6 +91,9 @@ If
  is specified,
  it is executed on the remote host instead of a login shell.
  .Pp
@@ -526,7 +589,7 @@
 diff -pur old/ssh.c new/ssh.c
 --- old/ssh.c
 +++ new/ssh.c
[email protected]@ -588,6 +588,11 @@ main(int ac, char **av)
[email protected]@ -606,6 +606,11 @@ main(int ac, char **av)
  	 */
  	initialize_options(&options);
  
@@ -538,7 +601,7 @@
  	/* Parse command-line arguments. */
  	host = NULL;
  	use_syslog = 0;
[email protected]@ -997,6 +1002,10 @@ main(int ac, char **av)
[email protected]@ -1016,6 +1021,10 @@ main(int ac, char **av)
  #endif
  		);
  
@@ -566,8 +629,8 @@
 diff -pur old/ssh_config.5 new/ssh_config.5
 --- old/ssh_config.5
 +++ new/ssh_config.5
[email protected]@ -423,6 +423,13 @@ aes128-cbc,3des-cbc,blowfish-cbc,cast128
- aes192-cbc,aes256-cbc,arcfour
[email protected]@ -489,6 +489,13 @@ [email protected],[email protected]
+ aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
  .Ed
  .Pp
 +The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
@@ -580,7 +643,7 @@
  The list of available ciphers may also be obtained using the
  .Fl Q
  option of
[email protected]@ -662,6 +669,8 @@ and
[email protected]@ -738,6 +745,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -589,8 +652,8 @@
  .It Cm ForwardAgent
  Specifies whether the connection to the authentication agent (if any)
  will be forwarded to the remote machine.
[email protected]@ -1110,6 +1119,16 @@ hmac-md5,hmac-sha1,hmac-ripemd160,
- hmac-sha1-96,hmac-md5-96
[email protected]@ -1200,6 +1209,16 @@ [email protected],[email protected]
+ hmac-sha2-256,hmac-sha2-512,hmac-sha1
  .Ed
  .Pp
 +The following MACs are FIPS-140 approved and are supported in FIPS-140 mode:
@@ -609,7 +672,7 @@
 diff -pur old/sshconnect.c new/sshconnect.c
 --- old/sshconnect.c
 +++ new/sshconnect.c
[email protected]@ -523,8 +523,14 @@ send_client_banner(int connection_out, i
[email protected]@ -530,8 +530,14 @@ send_client_banner(int connection_out, i
  {
  	/* Send our own protocol version identification. */
  	if (compat20) {
@@ -640,7 +703,7 @@
 diff -pur old/sshd.c new/sshd.c
 --- old/sshd.c
 +++ new/sshd.c
[email protected]@ -431,10 +431,18 @@ sshd_exchange_identification(int sock_in
[email protected]@ -430,10 +430,18 @@ sshd_exchange_identification(int sock_in
  		minor = PROTOCOL_MINOR_1;
  	}
  
@@ -658,8 +721,8 @@
 +#endif
  
  	/* Send our protocol version identification. */
- 	if (roaming_atomicio(vwrite, sock_out, server_version_string,
[email protected]@ -1501,6 +1509,10 @@ main(int ac, char **av)
+ 	if (atomicio(vwrite, sock_out, server_version_string,
[email protected]@ -1503,6 +1511,10 @@ main(int ac, char **av)
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
  
@@ -684,7 +747,7 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
[email protected]@ -481,6 +481,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
[email protected]@ -482,6 +482,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
  [email protected],[email protected]
  .Ed
  .Pp
@@ -698,7 +761,7 @@
  The list of available ciphers may also be obtained using the
  .Fl Q
  option of
[email protected]@ -577,6 +584,8 @@ and
[email protected]@ -576,6 +583,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -707,8 +770,8 @@
  .It Cm ForceCommand
  Forces the execution of the command specified by
  .Cm ForceCommand ,
[email protected]@ -1023,6 +1032,16 @@ [email protected],[email protected]
- hmac-sha2-256,hmac-sha2-512
[email protected]@ -1025,6 +1034,16 @@ [email protected],[email protected]
+ hmac-sha2-256,hmac-sha2-512,hmac-sha1
  .Ed
  .Pp
 +The following MACs are FIPS-140 approved and are supported in FIPS-140 mode:
@@ -724,3 +787,53 @@
  The list of available MAC algorithms may also be obtained using the
  .Fl Q
  option of
+diff -pur old/sshkey.c new/sshkey.c
+--- old/sshkey.c
++++ new/sshkey.c
[email protected]@ -85,7 +85,46 @@ struct keytype {
+ 	int cert;
+ 	int sigonly;
+ };
++
++#ifdef ENABLE_OPENSSL_FIPS
++/* in FIPS mode limit keytypes to FIPS compliant only */
++#define	keytypes (ssh_FIPS_mode() ? keytypes_fips : keytypes_dflt)
++
++static const struct keytype keytypes_fips[] = {
++#ifdef WITH_OPENSSL
++	{ NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
++	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
++	{ "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
++	{ "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
++	{ "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
++# ifdef OPENSSL_HAS_ECC
++	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
++	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
++#  ifdef OPENSSL_HAS_NISTP521
++	{ "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
++#  endif /* OPENSSL_HAS_NISTP521 */
++# endif /* OPENSSL_HAS_ECC */
++	{ "[email protected]", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
++	{ "[email protected]", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
++# ifdef OPENSSL_HAS_ECC
++	{ "[email protected]", "ECDSA-CERT",
++	    KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
++	{ "[email protected]", "ECDSA-CERT",
++	    KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
++#  ifdef OPENSSL_HAS_NISTP521
++	{ "[email protected]", "ECDSA-CERT",
++	    KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
++#  endif /* OPENSSL_HAS_NISTP521 */
++# endif /* OPENSSL_HAS_ECC */
++#endif /* WITH_OPENSSL */
++	{ "null", "null", KEY_NULL, 0, 0 },
++	{ NULL, NULL, -1, -1, 0, 0 }
++};
++
++static const struct keytype keytypes_dflt[] = {
++#else /* ENABLE_OPENSSL_FIPS */
+ static const struct keytype keytypes[] = {
++#endif /* ENABLE_OPENSSL_FIPS */
+ 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
+ 	{ "[email protected]", "ED25519-CERT",
+ 	    KEY_ED25519_CERT, 0, 1, 0 },
--- a/components/openssh/patches/037-missing_or_misleading_error_messages.patch	Wed Apr 20 13:13:57 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-#
-# Add missing error() upon identity_sign() failure, fix typos in ssherr() calls.
-#
-# After OpenSSH code was refactored recently, DSA_do_sign() and RSA_sign()
-# failures no longer result in error messages printed out. This is particularly
-# inconvenient for FIPS mode, were these calls can fail due to non-compliant
-# crypto algorithm options.
-#
-# Investigating other missing error messages spotted two calls to ssherr()
-# with wrong error codes.
-#
-# Patch has been submitted upstream:
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2507
-#
-# Update: patch has been accepted upstream, will be part of 7.2:
-# https://github.com/openssh/openssh-portable/commit/39736be
-#
-# On uprev to 7.2+ we will drop this patch.
-#
-diff -pur old/ssh-agent.c new/ssh-agent.c
---- old/ssh-agent.c
-+++ new/ssh-agent.c
[email protected]@ -389,7 +389,7 @@ process_sign_request2(SocketEntry *e)
- 	if (flags & SSH_AGENT_OLD_SIGNATURE)
- 		compat = SSH_BUG_SIGBLOB;
- 	if ((r = sshkey_from_blob(blob, blen, &key)) != 0) {
--		error("%s: cannot parse key blob: %s", __func__, ssh_err(ok));
-+		error("%s: cannot parse key blob: %s", __func__, ssh_err(r));
- 		goto send;
- 	}
- 	if ((id = lookup_identity(key, 2)) == NULL) {
[email protected]@ -402,7 +402,7 @@ process_sign_request2(SocketEntry *e)
- 	}
- 	if ((r = sshkey_sign(id->key, &signature, &slen,
- 	    data, dlen, compat)) != 0) {
--		error("%s: sshkey_sign: %s", __func__, ssh_err(ok));
-+		error("%s: sshkey_sign: %s", __func__, ssh_err(r));
- 		goto send;
- 	}
- 	/* Success */
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c
-+++ new/sshconnect2.c
[email protected]@ -1167,6 +1167,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
- 	ret = identity_sign(id, &signature, &slen,
- 	    buffer_ptr(&b), buffer_len(&b), datafellows);
- 	if (ret != 0) {
-+		error("%s: signing failed: %s", __func__, ssh_err(ret));
- 		free(blob);
- 		buffer_free(&b);
- 		return 0;
--- a/components/openssh/patches/039-sshd_config_5_defaults.patch	Wed Apr 20 13:13:57 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,20 +0,0 @@
-#
-# hmac-sha1 is heavily used in the world, and customers updating openssh should
-# have up-to-date man pages
-#
-# Upstream has been notified of this typo and is correcting it, this patch
-# will be removed when Solaris updates to an update including the fix.
-# 
-
-diff -rupN old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5	2016-01-28 13:47:34.630632408 -0800
-+++ new/sshd_config.5	2016-01-28 13:48:34.129479936 -0800
[email protected]@ -1018,7 +1018,7 @@ The default is:
- [email protected],[email protected],
- [email protected],[email protected],
- [email protected],[email protected],
--hmac-sha2-256,hmac-sha2-512
-+hmac-sha2-256,hmac-sha2-512,hmac-sha1
- .Ed
- .Pp
- The list of available MAC algorithms may also be obtained using the
--- a/components/openssh/patches/040-default_config_files.patch	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/patches/040-default_config_files.patch	Wed Apr 20 13:13:57 2016 -0700
@@ -2,11 +2,12 @@
 # This patch contains changes to the default SSH system configurations for
 # /etc/ssh/sshd_config and /etc/ssh/ssh_config on Solaris.
 #
-# This is a Solaris specific patch and will not be contributed back to tge
+# This is a Solaris specific patch and will not be contributed back to the
 # upstream community.
 #
---- orig/ssh_config	Wed Feb 10 16:52:14 2016
-+++ new/ssh_config	Wed Feb 10 18:32:20 2016
+diff -pur old/ssh_config new/ssh_config
+--- old/ssh_config
++++ new/ssh_config
 @@ -24,8 +24,9 @@
  #   RSAAuthentication yes
  #   PasswordAuthentication yes
@@ -18,7 +19,7 @@
  #   BatchMode no
  #   CheckHostIP yes
  #   AddressFamily any
[email protected]@ -46,3 +47,7 @@
[email protected]@ -48,3 +49,7 @@
  #   VisualHostKey no
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
@@ -26,9 +27,12 @@
 +# Send the LANG and LC_* environment variables to server.
 +SendEnv LANG
 +SendEnv LC_*
---- orig/sshd_config	Wed Feb 10 16:52:20 2016
-+++ new/sshd_config	Tue Feb 23 16:40:15 2016
[email protected]@ -2,132 +2,95 @@
+diff -pur old/sshd_config new/sshd_config
+--- old/sshd_config
++++ new/sshd_config
[email protected]@ -1,133 +1,96 @@
+-#	$OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
++#	$OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
  
  # This is the sshd server system-wide configuration file.  See
  # sshd_config(5) for more information.
@@ -66,71 +70,74 @@
 -#HostKey /etc/ssh/ssh_host_dsa_key
 -#HostKey /etc/ssh/ssh_host_ecdsa_key
 -#HostKey /etc/ssh/ssh_host_ed25519_key
+-
+-# Lifetime and size of ephemeral version 1 server key
+-#KeyRegenerationInterval 1h
+-#ServerKeyBits 1024
+-
+-# Ciphers and keying
+-#RekeyLimit default none
+-
+-# Logging
+-# obsoletes QuietMode and FascistLogging
+-#SyslogFacility AUTH
+-#LogLevel INFO
 +# X11 tunneling options
 +#X11DisplayOffset 10
 +#X11UseLocalhost yes
 +X11Forwarding yes
  
--# Lifetime and size of ephemeral version 1 server key
--#KeyRegenerationInterval 1h
--#ServerKeyBits 1024
+-# Authentication:
 +# The maximum number of concurrent unauthenticated connections to sshd.
 +# start:rate:full see sshd(1) for more information.
 +#MaxStartups 10:30:100
  
--# Ciphers and keying
--#RekeyLimit default none
-+# Banner to be printed before authentication starts.
-+Banner /etc/issue
- 
--# Logging
--# obsoletes QuietMode and FascistLogging
--#SyslogFacility AUTH
--#LogLevel INFO
-+# Should sshd print the /etc/motd file and check for mail.
-+# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
-+PrintMotd no
- 
--# Authentication:
-+# KeepAlive specifies whether keep alive messages are sent to the client.
-+# See sshd(1) for detailed description of what this means.
-+# Note that the client may also be sending keep alive messages to the server.
-+#KeepAlive yes
- 
 -#LoginGraceTime 2m
 -#PermitRootLogin prohibit-password
 -#StrictModes yes
 -#MaxAuthTries 6
 -#MaxSessions 10
-+# Syslog facility and level 
-+#SyslogFacility auth
-+#LogLevel info
++# Banner to be printed before authentication starts.
++Banner /etc/issue
  
 -#RSAAuthentication yes
 -#PubkeyAuthentication yes
++# Should sshd print the /etc/motd file and check for mail.
++# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
++PrintMotd no
++
++# KeepAlive specifies whether keep alive messages are sent to the client.
++# See sshd(1) for detailed description of what this means.
++# Note that the client may also be sending keep alive messages to the server.
++#KeepAlive yes
++
++# Syslog facility and level 
++#SyslogFacility auth
++#LogLevel info
++
 +#
 +# Authentication configuration
 +# 
- 
--# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
--# but this is overridden so installations will only check .ssh/authorized_keys
--AuthorizedKeysFile	.ssh/authorized_keys
++
 +# Host private key files
 +# Must be on a local disk and readable only by the root user (root:sys 600).
 +HostKey /etc/ssh/ssh_host_rsa_key
 +HostKey /etc/ssh/ssh_host_dsa_key
- 
--#AuthorizedPrincipalsFile none
++
 +# sshd regenerates the key every KeyRegenerationInterval seconds.
 +# The key is never stored anywhere except the memory of sshd.
 +# The default is 1 hour (3600 seconds).
 +#KeyRegenerationInterval 3600
  
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile	.ssh/authorized_keys
+-
+-#AuthorizedPrincipalsFile none
+-
 -#AuthorizedKeysCommand none
 -#AuthorizedKeysCommandUser nobody
-+# Ensure secure permissions on users .ssh directory.
-+#StrictModes yes
- 
+-
 -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 -#RhostsRSAAuthentication no
 -# similar for protocol version 2
@@ -140,13 +147,16 @@
 -#IgnoreUserKnownHosts no
 -# Don't read the user's ~/.rhosts and ~/.shosts files
 -#IgnoreRhosts yes
++# Ensure secure permissions on users .ssh directory.
++#StrictModes yes
+ 
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
 +# Length of time in seconds before a client that hasn't completed
 +# authentication is disconnected.
 +# Default is 120 seconds. 0 means no time limit.
 +#LoginGraceTime 120
- 
--# To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
++
 +# Maximum number of retries for authentication
 +# Default is 6.
 +#MaxAuthTries	6
@@ -158,26 +168,17 @@
  
 -# Change to no to disable s/key passwords
 -#ChallengeResponseAuthentication yes
-+# To disable tunneled clear text passwords, change PasswordAuthentication to no.
-+#PasswordAuthentication yes
- 
+-
 -# Kerberos options
 -#KerberosAuthentication no
 -#KerberosOrLocalPasswd yes
 -#KerberosTicketCleanup yes
 -#KerberosGetAFSToken no
-+# Are root logins permitted using sshd.
-+# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
-+# maybe denied access by a PAM module regardless of this setting.
-+# Valid options are yes, without-password, no.
-+PermitRootLogin no
- 
+-
 -# GSSAPI options
 -#GSSAPIAuthentication no
 -#GSSAPICleanupCredentials yes
-+# sftp subsystem
-+Subsystem	sftp	internal-sftp
- 
+-
 -# Set this to 'yes' to enable PAM authentication, account processing,
 -# and session processing. If this is enabled, PAM authentication will
 -# be allowed through the ChallengeResponseAuthentication and
@@ -188,8 +189,8 @@
 -# PAM authentication, then enable this but set PasswordAuthentication
 -# and ChallengeResponseAuthentication to 'no'.
 -#UsePAM no
-+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
-+#IgnoreUserKnownHosts yes
++# To disable tunneled clear text passwords, change PasswordAuthentication to no.
++#PasswordAuthentication yes
  
 -#AllowAgentForwarding yes
 -#AllowTcpForwarding yes
@@ -202,7 +203,7 @@
 -#PrintLastLog yes
 -#TCPKeepAlive yes
 -#UseLogin no
--UsePrivilegeSeparation sandbox		# Default for new installations.
+-#UsePrivilegeSeparation sandbox
 -#PermitUserEnvironment no
 -#Compression delayed
 -#ClientAliveInterval 0
@@ -226,6 +227,18 @@
 -#	AllowTcpForwarding no
 -#	PermitTTY no
 -#	ForceCommand cvs server
++# Are root logins permitted using sshd.
++# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
++# maybe denied access by a PAM module regardless of this setting.
++# Valid options are yes, without-password, no.
++PermitRootLogin no
++
++# sftp subsystem
++Subsystem	sftp	internal-sftp
++
++# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
++#IgnoreUserKnownHosts yes
++
 +# Accept the LANG and LC_* environment variables sent by the client.
 +AcceptEnv LANG
 +AcceptEnv LC_*
--- a/components/openssh/service-network-ssh.p5m	Wed Apr 20 13:13:57 2016 -0700
+++ b/components/openssh/service-network-ssh.p5m	Wed Apr 20 13:13:57 2016 -0700
@@ -32,7 +32,7 @@
     value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/227
+set name=org.opensolaris.arc-caseid value=PSARC/2015/227 value=PSARC/2016/216
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 file path=etc/ssh/moduli group=sys mode=0644 overlay=allow preserve=renamenew
 file path=etc/ssh/sshd_config group=sys mode=0644 \