Proposed patch to use openssl for ed25519 crypto.
Jeremy Allison
jallison at ciq.com
Thu Oct 30 06:00:51 AEDT 2025
Hi all,
Currently openssh uses its own implementation of ed25519.c for the
operations:
crypto_sign_ed25519()
crypto_sign_ed25519_open()
crypto_sign_ed25519_keypair()
but can use the openssl library for other crypto operations.
configure.ac already checks openssl for OPENSSL_HAS_ED25519,
so here is a patch that adds openssl-based implementations of
the three functions above in a new file ed25519-openssl.c
and uses these if OPENSSL_HAS_ED25519 was defined.
I created this as CIQ (in Rocky Linux) publishes FIPS certified
versions of openssl in this public git repo:
https://github.com/ciq-rocky-fips/openssl
and being able to use a FIPS certified openssl library for ed25519
crypto allows users to use ed25519 keys in openssh instead of
being forced to use RSA keys when the system is in FIPS mode.
Full disclosure, claude code was used to help create ed25519-openssl.c
and was edited and carefully reviewed by myself and another CIQ engineer to
make sure this is not "AI-slop". The code is simple enough that it should
be clear and easy to review.
Thanks for considering this !
Jeremy Allison,
CIQ.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-ed25519-use-openssl.patch
Type: text/x-patch
Size: 8033 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20251029/38e36e11/attachment-0001.bin>
More information about the openssh-unix-dev
mailing list