Hi all,

Currently openssh uses its own implementation of ed25519.c for the operations:

crypto_sign_ed25519()
crypto_sign_ed25519_open()
crypto_sign_ed25519_keypair()

but can use the openssl library for other crypto operations.

configure.ac already checks openssl for OPENSSL_HAS_ED25519, so here is a patch that adds openssl-based implementations of the three functions above in a new file ed25519-openssl.c and uses these if OPENSSL_HAS_ED25519 was defined.

I created this as CIQ (in Rocky Linux) publishes FIPS certified versions of openssl in this public git repo:

https://github.com/ciq-rocky-fips/openssl

and being able to use a FIPS certified openssl library for ed25519 crypto allows users to use ed25519 keys in openssh instead of being forced to use RSA keys when the system is in FIPS mode.

Full disclosure, Claude Code was used to help create ed25519-openssl.c, and it was edited and carefully reviewed by myself and another CIQ engineer to make sure this is not "AI-slop". The code is simple enough that it should be clear and easy to review.

Thanks for considering this!

Jeremy Allison, CIQ.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-ed25519-use-openssl.patch
Type: text/x-patch
Size: 8033 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20251029/38e36e11/attachment-0001.bin>