- markus@cvs.openbsd.org 2013/12/06 13:39:49

     [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@

17 files changed, 267 insertions, 29 deletions

diff --git a/authfd.c b/authfd.c
index 2cda8b30..0971cee3 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.89 2013/12/06 13:30:08 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.90 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -508,6 +508,8 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
 	case KEY_DSA_CERT_V00:
 	case KEY_ECDSA:
 	case KEY_ECDSA_CERT:
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
 		type = constrained ?
 		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
 		    SSH2_AGENTC_ADD_IDENTITY;
diff --git a/authfile.c b/authfile.c
index e38a3dd1..b0fc23e6 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.99 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.100 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -50,6 +50,8 @@
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
 
+#include "crypto_api.h"
+
 #include <errno.h>
 #include <fcntl.h>
 #include <stdarg.h>
@@ -593,6 +595,9 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase,
 			    comment, new_format_cipher, new_format_rounds);
 		}
 		return key_private_pem_to_blob(key, blob, passphrase, comment);
+	case KEY_ED25519:
+		return key_private_to_blob2(key, blob, passphrase,
+		    comment, new_format_cipher, new_format_rounds);
 	default:
 		error("%s: cannot save key type %d", __func__, key->type);
 		return 0;
@@ -997,6 +1002,9 @@ key_parse_private_type(Buffer *blob, int type, const char *passphrase,
 	case KEY_DSA:
 	case KEY_ECDSA:
 	case KEY_RSA:
+		return key_parse_private_pem(blob, type, passphrase, commentp);
+	case KEY_ED25519:
+		return key_parse_private2(blob, type, passphrase, commentp);
 	case KEY_UNSPEC:
 		if ((k = key_parse_private2(blob, type, passphrase, commentp)))
 			return k;
diff --git a/crypto_api.h b/crypto_api.h
new file mode 100644
index 00000000..633463dc
--- /dev/null
+++ b/crypto_api.h
@@ -0,0 +1,43 @@
+/* $OpenBSD: crypto_api.h,v 1.1 2013/12/06 13:39:49 markus Exp $ */
+
+/* Placed in the public domain. */
+
+#ifndef crypto_api_h
+#define crypto_api_h
+
+#include <stdint.h>
+#include <stdlib.h>
+
+typedef int32_t crypto_int32;
+typedef uint32_t crypto_uint32;
+
+#define randombytes(buf, buf_len) arc4random_buf((buf), (buf_len))
+
+#define crypto_hashblocks_sha512_STATEBYTES 64U
+#define crypto_hashblocks_sha512_BLOCKBYTES 128U
+
+int	crypto_hashblocks_sha512(unsigned char *, const unsigned char *,
+     unsigned long long);
+
+#define crypto_hash_sha512_BYTES 64U
+
+int	crypto_hash_sha512(unsigned char *, const unsigned char *,
+    unsigned long long);
+
+int	crypto_verify_32(const unsigned char *, const unsigned char *);
+
+#define crypto_sign_BYTES crypto_sign_ed25519_BYTES
+#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES
+#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES
+
+#define crypto_sign_ed25519_SECRETKEYBYTES 64U
+#define crypto_sign_ed25519_PUBLICKEYBYTES 32U
+#define crypto_sign_ed25519_BYTES 64U
+
+int	crypto_sign_ed25519(unsigned char *, unsigned long long *,
+    const unsigned char *, unsigned long long, const unsigned char *);
+int	crypto_sign_ed25519_open(unsigned char *, unsigned long long *,
+    const unsigned char *, unsigned long long, const unsigned char *);
+int	crypto_sign_ed25519_keypair(unsigned char *, unsigned char *);
+
+#endif /* crypto_api_h */
diff --git a/key.h b/key.h
index efa71176..6a049d27 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.39 2013/12/06 13:30:08 markus Exp $ */
+/* $OpenBSD: key.h,v 1.40 2013/12/06 13:39:49 markus Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -39,9 +39,11 @@ enum types {
 	KEY_RSA,
 	KEY_DSA,
 	KEY_ECDSA,
+	KEY_ED25519,
 	KEY_RSA_CERT,
 	KEY_DSA_CERT,
 	KEY_ECDSA_CERT,
+	KEY_ED25519_CERT,
 	KEY_RSA_CERT_V00,
 	KEY_DSA_CERT_V00,
 	KEY_UNSPEC
@@ -86,8 +88,13 @@ struct Key {
 	void	*ecdsa;
 #endif
 	struct KeyCert *cert;
+	u_char	*ed25519_sk;
+	u_char	*ed25519_pk;
 };
 
+#define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
+#define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
+
 Key		*key_new(int);
 void		 key_add_private(Key *);
 Key		*key_new_private(int);
@@ -128,7 +135,7 @@ const EVP_MD	*key_ec_nid_to_evpmd(int nid);
 int		 key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
 int		 key_ec_validate_private(const EC_KEY *);
 #endif
-char		*key_alg_list(void);
+char		*key_alg_list(int, int);
 
 Key		*key_from_blob(const u_char *, u_int);
 int		 key_to_blob(const Key *, u_char **, u_int *);
@@ -145,6 +152,8 @@ int	 ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
 int	 ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
 int	 ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
 int	 ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
+int	 ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
+int	 ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
 
 #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
 void	key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
diff --git a/myproposal.h b/myproposal.h
index 71dbc997..3a0f5aea 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.34 2013/11/21 00:45:44 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -90,11 +90,13 @@
 
 #define	KEX_DEFAULT_PK_ALG	\
 	HOSTKEY_ECDSA_CERT_METHODS \
+	"ssh-ed25519-cert-v01@openssh.com," \
 	"ssh-rsa-cert-v01@openssh.com," \
 	"ssh-dss-cert-v01@openssh.com," \
 	"ssh-rsa-cert-v00@openssh.com," \
 	"ssh-dss-cert-v00@openssh.com," \
 	HOSTKEY_ECDSA_METHODS \
+	"ssh-ed25519," \
 	"ssh-rsa," \
 	"ssh-dss"
 
diff --git a/pathnames.h b/pathnames.h
index 5027fbae..ec89fc66 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */
+/* $OpenBSD: pathnames.h,v 1.24 2013/12/06 13:39:49 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -39,6 +39,7 @@
 #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
 #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
 #define _PATH_HOST_ECDSA_KEY_FILE	SSHDIR "/ssh_host_ecdsa_key"
+#define _PATH_HOST_ED25519_KEY_FILE	SSHDIR "/ssh_host_ed25519_key"
 #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
 #define _PATH_DH_MODULI			SSHDIR "/moduli"
 /* Backwards compatibility */
@@ -77,6 +78,7 @@
 #define _PATH_SSH_CLIENT_ID_DSA		_PATH_SSH_USER_DIR "/id_dsa"
 #define _PATH_SSH_CLIENT_ID_ECDSA	_PATH_SSH_USER_DIR "/id_ecdsa"
 #define _PATH_SSH_CLIENT_ID_RSA		_PATH_SSH_USER_DIR "/id_rsa"
+#define _PATH_SSH_CLIENT_ID_ED25519	_PATH_SSH_USER_DIR "/id_ed25519"
 
 /*
  * Configuration file in user's home directory.  This file need not be
diff --git a/readconf.c b/readconf.c
index 0e1030d0..08e16852 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.214 2013/11/20 20:54:10 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.215 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1645,6 +1645,8 @@ fill_default_options(Options * options)
 			add_identity_file(options, "~/",
 			    _PATH_SSH_CLIENT_ID_ECDSA, 0);
 #endif
+			add_identity_file(options, "~/",
+			    _PATH_SSH_CLIENT_ID_ED25519, 0);
 		}
 	}
 	if (options->escape_char == -1)
diff --git a/servconf.c b/servconf.c
index 6db89f7c..9bcd05bf 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.247 2013/12/05 01:16:41 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -180,6 +180,8 @@ fill_default_server_options(ServerOptions *options)
 			options->host_key_files[options->num_host_key_files++] =
 			    _PATH_HOST_ECDSA_KEY_FILE;
 #endif
+			options->host_key_files[options->num_host_key_files++] =
+			    _PATH_HOST_ED25519_KEY_FILE;
 		}
 	}
 	/* No certificates by default */
diff --git a/ssh-agent.c b/ssh-agent.c
index 579ee384..8210a8e3 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.179 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.180 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -484,6 +484,7 @@ process_add_identity(SocketEntry *e, int version)
 		/* Generate additional parameters */
 		rsa_generate_additional_parameters(k->rsa);
 
+		/* enable blinding */
 		if (RSA_blinding_on(k->rsa, NULL) != 1) {
 			error("process_add_identity: RSA_blinding_on failed");
 			key_free(k);
diff --git a/ssh-ed25519.c b/ssh-ed25519.c
new file mode 100644
index 00000000..c03c1634
--- /dev/null
+++ b/ssh-ed25519.c
@@ -0,0 +1,141 @@
+/* $OpenBSD: ssh-ed25519.c,v 1.1 2013/12/06 13:39:49 markus Exp $ */
+/*
+ * Copyright (c) 2013 Markus Friedl <markus@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+#include "crypto_api.h"
+
+#include <string.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "buffer.h"
+#include "key.h"
+#include "ssh.h"
+
+int
+ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp,
+    const u_char *data, u_int datalen)
+{
+	u_char *sig;
+	u_int slen, len;
+	unsigned long long smlen;
+	int ret;
+	Buffer b;
+
+	if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
+	    key->ed25519_sk == NULL) {
+		error("%s: no ED25519 key", __func__);
+		return -1;
+	}
+	smlen = slen = datalen + crypto_sign_ed25519_BYTES;
+	sig = xmalloc(slen);
+
+	if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen,
+	    key->ed25519_sk)) != 0 || smlen <= datalen) {
+		error("%s: crypto_sign_ed25519 failed: %d", __func__, ret);
+		free(sig);
+		return -1;
+	}
+	/* encode signature */
+	buffer_init(&b);
+	buffer_put_cstring(&b, "ssh-ed25519");
+	buffer_put_string(&b, sig, smlen - datalen);
+	len = buffer_len(&b);
+	if (lenp != NULL)
+		*lenp = len;
+	if (sigp != NULL) {
+		*sigp = xmalloc(len);
+		memcpy(*sigp, buffer_ptr(&b), len);
+	}
+	buffer_free(&b);
+	memset(sig, 's', slen);
+	free(sig);
+
+	return 0;
+}
+
+int
+ssh_ed25519_verify(const Key *key, const u_char *signature, u_int signaturelen,
+    const u_char *data, u_int datalen)
+{
+	Buffer b;
+	char *ktype;
+	u_char *sigblob, *sm, *m;
+	u_int len;
+	unsigned long long smlen, mlen;
+	int rlen, ret;
+
+	if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
+	    key->ed25519_pk == NULL) {
+		error("%s: no ED25519 key", __func__);
+		return -1;
+	}
+	buffer_init(&b);
+	buffer_append(&b, signature, signaturelen);
+	ktype = buffer_get_cstring(&b, NULL);
+	if (strcmp("ssh-ed25519", ktype) != 0) {
+		error("%s: cannot handle type %s", __func__, ktype);
+		buffer_free(&b);
+		free(ktype);
+		return -1;
+	}
+	free(ktype);
+	sigblob = buffer_get_string(&b, &len);
+	rlen = buffer_len(&b);
+	buffer_free(&b);
+	if (rlen != 0) {
+		error("%s: remaining bytes in signature %d", __func__, rlen);
+		free(sigblob);
+		return -1;
+	}
+	if (len > crypto_sign_ed25519_BYTES) {
+		error("%s: len %u > crypto_sign_ed25519_BYTES %u", __func__,
+		    len, crypto_sign_ed25519_BYTES);
+		free(sigblob);
+		return -1;
+	}
+	smlen = len + datalen;
+	sm = xmalloc(smlen);
+	memcpy(sm, sigblob, len);
+	memcpy(sm+len, data, datalen);
+	mlen = smlen;
+	m = xmalloc(mlen);
+	if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen,
+	    key->ed25519_pk)) != 0) {
+		debug2("%s: crypto_sign_ed25519_open failed: %d",
+		    __func__, ret);
+	}
+	if (ret == 0 && mlen != datalen) {
+		debug2("%s: crypto_sign_ed25519_open "
+		    "mlen != datalen (%llu != %u)", __func__, mlen, datalen);
+		ret = -1;
+	}
+	/* XXX compare 'm' and 'data' ? */
+
+	memset(sigblob, 's', len);
+	memset(sm, 'S', smlen);
+	memset(m, 'm', smlen); /* NB. mlen may be invalid if ret != 0 */
+	free(sigblob);
+	free(sm);
+	free(m);
+	debug("%s: signature %scorrect", __func__, (ret != 0) ? "in" : "");
+
+	/* translate return code carefully */
+	return (ret == 0) ? 1 : -1;
+}
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 533eed29..eae83a46 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.237 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.238 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,7 +197,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
 	}
 	if (type == KEY_DSA && *bitsp != 1024)
 		fatal("DSA keys must be 1024 bits");
-	else if (type != KEY_ECDSA && *bitsp < 768)
+	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
 		fatal("Key must at least be 768 bits");
 	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
 		fatal("Invalid ECDSA key length - valid lengths are "
@@ -233,6 +233,10 @@ ask_filename(struct passwd *pw, const char *prompt)
 		case KEY_RSA:
 			name = _PATH_SSH_CLIENT_ID_RSA;
 			break;
+		case KEY_ED25519:
+		case KEY_ED25519_CERT:
+			name = _PATH_SSH_CLIENT_ID_ED25519;
+			break;
 		default:
 			fprintf(stderr, "bad key type\n");
 			exit(1);
@@ -896,6 +900,7 @@ do_gen_all_hostkeys(struct passwd *pw)
 #ifdef OPENSSL_HAS_ECC
 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
 #endif
+		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
 		{ NULL, NULL, NULL }
 	};
 
@@ -1611,7 +1616,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 		if ((public = key_load_public(tmp, &comment)) == NULL)
 			fatal("%s: unable to open \"%s\"", __func__, tmp);
 		if (public->type != KEY_RSA && public->type != KEY_DSA &&
-		    public->type != KEY_ECDSA)
+		    public->type != KEY_ECDSA && public->type != KEY_ED25519)
 			fatal("%s: key \"%s\" type %s cannot be certified",
 			    __func__, tmp, key_type(public));
 
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index c35ea05e..79dd6aa1 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.31 2013/07/16 00:07:52 schwarze Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.32 2013/12/06 13:39:49 markus Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: December 6 2013 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -137,6 +137,7 @@ is either
 .Dq ecdsa-sha2-nistp256 ,
 .Dq ecdsa-sha2-nistp384 ,
 .Dq ecdsa-sha2-nistp521 ,
+.Dq ssh-ed25519 ,
 .Dq ssh-dss
 or
 .Dq ssh-rsa .
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index c5f658d7..8d0a6b8d 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.88 2013/11/02 21:59:15 markus Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.89 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -56,6 +56,7 @@ int ssh_port = SSH_DEFAULT_PORT;
 #define KT_DSA		2
 #define KT_RSA		4
 #define KT_ECDSA	8
+#define KT_ED25519	16
 
 int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
 
@@ -245,9 +246,11 @@ keygrab_ssh2(con *c)
 
 	packet_set_connection(c->c_fd, c->c_fd);
 	enable_compat20();
-	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
-	    "ssh-dss" : (c->c_keytype == KT_RSA ? "ssh-rsa" :
-	    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521");
+	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+	    c->c_keytype == KT_DSA ?  "ssh-dss" :
+	    (c->c_keytype == KT_RSA ? "ssh-rsa" :
+	    (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
+	    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
 	c->c_kex = kex_setup(myproposal);
 	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
@@ -575,7 +578,7 @@ do_host(char *host)
 
 	if (name == NULL)
 		return;
-	for (j = KT_RSA1; j <= KT_ECDSA; j *= 2) {
+	for (j = KT_RSA1; j <= KT_ED25519; j *= 2) {
 		if (get_keytypes & j) {
 			while (ncon >= MAXCON)
 				conloop();
@@ -682,6 +685,9 @@ main(int argc, char **argv)
 				case KEY_RSA:
 					get_keytypes |= KT_RSA;
 					break;
+				case KEY_ED25519:
+					get_keytypes |= KT_ED25519;
+					break;
 				case KEY_UNSPEC:
 					fatal("unknown key type %s", tname);
 				}
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 518373bf..6bde8ad1 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.38 2013/10/14 22:22:04 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.39 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
@@ -150,7 +150,7 @@ main(int argc, char **argv)
 {
 	Buffer b;
 	Options options;
-#define NUM_KEYTYPES 3
+#define NUM_KEYTYPES 4
 	Key *keys[NUM_KEYTYPES], *key = NULL;
 	struct passwd *pw;
 	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
@@ -169,6 +169,7 @@ main(int argc, char **argv)
 	i = 0;
 	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
 	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+	key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
 	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 
 	original_real_uid = getuid();	/* XXX readconf.c needs this */
diff --git a/ssh.c b/ssh.c
index 6c8cd731..543a3baf 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.395 2013/11/26 12:14:54 jmc Exp $ */
+/* $OpenBSD: ssh.c,v 1.396 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -528,7 +528,11 @@ main(int ac, char **av)
 			else if (strcmp(optarg, "kex") == 0)
 				cp = kex_alg_list('\n');
 			else if (strcmp(optarg, "key") == 0)
-				cp = key_alg_list();
+				cp = key_alg_list(0, 0);
+			else if (strcmp(optarg, "key-cert") == 0)
+				cp = key_alg_list(1, 0);
+			else if (strcmp(optarg, "key-plain") == 0)
+				cp = key_alg_list(0, 1);
 			if (cp == NULL)
 				fatal("Unsupported query \"%s\"", optarg);
 			printf("%s\n", cp);
@@ -989,7 +993,7 @@ main(int ac, char **av)
 	sensitive_data.external_keysign = 0;
 	if (options.rhosts_rsa_authentication ||
 	    options.hostbased_authentication) {
-		sensitive_data.nkeys = 7;
+		sensitive_data.nkeys = 8;
 		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
 		    sizeof(Key));
 		for (i = 0; i < sensitive_data.nkeys; i++)
@@ -1014,13 +1018,16 @@ main(int ac, char **av)
 #endif
 		sensitive_data.keys[6] = key_load_private_type(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
+		sensitive_data.keys[7] = key_load_private_type(KEY_ED25519,
+		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
 		PRIV_END;
 
 		if (options.hostbased_authentication == 1 &&
 		    sensitive_data.keys[0] == NULL &&
 		    sensitive_data.keys[4] == NULL &&
 		    sensitive_data.keys[5] == NULL &&
-		    sensitive_data.keys[6] == NULL) {
+		    sensitive_data.keys[6] == NULL &&
+		    sensitive_data.keys[7] == NULL) {
 			sensitive_data.keys[1] = key_load_cert(
 			    _PATH_HOST_DSA_KEY_FILE);
 #ifdef OPENSSL_HAS_ECC
@@ -1037,6 +1044,8 @@ main(int ac, char **av)
 #endif
 			sensitive_data.keys[6] = key_load_public(
 			    _PATH_HOST_RSA_KEY_FILE, NULL);
+			sensitive_data.keys[7] = key_load_public(
+			    _PATH_HOST_ED25519_KEY_FILE, NULL);
 			sensitive_data.external_keysign = 1;
 		}
 	}
diff --git a/ssh_config.5 b/ssh_config.5
index 0e6fd862..43455342 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.181 2013/11/21 08:05:09 jmc Exp $
-.Dd $Mdocdate: November 21 2013 $
+.\" $OpenBSD: ssh_config.5,v 1.182 2013/12/06 13:39:49 markus Exp $
+.Dd $Mdocdate: December 6 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -721,7 +721,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
 ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-rsa,ssh-dss
+ssh-ed25519,ssh-rsa,ssh-dss
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
diff --git a/sshd.c b/sshd.c
index a53deab3..786d9ff9 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.411 2013/11/20 02:19:01 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.412 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -785,6 +785,7 @@ list_hostkey_types(void)
 		case KEY_RSA:
 		case KEY_DSA:
 		case KEY_ECDSA:
+		case KEY_ED25519:
 			if (buffer_len(&b) > 0)
 				buffer_append(&b, ",", 1);
 			p = key_ssh_name(key);
@@ -801,6 +802,7 @@ list_hostkey_types(void)
 		case KEY_RSA_CERT:
 		case KEY_DSA_CERT:
 		case KEY_ECDSA_CERT:
+		case KEY_ED25519_CERT:
 			if (buffer_len(&b) > 0)
 				buffer_append(&b, ",", 1);
 			p = key_ssh_name(key);
@@ -828,6 +830,7 @@ get_hostkey_by_type(int type, int need_private)
 		case KEY_RSA_CERT:
 		case KEY_DSA_CERT:
 		case KEY_ECDSA_CERT:
+		case KEY_ED25519_CERT:
 			key = sensitive_data.host_certificates[i];
 			break;
 		default:
@@ -1700,6 +1703,7 @@ main(int ac, char **av)
 		case KEY_RSA:
 		case KEY_DSA:
 		case KEY_ECDSA:
+		case KEY_ED25519:
 			sensitive_data.have_ssh2_key = 1;
 			break;
 		}