Hi everyone.

I'm currently running through FIPS validation, and this year CAVP requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that the 6 keys that I need are derived in kex_derived_keys in kex.c. However, I don't yet see any way for me to access this function from an existing command line tool, being able to pass in K, H, and the session_id from the test vector. Is my only option to build a custom executable, linking in the key derivation function I need, or am I missing something?

Thank you.

Eric

On Thu, 30 Aug 2012, Eric Ferguson wrote:

> Hi everyone.
> I'm currently running through FIPS validation, and this year CAVP
> requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that
> the 6 keys that I need are derived in kex_derived_keys in kex.c.
> However, I don't yet see any way for me to access this function from an
> existing command line tool, being able to pass in K, H, and the
> session_id from the test vector. Is my only option to build a custom
> executable, linking in the key derivation function I need, or am I missing
> something?

No, there is definitely no way to invoke the KEX KDF from the shell. You'll have to make your own executable.

In the future, we hope to make bits like this available in a more friendly library form but I don't think we will ever expose them via a command interface directly. If there are specific tests that need to be done then I'd certainly consider adding them as unit tests though.

-d

>> Hi everyone.
>> I'm currently running through FIPS validation, and this year CAVP
>> requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that
>> the 6 keys that I need are derived in kex_derived_keys in kex.c.
>> However, I don't yet see any way for me to access this function from an
>> existing command line tool, being able to pass in K, H, and the
>> session_id from the test vector. Is my only option to build a custom
>> executable, linking in the key derivation function I need, or am I missing
>> something?
>
>No, there is definitely no way to invoke the KEX KDF from the shell. You'll
>have to make your own executable.
>
>In the future, we hope to make bits like this available in a more friendly
>library form but I don't think we will ever expose them via a command
>interface directly. If there are specific tests that need to be done then
>I'd certainly consider adding them as unit tests though.
>
>-d

Thank you for your prompt reply. Will do. Assuming the KDF certifications are here to stay for future FIPS validations, a small test harness for CAVP test vectors is likely something several others may benefit from.

Thanks again.

Eric
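
An added example, not part of the thread and not OpenSSH code: a stand-alone reference for the six-key derivation discussed above, following RFC 4253 section 7.2 with K encoded as an mpint, which can be used to cross-check a custom harness built around kex.c. The function names are hypothetical, K is assumed to be passed as an integer, and the sample K, H and session_id are constructed and are not CAVP vectors.

```python
import hashlib

# RFC 4253 section 7.2 letters, in order:
# A/B = initial IV (c2s/s2c), C/D = encryption key, E/F = integrity key
LABELS = "ABCDEF"


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n < 0:
        raise ValueError("the shared secret K is never negative")
    # bit_length // 8 + 1 bytes always leaves the sign bit clear: the leading
    # zero byte appears only when the top bit of the magnitude is set.
    body = n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b""
    return len(body).to_bytes(4, "big") + body


def derive_key(hash_name, k, h, label, session_id, length):
    """K1 = HASH(K || H || label || session_id); Kn = HASH(K || H || K1..Kn-1)."""
    prefix = mpint(k) + h
    out = hashlib.new(hash_name, prefix + label.encode() + session_id).digest()
    while len(out) < length:  # extend when the key is longer than one digest
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:length]


def derive_all(hash_name, k, h, session_id, iv_len, enc_len, mac_len):
    """Return the six derived keys, keyed by their RFC 4253 letter."""
    lengths = [iv_len, iv_len, enc_len, enc_len, mac_len, mac_len]
    return {label: derive_key(hash_name, k, h, label, session_id, n)
            for label, n in zip(LABELS, lengths)}


# Constructed sample input (not a CAVP vector).
SAMPLE_K = int.from_bytes(hashlib.sha1(b"constructed shared secret").digest(), "big")
SAMPLE_H = hashlib.sha1(b"constructed exchange hash").digest()
SAMPLE_SID = SAMPLE_H  # on the first key exchange the session_id is H

if __name__ == "__main__":
    # Lengths chosen for illustration: 8-byte IV, 24-byte key, 20-byte MAC key.
    keys = derive_all("sha1", SAMPLE_K, SAMPLE_H, SAMPLE_SID, 8, 24, 20)
    for label, key in keys.items():
        print(label, key.hex())
```

The 24-byte encryption key with SHA-1 exercises the extension step, which is the part a harness most easily gets wrong.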