Shell access to SSH KDF

Eric Ferguson eric at
Fri Aug 31 21:01:38 EST 2012

>> Hi everyone.
>> I'm currently running through FIPS validation, and this year CAVP
>> requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that
>> the 6 keys that I need are derived in kex_derived_keys in kex.c. 
>> However, I don't yet see any way for me to access this function from an
>> existing command line tool, being able to pass in K, H, and the
>> session_id from the test vector. Is my only option to build a custom
>> executable, linking in the key derivation function I need, or am I missing
>> something?
>No, there is definitely no way to invoke the KEX KDF from the shell. You'll
>have to make your own executable.
>In the future, we hope to make bits like this available in a more friendly
>library form but I don't think we will ever expose them via a command
>interface directly. If there are specific tests that need to be done then
>I'd certainly consider adding them as unit tests though.

Thank you for your prompt reply.  Will do.  Assuming the KDF
certifications are here to stay for future FIPS validations, a small
test harness for CAVP test vectors is likely something several others
may benefit from.  Thanks again.
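
An added example, not part of the original thread and not OpenSSH code: a stand-alone reference implementation of the RFC 4253 section 7.2 key derivation that takes K, H and session_id directly, usable for cross-checking a custom harness. The function names and sample values are assumptions made for illustration; K is expected as an already encoded mpint, so check how your vector file supplies it.

```python
import hashlib
import struct

def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 mpint."""
    if n < 0:
        raise ValueError("the shared secret K is never negative")
    # One extra byte whenever the top bit would be set, so the value stays positive.
    body = n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b""
    return struct.pack(">I", len(body)) + body

def derive_key(k_mpint, h, letter, session_id, length, hash_name="sha1"):
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    Kn = HASH(K || H || K1 || ... || K(n-1)), key = K1 || K2 || ... truncated."""
    def digest(*parts):
        return hashlib.new(hash_name, b"".join(parts)).digest()
    key = digest(k_mpint, h, letter, session_id)
    while len(key) < length:
        key += digest(k_mpint, h, key)
    return key[:length]

def derive_all(k_mpint, h, session_id, iv_len, enc_len, mac_len, hash_name="sha1"):
    """Return the six keys, indexed by their RFC 4253 letter."""
    sizes = {b"A": iv_len, b"B": iv_len,    # initial IVs, c->s and s->c
             b"C": enc_len, b"D": enc_len,  # encryption keys
             b"E": mac_len, b"F": mac_len}  # integrity keys
    return {x.decode(): derive_key(k_mpint, h, x, session_id, n, hash_name)
            for x, n in sizes.items()}

# Constructed sample input, not a CAVP vector.
SAMPLE_K = mpint(0x00C0FFEE1234567890ABCDEF)
SAMPLE_H = hashlib.sha1(b"constructed exchange hash").digest()
SAMPLE_SID = SAMPLE_H  # on the first key exchange the session_id is H

if __name__ == "__main__":
    for name, key in derive_all(SAMPLE_K, SAMPLE_H, SAMPLE_SID, 16, 32, 20).items():
        print(name, key.hex())
```
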
