Index: generic/tlsUtil.c
==================================================================
--- generic/tlsUtil.c
+++ generic/tlsUtil.c
@@ -214,10 +214,46 @@
     }
     return salt;
 }
 
 /*******************************************************************/
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * Util_GetBinaryArray --
+ *
+ *	Get binary array from TclObj
+ *
+ * Returns:
+ *	Pointer to type or NULL, and size
+ *
+ * Side effects:
+ *	None
+ *
+ *-------------------------------------------------------------------
+ */
+unsigned char *Util_GetBinaryArray(Tcl_Interp *interp, Tcl_Obj *dataObj, int *len, char *name, int min, int max, int no_null) {
+    unsigned char *data = NULL;
+    *len = 0;
+
+    if (dataObj != NULL) {
+	data = Tcl_GetByteArrayFromObj(dataObj, len);
+    } else if (no_null) {
+	Tcl_AppendResult(interp, "no ", name, (char *) NULL);
+	return NULL;
+    }
+
+    if (*len < min) {
+	Tcl_SetObjResult(interp, Tcl_ObjPrintf("Invalid length for \"%s\": must be >= %d", name, min));
+	return NULL;
+    } else if (max > 0 && *len > max) {
+	Tcl_SetObjResult(interp, Tcl_ObjPrintf("Invalid length for \"%s\": must be <= %d", name, max));
+	return NULL;
+    }
+    return data;
+}
 
 /*
  *-------------------------------------------------------------------
  *
  * Util_GetInt --

Index: tests/digest.csv
==================================================================
--- tests/digest.csv
+++ tests/digest.csv
@@ -76,17 +76,17 @@
 MD File,md5 hex,,,::tls::md -digest md5 -file $test_file -hex,,,962bf0803b4232ec23bd8427bb94ea09,,,
 ,,,,,,,,,,
 command,# MD Error Cases,,,,,,,,,
 MD Errors,Too few args,,,::tls::md,,,"wrong # args: should be ""::tls::md ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
 MD Errors,Too many args,,,::tls::md too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::md ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
-MD Errors,Invalid digest,,,::tls::md bogus data,,,"Invalid digest ""bogus""",,,1
-MD Errors,Invalid digest Arg,,,::tls::md -digest bogus -data data,,,"Invalid digest ""bogus""",,,1
-MD Errors,No digest,,,::tls::md -hex -data value,,,No digest specified,,,1
+MD Errors,Invalid digest,,,::tls::md bogus data,,,"invalid digest ""bogus""",,,1
+MD Errors,Invalid digest Arg,,,::tls::md -digest bogus -data data,,,"invalid digest ""bogus""",,,1
+MD Errors,No digest,,,::tls::md -hex -data value,,,no digest,,,1
 MD Errors,Invalid option,,,::tls::md -digest sha256 -bogus value,,,"bad option ""-bogus"": must be -bin, -binary, -hex, -hexadecimal, -chan, -channel, -cipher, -command, -data, -digest, -file, -filename, -hash, -key, or -mac",,,1
 MD Errors,Invalid file,,,::tls::md -digest sha256 -file bogus,,,"couldn't open ""bogus"": no such file or directory",,,1
 MD Errors,Invalid channel,,,::tls::md -digest sha256 -channel bogus,,,"can not find channel named ""bogus""",,,1
-MD Errors,No operation,,,::tls::md -digest sha256 -bin,,,"No operation specified: Use -channel, -command, -data, or -file option",,,1
+MD Errors,No operation,,,::tls::md -digest sha256 -bin,,,"No operation: Use -channel, -command, -data, or -file option",,,1
 ,,,,,,,,,,
 ,,,,,,,,,,
 command,# Test CMAC command,,,,,,,,,
 command,"set test_cipher ""aes-128-cbc""",,,,,,,,,
 command,"set test_key ""Example key 1234""",,,,,,,,,
@@ -107,13 +107,13 @@
 CMAC Shortcut,data,,,::tls::cmac $test_cipher -key $test_key $test_data,,,baf5c20f9973e2d606b14c7efdfe52fa,,,
 ,,,,,,,,,,
 command,# CMAC Error Cases,,,,,,,,,
 CMAC Errors,Too few args,,,::tls::cmac,,,"wrong # args: should be ""::tls::cmac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
 CMAC Errors,Too many args,,,::tls::cmac too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::cmac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
-CMAC Errors,No cipher,,,::tls::cmac -hex -data $test_data,,,No cipher specified,,,1
-CMAC Errors,No key,,,::tls::cmac -cipher $test_cipher -data $test_data,,,No key specified,,,1
-CMAC Errors,Invalid cipher,,,::tls::cmac -cipher bogus -data $test_data,,,"Invalid cipher ""bogus""",,,1
+CMAC Errors,No cipher,,,::tls::cmac -hex -data $test_data,,,no cipher,,,1
+CMAC Errors,No key,,,::tls::cmac -cipher $test_cipher -data $test_data,,,no key,,,1
+CMAC Errors,Invalid cipher,,,::tls::cmac -cipher bogus -data $test_data,,,"invalid cipher ""bogus""",,,1
 ,,,,,,,,,,
 ,,,,,,,,,,
 command,# Test HMAC command,,,,,,,,,
 command,set test_digest md5,,,,,,,,,
 command,"set test_key ""Example key""",,,,,,,,,
@@ -134,13 +134,13 @@
 HMAC Shortcut,data,,,::tls::hmac $test_digest -key $test_key $test_data,,,f98327ef3e20ab6d388f676c6a79d93d,,,
 ,,,,,,,,,,
 command,# HMAC Error Cases,,,,,,,,,
 HMAC Errors,Too few args,,,::tls::hmac,,,"wrong # args: should be ""::tls::hmac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
 HMAC Errors,Too many args,,,::tls::hmac too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::hmac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
-HMAC Errors,No digest,,,::tls::hmac -hex -data $test_data,,,No digest specified,,,1
-HMAC Errors,No key,,,::tls::hmac -digest sha256 -data $test_data,,,No key specified,,,1
-HMAC Errors,Invalid digest,,,::tls::md -digest bogus -key $test_key -data $test_data,,,"Invalid digest ""bogus""",,,1
+HMAC Errors,No digest,,,::tls::hmac -hex -data $test_data,,,no digest,,,1
+HMAC Errors,No key,,,::tls::hmac -digest sha256 -data $test_data,,,no key,,,1
+HMAC Errors,Invalid digest,,,::tls::md -digest bogus -key $test_key -data $test_data,,,"invalid digest ""bogus""",,,1
 ,,,,,,,,,,
 ,,,,,,,,,,
 command,# Test MAC command,,,,,,,,,
 command,"set test_cipher ""aes-128-cbc""",,,,,,,,,
 command,set test_digest sha256,,,,,,,,,
@@ -150,13 +150,13 @@
 MAC,MD-CMAC,,,::tls::md -cipher $test_cipher -key $test_key -mac cmac -data $test_data,,,baf5c20f9973e2d606b14c7efdfe52fa,,,
 MAC,MD-HMAC,,,::tls::md -digest $test_digest -key $test_key -mac hmac -data $test_data,,,676daf96370d0e3c5598557da38a9a810a4fbacbb2d10c67f6dfa83f10f48e96,,,
 ,,,,,,,,,,
 command,# MAC Error Cases,,,,,,,,,
 MAC Errors,Too few args,,,::tls::mac,,,"wrong # args: should be ""::tls::mac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
-MAC Errors,No mac,,,::tls::mac -key $test_key -data $test_data,,,No MAC specified,,,1
-MAC Errors,No key,,,::tls::mac -mac hmac -data $test_data,,,No key specified,,,1
-MAC Errors,Invalid MAC,,,::tls::mac -mac scrypt -key $test_key -data $test_data,,,"Invalid MAC ""scrypt""",,,1
+MAC Errors,No mac,,,::tls::mac -key $test_key -data $test_data,,,no MAC,,,1
+MAC Errors,No key,,,::tls::mac -mac hmac -digest $test_digest -data $test_data,,,no key,,,1
+MAC Errors,Invalid MAC,,,::tls::mac -mac bogus -key $test_key -data $test_data,,,"invalid MAC ""bogus""",,,1
 MAC Errors,Too many args,,,::tls::mac too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::mac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]""",,,1
 ,,,,,,,,,,
 ,,,,,,,,,,
 command,# RFC 1321 Message Digest 5,,,,,,,,,
 RFC1321-MD5,TC1,,,"::tls::md -digest md5 -data """"",,,d41d8cd98f00b204e9800998ecf8427e,,,

Index: tests/digest.test
==================================================================
--- tests/digest.test
+++ tests/digest.test
@@ -237,19 +237,19 @@
 	::tls::md too many command line args to pass the test without an error or failing
     } -result {wrong # args: should be "::tls::md ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]"} -returnCodes {1}
 
 test MD_Errors-8.3 {Invalid digest} -body {
 	::tls::md bogus data
-    } -result {Invalid digest "bogus"} -returnCodes {1}
+    } -result {invalid digest "bogus"} -returnCodes {1}
 
 test MD_Errors-8.4 {Invalid digest Arg} -body {
 	::tls::md -digest bogus -data data
-    } -result {Invalid digest "bogus"} -returnCodes {1}
+    } -result {invalid digest "bogus"} -returnCodes {1}
 
 test MD_Errors-8.5 {No digest} -body {
 	::tls::md -hex -data value
-    } -result {No digest specified} -returnCodes {1}
+    } -result {no digest} -returnCodes {1}
 
 test MD_Errors-8.6 {Invalid option} -body {
 	::tls::md -digest sha256 -bogus value
     } -result {bad option "-bogus": must be -bin, -binary, -hex, -hexadecimal, -chan, -channel, -cipher, -command, -data, -digest, -file, -filename, -hash, -key, or -mac} -returnCodes {1}
 
@@ -261,11 +261,11 @@
 	::tls::md -digest sha256 -channel bogus
     } -result {can not find channel named "bogus"} -returnCodes {1}
 
 test MD_Errors-8.9 {No operation} -body {
 	::tls::md -digest sha256 -bin
-    } -result {No operation specified: Use -channel, -command, -data, or -file option} -returnCodes {1}
+    } -result {No operation: Use -channel, -command, -data, or -file option} -returnCodes {1}
 
 
 # Test CMAC command
 set test_cipher "aes-128-cbc"
 set test_key "Example key 1234"
@@ -332,19 +332,19 @@
 	::tls::cmac too many command line args to pass the test without an error or failing
     } -result {wrong # args: should be "::tls::cmac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]"} -returnCodes {1}
 
 test CMAC_Errors-12.3 {No cipher} -body {
 	::tls::cmac -hex -data $test_data
-    } -result {No cipher specified} -returnCodes {1}
+    } -result {no cipher} -returnCodes {1}
 
 test CMAC_Errors-12.4 {No key} -body {
 	::tls::cmac -cipher $test_cipher -data $test_data
-    } -result {No key specified} -returnCodes {1}
+    } -result {no key} -returnCodes {1}
 
 test CMAC_Errors-12.5 {Invalid cipher} -body {
 	::tls::cmac -cipher bogus -data $test_data
-    } -result {Invalid cipher "bogus"} -returnCodes {1}
+    } -result {invalid cipher "bogus"} -returnCodes {1}
 
 
 # Test HMAC command
 set test_digest md5
 set test_key "Example key"
@@ -411,19 +411,19 @@
 	::tls::hmac too many command line args to pass the test without an error or failing
     } -result {wrong # args: should be "::tls::hmac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]"} -returnCodes {1}
 
 test HMAC_Errors-16.3 {No digest} -body {
 	::tls::hmac -hex -data $test_data
-    } -result {No digest specified} -returnCodes {1}
+    } -result {no digest} -returnCodes {1}
 
 test HMAC_Errors-16.4 {No key} -body {
 	::tls::hmac -digest sha256 -data $test_data
-    } -result {No key specified} -returnCodes {1}
+    } -result {no key} -returnCodes {1}
 
 test HMAC_Errors-16.5 {Invalid digest} -body {
 	::tls::md -digest bogus -key $test_key -data $test_data
-    } -result {Invalid digest "bogus"} -returnCodes {1}
+    } -result {invalid digest "bogus"} -returnCodes {1}
 
 
 # Test MAC command
 set test_cipher "aes-128-cbc"
 set test_digest sha256
@@ -453,19 +453,19 @@
 	::tls::mac
     } -result {wrong # args: should be "::tls::mac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]"} -returnCodes {1}
 
 test MAC_Errors-18.2 {No mac} -body {
 	::tls::mac -key $test_key -data $test_data
-    } -result {No MAC specified} -returnCodes {1}
+    } -result {no MAC} -returnCodes {1}
 
 test MAC_Errors-18.3 {No key} -body {
-	::tls::mac -mac hmac -data $test_data
-    } -result {No key specified} -returnCodes {1}
+	::tls::mac -mac hmac -digest $test_digest -data $test_data
+    } -result {no key} -returnCodes {1}
 
 test MAC_Errors-18.4 {Invalid MAC} -body {
-	::tls::mac -mac scrypt -key $test_key -data $test_data
-    } -result {Invalid MAC "scrypt"} -returnCodes {1}
+	::tls::mac -mac bogus -key $test_key -data $test_data
+    } -result {invalid MAC "bogus"} -returnCodes {1}
 
 test MAC_Errors-18.5 {Too many args} -body {
 	::tls::mac too many command line args to pass the test without an error or failing
     } -result {wrong # args: should be "::tls::mac ?-bin|-hex? ?-cipher name? ?-digest name? ?-key key? ?-mac name? [-channel chan | -command cmdName | -file filename | ?-data? data]"} -returnCodes {1}
 

Index: tests/info.csv
==================================================================
--- tests/info.csv
+++ tests/info.csv
@@ -54,11 +54,11 @@
 Ciphers Errors,TLS1.1,!tls1.1,,::tls::ciphers tls1.1,,,tls1.0: protocol not supported,,,1
 Ciphers Errors,TLS1.2,!tls1.2,,::tls::ciphers tls1.2,,,tls1.1: protocol not supported,,,1
 Ciphers Errors,TLS1.3,!tls1.3,,::tls::ciphers tls1.3,,,tls1.3: protocol not supported,,,1
 ,,,,,,,,,,
 command,# Test Cipher Info,,,,,,,,,
-Cipher Info,AES-256-CCM,,,tls::cipher aes-256-ccm,,,nid aes-256-ccm name id-aes256-CCM description {} block_size 1 key_length 32 iv_length 12 type aes-256-ccm provider {} mode CCM flags {{Variable Length} 0 {Always Call Init} 1 {Custom IV} 1 {Control Init} 1 {Custom Cipher} 1 {AEAD Cipher} 1 {Custom Copy} 1 {Non FIPS Allow} 0},,,
+Cipher Info,AES-256-CCM,,,tls::cipher aes-256-ccm,,,nid aes-256-ccm name id-aes256-CCM description {} block_size 1 key_length 32 iv_length 12 type aes-256-ccm provider {} mode CCM flags {{Variable Length} 0 {Always Call Init} 1 {Custom IV} 1 {Control Init} 1 {Custom Cipher} 1 {AEAD Cipher} 1 {Custom Copy} 1 {Non FIPS Allow} 0} tag_length 16 aad_length 13,,,
 ,,,,,,,,,,
 command,# Test list digests,,,,,,,,,
 Digests List,All,,,lcompare [lsort [exec_get_digests]] [lsort [tls::digests]],,,missing {} unexpected {},,,
 ,,,,,,,,,,
 command,# Test Digest Info,,,,,,,,,
@@ -76,12 +76,11 @@
 command,# Test show version,,,,,,,,,
 Version,All,,,::tls::version,,glob,*,,,
 Version,OpenSSL,OpenSSL,,::tls::version,,glob,OpenSSL*,,,
 ,,,,,,,,,,
 command,# Error Cases,,,,,,,,,
-Error Cases,Cipher Too few args,,,::tls::cipher,,,"wrong # args: should be ""::tls::cipher ?name?""",,,1
 Error Cases,Cipher Too many args,,,::tls::cipher too many args,,,"wrong # args: should be ""::tls::cipher ?name?""",,,1
 Error Cases,Digests Too many args,,,::tls::digests too many args,,,"wrong # args: should be ""::tls::digests ?name?""",,,1
 Error Cases,MACs Too many args,,,::tls::macs too many args,,,"wrong # args: should be ""::tls::macs ?name?""",,,1
 Error Cases,Pkeys Too many args,,,::tls::pkeys too many args,,,"wrong # args: should be ""::tls::pkeys ?name?""",,,1
 Error Cases,Protocols Too many args,,,::tls::protocols too many args,,,"wrong # args: should be ""::tls::protocols""",,,1
 Error Cases,Version Too many args,,,::tls::version too many args,,,"wrong # args: should be ""::tls::version""",,,1

Index: tests/info.test
==================================================================
--- tests/info.test
+++ tests/info.test
@@ -159,11 +159,11 @@
 # Test Cipher Info
 
 
 test Cipher_Info-6.1 {AES-256-CCM} -body {
 	tls::cipher aes-256-ccm
-    } -result {nid aes-256-ccm name id-aes256-CCM description {} block_size 1 key_length 32 iv_length 12 type aes-256-ccm provider {} mode CCM flags {{Variable Length} 0 {Always Call Init} 1 {Custom IV} 1 {Control Init} 1 {Custom Cipher} 1 {AEAD Cipher} 1 {Custom Copy} 1 {Non FIPS Allow} 0}}
+    } -result {nid aes-256-ccm name id-aes256-CCM description {} block_size 1 key_length 32 iv_length 12 type aes-256-ccm provider {} mode CCM flags {{Variable Length} 0 {Always Call Init} 1 {Custom IV} 1 {Control Init} 1 {Custom Cipher} 1 {AEAD Cipher} 1 {Custom Copy} 1 {Non FIPS Allow} 0} tag_length 16 aad_length 13}
 
 # Test list digests
 
 
 test Digests_List-7.1 {All} -body {
@@ -210,36 +210,32 @@
     } -match {glob} -result {OpenSSL*}
 
 # Error Cases
 
 
-test Error_Cases-13.1 {Cipher Too few args} -body {
-	::tls::cipher
-    } -result {wrong # args: should be "::tls::cipher ?name?"} -returnCodes {1}
-
-test Error_Cases-13.2 {Cipher Too many args} -body {
+test Error_Cases-13.1 {Cipher Too many args} -body {
 	::tls::cipher too many args
     } -result {wrong # args: should be "::tls::cipher ?name?"} -returnCodes {1}
 
-test Error_Cases-13.3 {Digests Too many args} -body {
+test Error_Cases-13.2 {Digests Too many args} -body {
 	::tls::digests too many args
     } -result {wrong # args: should be "::tls::digests ?name?"} -returnCodes {1}
 
-test Error_Cases-13.4 {MACs Too many args} -body {
+test Error_Cases-13.3 {MACs Too many args} -body {
 	::tls::macs too many args
     } -result {wrong # args: should be "::tls::macs ?name?"} -returnCodes {1}
 
-test Error_Cases-13.5 {Pkeys Too many args} -body {
+test Error_Cases-13.4 {Pkeys Too many args} -body {
 	::tls::pkeys too many args
     } -result {wrong # args: should be "::tls::pkeys ?name?"} -returnCodes {1}
 
-test Error_Cases-13.6 {Protocols Too many args} -body {
+test Error_Cases-13.5 {Protocols Too many args} -body {
 	::tls::protocols too many args
     } -result {wrong # args: should be "::tls::protocols"} -returnCodes {1}
 
-test Error_Cases-13.7 {Version Too many args} -body {
+test Error_Cases-13.6 {Version Too many args} -body {
 	::tls::version too many args
     } -result {wrong # args: should be "::tls::version"} -returnCodes {1}
 
 # Cleanup
 ::tcltest::cleanupTests
 return

ADDED   tests/kdf.csv
Index: tests/kdf.csv
==================================================================
--- /dev/null
+++ tests/kdf.csv
@@ -0,0 +1,80 @@
+# Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes
+command,package require tls,,,,,,,,,
+,,,,,,,,,,
+command,# PBKDF2 Error Cases,,,,,,,,,
+PBKDF2 Errors,Too few args,,,::tls::pbkdf2,,,"wrong # args: should be ""::tls::pbkdf2 [-cipher cipher | -size length] -digest digest ?-iterations count? ?-password string? ?-salt string?""",,,1
+PBKDF2 Errors,Too many args,,,::tls::pbkdf2 too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::pbkdf2 [-cipher cipher | -size length] -digest digest ?-iterations count? ?-password string? ?-salt string?""",,,1
+PBKDF2 Errors,Invalid cipher,,,::tls::pbkdf2 -digest sha256 -password key -cipher bogus,,,"invalid cipher ""bogus""",,,1
+PBKDF2 Errors,Invalid digest,,,::tls::pbkdf2 -digest bogus -password key,,,"invalid digest ""bogus""",,,1
+PBKDF2 Errors,Invalid iterations,,,::tls::pbkdf2 -digest sha256 -password key -iterations -1,,,"invalid value ""-1"" for option ""iterations"": must be >= 1",,,1
+PBKDF2 Errors,No password value,,,::tls::pbkdf2 -digest sha256 -password,,,"No value for option ""-password""",,,1
+PBKDF2 Errors,No salt value,,,::tls::pbkdf2 -digest sha256 -password key -salt,,,"No value for option ""-salt""",,,1
+PBKDF2 Errors,Invalid size,,,::tls::pbkdf2 -digest sha256 -password key -size 0,,,"invalid value ""0"" for option ""-size"": must be >= 1",,,1
+PBKDF2 Errors,Too big size,,,::tls::pbkdf2 -digest sha256 -password key -size 400,,,"invalid value ""400"" for option ""-size"": must be <= 320",,,1
+,,,,,,,,,,
+command,# HKDF Error Cases,,,,,,,,,
+HKDF Errors,Too few args,,,::tls::hkdf,,,"wrong # args: should be ""::tls::hkdf -digest digest -key string ?-info string? ?-salt string? ?-size derived_length?""",,,1
+HKDF Errors,Too many args,,,::tls::hkdf too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::hkdf -digest digest -key string ?-info string? ?-salt string? ?-size derived_length?""",,,1
+HKDF Errors,No digest,,,::tls::hkdf -key key -key key,,,no digest,,,1
+HKDF Errors,No key,,,::tls::hkdf -digest sha256 -digest sha256,,,no key,,,1
+HKDF Errors,No info value,,,::tls::hkdf -digest sha256 -key key -info,,,"No value for option ""-info""",,,1
+HKDF Errors,No salt value,,,::tls::hkdf -digest sha256 -password key -salt,,,"No value for option ""-salt""",,,1
+HKDF Errors,Invalid size,,,::tls::hkdf -digest sha256 -password key -size 0,,,"invalid value ""0"" for option ""-size"": must be >= 1",,,1
+HKDF Errors,Too big size,,,::tls::hkdf -digest sha256 -password key -size 8161,,,"""Key derivation failed: """,,,1
+,,,,,,,,,,
+command,# Scrypt Error Cases,,,,,,,,,
+Scrypt Errors,Too few args,,,::tls::scrypt,,,"wrong # args: should be ""::tls::scrypt -password string -salt string ?-N costParameter? ?-r blockSize? ?-p parallelization? ?-size derived_length?""",,,1
+Scrypt Errors,Too many args,,,::tls::scrypt too many command line args to pass the test without an error or failing,,,"wrong # args: should be ""::tls::scrypt -password string -salt string ?-N costParameter? ?-r blockSize? ?-p parallelization? ?-size derived_length?""",,,1
+Scrypt Errors,No password value,,,::tls::scrypt -salt salt -salt salt,,,no password,,,1
+Scrypt Errors,No salt value,,,::tls::scrypt -password key -password key,,,no salt,,,1
+Scrypt Errors,Invalid size,,,::tls::scrypt -password key -salt salt -size 0,,,"invalid value ""0"" for option ""-size"": must be >= 1",,,1
+Scrypt Errors,Invalid N costParameter,knownIgnored,,::tls::scrypt -password key -salt salt -N 0,,,,,,1
+Scrypt Errors,Invalid r blockSize,knownIgnored,,::tls::scrypt -password key -salt salt -r 0,,,,,,1
+Scrypt Errors,Invalid p parallelization,knownIgnored,,::tls::scrypt -password key -salt salt -p 0,,,,,,1
+,,,,,,,,,,
+command,set digest sha1,,,,,,,,,
+command,"set P ""password""",,,,,,,,,
+command,"set S ""salt""",,,,,,,,,
+command,set dkLen 20,,,,,,,,,
+,,,,,,,,,,
+command,# PBKDF2 RFC 6070,,,,,,,,,
+PBKDF2 RFC 6070,Test Case 1,,,binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 1 -size $dkLen],,,0c60c80f961f0e71f3a9b524af6012062fe037a6,,,
+PBKDF2 RFC 6070,Test Case 2,,,binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 2 -size $dkLen],,,ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957,,,
+PBKDF2 RFC 6070,Test Case 3,,,binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 4096 -size $dkLen],,,4b007901b765489abead49d926f721d065a429c1,,,
+PBKDF2 RFC 6070,Test Case 4,,,binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 16777216 -size $dkLen],,,eefe3d61cd4da4e4e9945b3d6ba2158c2634e984,,,
+,,,,,,,,,,
+command,set digest sha1,,,,,,,,,
+command,set key [binary decode hex 0b0b0b0b0b0b0b0b0b0b0b],,,,,,,,,
+command,set salt [binary decode hex 000102030405060708090a0b0c],,,,,,,,,
+command,set info [binary decode hex f0f1f2f3f4f5f6f7f8f9],,,,,,,,,
+command,set size 42,,,,,,,,,
+,,,,,,,,,,
+command,# HKDF RFC 6234,,,,,,,,,
+HKDF RFC 6234,"A.4.  Test Case 4, Basic test case with SHA-1",,,binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size],,,085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896,,,
+,,,,,,,,,,
+command,set key [binary decode hex 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f],,,,,,,,,
+command,set salt [binary decode hex 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf],,,,,,,,,
+command,set info [binary decode hex b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff],,,,,,,,,
+command,set size 82,,,,,,,,,
+,,,,,,,,,,
+HKDF RFC 6234,"A.5.  Test Case 5, Test with SHA-1 and longer inputs/outputs",,,binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size],,,0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4,,,
+,,,,,,,,,,
+command,set key [binary decode hex 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b],,,,,,,,,
+command,"set salt """"",,,,,,,,,
+command,"set info """"",,,,,,,,,
+command,set size 42,,,,,,,,,
+,,,,,,,,,,
+HKDF RFC 6234,"A.6.  Test Case 6, Test with SHA-1 and zero-length salt/info",,,binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size],,,0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918,,,
+,,,,,,,,,,
+command,set key [binary decode hex 0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c],,,,,,,,,
+command,"set salt """"",,,,,,,,,
+command,"set info """"",,,,,,,,,
+command,set size 42,,,,,,,,,
+,,,,,,,,,,
+HKDF RFC 6234,"A.7.  Test Case 7, Test with SHA-1, salt not provided (defaults to HashLen zero octets), zero-length info",,,binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size],,,2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48,,,
+,,,,,,,,,,
+command,# Scrypt RFC 7914,,,,,,,,,
+Scrypt RFC 7914,Test Case 1,,,"binary encode hex [::tls::scrypt -password """" -salt """" -N 16 -r 1 -p 1 -size 64]",,,77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906,,,
+Scrypt RFC 7914,Test Case 2,,,"binary encode hex [::tls::scrypt -password ""password"" -salt ""NaCl"" -N 1024 -r 8 -p 16 -size 64]",,,fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640,,,
+Scrypt RFC 7914,Test Case 3,,,"binary encode hex [::tls::scrypt -password ""pleaseletmein"" -salt ""SodiumChloride"" -N 16384 -r 8 -p 1 -size 64]",,,7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887,,,
+Scrypt RFC 7914,Test Case 4,,,"binary encode hex [::tls::scrypt -password ""pleaseletmein"" -salt ""SodiumChloride"" -N 1048576 -r 8 -p 1 -size 64]",,,2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4,,,

ADDED   tests/kdf.test
Index: tests/kdf.test
==================================================================
--- /dev/null
+++ tests/kdf.test
@@ -0,0 +1,210 @@
+# Auto generated test cases for kdf.csv
+
+# Load Tcl Test package
+if {[lsearch [namespace children] ::tcltest] == -1} {
+	package require tcltest
+	namespace import ::tcltest::*
+}
+
+set auto_path [concat [list [file dirname [file dirname [info script]]]] $auto_path]
+
+package require tls
+
+# PBKDF2 Error Cases
+
+
+test PBKDF2_Errors-1.1 {Too few args} -body {
+	::tls::pbkdf2
+    } -result {wrong # args: should be "::tls::pbkdf2 [-cipher cipher | -size length] -digest digest ?-iterations count? ?-password string? ?-salt string?"} -returnCodes {1}
+
+test PBKDF2_Errors-1.2 {Too many args} -body {
+	::tls::pbkdf2 too many command line args to pass the test without an error or failing
+    } -result {wrong # args: should be "::tls::pbkdf2 [-cipher cipher | -size length] -digest digest ?-iterations count? ?-password string? ?-salt string?"} -returnCodes {1}
+
+test PBKDF2_Errors-1.3 {Invalid cipher} -body {
+	::tls::pbkdf2 -digest sha256 -password key -cipher bogus
+    } -result {invalid cipher "bogus"} -returnCodes {1}
+
+test PBKDF2_Errors-1.4 {Invalid digest} -body {
+	::tls::pbkdf2 -digest bogus -password key
+    } -result {invalid digest "bogus"} -returnCodes {1}
+
+test PBKDF2_Errors-1.5 {Invalid iterations} -body {
+	::tls::pbkdf2 -digest sha256 -password key -iterations -1
+    } -result {invalid value "-1" for option "iterations": must be >= 1} -returnCodes {1}
+
+test PBKDF2_Errors-1.6 {No password value} -body {
+	::tls::pbkdf2 -digest sha256 -password
+    } -result {No value for option "-password"} -returnCodes {1}
+
+test PBKDF2_Errors-1.7 {No salt value} -body {
+	::tls::pbkdf2 -digest sha256 -password key -salt
+    } -result {No value for option "-salt"} -returnCodes {1}
+
+test PBKDF2_Errors-1.8 {Invalid size} -body {
+	::tls::pbkdf2 -digest sha256 -password key -size 0
+    } -result {invalid value "0" for option "-size": must be >= 1} -returnCodes {1}
+
+test PBKDF2_Errors-1.9 {Too big size} -body {
+	::tls::pbkdf2 -digest sha256 -password key -size 400
+    } -result {invalid value "400" for option "-size": must be <= 320} -returnCodes {1}
+
+# HKDF Error Cases
+
+
+test HKDF_Errors-2.1 {Too few args} -body {
+	::tls::hkdf
+    } -result {wrong # args: should be "::tls::hkdf -digest digest -key string ?-info string? ?-salt string? ?-size derived_length?"} -returnCodes {1}
+
+test HKDF_Errors-2.2 {Too many args} -body {
+	::tls::hkdf too many command line args to pass the test without an error or failing
+    } -result {wrong # args: should be "::tls::hkdf -digest digest -key string ?-info string? ?-salt string? ?-size derived_length?"} -returnCodes {1}
+
+test HKDF_Errors-2.3 {No digest} -body {
+	::tls::hkdf -key key -key key
+    } -result {no digest} -returnCodes {1}
+
+test HKDF_Errors-2.4 {No key} -body {
+	::tls::hkdf -digest sha256 -digest sha256
+    } -result {no key} -returnCodes {1}
+
+test HKDF_Errors-2.5 {No info value} -body {
+	::tls::hkdf -digest sha256 -key key -info
+    } -result {No value for option "-info"} -returnCodes {1}
+
+test HKDF_Errors-2.6 {No salt value} -body {
+	::tls::hkdf -digest sha256 -password key -salt
+    } -result {No value for option "-salt"} -returnCodes {1}
+
+test HKDF_Errors-2.7 {Invalid size} -body {
+	::tls::hkdf -digest sha256 -password key -size 0
+    } -result {invalid value "0" for option "-size": must be >= 1} -returnCodes {1}
+
+test HKDF_Errors-2.8 {Too big size} -body {
+	::tls::hkdf -digest sha256 -password key -size 8161
+    } -result "Key derivation failed: " -returnCodes {1}
+
+# Scrypt Error Cases
+
+
+test Scrypt_Errors-3.1 {Too few args} -body {
+	::tls::scrypt
+    } -result {wrong # args: should be "::tls::scrypt -password string -salt string ?-N costParameter? ?-r blockSize? ?-p parallelization? ?-size derived_length?"} -returnCodes {1}
+
+test Scrypt_Errors-3.2 {Too many args} -body {
+	::tls::scrypt too many command line args to pass the test without an error or failing
+    } -result {wrong # args: should be "::tls::scrypt -password string -salt string ?-N costParameter? ?-r blockSize? ?-p parallelization? ?-size derived_length?"} -returnCodes {1}
+
+test Scrypt_Errors-3.3 {No password value} -body {
+	::tls::scrypt -salt salt -salt salt
+    } -result {no password} -returnCodes {1}
+
+test Scrypt_Errors-3.4 {No salt value} -body {
+	::tls::scrypt -password key -password key
+    } -result {no salt} -returnCodes {1}
+
+test Scrypt_Errors-3.5 {Invalid size} -body {
+	::tls::scrypt -password key -salt salt -size 0
+    } -result {invalid value "0" for option "-size": must be >= 1} -returnCodes {1}
+
+test Scrypt_Errors-3.6 {Invalid N costParameter} -constraints {knownIgnored} -body {
+	::tls::scrypt -password key -salt salt -N 0
+    } -returnCodes {1}
+
+test Scrypt_Errors-3.7 {Invalid r blockSize} -constraints {knownIgnored} -body {
+	::tls::scrypt -password key -salt salt -r 0
+    } -returnCodes {1}
+
+test Scrypt_Errors-3.8 {Invalid p parallelization} -constraints {knownIgnored} -body {
+	::tls::scrypt -password key -salt salt -p 0
+    } -returnCodes {1}
+
+set digest sha1
+set P "password"
+set S "salt"
+set dkLen 20
+
+# PBKDF2 RFC 6070
+
+
+test PBKDF2_RFC_6070-4.1 {Test Case 1} -body {
+	binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 1 -size $dkLen]
+    } -result {0c60c80f961f0e71f3a9b524af6012062fe037a6}
+
+test PBKDF2_RFC_6070-4.2 {Test Case 2} -body {
+	binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 2 -size $dkLen]
+    } -result {ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957}
+
+test PBKDF2_RFC_6070-4.3 {Test Case 3} -body {
+	binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 4096 -size $dkLen]
+    } -result {4b007901b765489abead49d926f721d065a429c1}
+
+test PBKDF2_RFC_6070-4.4 {Test Case 4} -body {
+	binary encode hex [::tls::pbkdf2 -digest $digest -password $P -salt $S -iterations 16777216 -size $dkLen]
+    } -result {eefe3d61cd4da4e4e9945b3d6ba2158c2634e984}
+
+set digest sha1
+set key [binary decode hex 0b0b0b0b0b0b0b0b0b0b0b]
+set salt [binary decode hex 000102030405060708090a0b0c]
+set info [binary decode hex f0f1f2f3f4f5f6f7f8f9]
+set size 42
+
+# HKDF RFC 6234
+
+
+test HKDF_RFC_6234-5.1 {A.4.  Test Case 4, Basic test case with SHA-1} -body {
+	binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size]
+    } -result {085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896}
+
+set key [binary decode hex 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f]
+set salt [binary decode hex 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf]
+set info [binary decode hex b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff]
+set size 82
+
+
+test HKDF_RFC_6234-5.2 {A.5.  Test Case 5, Test with SHA-1 and longer inputs/outputs} -body {
+	binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size]
+    } -result {0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4}
+
+set key [binary decode hex 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b]
+set salt ""
+set info ""
+set size 42
+
+
+test HKDF_RFC_6234-5.3 {A.6.  Test Case 6, Test with SHA-1 and zero-length salt/info} -body {
+	binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size]
+    } -result {0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918}
+
+set key [binary decode hex 0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c]
+set salt ""
+set info ""
+set size 42
+
+
+test HKDF_RFC_6234-5.4 {A.7.  Test Case 7, Test with SHA-1, salt not provided (defaults to HashLen zero octets), zero-length info} -body {
+	binary encode hex [::tls::hkdf -digest $digest -password $key -salt $salt -info $info -size $size]
+    } -result {2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48}
+
+# Scrypt RFC 7914
+
+
+test Scrypt_RFC_7914-6.1 {Test Case 1} -body {
+	binary encode hex [::tls::scrypt -password "" -salt "" -N 16 -r 1 -p 1 -size 64]
+    } -result {77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906}
+
+test Scrypt_RFC_7914-6.2 {Test Case 2} -body {
+	binary encode hex [::tls::scrypt -password "password" -salt "NaCl" -N 1024 -r 8 -p 16 -size 64]
+    } -result {fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640}
+
+test Scrypt_RFC_7914-6.3 {Test Case 3} -body {
+	binary encode hex [::tls::scrypt -password "pleaseletmein" -salt "SodiumChloride" -N 16384 -r 8 -p 1 -size 64]
+    } -result {7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887}
+
+test Scrypt_RFC_7914-6.4 {Test Case 4} -body {
+	binary encode hex [::tls::scrypt -password "pleaseletmein" -salt "SodiumChloride" -N 1048576 -r 8 -p 1 -size 64]
+    } -result {2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4}
+
+# Cleanup
+::tcltest::cleanupTests
+return