author Dr. Stephen Henson <steve@openssl.org> 2016-03-01 16:29:47 +0000
committer Dr. Stephen Henson <steve@openssl.org> 2016-03-03 16:07:25 +0000
commit 924ec89a2499ad18009412c6688b02452735a858 (patch)
tree 872ea98de4bd6352d90f93745703a03c6c391492 /doc
parent 8185e649f8faf04ad0e1896e8b1c1702d3509088 (diff)
Add KDF support to pkeyutl. Update documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/apps/pkeyutl.pod 17
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod
index a2da2558f6..0426009094 100644
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -25,6 +25,8 @@ B<openssl> B<pkeyutl>
[B<-encrypt>]
[B<-decrypt>]
[B<-derive>]
+[B<-kdf algorithm>]
+[B<-kdflen length>]
[B<-pkeyopt opt:value>]
[B<-hexdump>]
[B<-asn1parse>]
@@ -119,6 +121,15 @@ decrypt the input data using a private key.
derive a shared secret using the peer key.
+=item B<-kdf algorithm>
+
+Use key derivation function B<algorithm>. Note: additional paramers
+will normally have to be set and the KDF output length for this to work.
+
+=item B<-kdflen length>
+
+Set the ouput length for KDF.
+
=item B<-pkeyopt opt:value>
Public key options specified as opt:value. See NOTES below for more details.
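Review bot: The two new items contain typos, "paramers" in the B<-kdf> entry and "ouput" in the B<-kdflen> entry, and the B<-kdf> note is hard to parse as written. "additional paramers will normally have to be set and the KDF output length for this to work" would read better as "additional parameters and the KDF output length (B<-kdflen>) will normally have to be set for this to work". The entry should also say how those parameters are supplied (the example added later in this patch uses B<-pkeyopt>), and B<-kdflen> should state its unit, which that example implies is bytes but this text never says.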
@@ -249,6 +260,12 @@ Derive a shared secret value:
openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret
+Hexdump 48 bytes of TLS1 PRF using digest B<SHA256> and shared secret and
+seed consisting of the single byte 0xFF.
+
+ openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
+ -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
+
=head1 SEE ALSO
L<genpkey(1)>, L<pkey(1)>, L<rsautl(1)>
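Review bot: The description of the new example is ambiguous: "using digest SHA256 and shared secret and seed consisting of the single byte 0xFF" can be read as only the seed being 0xFF, while the command sets both hexsecret:ff and hexseed:ff. Suggest "using digest B<SHA256>, with the secret and the seed each consisting of the single byte 0xFF", and ending the sentence with a colon to match "Derive a shared secret value:" above it. The md, hexsecret and hexseed options are not described in any hunk of this patch, so unless the NOTES section already covers them they need an entry there. Because the example passes the secret as a command-line argument, a sentence noting that a real secret supplied this way is exposed in the process list and shell history would be worth adding.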