Reword the SSL_export_keying_material docs slightly

The reference to TLS 1.2's "master secret" (renamed to "main secret" in
rfc8446bis, but we haven't applied that yet) is wrong anyway because
it's derived from a different secret in TLS 1.3. Even in TLS 1.2, it's
misleading because TLS 1.2 resumptions share the master secret, but EKM
still exports different values by incorporating the client/server
randoms.

Change-Id: I21cb4f5ddde9d9fb520c770ca6a89c56daecef6b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75509
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 12ede3f..aa63b8f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1782,10 +1782,11 @@
// renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero.
OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl);
-// SSL_export_keying_material exports a value derived from the master secret, as
-// specified in RFC 5705. It writes |out_len| bytes to |out| given a label and
-// optional context. (Since a zero length context is allowed, the |use_context|
-// flag controls whether a context is included.)
+// SSL_export_keying_material exports a connection-specific secret from |ssl|,
+// as specified in RFC 5705. It writes |out_len| bytes to |out| given a label
+// and optional context. If |use_context| is zero, the |context| parameter is
+// ignored. Prior to TLS 1.3, using a zero-length context and using no context
+// would give different output.
//
// It returns one on success and zero otherwise.
OPENSSL_EXPORT int SSL_export_keying_material(
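Review bot: The added sentence "Prior to TLS 1.3, using a zero-length context and using no context would give different output" documents only the pre-1.3 case and leaves the TLS 1.3 behaviour to inference. Suggest stating it directly, e.g. that in TLS 1.3 a missing context and a zero-length context give the same output (RFC 8446, section 7.5), so a caller who uses |use_context| to separate two exporter uses under one label knows that separation does not hold across versions. The comment also still cites only RFC 5705 while now describing TLS 1.3 behaviour; citing RFC 8446 alongside it would help. Lastly, "connection-specific" carries the commit message's point that resumed sessions export different values; a short clause saying so would make that property explicit for readers of the header.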