Reword the SSL_export_keying_material docs slightly The reference to TLS 1.2's "master secret" (renamed to "main secret" in rfc8446bis, but we haven't applied that yet) is wrong anyway because it's derived from a different secret in TLS 1.3. Even in TLS 1.2, it's misleading because TLS 1.2 resumptions share the master secret, but EKM still exports different values by incorporating the client/server randoms. Change-Id: I21cb4f5ddde9d9fb520c770ca6a89c56daecef6b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75509 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 12ede3f..aa63b8f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -1782,10 +1782,11 @@ // renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero. OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl); -// SSL_export_keying_material exports a value derived from the master secret, as -// specified in RFC 5705. It writes |out_len| bytes to |out| given a label and -// optional context. (Since a zero length context is allowed, the |use_context| -// flag controls whether a context is included.) +// SSL_export_keying_material exports a connection-specific secret from |ssl|, +// as specified in RFC 5705. It writes |out_len| bytes to |out| given a label +// and optional context. If |use_context| is zero, the |context| parameter is +// ignored. Prior to TLS 1.3, using a zero-length context and using no context +// would give different output. // // It returns one on success and zero otherwise. OPENSSL_EXPORT int SSL_export_keying_material(