Warn in SSL_export_keying_material API docs that lengths must match

Starting 1.3, the length figures into the derivation. The Firefox WebRTC
bug indicates that this is a surprising change in the (D)TLS 1.3
upgrade, so may as well write a warning in the API docs.

(This wouldn't have avoided the original bug. They use a different
library.)

Bug: 401460270
Change-Id: I8d0fc9df757ba7aa512a8b2cae78de97d691b817
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/77207
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8f52682..4e21a14 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1823,8 +1823,13 @@
// SSL_export_keying_material exports a connection-specific secret from |ssl|,
// as specified in RFC 5705. It writes |out_len| bytes to |out| given a label
// and optional context. If |use_context| is zero, the |context| parameter is
-// ignored. Prior to TLS 1.3, using a zero-length context and using no context
-// would give different output.
+// ignored.
+//
+// To derive the same value, both sides of a connection must use the same output
+// length, label, and context. In TLS 1.2 and earlier, using a zero-length
+// context and using no context would give different output. In TLS 1.3 and
+// later, the output length impacts the derivation, so a truncated longer export
+// will not match a shorter export.
//
// It returns one on success and zero otherwise.
OPENSSL_EXPORT int SSL_export_keying_material(const SSL *ssl, uint8_t *out,
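Review bot: The added paragraph names only "TLS 1.2 and earlier" and "TLS 1.3 and later", while the commit message says the surprise came from the (D)TLS 1.3 upgrade in a WebRTC setting, so callers on a DTLS connection are the readers most likely to need this warning and the least likely to recognise it as applying to them. Consider writing "In (D)TLS 1.3 and later, the output length impacts the derivation" or adding a sentence that the same split applies to the corresponding DTLS versions. It would also help to state the caller-side rule directly after "a truncated longer export will not match a shorter export": request exactly the |out_len| the peer requests, rather than exporting one longer block and slicing it.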