ed in another application or protocol (e.g., in
an other TLS session using pre-shared keys).  The following describe
GnuTLS' implementation of RFC5705 to extract keys based on a session's
master secret.

The API to use is *note gnutls_prf_rfc5705::.  The function needs to be
provided with a label, and additional context data to mix in the
‘context’ parameter.

 -- Function: int gnutls_prf_rfc5705 (gnutls_session_t SESSION, size_t
          LABEL_SIZE, const char * LABEL, size_t CONTEXT_SIZE, const
          char * CONTEXT, size_t OUTSIZE, char * OUT)
     SESSION: is a ‘gnutls_session_t’ type.

     LABEL_SIZE: length of the ‘label’ variable.

     LABEL: label used in PRF computation, typically a short string.

     CONTEXT_SIZE: length of the ‘extra’ variable.

     CONTEXT: optional extra data to seed the PRF with.

     OUTSIZE: size of pre-allocated output buffer to hold the output.

     OUT: pre-allocated buffer to hold the generated data.

     Exports keying material from TLS/DTLS session to an application, as
     specified in RFC5705.

     In the TLS versions prior to 1.3, it applies the TLS
     Pseudo-Random-Function (PRF) on the master secret and the provided
     data, seeded with the client and server random fields.

     In TLS 1.3, it applies HKDF on the exporter master secret derived
     from the master secret.

     The ‘label’ variable usually contains a string denoting the purpose
     for the generated data.

     The ‘context’ variable can be used to add more data to the seed,
     after the random variables.  It can be used to make sure the
     generated output is strongly connected to some additional data
     (e.g., a string used in user authentication).

     The output is placed in ‘out’ , which must be pre-allocated.

     Note that, to provide the RFC5705 context, the ‘context’ variable
     must be non-null.

     *Returns:* ‘GNUTLS_E_SUCCESS’ on success, or an error code.

     *Since:* 3.4.4

For example, after establishing a TLS session using *note
gnutls_handshake::, you can obtain 32-bytes to be used as key, using
this call:

     #define MYLABEL "EXPORTER-My-protocol-name"
     #define MYCONTEXT "my-protocol's-1st-session"

     char out[32];
     rc = gnutls_prf_rfc5705 (session, sizeof(MYLABEL)-1, MYLABEL,
                              sizeof(MYCONTEXT)-1, MYCONTEXT, 32, out);

The output key depends on TLS' master secret, and is the same on both
client and server.

For legacy applications which need to use a more flexible API, there is
*note gnutls_prf::, which in addition, allows to switch the mix of the
client and server random nonces, using the ‘server_random_first’
parameter.  For additional flexibility and low-level access to the
TLS1.2 PRF, there is a low-level TLS PRF interface called *note
gnutls_prf_raw::.  That however is not functional under newer protocol
versions.