From 27310671886a209ae92c2308be802e54dc3c1d5e Mon Sep 17 00:00:00 2001
From: Quim Muntal <quimmuntal@gmail.com>
Date: Thu, 14 Sep 2023 20:49:07 +0200
Subject: [PATCH] Update tls1prf.go

Co-authored-by: Davis Goodin <dagood@users.noreply.github.com>
---
 tls1prf.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tls1prf.go b/tls1prf.go
index 4d83633e..3153fc81 100644
--- a/tls1prf.go
+++ b/tls1prf.go
@@ -94,7 +94,9 @@ func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error {
 		return newOpenSSLError("EVP_PKEY_derive")
 	}
 	// The Go standard library expects TLS1PRF to return the requested number of bytes,
-	// fail if it doesn't.
+	// fail if it doesn't. While there is no known situation where this will happen,
+	// EVP_PKEY_derive handles multiple algorithms and there could be a subtle mismatch
+	// after more code changes in the future.
 	if outLen != C.size_t(len(result)) {
 		return errors.New("tls1-prf: derived less bytes than requested")
 	}