From 585a8d22aa7afec4c45a8bea677b37bf9e702f58 Mon Sep 17 00:00:00 2001
From: jackctj117 <jackctj117@gmail.com>
Date: Mon, 15 Dec 2025 10:52:24 -0700
Subject: [PATCH] Added comment with empty hash imofrmation

---
 src/tls13.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/tls13.c b/src/tls13.c
index 44be6ad16..6eeabb4ee 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -1197,6 +1197,8 @@ int DeriveHandshakeSecret(WOLFSSL* ssl)
         return ret;
 #endif
 
+    /* Derive-Secret(., "derived", "") per RFC 8446 Section 7.1.
+     * Empty hash (NULL, 0) is required by the TLS 1.3 key schedule. */
     ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                         derivedLabel, DERIVED_LABEL_SZ,
                         NULL, 0, ssl->specs.mac_algorithm);
@@ -1232,6 +1234,8 @@ int DeriveMasterSecret(WOLFSSL* ssl)
         return ret;
 #endif
 
+    /* Derive-Secret(., "derived", "") per RFC 8446 Section 7.1.
+     * Empty hash (NULL, 0) is required by the TLS 1.3 key schedule. */
     ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
                         derivedLabel, DERIVED_LABEL_SZ,
                         NULL, 0, ssl->specs.mac_algorithm);