commit 03299dcf5b8d58b4878acc2d16fd1bc0177fc3d8
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Apr 13 22:10:24 2021 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Thu Jun 03 18:10:04 2021 +0200
tree 14759b0c3727f3b92467e51f6baa114c08eee5cc
parent ebe9b6a51da1fa4f9ece249b80a2b47e826a6e83

DHM: add notes about leading zeros

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

library/dhm.c

diff --git a/library/dhm.c b/library/dhm.c
index e8055be..accd5a8 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -223,7 +223,8 @@
         goto cleanup;
 
     /*
-     * export P, G, GX
+     * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
+     * not required". We omit leading zeros for compactness.
      */
 #define DHM_MPI_EXPORT( X, n )                                          \
     do {                                                                \
@@ -436,8 +437,9 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
     }
 
+    /* Output the secret without any leading zero byte. This is mandatory
+     * for TLS per RFC 5246 §8.1.2. */
     *olen = mbedtls_mpi_size( &ctx->K );
-
     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
 
 cleanup: