DHM: add notes about leading zeros
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/dhm.c b/library/dhm.c
index 6fa5435..535b698 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -263,7 +263,8 @@
goto cleanup;
/*
- * export P, G, GX
+ * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
+ * not required". We omit leading zeros for compactness.
*/
#define DHM_MPI_EXPORT( X, n ) \
do { \
@@ -477,8 +478,9 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
}
+ /* Output the secret without any leading zero byte. This is mandatory
+ * for TLS per RFC 5246 §8.1.2. */
*olen = mbedtls_mpi_size( &ctx->K );
-
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
cleanup:
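Review bot: The length stored in *olen on the line after the new comment comes from mbedtls_mpi_size( &ctx->K ), so both the reported length and the number of bytes mbedtls_mpi_write_binary copies vary with the value of the shared secret; for a TLS premaster secret a secret-dependent length is itself a side channel (it can surface as a timing difference in whatever key derivation the caller performs on the output), which is why RFC 8446 §7.4.1 instead requires the FFDH shared secret to be left-padded to the size of the prime. Since the commit documents the stripping rather than changing it, the comment should also spell out the consequence for callers, e.g. `* Note that *olen therefore depends on the value of K; callers must treat` / `* the length, not just the bytes, as sensitive.` The enclosing function begins before this hunk and its cleanup/return path continues after it.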
diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function
index 7dd9e97..43dcd56 100644
--- a/tests/suites/test_suite_dhm.function
+++ b/tests/suites/test_suite_dhm.function
@@ -14,6 +14,8 @@
TEST_ASSERT( size >= *offset + 2 );
n = ( buffer[*offset] << 8 ) | buffer[*offset + 1];
*offset += 2;
+ /* The DHM param output from Mbed TLS has leading zeros stripped, as
+ * permitted but not required by RFC 5246 \S4.4. */
TEST_EQUAL( n, mbedtls_mpi_size( expected ) );
TEST_ASSERT( size >= *offset + n );
TEST_EQUAL( 0, mbedtls_mpi_read_binary( &actual, buffer + *offset, n ) );
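Review bot: The comment added before the length check writes the section sign as the LaTeX escape `\S4.4`, while the corresponding comment in library/dhm.c in the same commit uses `§4.4`; `* permitted but not required by RFC 5246 §4.4. */` keeps the two consistent. It would also help a reader to say what the following TEST_EQUAL pins, since it asserts that the transmitted length equals mbedtls_mpi_size( expected ) and therefore rejects any encoding that retains leading zeros: something like `* The check below therefore fails on a non-minimal encoding; that is intended.` The enclosing helper starts outside the hunk.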