DHM: add notes about leading zeros

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

library/dhm.c

@@ -223,7 +223,8 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
         goto cleanup;
 
     /*
-     * export P, G, GX
+     * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
+     * not required". We omit leading zeros for compactness.
      */
 #define DHM_MPI_EXPORT( X, n )                                          \
     do {                                                                \
@@ -436,8 +437,9 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
     }
 
+    /* Output the secret without any leading zero byte. This is mandatory
+     * for TLS per RFC 5246 §8.1.2. */
     *olen = mbedtls_mpi_size( &ctx->K );
-
     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
 
 cleanup:

tests/suites/test_suite_dhm.function

@@ -16,6 +16,8 @@ static int check_dhm_param_output( const mbedtls_mpi *expected,
     TEST_ASSERT( size >= *offset + 2 );
     n = ( buffer[*offset] << 8 ) | buffer[*offset + 1];
     *offset += 2;
+    /* The DHM param output from Mbed TLS has leading zeros stripped, as
+     * permitted but not required by RFC 5246 \S4.4. */
     TEST_EQUAL( n, mbedtls_mpi_size( expected ) );
     TEST_ASSERT( size >= *offset + n );
     TEST_EQUAL( 0, mbedtls_mpi_read_binary( &actual, buffer + *offset, n ) );