From d104ae39e3aefe752612a025478746b94ad1747e Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Mon, 20 Aug 2018 14:20:50 +1000
Subject: [PATCH] TLS 1.3: Always left-pad DH secret to length of prime

---
 src/tls.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/tls.c b/src/tls.c
index fcd864e50..ba577e0fd 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -6383,6 +6383,16 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
 ret = wc_AsyncWait(ret, dhKey.asyncDev, WC_ASYNC_FLAG_NONE);
 }
 #endif
+ /* RFC 8446 Section 7.4.1:
+ * ... left-padded with zeros up to the size of the prime. ...
+ */
+ if (params->p_len > ssl->arrays->preMasterSz) {
+ word32 diff = params->p_len - ssl->arrays->preMasterSz;
+ XMEMMOVE(ssl->arrays->preMasterSecret + diff,
+ ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
+ XMEMSET(ssl->arrays->preMasterSecret, 0, diff);
+ ssl->arrays->preMasterSz = params->p_len;
+ }
 wc_FreeDhKey(dhKey);
 #ifdef WOLFSSL_SMALL_STACK