Ben confirms that the MUST in rfc2631 is only for compatibility with X9.42, and isn't actually a security thing.

svn:r17685

src/common/crypto.c

@@ -1643,13 +1643,6 @@ crypto_dh_compute_secret(crypto_dh_env_t *dh,
     goto error;
   }
   secret_len = result;
-  /* sometimes secret_len might be less than 128, e.g., 127. that's ok. -RD */
-  /* Actually, http://www.faqs.org/rfcs/rfc2631.html says:
-   *   Leading zeros MUST be preserved, so that ZZ occupies as many
-   *   octets as p. For instance, if p is 1024 bits, ZZ should be 128
-   *   bytes long.
-   * XXX021 What are the security implications here? -NM
-   */
   if (crypto_expand_key_material(secret_tmp, secret_len,
                                  secret_out, secret_bytes_out)<0)
     goto error;