LibCrypto: Always handle SECPxxxr1 scalars with leading zeros

It may happen that the scalars used by SECPxxxr1 turn out to be slightly smaller than their actual size when serialized to `UnsignedBigInteger`, especially for P521. Handle this case by serializing zeros instead of failing. Originally discovered as a flaky WPT test.
Author: https://github.com/devgianlu Commit: https://github.com/LadybirdBrowser/ladybird/commit/12ca074671a Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3394 Reviewed-by: https://github.com/gmta ✅
2025-04-21 20:15:17 +00:00 · 2025-01-29 11:00:05 +01:00 · 2025-01-29 11:00:05 +01:00 · 12ca074671 · 2025-01-29 11:47:47 +00:00
commit 12ca074671
parent 0cb35c9294
1 changed files with 10 additions and 5 deletions
--- a/Libraries/LibCrypto/Curves/SECPxxxr1.h
+++ b/Libraries/LibCrypto/Curves/SECPxxxr1.h
@ -30,15 +30,20 @@ struct SECPxxxr1Point {
    {
        auto a_bytes = TRY(ByteBuffer::create_uninitialized(a.byte_length()));
        auto a_size = a.export_data(a_bytes.span());
-        VERIFY(a_size >= size);

-        for (size_t i = 0; i < a_size - size; i++) {
-            if (a_bytes[i] != 0) {
-                return Error::from_string_literal("Scalar is too large for the given size");
+        if (a_size >= size) {
+            for (size_t i = 0; i < a_size - size; i++) {
+                if (a_bytes[i] != 0) {
+                    return Error::from_string_literal("Scalar is too large for the given size");
+                }
            }
+
+            return a_bytes.slice(a_size - size, size);
        }

-        return a_bytes.slice(a_size - size, size);
+        auto a_extended_bytes = TRY(ByteBuffer::create_zeroed(size));
+        a_extended_bytes.overwrite(size - a_size, a_bytes.data(), a_size);
+        return a_extended_bytes;
    }

    static ErrorOr<SECPxxxr1Point> from_uncompressed(ReadonlyBytes data)