// an integer modulo N. This is the absolute worst of all worlds: we still
// have to reduce, because the result might still overflow N, but to take
// the left-most bits for P-521 we have to do a right shift.
- if size := c.N.Size(); len(hash) > size {
+ if size := c.N.Size(); len(hash) >= size {
hash = hash[:size]
if excess := len(hash)*8 - c.N.BitLen(); excess > 0 {
hash = bytes.Clone(hash)
"bytes"
"compress/bzip2"
"crypto/elliptic"
+ "crypto/internal/bigmod"
"crypto/rand"
"crypto/sha1"
"crypto/sha256"
}
}
+func TestHashToNat(t *testing.T) {
+ t.Run("P-224", func(t *testing.T) { testHashToNat(t, p224()) })
+ t.Run("P-256", func(t *testing.T) { testHashToNat(t, p256()) })
+ t.Run("P-384", func(t *testing.T) { testHashToNat(t, p384()) })
+ t.Run("P-521", func(t *testing.T) { testHashToNat(t, p521()) })
+}
+
+func testHashToNat[Point nistPoint[Point]](t *testing.T, c *nistCurve[Point]) {
+ for l := 0; l < 600; l++ {
+ h := bytes.Repeat([]byte{0xff}, l)
+ hashToNat(c, bigmod.NewNat(), h)
+ }
+}
+
func TestZeroSignature(t *testing.T) {
testAllCurves(t, testZeroSignature)
}