Merge branch '2.3.x'
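--- a/pub/rsa-gen.c
+++ b/pub/rsa-gen.c
@@ -73,11 +73,14 @@ int rsa_gen(rsa_priv *rp, unsigned nbits, grand *r, unsigned n,
 * conservative about that sort of thing.
 */
-again:
 if ((rp->p = strongprime("p", MP_NEWSEC, nbits/2, r, n, event, ectx)) == 0)
 goto fail_p;
- /* --- Do painful fiddling with GCD steppers --- */
+ /* --- Do painful fiddling with GCD steppers --- *
+ *
+ * Also, arrange that %$q \ge \lceil 2^{N-1}/p \rceil$%, so that %$p q$%
+ * has the right length.
+ */
 {
 mp *q;
@@ -86,19 +89,17 @@ again:
 if ((q = strongprime_setup("q", MP_NEWSEC, &g.jp, nbits / 2,
 r, n, event, ectx)) == 0)
 goto fail_q;
+
 g.r = mp_lsr(MP_NEW, rp->p, 1);
 g.g = MP_NEW;
 g.max = MP_256;
 q = pgen("q", q, q, event, ectx, n, pgen_gcdstep, &g,
- rabin_iters(nbits/2), pgen_test, &rb);
+ rabin_iters(nbits/2), pgen_test, &rb);
 pfilt_destroy(&g.jp);
 mp_drop(g.r);
 if (!q) {
 mp_drop(g.g);
- if (n)
- goto fail_q;
- mp_drop(rp->p);
- goto again;
+ goto fail_q;
 }
 rp->q = q;
 }
@@ -114,10 +115,7 @@ again:
 MP_LEN(phi) * 4 < MP_LEN(rp->q) * 3) {
 mp_drop(rp->p);
 mp_drop(g.g);
- if (n)
- goto fail_q;
- mp_drop(rp->q);
- goto again;
+ goto fail_q;
 }
 if (MP_NEGP(phi)) {
@@ -154,6 +152,8 @@ again:
 mp_gcd(&g.g, 0, &rp->d, phi, rp->e);
 if (!MP_EQ(g.g, MP_ONE) && MP_LEN(rp->d) * 4 > MP_LEN(rp->n) * 3)
 goto fail_e;
+ if (mp_bits(rp->n) != nbits)
+ goto fail_e;
 /* --- Work out exponent residues --- */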
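Review bot: The comment added at the top of the first hunk says q is arranged so that q ≥ ⌈2^{N-1}/p⌉ and the product has the right length, but none of the visible hunks applies such a bound: strongprime_setup is still called with nbits / 2 and pgen is given no lower limit, so the only length guarantee on view is the post-hoc `if (mp_bits(rp->n) != nbits) goto fail_e;` in the last hunk. If the bound is enforced in lines outside these hunks the comment should say where; otherwise that check is the enforcement and deserves its own comment, e.g. `/* Modulus came out short of the requested nbits: fail rather than hand back a weaker key. */`. With the `again:` labels and their `goto again` paths removed in the second and third hunks, a rejected q, a bad phi ratio or a short modulus now makes rsa_gen fail outright instead of regenerating when n == 0, which is a contract change callers may have relied on and which rsa_gen's header comment, outside these hunks, should document. rsa_gen begins and ends outside the hunks.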