X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/0f00dc4c8eb47e67bc0f148c2dd109f73a451e0a..32bd36cff950788ec62bd36a6d437da12aa4fd0f:/pub/rsa-gen.c

diff --git a/pub/rsa-gen.c b/pub/rsa-gen.c
index a7a2ca4e..c12be18a 100644
--- a/pub/rsa-gen.c
+++ b/pub/rsa-gen.c
@@ -73,32 +73,39 @@ int rsa_gen(rsa_priv *rp, unsigned nbits, grand *r, unsigned n,
    * conservative about that sort of thing.
    */
 
-again:
   if ((rp->p = strongprime("p", MP_NEWSEC, nbits/2, r, n, event, ectx)) == 0)
     goto fail_p;
 
-  /* --- Do painful fiddling with GCD steppers --- */
+  /* --- Do painful fiddling with GCD steppers --- *
+   *
+   * Also, arrange that %$q \ge \lceil 2^{N-1}/p \rceil$%, so that %$p q$%
+   * has the right length.
+   */
 
   {
     mp *q;
+    mp *t = MP_NEW, *u = MP_NEW;
     rabin rb;
 
     if ((q = strongprime_setup("q", MP_NEWSEC, &g.jp, nbits / 2,
 			       r, n, event, ectx)) == 0)
       goto fail_q;
+    t = mp_lsl(t, MP_ONE, nbits - 1);
+    mp_div(&t, &u, t, rp->p);
+    if (!MP_ZEROP(u)) t = mp_add(t, t, MP_ONE);
+    if (MP_CMP(q, <, t)) q = mp_leastcongruent(q, t, q, g.jp.m);
+    mp_drop(t);
+
     g.r = mp_lsr(MP_NEW, rp->p, 1);
     g.g = MP_NEW;
     g.max = MP_256;
     q = pgen("q", q, q, event, ectx, n, pgen_gcdstep, &g,
-		 rabin_iters(nbits/2), pgen_test, &rb);
+	     rabin_iters(nbits/2), pgen_test, &rb);
     pfilt_destroy(&g.jp);
     mp_drop(g.r);
     if (!q) {
       mp_drop(g.g);
-      if (n)
-	goto fail_q;
-      mp_drop(rp->p);
-      goto again;
+      goto fail_q;
     }
     rp->q = q;
   }
@@ -114,10 +121,7 @@ again:
       MP_LEN(phi) * 4 < MP_LEN(rp->q) * 3) {
     mp_drop(rp->p);
     mp_drop(g.g);
-    if (n)
-      goto fail_q;
-    mp_drop(rp->q);
-    goto again;
+    goto fail_q;
   }
 
   if (MP_NEGP(phi)) {