X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/285bf989997b8dc94a0783e260fe73787c7ae767..6ecc0b8facfd2f1f13abc03b0f2013112af3430b:/pub/bbs-gen.c
diff --git a/pub/bbs-gen.c b/pub/bbs-gen.c
index f57683f1..fcba8288 100644
--- a/pub/bbs-gen.c
+++ b/pub/bbs-gen.c
@@ -65,14 +65,14 @@ int bbs_gen(bbs_priv *bp, unsigned nbits, grand *r, unsigned n,
 pgen_jumpctx j;
 pgen_gcdstepctx g;
 unsigned nb = nbits/2;
- mp *x = MP_NEW;
+ mp *x = MP_NEWSEC, *t = MP_NEW;
 /* --- Generate @p@ --- */
 if ((x = strongprime_setup("p", x, &jp, nb, r, n, event, ectx)) == 0)
 goto fail_x;
 j.j = &jp;
- bp->p = pgen("p", MP_NEW, x, event, ectx, n, pgen_jump, &j,
+ bp->p = pgen("p", MP_NEWSEC, x, event, ectx, n, pgen_jump, &j,
 rabin_iters(nb), pgen_test, &rb);
 pfilt_destroy(&jp);
 if (!bp->p) goto fail_p;
@@ -88,21 +88,28 @@ int bbs_gen(bbs_priv *bp, unsigned nbits, grand *r, unsigned n,
 g.r = mp_lsr(MP_NEW, bp->p, 1);
 g.g = MP_NEW;
 g.max = MP_ONE;
- bp->q = pgen("q", MP_NEW, x, event, ectx, n, pgen_gcdstep, &g,
+ t = mp_lsl(t, MP_ONE, nbits - 1);
+ mp_div(&t, 0, t, bp->p);
+ if (MP_CMP(x, <, t)) x = mp_leastcongruent(x, t, x, g.jp.m);
+ bp->q = pgen("q", MP_NEWSEC, x, event, ectx, n, pgen_gcdstep, &g,
 rabin_iters(nb), pgen_test, &rb);
 pfilt_destroy(&g.jp);
 mp_drop(g.r);
 mp_drop(g.g);
+ mp_drop(t);
 if (!bp->q) goto fail_q;
 /* --- Compute @n@ --- */
 bp->n = mp_mul(MP_NEW, bp->p, bp->q);
+ if (mp_bits(bp->n) != nbits) goto fail_n;
 mp_drop(x);
 return (PGEN_DONE);
 /* --- Tidy up if things went wrong --- */
+fail_n:
+ mp_drop(bp->n);
 fail_q:
 mp_drop(bp->p);
 fail_p:
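Review bot: `t` is left on the ordinary allocator in `mp *x = MP_NEWSEC, *t = MP_NEW;` while `x`, `p` and `q` are moved to `MP_NEWSEC`, yet the second hunk fills `t` with `2^(nbits-1)/p`, a value computed directly from the secret prime, so it should follow the same rule: `mp *x = MP_NEWSEC, *t = MP_NEWSEC;`. If `MP_NEWSEC` selects the secure arena as its name suggests, the pre-existing `g.r = mp_lsr(MP_NEW, bp->p, 1)` (context in the second hunk, holding `(p-1)/2`) looks like the same situation and could be changed in the same spirit. bbs_gen begins before this hunk and continues past the second one.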
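Review bot: The new `fail_n` path leaks `bp->q`: `if (mp_bits(bp->n) != nbits) goto fail_n;` is reached with `bp->q` already generated, but `fail_n:` drops only `bp->n` and then falls into `fail_q:`, which releases `bp->p` only because it was written for the `!bp->q` case. Add `mp_drop(bp->q);` directly after `mp_drop(bp->n);` under `fail_n:`. The released `bp->p`, `bp->q` and `bp->n` pointers also remain in the caller's struct unless the code after `fail_p:` resets them; a short comment on the label block stating what `bp` holds on failure would make that contract explicit. The function continues beyond the end of this hunk, so whether `x` is dropped on this path cannot be confirmed here.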