X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/9cbd8bb7d639df855832ee3e3facdeaa903696a8..591d081bf68095a6a329240b2caf0bea32219498:/pub/dh-kcdsa.c
diff --git a/pub/dh-kcdsa.c b/pub/dh-kcdsa.c
index 6bd3e19e..d27bc7d8 100644
--- a/pub/dh-kcdsa.c
+++ b/pub/dh-kcdsa.c
@@ -66,12 +66,13 @@ int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
   rabin rb;
   int rc = PGEN_ABORT;
   int i;
-  mp *x = MP_NEW;
+  mp *x = MP_NEW, *t = MP_NEW;
 
   /* --- First trick: find %$v$% --- */
 
+retry:
   pf.step = 2;
-  x = mprand(x, pl - ql, r, 1);
+  x = mprand(x, pl - ql - 1, r, 1);
   x = pgen("v", x, x, ev, ec, steps, pgen_filter, &pf,
            rabin_iters(pl - ql), pgen_test, &rb);
 
@@ -84,7 +85,10 @@ int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
   sp[0].add = MP_ZERO; sp[0].mul = MP_ONE; sp[0].f = 0;
   sp[1].add = MP_ONE; sp[1].mul = x; sp[1].f = PGENF_KEEP; x = MP_NEW;
   ss.step = MP_TWO; ss.v = sp; ss.n = N(sp);
-  x = mprand(x, ql, r, 1);
+  do {
+    x = mprand(x, ql, r, 1);
+    t = mp_mul(t, x, sp[1].mul);
+  } while (mp_bits(t) != pl);
   dp->q = pgen("p", MP_NEW, x, ev, ec, steps, pgen_simulstep, &ss,
                rabin_iters(ql), pgen_simultest, &ss);
 
@@ -92,6 +96,12 @@ int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
   dp->p = sp[1].u.x;
   if (!dp->q)
     goto fail_1;
+  if (mp_bits(dp->q) != ql || mp_bits(dp->p) != pl) {
+    if (steps) goto fail_1;
+    MP_DROP(dp->p);
+    MP_DROP(dp->q);
+    goto retry;
+  }
 
   /* --- Third trick: find a generator --- */
 
@@ -117,6 +127,7 @@ fail_1:
 fail_0:
 done:
   mp_drop(x);
+  mp_drop(t);
   return (rc);
 }
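Review bot: The new `pl - ql - 1` passed to mprand in the first hunk is computed in `unsigned` and wraps to a huge bit count whenever ql is within one of pl (the old `pl - ql` only wrapped for ql > pl); the start of dh_kcdsagen is outside the hunk, so unless an earlier check already rejects such sizes I would add a guard right before `retry:`, e.g. `if (ql + 1 >= pl) return (PGEN_ABORT);`, rather than letting mprand and rabin_iters run on a wrapped width. The size check added in the third hunk has no comment saying why it exists — the simultaneous step search can carry q past 2^ql (and hence p past pl bits), which the pre-loop `mp_bits(t) != pl` test on the starting product cannot rule out — so I would put `/* --- The search may have stepped q or p past its intended width; retry, or give up if the caller bounded the work --- */` above it. In that same check, `if (steps) goto fail_1;` is taken with dp->p and dp->q both allocated; if the `fail_1` path (not shown) does not release them, both are leaked, so please confirm it does. The enclosing function begins before the first hunk and the cleanup labels lie between the third and fourth hunks.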