pub/dh-kcdsa.c: Choose the starting point for the right result size.

And try again until it's actually likely to work.

diff --git a/pub/dh-kcdsa.c b/pub/dh-kcdsa.c
index e366a16..f4d0390 100644 (file)
--- a/pub/dh-kcdsa.c
+++ b/pub/dh-kcdsa.c
@@ -66,7 +66,7 @@ int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
   rabin rb;
   int rc = PGEN_ABORT;
   int i;
-  mp *x = MP_NEW;
+  mp *x = MP_NEW, *t = MP_NEW;
 
   /* --- First trick: find %$v$% --- */
 
@@ -84,7 +84,10 @@ int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
   sp[0].add = MP_ZERO; sp[0].mul = MP_ONE; sp[0].f = 0;
   sp[1].add = MP_ONE; sp[1].mul = x; sp[1].f = PGENF_KEEP; x = MP_NEW;
   ss.step = MP_TWO; ss.v = sp; ss.n = N(sp);
-  x = mprand(x, ql, r, 1);
+  do {
+    x = mprand(x, ql, r, 1);
+    t = mp_mul(t, x, sp[1].mul);
+  } while (mp_bits(t) != pl);
   dp->q = pgen("p", MP_NEW, x, ev, ec,
               steps, pgen_simulstep, &ss,
               rabin_iters(ql), pgen_simultest, &ss);
@@ -117,6 +120,7 @@ fail_1:
 fail_0:
 done:
   mp_drop(x);
+  mp_drop(t);
   return (rc);
 }