From 68ebcd7b86aa161abdf7151d9be9101538cf34f3 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Mon, 2 Mar 2020 18:49:21 +0000 Subject: [PATCH] Provable primes: be more careful about max_bits_needed. When judging how many bits of the generated prime we can afford to consume with factors of p-1 and still have enough last few bits to vary to find an actual prime in the range, I started by setting max_bits_needed to the total size of the required output number, and then subtracting a safety margin. But that doesn't account for the fact that some bits may _already_ have been used by prior requirements from the PrimeCandidateSource, such as the 'firstbits' used in RSA generation, or the 160-bit factor of p-1 used in DSA. So now we start by initialising max_bits_needed by asking the PCS how many bits of entropy it still has left, and making sure not to reduce _that_ by too much. Should fix another cause of hangs during prime generation. (Also, while I'm here, I've tweaked one of the compiled-out diagnostics so that it reports how many bits it _does_ have left once it starts trying to find a prime. That should make it easier to spot any further problems in this area.) --- sshprime.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sshprime.c b/sshprime.c index 75c4cba9..4ed3eb1d 100644 --- a/sshprime.c +++ b/sshprime.c @@ -358,7 +358,7 @@ static mp_int *provableprime_generate_inner( mp_free(to_free); } - max_bits_needed = mp_get_nbits(upperbound); + max_bits_needed = pcs_get_bits_remaining(pcs); /* * We need a prime that is greater than or equal to @@ -619,7 +619,8 @@ static mp_int *provableprime_generate_inner( debug_f("ppgi(%u) no need to recurse", bits); } - debug_f("ppgi(%u) ready", bits); + debug_f("ppgi(%u) ready, %u bits remaining", + bits, pcs_get_bits_remaining(pcs)); pcs_ready(pcs); while (true) {
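Review bot: in the first hunk (sshprime.c around line 358), `max_bits_needed = pcs_get_bits_remaining(pcs);` replaces the total output size with whatever the candidate source has not already fixed, but the code that follows still subtracts a safety margin from `max_bits_needed`. With the old value that subtraction could never go below zero; with the new one it can, whenever prior requirements (firstbits, the DSA factor of p-1) have already consumed most of the candidate, so please confirm that the subtraction is guarded against underflow if `max_bits_needed` is unsigned, and that a result too small to vary into a prime is rejected rather than silently looped on, which is the hang class the commit message is fixing. Note also that `pcs_get_bits_remaining` is called here but not added by this patch, so it must already exist in the PrimeCandidateSource API; the fix is only correct if it reports exactly the bits still free to vary, not the candidate's total width. The comment immediately after the changed line ("We need a prime that is greater than or equal to ...") should be re-read to be sure it still describes the quantity being compared against.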
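Review bot: in the second hunk (sshprime.c around line 619), the new `debug_f("ppgi(%u) ready, %u bits remaining", bits, pcs_get_bits_remaining(pcs));` prints the return value of `pcs_get_bits_remaining` with `%u`, so its return type needs to be `unsigned int` (or promoted to it); if it returns `size_t` or another wider type, the format should be adjusted to match, since the first hunk gives no hint of the type through `max_bits_needed`. This is a compiled-out diagnostic, so it has no runtime effect on prime generation, but the extra "bits remaining" figure is the number that would confirm the first hunk's fix is behaving, so it is worth keeping the two in agreement.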