+
+/*
+ * Invent a pair of values suitable for use as 'firstbits' in the
+ * above function, such that their product is at least 2.
+ *
+ * This is used for generating both RSA and DSA keys which have
+ * exactly the specified number of bits rather than one fewer - if you
+ * generate an a-bit and a b-bit number completely at random and
+ * multiply them together, you could end up with either an (ab-1)-bit
+ * number or an (ab)-bit number. The former happens log(2)*2-1 of the
+ * time (about 39%) and, though actually harmless, every time it
+ * occurs it has a non-zero probability of sparking a user email along
+ * the lines of 'Hey, I asked PuTTYgen for a 2048-bit key and I only
+ * got 2047 bits! Bug!'
+ */
+void invent_firstbits(unsigned *one, unsigned *two)
+{
+ /*
+ * Our criterion is that any number in the range [one,one+1)
+ * multiplied by any number in the range [two,two+1) should have
+ * the highest bit set. It should be clear that we can trivially
+ * test this by multiplying the smallest values in each interval,
+ * i.e. the ones we actually invented.
+ */
+ do {
+ *one = 0x100 | random_byte();
+ *two = 0x100 | random_byte();
+ } while (*one * *two < 0x20000);
+}