BN_rand_range() needs a BN_rand() variant that doesn't set the MSB.

diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 54d622e6b412f5fe508633188d2f3ae2a9d6cfa2..b8fbbc83869fa8a7f43c7d9cc3b8c21f7f729cdd 100644 (file)
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -121,24 +121,27 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
                }
 #endif
 
-       if (top)
+       if (top != -1)
                {
-               if (bit == 0)
+               if (top)
                        {
-                       buf[0]=1;
-                       buf[1]|=0x80;
+                       if (bit == 0)
+                               {
+                               buf[0]=1;
+                               buf[1]|=0x80;
+                               }
+                       else
+                               {
+                               buf[0]|=(3<<(bit-1));
+                               buf[0]&= ~(mask<<1);
+                               }
                        }
                else
                        {
-                       buf[0]|=(3<<(bit-1));
+                       buf[0]|=(1<<bit);
                        buf[0]&= ~(mask<<1);
                        }
                }
-       else
-               {
-               buf[0]|=(1<<bit);
-               buf[0]&= ~(mask<<1);
-               }
        if (bottom) /* set bottom bits to whatever odd is */
                buf[bytes-1]|=1;
        if (!BN_bin2bn(buf,bytes,rnd)) goto err;
@@ -192,7 +195,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
                do
                        {
                        /* range = 11..._2, so each iteration succeeds with probability >= .75 */
-                       if (!BN_rand(r, n, 0, 0)) return 0;
+                       if (!BN_rand(r, n, -1, 0)) return 0;
                        }
                while (BN_cmp(r, range) >= 0);
                }
@@ -202,7 +205,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
                 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
                do
                        {
-                       if (!BN_rand(r, n + 1, 0, 0)) return 0;
+                       if (!BN_rand(r, n + 1, -1, 0)) return 0;
                        /* If  r < 3*range,  use  r := r MOD range
                         * (which is either  r, r - range,  or  r - 2*range).
                         * Otherwise, iterate once more.

diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod
index 2a8bed5fed8f1c75c3c49ff792a0c4e27110865d..cbae2fca9774ad92cbe66b0ab848d0a6fdf54d0b 100644 (file)
--- a/doc/crypto/BN_rand.pod
+++ b/doc/crypto/BN_rand.pod
@@ -17,10 +17,12 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
 =head1 DESCRIPTION
 
 BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
-two most significant bits of the number will be set to 1, so that the
-product of two such random numbers will always have 2*B<bits> length.
-If B<bottom> is true, the number will be odd.
+B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
+most significant bit of the random number can be zero. If B<top> is 0,
+it is set to 1, and if B<top> is 1, the two most significant bits of
+the number will be set to 1, so that the product of two such random
+numbers will always have 2*B<bits> length.  If B<bottom> is true, the
+number will be odd.
 
 BN_pseudo_rand() does the same, but pseudo-random numbers generated by
 this function are not necessarily unpredictable. They can be used for
@@ -45,7 +47,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
 =head1 HISTORY
 
 BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range()
-in OpenSSL 0.9.6a.
+BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
+and the function BN_rand_range() were added in OpenSSL 0.9.6a.
 
 =cut