Fix BN_[pseudo_]rand: 'mask' must be used even if top=-1.

Mention BN_[pseudo_]rand with top=-1 in CHANGES.

diff --git a/CHANGES b/CHANGES
index f4dee4f0e04ca6f7687dcf3b2b4b6910727e3ce8..4955e13732d551b66cab8680b5636ce44765d838 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -113,6 +113,9 @@
 
   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
      Bleichenbacher's DSA attack.
+     Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
+     to be set and top=0 forces the highest bit to be set; top=-1 is new
+     and leaves the highest bit random.
      [Ulf Moeller, Bodo Moeller]
 
   *) Update Rijndael code to version 3.0 and change EVP AES ciphers to

diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index b8fbbc83869fa8a7f43c7d9cc3b8c21f7f729cdd..fb583fb358fcb990f5311ca2a6b7e345f89b14fb 100644 (file)
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 
        bytes=(bits+7)/8;
        bit=(bits-1)%8;
-       mask=0xff<<bit;
+       mask=0xff<<(bit+1);
 
        buf=(unsigned char *)OPENSSL_malloc(bytes);
        if (buf == NULL)
@@ -133,16 +133,15 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
                        else
                                {
                                buf[0]|=(3<<(bit-1));
-                               buf[0]&= ~(mask<<1);
                                }
                        }
                else
                        {
                        buf[0]|=(1<<bit);
-                       buf[0]&= ~(mask<<1);
                        }
                }
-       if (bottom) /* set bottom bits to whatever odd is */
+       buf[0] &= ~mask;
+       if (bottom) /* set bottom bit if requested */
                buf[bytes-1]|=1;
        if (!BN_bin2bn(buf,bytes,rnd)) goto err;
        ret=1;