authorBodo Möller <bodo@openssl.org>2002-08-02 15:02:03 +0000
committerBodo Möller <bodo@openssl.org>2002-08-02 15:02:03 +0000
commit95ecacf8a28ce7a782d3bd733483b8776a23b79f (patch)
treeb4450ef1832a5ddbb5e0a700fd2c6fffa3ca56af
parentbe8a280e0b24b78c702b260d70ceb7e0604d226c (diff)
Let BN_rand_range() abort with an error after 100 iterations
without success.
-rw-r--r--CHANGES4
-rw-r--r--crypto/bn/bn_rand.c14
2 files changed, 18 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 26c84b0596..3067dc6389 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
Changes between 0.9.7 and 0.9.8 [xx XXX 2002]
+ *) Let BN_rand_range() abort with an error after 100 iterations
+ without success (which indicates a broken PRNG).
+ [Bodo Moeller]
+
*) Change BN_mod_sqrt() so that it verifies that the input value
is really the square of the return value. (Previously,
BN_mod_sqrt would show GIGO behaviour.)
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 9e08ccd22e..e6705f7025 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -230,6 +230,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
{
int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
int n;
+ int count = 100;
if (range->neg || BN_is_zero(range))
{
@@ -263,6 +264,13 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
if (BN_cmp(r, range) >= 0)
if (!BN_sub(r, r, range)) return 0;
}
+
+ if (!--count)
+ {
+ BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+ return 0;
+ }
+
}
while (BN_cmp(r, range) >= 0);
}
@@ -272,6 +280,12 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
{
/* range = 11..._2 or range = 101..._2 */
if (!bn_rand(r, n, -1, 0)) return 0;
+
+ if (!--count)
+ {
+ BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+ return 0;
+ }
}
while (BN_cmp(r, range) >= 0);
}
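Review bot: The counter test at the end of each loop body discards the result of the 100th draw even when that r is already below range, because `--count` hits zero before the `while (BN_cmp(r, range) >= 0)` condition can accept it; the check added in the third hunk has the same shape. Guarding the decrement with the in-range test, `if (BN_cmp(r, range) >= 0 && !--count)`, would permit a full 100 draws and raise BN_R_TOO_MANY_ITERATIONS only when the last one also fails — the difference is a single draw, so this is minor but worth a comment such as `/* give up after 100 draws: a PRNG this biased is broken */` next to the `int count = 100;` declaration. The diffstat lists only CHANGES and bn_rand.c, so BN_R_TOO_MANY_ITERATIONS is presumably defined by an earlier commit; it is worth confirming the reason code and its string are present in the BN error tables before this is merged. Both do-while loops begin outside the hunks, as do the head and tail of bn_rand_range.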