BN_rand_range() needs a BN_rand() variant that doesn't set the MSB.

1 files changed, 15 insertions, 12 deletions

diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 54d622e6b4..b8fbbc8386 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -121,24 +121,27 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 		}
 #endif
 
-	if (top)
+	if (top != -1)
 		{
-		if (bit == 0)
+		if (top)
 			{
-			buf[0]=1;
-			buf[1]|=0x80;
+			if (bit == 0)
+				{
+				buf[0]=1;
+				buf[1]|=0x80;
+				}
+			else
+				{
+				buf[0]|=(3<<(bit-1));
+				buf[0]&= ~(mask<<1);
+				}
 			}
 		else
 			{
-			buf[0]|=(3<<(bit-1));
+			buf[0]|=(1<<bit);
 			buf[0]&= ~(mask<<1);
 			}
 		}
-	else
-		{
-		buf[0]|=(1<<bit);
-		buf[0]&= ~(mask<<1);
-		}
 	if (bottom) /* set bottom bits to whatever odd is */
 		buf[bytes-1]|=1;
 	if (!BN_bin2bn(buf,bytes,rnd)) goto err;
@@ -192,7 +195,7 @@ int	BN_rand_range(BIGNUM *r, BIGNUM *range)
 		do
 			{
 			/* range = 11..._2, so each iteration succeeds with probability >= .75 */
-			if (!BN_rand(r, n, 0, 0)) return 0;
+			if (!BN_rand(r, n, -1, 0)) return 0;
 			}
 		while (BN_cmp(r, range) >= 0);
 		}
@@ -202,7 +205,7 @@ int	BN_rand_range(BIGNUM *r, BIGNUM *range)
 		 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
 		do
 			{
-			if (!BN_rand(r, n + 1, 0, 0)) return 0;
+			if (!BN_rand(r, n + 1, -1, 0)) return 0;
 			/* If  r < 3*range,  use  r := r MOD range
 			 * (which is either  r, r - range,  or  r - 2*range).
 			 * Otherwise, iterate once more.