Fix BN_[pseudo_]rand: 'mask' must be used even if top=-1. Mention BN_[pseudo_]rand with top=-1 in CHANGES.
diff --git a/CHANGES b/CHANGES index f4dee4f..4955e13 100644 --- a/CHANGES +++ b/CHANGES
@@ -113,6 +113,9 @@ *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent Bleichenbacher's DSA attack. + Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits + to be set and top=0 forces the highest bit to be set; top=-1 is new + and leaves the highest bit random. [Ulf Moeller, Bodo Moeller] *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index b8fbbc8..fb583fb 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c
@@ -76,7 +76,7 @@ bytes=(bits+7)/8; bit=(bits-1)%8; - mask=0xff<<bit; + mask=0xff<<(bit+1); buf=(unsigned char *)OPENSSL_malloc(bytes); if (buf == NULL) @@ -133,16 +133,15 @@ else { buf[0]|=(3<<(bit-1)); - buf[0]&= ~(mask<<1); } } else { buf[0]|=(1<<bit); - buf[0]&= ~(mask<<1); } } - if (bottom) /* set bottom bits to whatever odd is */ + buf[0] &= ~mask; + if (bottom) /* set bottom bit if requested */ buf[bytes-1]|=1; if (!BN_bin2bn(buf,bytes,rnd)) goto err; ret=1;