authorBodo Möller <bodo@openssl.org>2001-02-20 08:22:25 +0000
committerBodo Möller <bodo@openssl.org>2001-02-20 08:22:25 +0000
commit6d82a206244134215c768bcfec7b2b2e67683cd7 (patch)
tree7fd25abb977759cdc8f75425d429d40b06621cb7
parent6c66fcba5fa24ff06c03e9aaab4bb8016fbffa8e (diff)
Fix BN_[pseudo_]rand: 'mask' must be used even if top=-1.
Mention BN_[pseudo_]rand with top=-1 in CHANGES.
-rw-r--r--CHANGES3
-rw-r--r--crypto/bn/bn_rand.c12
2 files changed, 8 insertions, 7 deletions
diff --git a/CHANGES b/CHANGES
index 273e451cb1..25987622a9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -39,6 +39,9 @@
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
Bleichenbacher's DSA attack.
+ Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
+ to be set and top=0 forces the highest bit to be set; top=-1 is new
+ and leaves the highest bit random.
[Ulf Moeller]
*) In the NCONF_...-based implementations for CONF_... queries
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index b6f546b88e..2e45770e8f 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
bytes=(bits+7)/8;
bit=(bits-1)%8;
- mask=0xff<<bit;
+ mask=0xff<<(bit+1);
buf=(unsigned char *)OPENSSL_malloc(bytes);
if (buf == NULL)
@@ -104,7 +104,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
{
if (top)
{
- if (bit == 0)
+ if (bit == 0)
{
buf[0]=1;
buf[1]|=0x80;
@@ -112,16 +112,15 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
else
{
buf[0]|=(3<<(bit-1));
- buf[0]&= ~(mask<<1);
}
}
else
{
buf[0]|=(1<<bit);
- buf[0]&= ~(mask<<1);
}
}
- if (bottom) /* set bottom bits to whatever odd is */
+ buf[0] &= ~mask;
+ if (bottom) /* set bottom bit if requested */
buf[bytes-1]|=1;
if (!BN_bin2bn(buf,bytes,rnd)) goto err;
ret=1;
@@ -156,7 +155,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
}
n = BN_num_bits(range); /* n > 0 */
-
+
if (n == 1)
{
if (!BN_zero(r)) return 0;
@@ -194,4 +193,3 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
return 1;
}
-
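Review bot: The new `buf[0] &= ~mask;` at the end of the top-bit block is correct only because the compound assignment truncates `~mask` to unsigned char: with `mask=0xff<<(bit+1)` the mask covers bits bit+1..bit+8 (up to 0xff00 when bit==7), and it is the low byte of its complement that serves as the keep-mask, which is not obvious to a reader; a comment such as `/* clear the bits above 'bit' in the top byte; relies on ~mask being truncated to a byte */` on that line would make the intent explicit. Separately, if `bits == 0` is not rejected before the `bytes`/`bit` computation in the first hunk (not visible here), `bit` becomes -1 and `bytes` becomes 0, so the later `buf[0]` writes land in a zero-length allocation; the new `0xff<<(bit+1)` happens to avoid the negative shift the old code had, but the write still needs an early exit before the OPENSSL_malloc, presumably along the lines of `if (bits == 0) return BN_zero(rnd);` given BN_zero's int return as used in BN_rand_range. bnrand's signature and the enclosing `if` that selects the top!=-1 path both lie outside the hunk, so the placement of the unconditional mask line relative to that block should be confirmed in the full function.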