fix BN_rand_range

66df02fd · Bodo Möller · 206eb6a1 · 66df02fd · 66df02fd
隐藏空白更改
内联并排

Showing with 19 addition and 11 deletion

CHANGES CHANGES +6 -0

crypto/bn/bn_rand.c crypto/bn/bn_rand.c +13 -11

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,12 @@
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only
+  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
+     <Dominikus.Scherkl@biodata.com>.  (The previous implementation
+     worked incorrectly for those cases where  range = 10..._2  and
+     3*range  is two bits longer than  range.)
+     [Bodo Moeller]
  *) Only add signing time to PKCS7 structures if it is not already present.
     [Steve Henson]

--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -239,22 +239,15 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 	n = BN_num_bits(range); /* n > 0 */
+	/* BN_is_bit_set(range, n - 1) always holds */
 	if (n == 1)
 		{
 		if (!BN_zero(r)) return 0;
 		}
-	else if (BN_is_bit_set(range, n - 2))
+	else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
-		{
-		do
-			{
-			/* range = 11..._2, so each iteration succeeds with probability >= .75 */
-			if (!bn_rand(r, n, -1, 0)) return 0;
-			}
-		while (BN_cmp(r, range) >= 0);
-		}
-	else
 		{
-		/* range = 10..._2,
+		/* range = 100..._2,
 		 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
 		do
 			{
@@ -273,6 +266,15 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 			}
 		while (BN_cmp(r, range) >= 0);
 		}
+	else
+		{
+		do
+			{
+			/* range = 11..._2  or  range = 101..._2 */
+			if (!bn_rand(r, n, -1, 0)) return 0;
+			}
+		while (BN_cmp(r, range) >= 0);
+		}
 	return 1;
 	}